
Penetration Testing with Kali Linux

0. - Penetration Testing: What You Should Know ... 13
  0.1 - About Kali Linux ... 13
  0.2 - About Penetration Testing ... 13
  0.3 - Legal ... 15
  0.4 - The megacorpone.com Domain ... 15
  0.5 - Offensive Security Labs ... 15
    0.5.1 - VPN Labs Overview ... 15
    0.5.2 - Lab Control Panel ... 17
    0.5.3 - Reporting ... 18

1. - Getting Comfortable with Kali Linux ... 22
  1.1 - Finding Your Way Around Kali ... 22
    1.1.1 - Booting Up Kali Linux ... 22
    1.1.2 - The Kali Menu ... 23
    1.1.3 - Find, Locate, and Which ... 23
    1.1.4 - Exercises ... 24
  1.2 - Managing Kali Linux Services ... 25
    1.2.1 - Default root Password ... 25
    1.2.2 - SSH Service ... 26
    1.2.3 - HTTP Service ... 26
    1.2.4 - Exercises ... 28
  1.3 - The Bash Environment ... 29
  1.4 - Intro to Bash Scripting ... 29
    1.4.1 - Practical Bash Usage - Example 1 ... 29
    1.4.2 - Practical Bash Usage - Example 2 ... 33
    1.4.3 - Exercises ... 35
PWK

Copyright 2014 Offensive Security Ltd. All rights reserved.

Page 3 of 361

2. - The Essential Tools ... 36
  2.1 - Netcat ... 36
    2.1.1 - Connecting to a TCP/UDP Port ... 36
    2.1.2 - Listening on a TCP/UDP Port ... 38
    2.1.3 - Transferring Files with Netcat ... 40
    2.1.4 - Remote Administration with Netcat ... 42
    2.1.5 - Exercises ... 48
  2.2 - Ncat ... 48
    2.2.1 - Exercises ... 50
  2.3 - Wireshark ... 51
    2.3.1 - Wireshark Basics ... 51
    2.3.2 - Making Sense of Network Dumps ... 53
    2.3.3 - Capture and Display Filters ... 54
    2.3.4 - Following TCP Streams ... 55
    2.3.5 - Exercises ... 56
  2.4 - Tcpdump ... 57
    2.4.1 - Filtering Traffic ... 57
    2.4.2 - Advanced Header Filtering ... 59
    2.4.3 - Exercises ... 61

3. - Passive Information Gathering ... 62
  A Note From the Author ... 62
  3.1 - Open Web Information Gathering ... 64
    3.1.1 - Google ... 64
    3.1.2 - Google Hacking ... 69
    3.1.3 - Exercises ... 72
  3.2 - Email Harvesting ... 73

    3.2.1 - Exercise ... 73
  3.3 - Additional Resources ... 74
    3.3.1 - Netcraft ... 74
    3.3.2 - Whois Enumeration ... 76
    3.3.3 - Exercise ... 78
  3.4 - Recon-ng ... 79

4. - Active Information Gathering ... 82
  4.1 - DNS Enumeration ... 82
    4.1.1 - Interacting with a DNS Server ... 82
    4.1.2 - Automating Lookups ... 83
    4.1.3 - Forward Lookup Brute Force ... 83
    4.1.4 - Reverse Lookup Brute Force ... 84
    4.1.5 - DNS Zone Transfers ... 85
    4.1.6 - Relevant Tools in Kali Linux ... 89
    4.1.7 - Exercises ... 92
  4.2 - Port Scanning ... 93
    A Note From the Author ... 93
    4.2.1 - TCP CONNECT / SYN Scanning ... 93
    4.2.2 - UDP Scanning ... 95
    4.2.3 - Common Port Scanning Pitfalls ... 96
    4.2.4 - Port Scanning with Nmap ... 97
    4.2.5 - OS Fingerprinting ... 102
    4.2.6 - Banner Grabbing/Service Enumeration ... 103
    4.2.7 - Nmap Scripting Engine (NSE) ... 104
    4.2.8 - Exercises ... 105
  4.3 - SMB Enumeration ... 106
    4.3.1 - Scanning for the NetBIOS Service ... 106
    4.3.2 - Null Session Enumeration ... 107
    4.3.3 - Nmap SMB NSE Scripts ... 110
    4.3.4 - Exercises ... 112
  4.4 - SMTP Enumeration ... 113
    4.4.1 - Exercise ... 114
  4.5 - SNMP Enumeration ... 115
    A Note From the Author ... 115
    4.5.1 - MIB Tree ... 116
    4.5.2 - Scanning for SNMP ... 117
    4.5.3 - Windows SNMP Enumeration Example ... 118
    4.5.4 - Exercises ... 118

5. - Vulnerability Scanning ... 119
  5.1 - Vulnerability Scanning with Nmap ... 119
  5.2 - The OpenVAS Vulnerability Scanner ... 124
    5.2.1 - OpenVAS Initial Setup ... 124
    5.2.2 - Exercises ... 131

6. - Buffer Overflows ... 132
  6.1 - Fuzzing ... 133
    6.1.1 - Vulnerability History ... 133
    6.1.2 - A Word About DEP and ASLR ... 133
    6.1.3 - Interacting with the POP3 Protocol ... 134
    6.1.4 - Exercises ... 137

7. - Win32 Buffer Overflow Exploitation ... 138
  7.1 - Replicating the Crash ... 138
  7.2 - Controlling EIP ... 138
    7.2.1 - Binary Tree Analysis ... 139
    7.2.2 - Sending a Unique String ... 139
    7.2.3 - Exercises ... 142
  7.3 - Locating Space for Your Shellcode ... 142
  7.4 - Checking for Bad Characters ... 144
    7.4.1 - Exercises ... 146
  7.5 - Redirecting the Execution Flow ... 147
    7.5.1 - Finding a Return Address ... 147
    7.5.2 - Exercises ... 151
  7.6 - Generating Shellcode with Metasploit ... 152
  7.7 - Getting a Shell ... 155
    7.7.1 - Exercises ... 157
  7.8 - Improving the Exploit ... 158
    7.8.1 - Exercises ... 158

8. - Linux Buffer Overflow Exploitation ... 159
  8.1 - Setting Up the Environment ... 159
  8.2 - Crashing Crossfire ... 160
    8.2.1 - Exercise ... 161
  8.3 - Controlling EIP ... 162
  8.4 - Finding Space for Our Shellcode ... 163
  8.5 - Improving Exploit Reliability ... 164
  8.6 - Discovering Bad Characters ... 165
    8.6.1 - Exercises ... 165
  8.7 - Finding a Return Address ... 166
  8.8 - Getting a Shell ... 168
    8.8.1 - Exercise ... 170

9. - Working with Exploits ... 171
  9.1 - Searching for Exploits ... 173
    9.1.1 - Finding Exploits in Kali Linux ... 173
    9.1.2 - Finding Exploits on the Web ... 173
  9.2 - Customizing and Fixing Exploits ... 176
    9.2.1 - Setting Up a Development Environment ... 176
    9.2.2 - Dealing with Various Exploit Code Languages ... 176
    9.2.3 - Exercises ... 180

10. - File Transfers ... 181
  10.1 - A Word About Anti Virus Software ... 181
  10.2 - File Transfer Methods ... 182
    10.2.1 - The Non-Interactive Shell ... 182
    10.2.2 - Uploading Files ... 183
    10.2.3 - Exercises ... 191

11. - Privilege Escalation ... 192
  11.1 - Privilege Escalation Exploits ... 192
    11.1.1 - Local Privilege Escalation Exploit in Linux Example ... 192
    11.1.2 - Local Privilege Escalation Exploit in Windows Example ... 194
  11.2 - Configuration Issues ... 197
    11.2.1 - Incorrect File and Service Permissions ... 197
    11.2.2 - Think Like a Network Administrator ... 199
    11.2.3 - Exercises ... 199

12. - Client Side Attacks ... 200
  12.1 - Know Your Target ... 200
    12.1.1 - Passive Client Information Gathering ... 201
    12.1.2 - Active Client Information Gathering ... 201
    12.1.3 - Social Engineering and Client Side Attacks ... 202
