Offensive security penetration testing with kali linux pdf download
This could be very handy, as deleted files could contain information of interest for both the forensics and pentesting realms. I then deleted the files:

Using the Module

The module requires that you have an open session to the target that you want to check.
Now, say we only wanted to recover the txt files. But what if we wanted to recover pdf files? Lastly, the files can also be recovered by the ID number (not shown).

Recovery File Module Wrap-Up

The module seems to work really well on data drives, but not so well on drives where there are a lot of files to recover, like on the main drive of a single drive system.
I ran this on a Windows 7 boot drive on a VM that I have used a lot and it literally took hours to run. Here is a network packet capture of the module running against a drive with a lot of deleted files: But then again, how many people actually record and analyze their data traffic?
It was lightning fast and worked very well. Though we covered some of the basics of getting around and using the shell, we only touched on a fraction of its capabilities. Hopefully you can see why getting a Meterpreter shell gives you a whole lot more functionality than just getting a straight remote access shell. Grabbing video and sound may seem to be a bit theatrical, but social engineers could use information they glean.
Sound is interesting too. A social engineer could learn a lot about the target facility by being able to have a live microphone inside the building. But we can also use Meterpreter to bypass Windows UAC protection and automate pulling user password hashes and even plain text passwords.
We will talk about all of these features in upcoming chapters. When a hacker attacks a target, one of the normal stages they perform is information gathering. They want to learn as much about your network, their target, as they can to make their lives easier. Maltego is a very popular tool, one that is covered quite a bit in security books and training seminars. As it already has a lot of coverage, I figured we would look at some of the other tools included in Kali. In this chapter we will look at one of the newer tools, Recon-NG, and a couple of other tools that come with Kali.
Recon-NG

The Recon-NG Framework is a powerful tool that allows you to perform automated information gathering and network reconnaissance. Think of it as Metasploit for information collection.
Recon-NG automates a lot of the steps that are taken in the initial process of a penetration test. It has numerous features that allow you to collect user information for social engineering attacks, and network information for network mapping and much more. You can automatically hit numerous websites to gather passive information on your target and even actively probe the target itself for data.
Anyone who is familiar with Metasploit will feel right at home, as the interface was made to have the same look and feel. The command usage and functions are very similar.
Basically you can use Recon-NG to gather info on your target, and then attack it with Metasploit. Many of its modules gather information passively, while some directly probe and can even attack the system you are interested in. One tactic used to passively probe network structure is to use the Google search engine to enumerate site sub-domains.
Then exclude the sub-domains you find with -inurl, so that other sub-domains will appear. This can take a while to do by hand and can require a lot of typing if the target has a large number of sub-domains. Recon-NG will do this for you automatically and record what it finds in a database. This one only requires the target domain. Within seconds, several of the sub-domains are listed. All the data collected by Recon-NG is placed in a database.
You can create a report to view the data collected.

Recon-NG Wrap-up

Sub-domain enumeration is only one module you can run; there are many others to choose from. Using these you can get specific information from the corresponding sites about your targets. For example, you can search Twitter for tweets from your target or even check Shodan for open systems. I have just briefly touched on some of the capabilities of Recon-NG.
It is really an impressive tool that is well worth checking into.

Dmitry

Dmitry is a nice little tool for quickly finding out information about a site. Just run Dmitry from the menu or command line.

Netdiscover

Netdiscover is another neat tool included in Kali. It too can be run from the command prompt or from the menu system.

Zenmap

Zenmap is basically a graphical version of the ever popular nmap command. If you are not familiar with nmap, then Zenmap is a great place to start.
Like the previous commands, Zenmap can be started from the menu or command line. Once started, you will see the following screen: Just fill in the target IP address and choose what type of scan you want to perform from the Profile drop down box.
Zenmap will show you what the resulting nmap command switches are in the command box.

We saw how Recon-NG was created to mimic Metasploit so that users who are familiar with Metasploit could pick it up fairly quickly. We also covered a couple of other tools used in host identification, reconnaissance and information gathering.

Shodan allows you to find computers on the web by searching for them by keyword.
For example, you can search for all the Microsoft IIS 7. The trick to using Shodan effectively is to know the right keywords. But once you know these magic keys, in seconds you can search the world for these devices.
Or by using filter commands you can refine your search to certain devices and areas. It can also allow security teams to find possible rogue or unauthorized devices that have been added to the company network.
In this section we will briefly discuss why scanning your network space with Shodan is a good idea. We will then look at how we can do these searches from the web interface, Shodanhq.

Why scan your network with Shodan?

There are a large number of seemingly important systems that should never be publicly viewable on the Internet.
All can be found easily with just a couple of keyword searches. But that is not all. Sadly, in this new high tech world, computer systems are not the only things that can be found online. Sure, you can find large industrial HVAC environmental and building temperature controls completely open and unsecured. But you can also find other non-common devices like aquariums with an online control interface and, unbelievably, even remote controlled doors: Often the online device has security, but it comes turned off from the manufacturer, and all the user needs to do is turn it on or assign a password.
The company owner may not even have been the one who put one of these devices online. There have been a couple of reports over the years of internet enabled building controls from major companies found online.
The building contractor, obviously not understanding internet security, left them completely open or with default credentials. Searching for open systems using Shodan has become very popular. And once interesting systems are found on Shodan, the keyword searches are usually shared amongst friends or publicly posted on the internet. Granted, many are just surfing Shodan to grab screenshots of ridiculous things that people put on the web, but it is also a tool that those with nefarious purposes could use.
Shodan Website

To use Shodan, simply point your web browser to Shodanhq. You can click on any IP address to surf directly to the device found. On the left side of the screen, Shodan also shows you how many of the total devices are from a certain country or location. You can click on any of them to zero in your search, or you could use keyword filters directly in the search to fine tune the results.

Filter Guide

Using filter commands you can quickly narrow down your searches to very specific things.
You could enter something like the line below: This quickly and easily sorts through the millions of servers out there and returns the ones that match the query. Each part of a search result has a matching filter:

Server title information: you can search for other servers that contain the identical title text by putting the information into the title filter.
Server country location: again searchable by using the country filter.
Hostname: the hostname search term can be used to search for servers by domain names.
Body text area: any text entered into Shodan without a filter is assumed to be a body text search and will look for servers that have the requested information in the body text area.
To use these commands or to get more than one page of results, you need to sign up for a free Shodan account. You can scan the entire Internet or your entire domain looking for title keywords. For instance, if you wanted to find all the servers running Apache server version 2. If cameras were not allowed on your network you could quickly check for that: Title:camera hostname:YourCompany. Say you were creating a network map and wanted to search for Linux servers located near Damascus, Syria: geo

Shodan Searches with Metasploit

Shodan search capabilities have been added to the Metasploit Framework.
You just need to sign up for a free Shodan user account and get an API key from their website. Using an API key allows you to automate Shodan searches. To find systems with Metasploit, you simply use it like any other exploit: 1. Create a free account on Shodanhq. After a few seconds, you will receive some statistics on your search keyword: And then you will see the actual returns: If you want to use filter keywords, or get more than one page of responses, you will have to purchase an unlocked API key.
Conclusion

In this section we learned about the computer search engine Shodan. We learned that there are thousands, if not millions, of unsecured or under-secured systems that can be found quickly and easily on Shodan. We then learned how to search Shodan using keywords and filters, and finally we learned how to search Shodan from within Kali using Metasploit. It is critical that companies know what systems they have publicly available on the web.
Shodan is a quick and easy way to find these devices. I highly recommend that security teams, and even small business and home owners, scan their systems to see what they have publicly available on the web.

Metasploitable 2 is a purposefully vulnerable Linux distribution. What this means is that it has known bugs and vulnerabilities built in on purpose. It is a training platform made to be used with Metasploit to practice and hone your computer security skills in a legal environment.
The resources above cover a lot of information on installing and using Metasploitable 2, so I will not spend a lot of time on this topic. But we will go through a couple of the exploits using Kali just to see how things work. Just download the file, unzip it and open it with VMware Player. A link to the video can be found in the Resources section above.
And they put it right on the login screen! Logging in is pretty anti-climactic. You basically just end up at a text based terminal prompt: But we are not here to use the system from the keyboard; the goal is to try to get into the system remotely from our Kali system.
If we can determine open ports and service program versions, then we may be able to exploit a vulnerability in the service and compromise the machine. The first thing to do is to run an nmap scan and see what services are installed. We see several of the normal ports are open in the image above. There are also a lot of services running at higher ports; one in particular is an Unreal Internet Relay Chat (IRC) program: Usually, tutorials cover going after the main port services first.
But I recommend looking at services sitting at higher ports. What is more likely to be patched and up to date: common core services, or a secondary service that was installed at one time and possibly forgotten about? Our next step is to do a search for vulnerabilities for that software release. But why use Google when we can search with Metasploit?
This is great news, as the exploits are ranked according to their probability of success and stability. This backdoor was present in the Unreal3. A Meterpreter shell would be better than a command shell and give us more options, but for now we will just use the generic reverse shell. This will drop us right into a terminal shell with the target when the exploit is finished.
You are actually sitting in a terminal shell with the target machine! The Root user is the highest level user that you can be on a Linux machine. It worked! All the standard Linux commands work with our shell that we have.
Conclusion

In this chapter we learned how to use nmap to find open ports on a test target system. We also learned how to find out what services are running on those ports. We then found out how to find and use an exploit against a vulnerable service. Next we will take a quick look at some of the scanners built into Metasploit that help us find and exploit specific services.

Chapter 8 — Metasploitable - Part Two: Scanners

Introduction

In the last chapter we looked at scanning the system with Nmap to look for open ports and services.
This time we will take a look at some of the built in auxiliary scanners that come with Metasploit. Running our nmap scan produced a huge amount of open ports for us to pick and choose from. These scanners let us search and recover service information from a single computer or an entire network!
For this tutorial we again will be using our Kali system as the testing platform and the purposefully vulnerable Metasploitable 2 virtual machine as our target system.
For this tutorial we will narrow our attention to the common ports that we found open. Notice that the option we set for the remote host is plural, RHOSTS: we can put in a whole range of systems here, enabling us to scan an entire network quickly and easily to find SSH servers.
I will leave this exercise up to you.

Using Additional Scanners

Some scanners return different information than others, and some can reveal more interesting information than a version number.
If we give it a username and password, it will try to log in to the service. Notice that this one is unlike the others we have covered so far; on the Metasploitable machine it does not return a version number, it performs a banner grab. But sometimes you can find some very interesting information by using it.
Are you kidding me? If we run the id command, we can see that this user, which is the main user, is a member of multiple groups: We might be able to use this information to exploit further services. It sounds unbelievable that a company would include legitimate login credentials on a service login page, but believe it or not, it happens in real life more than you would think.

Scanning a Range of Addresses

What is also interesting is that with these scanner programs we have different options that we can set.
But what if we wanted to scan the entire network for systems that are running Samba? Instead of just scanning a single host, you can scan all clients on the network. This makes things much easier if you are just scanning for certain services running on a network. I set the threads option too. If you are scanning a local LAN, you can bump this up to make it go faster, or to 50 if testing a remote network. This will give us a little more practice in running exploits and get us used to finding and exploiting vulnerable services.
Conclusion

In this section we learned how to use some of the built in scanners to quickly scan for specific services. Some professional pentesters no longer rely on nmap as their main tool for finding services. Many go for a quick kill by looking for specific, commonly available vulnerabilities before turning to nmap.
Scanning for specific services that have a tendency to be vulnerable can be a quick way into a network. We looked at several of the core service scanners and learned how they function.
Shockingly, we were able to obtain clear text passwords from the telnet service. Once we get a set of credentials, we could use the auxiliary scanners in Metasploit to further exploit the network. Just plug those credentials into one of the scanners and sweep the entire network to see what other systems they would work on. It would be a good idea for you to take some time and look through the scanners to see what they can do.

Many people think that if they are running an anti-virus and a firewall, they are generally safe from hacker attacks.
But the truth is far from that. One part of penetration testing is getting past that pesky anti-virus. Veil is one way that we can accomplish this. Many Anti-Virus programs work by pattern or signature matching.
If a program looks like malware that it has been programmed to look for, it catches it. If the malicious file has a signature that the AV has not seen before, many will dutifully say that the file is clean and not a threat. If you can change or mask the signature of malware, or of a remote shell in this case, then most likely the AV will allow it to run and the attacker gets a remote connection to the system.
Veil, a new payload generator created by security expert and Black Hat USA class instructor Chris Truncer, does just that. It takes a standard Metasploit payload and, through a Metasploit-like program, allows you to create multiple payloads that will most likely bypass anti-virus. We will just choose the default, msfvenom.
This means that their computer will connect back to us. Next Veil will ask for the IP address of the host machine that you are using. Enter the IP address of your Kali machine and press enter. Then enter the Local port that you will be using. I chose to use port 7. And that is it! Veil will then generate our shellcode with the options that we chose. Now we need to give our created file a name. If you know they like cute puppies, then our chosen file name is perfect.
Whatever you think would be best. Veil now has all that it needs and creates our booby-trapped file. Just take the created. When it is run, it will try to connect out to our machine. We will now need to start a handler listener to accept the connection.

Getting a Remote Shell

To create the remote handler, we will be using Metasploit. Start the Metasploit Framework from the menu or with msfconsole in a terminal. They must match exactly. Metasploit will then start the handler and wait for a connection: Now we just need the victim to run the file that we sent them.
On the Windows 7 machine, if the file is executed, we will see this on our Kali system: A reverse shell session! Unfortunately many times your network security depends on your users and what they allow to run. Instruct your users to never run any programs or open any files that they get in an unsolicited e-mail.
Blocking certain file types from entering or leaving your network is also a good idea. And finally, using a Network Security Monitoring system will help track down what happened and what was compromised if the worst does happen.

User Account Control (UAC) seemed to be a nuisance in the previous Windows version, and many companies just turned it off.
Well, UAC works very well in Windows 7, and using it on even the lowest security setting prevents many attacks that worked in Windows XP. But there is a UAC bypass module in Meterpreter that will allow us to bypass this restriction and get system level access, if the user account we compromise is an administrator.
In this section we will learn how to escalate our privileges from an administrator level user to system level by bypassing UAC and creating a new session.
UAC Bypass

In this tutorial we will start with an active Meterpreter session with a Windows 7 system and a user that has administrator level rights. First we want to background the session. Now we need to use the bypassuac exploit: 3. Go ahead and set it to our active session, session one in this case, by using the set command: 5. And the final part shows the actual hashes from the system: Using the hashes to access a system or other systems on the network is covered in the Password Attack chapter.
Conclusion

In this short section we saw how to escalate a user that has Administrator privileges to the super user System level account. We were able to do this by running a Meterpreter module that allowed us to bypass the Windows User Account Control security feature.
Once we have system level access we can do anything that we want to do. We demonstrated this by dumping the password hashes from the security database.
The UAC bypass was possible because the user account we had access to was an administrator level account. It is imperative that users always be given a non-administrator level account.
The security repercussions of exceptions to this rule should be seriously considered.

Chapter 11 - Packet Captures and Man-in-the-Middle Attacks

Introduction

Another technique that may be advantageous to us is to monitor or capture network traffic on a remote machine. Think of it like a wiretap. As a wiretap records everything a person says on their telephone, a packet capture records everything your computer says on the network wire. This could include account names, passwords, etc.
In this section we will look at viewing network packets using two very different processes. For the first one we will use a Man-in-the-Middle attack on a system on a local network involving the commands arpspoof, urlsnarf and Driftnet. Using these commands we can view what website a target is on and display every graphic that the target is viewing. Secondly, we will cover running a packet capture on a remote machine through a Metasploit session.
We will then view the captured information for artifacts in Wireshark and Xplico. In both cases we will use a Windows 7 computer as the target system. A MitM attack in essence places our Kali system in between the target and the router.
This way, we see all of the traffic coming from and going to the target system. All traffic from the target system headed to the internet is re-routed first to our machine, which then captures it and forwards it to the network.
All information coming from the internet headed to the target machine is routed through our system first, again so we can review it, and then forwarded to the target system. So we tell the Target machine that we are the internet router and tell the router that we are the target system.
Now we need to run the arpspoof command. Reversing did not seem to work on a VMware host, but I was able to capture all the traffic by just using the one-way command above. Arpspoof should then start sending out the modified MAC addresses.
Maximize it to make things easier to see. Now return to the target computer system and start surfing the web. You should start to see images appearing on your Kali system. So, on the target system they would see these images: And on your remote Kali machine you should see this: All the images from the page!

Part Two: Remote Packet Capture in Metasploit

Okay, that was all well and good if we are on the same local network as the target system, but what if the target system is remote?
We will start with an active session that we obtained through an exploit. As you can see below we are connected to session 1 and have a Meterpreter shell to the target, a Windows 7 system in this case.
I had to go to the Windows 7 system and manually disable UAC to get this to work right. Even if it is set to the lowest level, it is still better than being completely off! Now, just go to the Windows 7 target system and do some surfing.
Every location you surf to and every network packet you send will be recorded on the Kali system. And that is it.

Wireshark

Okay, we have our packet capture, so what do we do with it? Wireshark is a great packet capture and analyzer program that has a ton of features and capabilities. We will just cover viewing a packet capture in Wireshark very briefly.
And you will see the stream content as shown below: As you can see we have a complete capture of an FTP login and file download. Wireshark is great for analyzing network communications, and you can do a lot with it, but it is a bit advanced for a new user and might be hard to use until you become familiar with it.
The program Xplico lists all the information from the packet capture in an easy to read menu. It also allows us to view any images or documents.

Xplico

Xplico has been added to the Kali repositories, but it may not be installed on your system yet.
It is a web based interface, so to start it you need both the Apache web server and the Xplico server started. If Xplico is not listed you will need to install it. Now click on the session name. The Main Session desktop appears. Next they went to Google and then the D-Link support website looking for support information on a DIR router. Even if no network, account information or passwords were recovered with Xplico, you can use the Web tab to gather information that could be used in a social engineering type attack.
For example, I noticed several of the surfed sites were NHL sites. I could possibly recover his favorite team from his surfing habits and again use this in a social engineering attack.

Conclusion

In the first part of this section we learned how to use the Man-in-the-Middle attack program arpspoof, along with urlsnarf and Driftnet, to view what websites a targeted local system was viewing. In the second part, we learned how to turn an exploited system into a remote packet sniffer using Meterpreter.
We then analyzed the captured traffic in Xplico. Hopefully this chapter demonstrated why it is important to secure your network. If your ARP table is not protected, it is easy for an attacker on the local LAN to perform a MitM attack and view all the traffic of a target system.
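The conclusion above rests on the fact that an unprotected ARP table lets a local attacker poison it. As an added defensive example (not code from the book), here is a small monitor that catches what a one-way arpspoof run looks like on the wire: an IP whose MAC suddenly changes, and one MAC claiming more than one IP. The addresses, MACs and ARP replies are constructed for the example; on a real LAN a sniffer would supply them.

```python
"""Detecting the ARP cache poisoning that arpspoof performs.

Added example, not from the book. A defender's monitor that watches ARP
replies on the LAN and flags an IP address (especially the gateway) that is
suddenly claimed by a different MAC, plus any single MAC that claims several
IPs, which is what a one-way arpspoof run looks like on the wire.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """One ARP reply as a sniffer would report it: 'sender_ip is at sender_mac'."""
    ts: float
    sender_ip: str
    sender_mac: str
    target_ip: str


# Constructed sample traffic (addresses are made up for this example).
# .1 is the gateway, .20 the victim, .50 the attacker (MAC de:ad:be:ef:00:50).
# The first two replies are legitimate; at t=1.0 the attacker tells the
# victim it is the gateway and tells the gateway it is the victim, then the
# real gateway answers again, so the victim's cache flaps between two MACs.
SAMPLE_REPLIES = [
    ArpReply(0.0, "192.168.56.1", "aa:bb:cc:00:00:01", "192.168.56.20"),
    ArpReply(0.5, "192.168.56.20", "aa:bb:cc:00:00:20", "192.168.56.1"),
    ArpReply(1.0, "192.168.56.1", "de:ad:be:ef:00:50", "192.168.56.20"),
    ArpReply(1.0, "192.168.56.20", "de:ad:be:ef:00:50", "192.168.56.1"),
    ArpReply(1.2, "192.168.56.1", "aa:bb:cc:00:00:01", "192.168.56.20"),
]


def detect_mac_changes(replies, gateway_ip=None, trusted=None):
    """Flag every reply in which an IP is claimed by a MAC other than the one
    last seen for it. `trusted` seeds the table with known-good IP->MAC pairs
    (for example the gateway from a static ARP entry); a change for the
    gateway is rated high, anything else medium. Returns a list of alerts."""
    last_seen = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for r in replies:
        mac = r.sender_mac.lower()
        prev = last_seen.get(r.sender_ip)
        if prev is not None and prev != mac:
            alerts.append({
                "ts": r.ts,
                "ip": r.sender_ip,
                "old_mac": prev,
                "new_mac": mac,
                "severity": "high" if r.sender_ip == gateway_ip else "medium",
            })
        # Track the latest claim so a later reply from the real owner shows
        # up as a second change (the flapping that arpspoof causes).
        last_seen[r.sender_ip] = mac
    return alerts


def macs_claiming_multiple_ips(replies):
    """Return {mac: sorted IPs} for every MAC that claimed more than one IP.
    One MAC posing as both gateway and victim is the arpspoof signature; the
    ordinary case (one MAC, one IP) is left out."""
    claims = defaultdict(set)
    for r in replies:
        claims[r.sender_mac.lower()].add(r.sender_ip)
    return {mac: sorted(ips) for mac, ips in claims.items() if len(ips) > 1}


def summarize(replies, gateway_ip):
    """Human-readable report lines for the two checks above."""
    lines = []
    for a in detect_mac_changes(replies, gateway_ip):
        lines.append(f"[{a['severity']}] t={a['ts']:.1f} {a['ip']} moved "
                     f"{a['old_mac']} -> {a['new_mac']}")
    for mac, ips in macs_claiming_multiple_ips(replies).items():
        lines.append(f"[high] {mac} claims {len(ips)} IPs: {', '.join(ips)}")
    return lines


if __name__ == "__main__":
    for line in summarize(SAMPLE_REPLIES, gateway_ip="192.168.56.1"):
        print(line)
```

Seeding `trusted` with a static entry for the gateway means the very first forged reply is caught even if the monitor started after the attack began.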
It has been a long time since I have played with BeEF, about three years in fact, but after going through a great Web Application and XSS security class, I figured it was time to brush it off again. I was very pleased to find that a ton of new features called commands have been added to BeEF since I last used it, dramatically increasing its functionality.
Granted, many attacks in BeEF no longer seem to work against Windows 7 using the latest browsers, but it appears that Windows XP systems are still very vulnerable to many of the browser attacks, even when using the latest browsers. Well, maybe not complete control, but it does give us the power to really muck with it.
As soon as the visitor visits the page, the hook is set. Notice that the user does not have to run anything or mouse over anything for the attack to work. Just visiting the page triggers the attack. You can grab the HTML of the webpage that the victim is on: And then change any links on the page in real time, without the user ever knowing, to point to wherever you want the victim to go. You can also send custom JavaScript, or even tie it in with Metasploit to attempt to get a remote shell.
As you can see, an attacker having control over the browser can be very bad.

Conclusion

BeEF can be a very interesting tool to play with and is fairly easy to use once you get the hang of it. The attacks are color coded according to the chance that they might work. You may want to try them anyway, as I have noticed that some coded as not working well seemed to work okay on occasion.
I also noticed that newer browsers seemed to stop some of the attacks, but XP was still pretty open as to what would work against it. I tried these exact same attacks against a Windows 7 system using the latest Firefox browser and nothing was displayed: A hook was created, but only lasted for about a second or two before it was dropped.
The best mitigation against this type of attack seems to be to use the latest Windows OS and browser versions. If you can, update or replace your Windows XP systems, especially if they are used online. The base security in Windows 7 and 8 is much better than Windows XP.
Social Engineering is, in effect, hacking humans. Hackers who are experts in Social Engineering will trick you into helping them or giving them access to your secured systems or areas by pretending to be someone else, someone in need, or even someone in a position of authority. As you approach the door, a deliveryman with his arms full of boxes is also arriving at the door.
What do you do? Without thinking twice, most would open the door for the poor overburdened man and let him in. You just let him in. He says that he is performing system upgrades and needs access to your system.
You ask if you should shut it down, and he responds that he just needs to check a few things first. You get up and head for the cafeteria. And just gave him access to your system. One day you get a package in the mail from a company that you just signed a major deal with.
It was the largest deal of your career and was in all the local city newspapers and on all the TV stations. You open it up to find one of the latest tablets along with a thank you note from the company thanking you for the business agreement.
The company never sent you a tablet and you just gave an enterprising social engineer a system connected to your Executive network. They are installing some new software and need you to install some new drivers. They include the software package as an attachment and give you full directions to install it. Which you do. They may take advantage of local customs, etiquettes, play off of human sympathy or just try to intimidate an employee to get what they want.
Or they could hit social media sites pretending to be from a company that you do business with or pretending to be a head hunter employment agency looking for new talent. These are just a few examples of how a social engineer might try to gain access to or procure information about a target network. There really is no limit to the ways that a talented social engineer might try to twist, deceive or threaten their way onto your network.
Social Engineering Defense

With that being said, it is imperative to train your employees to be on the lookout for these types of attacks. Have policies in place to deal with service calls, software updates, and gifts from outside companies. You can teach, instruct and even leave reminder messages and posters, but employees may still not follow corporate policy.
That is why when it comes to social engineering attacks, it is a good idea to manually test to see if your company is truly prepared. Why spend days, weeks or even months trying to penetrate layers of network security when you can just trick a user into running a file that allows you full access to their machine and bypasses anti-virus, firewalls and many intrusion detection systems?
This is most commonly used in phishing attacks today: craft an e-mail, or create a fake website, that tricks users into running a malicious file that creates a backdoor into their system. But as a security expert, how could you test this against your network?
Would such an attack work, and how could you defend against it? More recently several non-social engineering tools have also been added to SET (the Social-Engineer Toolkit), making it a very robust attack tool. In this chapter we will take a look at some of the tools included with SET and two of the attack options, both PowerShell based attacks.

Mass Emailer

One way a social engineer will attack a network is to send out a flood of e-mails to company addresses and see who will respond or run the malicious attachment sent with it.
SET comes with a Mass Emailer tool. Enter a target e-mail address: 5. Next choose to use a Gmail account or another server. For the test we will use a fake Gmail account. Next SET asks for the password of your Gmail account. Next, enter an e-mail subject line. In actual defense practice this could just be a test webpage that records the IP address of those who were tricked into surfing to the page.
That way, as a security team, we know who in our organization needs to be better educated on the risks of malicious e-mails. SET will then send out the e-mail. But what if we could make a fake site that offered up a booby-trapped script which, if the user allows it to run, creates a remote shell to the user's system? We will use SET to create a fictitious website that will offer up a booby-trapped Java app.
And if the user allows the app to run, we get a full remote session to the system. From the main SET menu: 1. Notice the other options available.