Hi friends
welcome to the third part of the tutorial:
Planning
We begin in the planning phase of our methodology. If you are working on a larger engagement and need a collaborative solution then Dradis is the tool of choice. It provides capabilities for centralized documentation, team collaboration, and most importantly the ability to import information from our various tools within Kali. There are two versions of Dradis: a community version and a commercial version. As you can guess, the version on Kali is the community version. Let's run through a quick example and fire up Dradis to create our project structure. When you first launch Dradis you will be greeted with an initialization screen. Give the server a password and select the option to create a new project.
Once you login with no username and the server password you will be dropped into the Dradis framework console. From there we will implement our penetration testing methodology and plan by adding branches and notes. Since we have a lot to cover I will leave it up to the reader to research more on Dradis.
Within a few minutes we have mapped out our project tasks, Rules of Engagement, objectives, and remaining methodology steps.
Dradis is a great tool, but don’t expect it to be a full-fledged project management suite. If you need more firepower don’t forget that Kali has a number of pre-installed applications such as Ruby and MySQL. With this in mind you’re a few steps away from setting up Redmine to add resource planning and Gantt charts to your Kali instance.
Now that we have our project planning and documentation mechanism in place we can move on to the next phase of the penetration testing methodology and that's discovery.
Discovery
We decide to kick off the Discovery phase by running TheHarvester. TheHarvester is written by Christian and allows us to collect information about a target organization from a variety of sources including Google, Facebook, LinkedIn, Spoke, etc. Let's take a closer look at TheHarvester. The screenshot shows TheHarvester's options and some example usage. In the next example we'll run TheHarvester against our target domain querying Bing. We also want to ensure we limit our returned results to 100. The command and its output would look something like:
With these options selected TheHarvester will query Bing for our domain looking for email addresses as well as additional linked domains. The -n and -t options tell TheHarvester to perform reverse DNS lookups on the IP range identified for the domain queried and to expand the search for our domain across all top-level domains. For example, if our domain was nbc.com it would attempt to find domains such as nbc.ca, nbc.biz, etc.
TheHarvester can pull together a significant amount of information that we can use during the scanning phase of Discovery, but in this case we decide to utilize some additional tools to further our Information Gathering efforts prior to moving on to scanning.
At this point we decide that we want to interrogate DNS a bit more with the information gathered from TheHarvester. Because of its features we have chosen to run our domains through Fierce. Fierce can initiate DNS zone transfer attempts as well as perform brute-force lookups against DNS. While TheHarvester can perform DNS brute-forcing as well, Fierce contains added functionality and more granular options such as controlling the number of threads used for execution. Here are the Fierce options along with the output from our target domain. Please note that the output here may not be ideal given the test domain that we are using for this example.
With this information in hand we can now import the output from the tools into Dradis and move on to scanning, enumerating services, and vulnerability identification.
Once we have completed Information Gathering we need to start enumerating discovered networks and services. Kali again saves the day by giving us all the tools we need in one location. While in the normal course of our engagements we would turn to nmap, we wanted to cover a couple of other lesser-known scanners, starting with fping and hping3.
So, using our case study, now that we have discovered hosts within our domain we will utilize fping to identify systems on our target network.
Based on the output of fping we know that ICMP is enabled and that we were able to enumerate our target network. Now we select one of our hosts and perform a SYN scan with hping3.
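To make the fping and hping3 results above usable later in the engagement (and to show what the reply flags in a SYN scan actually mean), here is an added Python example that is not part of the original post. The fping and hping3 lines it parses are constructed to mimic those tools' output formats; they were not captured from a real target. It classifies an hping3 reply with SYN/ACK set (flags=SA) as an open port and a reply with RST set (flags=RA) as closed.

```python
"""Interpret fping and hping3 output from a host/port sweep.

Added example, not from the original post. The sample lines below are
constructed to mimic the tools' output; they were not captured from a real
target.
"""
import re
from typing import Dict, List

# Constructed fping output (what `fping -g <range>` prints for each address).
FPING_OUTPUT = """\
10.0.0.1 is alive
10.0.0.2 is alive
10.0.0.3 is unreachable
10.0.0.4 is alive
"""

# Constructed hping3 SYN-scan replies (`hping3 -S -p <port> <host>`).
# A SYN/ACK reply (flags=SA) means the port is open; RST/ACK (flags=RA)
# means closed; no reply at all usually means the port is filtered.
HPING3_OUTPUT = """\
len=46 ip=10.0.0.2 ttl=128 DF id=1 sport=445 flags=SA seq=0 win=8192 rtt=0.4 ms
len=46 ip=10.0.0.2 ttl=128 DF id=2 sport=139 flags=SA seq=1 win=8192 rtt=0.3 ms
len=46 ip=10.0.0.2 ttl=128 DF id=3 sport=23 flags=RA seq=2 win=0 rtt=0.3 ms
"""

FPING_RE = re.compile(r"^(\S+) is (alive|unreachable)\s*$")
HPING_RE = re.compile(r"ip=(\S+) .*?sport=(\d+) flags=([A-Z]+)")


def alive_hosts(fping_text: str) -> List[str]:
    """Return the addresses fping reported as alive, in output order."""
    hosts = []
    for line in fping_text.splitlines():
        m = FPING_RE.match(line.strip())
        if m and m.group(2) == "alive":
            hosts.append(m.group(1))
    return hosts


def classify_ports(hping_text: str) -> Dict[str, Dict[int, str]]:
    """Map host -> {port: 'open'|'closed'|'other'} from hping3 SYN-scan replies."""
    result: Dict[str, Dict[int, str]] = {}
    for line in hping_text.splitlines():
        m = HPING_RE.search(line)
        if not m:
            continue
        host, port, flags = m.group(1), int(m.group(2)), m.group(3)
        if "S" in flags and "A" in flags:
            state = "open"       # SYN/ACK: the service accepted the handshake
        elif "R" in flags:
            state = "closed"     # RST: nothing listening on that port
        else:
            state = "other"
        result.setdefault(host, {})[port] = state
    return result


if __name__ == "__main__":
    print("alive:", alive_hosts(FPING_OUTPUT))
    for host, ports in classify_ports(HPING3_OUTPUT).items():
        for port, state in sorted(ports.items()):
            print(f"{host}:{port} {state}")
```

The parsed host list and port states are what you would paste into a Dradis note for the host, rather than the raw tool output.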
Using our list of services we can run nmap against the open ports to identify operating system and service versions.
Next we are going to leverage nmap's vulnerability scanner to check for SMB vulnerabilities on this host. First, let's quickly look at nmap's scripting parameters.
If you are interested you can take a look at the scripts supplied with nmap. On Kali you can find them in /usr/share/nmap/scripts. After doing a bit of searching we come across smb-check-vulns.
After looking at nmap's documentation we find that this script can be used to identify vulnerability conditions with SMB. We also learn that we need to supply an unsafe flag to get it to fully run our scan. With the consequences in mind, and more importantly with permission to impact system availability, we run our scan.
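The service/version scan and the smb-check-vulns script run above both produce output we later need in Dradis and in the report. The following added Python example (not from the original post) shows one way to do that: it assumes nmap was run with -oX so its results are machine-readable, and turns the XML into a host/service inventory plus a list of script findings flagged VULNERABLE. The XML is a constructed sample in nmap's schema, including a constructed smb-check-vulns result; it was not captured from a real host.

```python
"""Turn nmap XML output into a host/service inventory and a findings list.

Added example, not from the original post. Assumes nmap was run with -oX.
SAMPLE_NMAP_XML is a constructed sample in nmap's schema, not real output.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV --script smb-check-vulns -oX scan.xml 10.0.0.2">
  <host>
    <status state="up"/>
    <address addr="10.0.0.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="139">
        <state state="open"/>
        <service name="netbios-ssn" product="Microsoft Windows netbios-ssn"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds" product="Microsoft Windows XP microsoft-ds"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed"/>
        <service name="telnet"/>
      </port>
    </ports>
    <hostscript>
      <script id="smb-check-vulns" output="&#xa;  MS08-067: VULNERABLE&#xa;  Conficker: Likely CLEAN&#xa;  regsvc DoS: NOT VULNERABLE"/>
    </hostscript>
  </host>
</nmaprun>
"""

PortEntry = Tuple[int, str, str, str, str]  # (port, proto, state, service, product)


def parse_nmap_xml(xml_text: str) -> Dict[str, List[PortEntry]]:
    """Return {addr: [(port, proto, state, service, product), ...]} for hosts that are up."""
    inventory: Dict[str, List[PortEntry]] = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        entries: List[PortEntry] = []
        for port in host.iter("port"):
            state = port.find("state").get("state")
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            product = svc.get("product", "") if svc is not None else ""
            entries.append((int(port.get("portid")), port.get("protocol"), state, name, product))
        inventory[addr] = entries
    return inventory


def vulnerable_findings(xml_text: str) -> List[Tuple[str, str, str]]:
    """Return (addr, script id, line) for script output lines ending in VULNERABLE."""
    findings = []
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for script in host.iter("script"):
            # nmap stores multi-line script output with &#xa; entities, which the
            # parser decodes to real newlines.
            for line in script.get("output", "").splitlines():
                line = line.strip()
                if line.endswith("VULNERABLE") and not line.endswith("NOT VULNERABLE"):
                    findings.append((addr, script.get("id"), line))
    return findings


def dradis_note(xml_text: str) -> str:
    """Render open ports and findings as a plain-text note for Dradis."""
    lines = []
    for addr, entries in parse_nmap_xml(xml_text).items():
        lines.append(f"Host {addr}")
        for port, proto, state, name, product in sorted(entries):
            if state == "open":
                lines.append(f"  {port}/{proto} {name} {product}".rstrip())
    for addr, script_id, finding in vulnerable_findings(xml_text):
        lines.append(f"Finding {addr} [{script_id}] {finding}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(dradis_note(SAMPLE_NMAP_XML))
```

Keeping the XML rather than only a screenshot means the same file feeds both the Dradis import and the final report, which is the point made in the Reporting section below.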
We have come to the end of this phase of Discovery. We now have enough information to begin the attack phase of our penetration test against our target environment.
Attack
Gaining Access
Now that we have identified several vulnerabilities as well as the likelihood of exploitation we decide to try and exploit the MS08-067 vulnerability identified with our nmap scan. We leverage the Metasploit framework to begin our initial attack vector. Metasploit is very powerful and could be used for various phases within our methodology. That being said, Kali provides many options that can be leveraged to meet our testing objectives. In this particular case Metasploit provides a perfect vehicle to exploit this particular vulnerability.
Prior to launching Metasploit we need to startup the Postgres database and the Metasploit server component. These are not configured to startup on boot by default in Kali.
Next, we launch Metasploit console with the msfconsole command. After doing an initial search we discover that Metasploit does have an exploit for MS08-067. We configure the exploit with the bind shell Meterpreter payload to make us work a bit harder for our objectives. Once all the options are configured we run the exploit using the exploit command.
Success! We have exploited our vulnerability and have gained access to our system.
System Browsing
Now we'd like to validate our access as well as upload additional tools to gather information and launch further attacks. After confirming that we are running as SYSTEM, we decide that we should dump hashes in order to help with attacks against other systems.
Once we have the hashes we can launch John on our Kali system to crack the administrator password. On many networks the administrator account password will be the same across all systems or groups of systems, so this will come in handy as we continue to exploit our target network.
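The password-reuse point above is worth documenting in the report even before any cracking is attempted: two hosts with the same NT hash for the RID 500 account have the same local Administrator password. The following added Python example (not from the original post) audits hashdump output from several hosts for exactly that, and also lists hosts that still store LM hashes. The dump lines are constructed in the user:rid:lmhash:nthash::: format that Meterpreter's hashdump prints, and every hash value in them is made up; the host addresses are placeholders.

```python
"""Audit hashdump-style output from several hosts for shared Administrator passwords.

Added example, not from the original post. DUMPS is constructed in the
user:rid:lmhash:nthash::: format; the hash values are made up, not real hashes.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Marker meaning "no LM hash stored" (LM hashing disabled), the state you want to see.
EMPTY_LM_HASH = "aad3b435b51404eeaad3b435b51404ee"

# Constructed dumps keyed by the (placeholder) host they were taken from.
DUMPS = {
    "10.0.0.2": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c0ffee000000000000000000000000aa:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:deadbeef000000000000000000000bbb:::
""",
    "10.0.0.4": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:c0ffee000000000000000000000000aa:::
svc_backup:1001:0123456789abcdef0123456789abcdef:cafebabe000000000000000000000ccc:::
""",
    "10.0.0.7": """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0badf00d000000000000000000000ddd:::
""",
}

HashRow = Tuple[str, int, str, str]  # (user, rid, lm, nt)


def parse_hashdump(text: str) -> List[HashRow]:
    """Return (user, rid, lm, nt) rows from hashdump lines; malformed lines are skipped."""
    rows: List[HashRow] = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        rows.append((parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return rows


def shared_admin_hashes(dumps: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each RID-500 NT hash seen on more than one host to the hosts sharing it."""
    by_hash: Dict[str, List[str]] = defaultdict(list)
    for host, text in dumps.items():
        for _user, rid, _lm, nt in parse_hashdump(text):
            if rid == 500:  # built-in Administrator, regardless of its current name
                by_hash[nt].append(host)
    return {nt: hosts for nt, hosts in by_hash.items() if len(hosts) > 1}


def hosts_storing_lm(dumps: Dict[str, str]) -> List[str]:
    """Hosts where any account still has a real LM hash (weak; should be disabled)."""
    return sorted({host for host, text in dumps.items()
                   for _u, _r, lm, _n in parse_hashdump(text) if lm != EMPTY_LM_HASH})


if __name__ == "__main__":
    for nt, hosts in shared_admin_hashes(DUMPS).items():
        print(f"Administrator password shared by {', '.join(hosts)} (NT hash {nt})")
    print("hosts still storing LM hashes:", hosts_storing_lm(DUMPS))
```

Both results are findings in their own right for the report: shared local Administrator passwords and LM hash storage are each fixed by policy (unique local passwords per host, NoLMHash), independent of whether the password is ever recovered.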
Installing Additional Tools
Once we dump hashes we decide to upload some additional tools to pivot and launch attacks from our compromised host. While we could download our tool-kits using Meterpreter, we wanted to demonstrate a couple of additional ways to upload tools to our exploited host. In order to continue we drop into a shell. We decide to leverage the Windows tftp.exe client to upload our tool-set. We first need to start the tftp daemon on our Kali instance. In order to do this we ran:
Once our tftp server started we downloaded sbd.exe as well as created an administrator account, so we can get back into our target in the future.
Next, we launch our backdoor using sbd.exe. Sbd is very similar to Netcat; however, it allows us to encrypt our data channel with a shared secret.
We then connect with the sbd client on our Kali machine.
Using this backdoor we can repeat our Discovery process to identify additional hosts or networks and vulnerabilities. We can also use this access to pivot and launch attacks until our objectives are met.
Reporting
Documentation is critical to the success of the penetration test. This can be performed through screenshots or tool output. Since we are using Dradis we ensure that we output all tools to text or XML files as well as take screenshots where tool output is less efficient. Some tools provide self-documenting features. Take Metasploit for instance. It provides a database that captures output from various tools as you progress through your penetration test. In addition, Meterpreter has the screenshot feature that allows us to take a screen capture of the victim's desktop. Here is a screenshot from our previously compromised host.
Once this data is input or imported into Dradis we can output reports in HTML and Word documents. The screen shot below should give you the idea.
Conclusion
Kali is a valuable resource when performing penetration testing. Sometimes the tools can seem a bit overwhelming. Leveraging a methodology such as NIST 800-115 will bring some consistency and continuity to your penetration tests. While we did not cover every tool on the distribution nor demonstrate all mapped tools in our example, we hope this brief introduction will help you formulate a plan of attack when using Kali for penetration testing.