

Sunday, August 25, 2019

Kali Linux Revealed: Mastering the Penetration Testing Distribution. For the purpose of the CC-BY-SA license, Kali Linux Revealed is an Adaptation of the ... This tutorial gives a complete understanding of Kali Linux and explains how to use it in practice. Audience: on completing this tutorial, you will find yourself at a moderate level of expertise, from where you can take yourself to the ... pdf-parser.

Kali Linux Complete Tutorial Pdf

Language: English, Spanish, French
Published (Last): 22.07.2015
ePub File Size: 24.80 MB
PDF File Size: 11.10 MB
Distribution: Free* [*Register to download]
Uploaded by: VANCE

Kali Linux Wireless Penetration Testing Beginner's Guide. Kali Linux can be installed on a machine as an operating ... This tutorial gives a complete Kali L... This book is a complete unofficial documentation of all the tools in Kali Linux. The author(s) are not held liable for any mistakes made by the ... Basic Security Testing with Kali Linux. Cover design and photo provided by ... Any errors, mistakes, or tutorial goofs in this book are solely mine and should not ... Metasploit gives you a complete framework, or playground, for security testing.

There are a large number of seemingly important systems that should never be publicly viewable on the Internet, and all of them can be found easily with just a couple of keyword searches. But that is not all. Sadly, in this new high-tech world, computer systems are not the only things that can be found online. Sure, you can find large industrial HVAC environmental and building temperature controls completely open and unsecured.

But you can also find other, less common devices such as aquariums with an online control interface and, unbelievably, even remote-controlled doors. Often the online device does have security, but it ships turned off by the manufacturer, and all the user needs to do is turn it on or assign a password. And many times when a password is used, it is left at the factory default, which is easily found, or set to a simple password that is easily cracked.

The company owner may not even have been the one who put one of these devices online. There have been a couple of reports over the years of Internet-enabled building controls from major companies found online. The building contractor, obviously not understanding Internet security, left them completely open or with default credentials. Searching for open systems using Shodan has become very popular, and once interesting systems are found on Shodan, the keyword searches are usually shared among friends or publicly posted on the Internet.

Granted, many are just surfing Shodan to grab screenshots of ridiculous things that people put on the web, but it is also a tool that those with nefarious purposes could use.

Shodan Website

To use Shodan, simply point your web browser to Shodanhq. Then all you need to do is enter your keyword and click Search, just as you would on any search engine. Shodan returns links to about two million Cisco routers worldwide. You can click on any IP address to surf directly to the device found.

On the left side of the screen, Shodan also shows you how many of the total devices are from a certain country or location. You can click on any of them to narrow your search, or you can use keyword filters directly in the search to fine-tune the results.

Filter Guide

Using filter commands you can quickly narrow down your searches to very specific things. You could enter something like the line below: ... This quickly and easily sorts through the millions of servers out there and returns the ones that match the query.

Here is a sample search result: ... Server title information: you can search for other servers that contain identical title text by putting the information into the title command.

Designates the server's country location, again searchable by using the country command. The hostname search term can be used to search for servers by domain name. Body text area: any text entered into Shodan without a filter is assumed to be a body text search and will look for servers that have the requested information in the body text area.

To use these commands, or to get more than one page of results, you need to sign up for a free Shodan account. ... US city: Memphis ... Better yet, combine the two if the city you are looking for exists in more than one country. You can scan the entire Internet or your entire domain looking for title keywords. For instance, if you wanted to find all the servers running Apache server version 2. ...

Just use a minus sign and the HTTP error code: ... Boston ... Or you could do a quick security scan of your domain for old systems that need to be updated. ... FR ... Title searches work great too. If cameras were not allowed on your network, you could quickly check for that. Say you were creating a network map and wanted to search for Linux servers located near Damascus, Syria: ... Other search terms you can use include: search by port number, search by operating system, and search for servers using dates.

Shodan Searches with Metasploit

Shodan search capabilities have been added to the Metasploit Framework. You just need to sign up for a free Shodan user account and get an API key from their website. Using an API key allows you to automate Shodan searches.

To find systems with Metasploit, you simply use it like any other exploit: ... Create a free account on Shodanhq. Obtain an API key (http: ...). Now set the Query field with the keyword you want to search for: ... After a few seconds, you will receive some statistics on your search keyword: ... And then you will see the actual returns: ... If you want to use filter keywords, or get more than one page of responses, you will have to download an unlocked API key.
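The filter guide above is easiest to understand by modelling it. The following is an added Python example, not code from the book or from Shodan, that evaluates a Shodan-style query (port:, country:, hostname:, os:, title:, a bare word for body text, and a leading minus for negation) against a constructed inventory of exposed services; the matching rules (domain-suffix match for hostname, substring match for title, os and body) are this example's assumptions rather than Shodan's exact behaviour. The intended use is the one the chapter's conclusion recommends: run the queries over an inventory of your own address space to see what an outsider would find.

```python
import shlex
from dataclasses import dataclass

# Filters modelled here (assumption: a simplified reading of the filter guide,
# not Shodan's exact semantics): port, country, hostname, os, title; a bare
# word searches the banner body; a leading "-" negates a term.
FILTER_FIELDS = {"port", "country", "hostname", "os", "title"}


@dataclass
class Banner:
    """One exposed service as an inventory record (constructed, not real hosts)."""
    ip: str
    port: int
    country: str
    hostname: str
    os: str
    title: str
    body: str


# Constructed inventory: documentation IP ranges, invented hostnames and banners.
INVENTORY = [
    Banner("203.0.113.10", 80, "US", "www.example.com", "Linux",
           "Apache2 Default Page", "Server: Apache/2.2.22"),
    Banner("203.0.113.11", 23, "US", "switch1.example.com", "",
           "", "User Access Verification Password:"),
    Banner("198.51.100.5", 8080, "FR", "cam-lobby.example.com", "",
           "Network Camera", "IP camera web interface"),
    Banner("198.51.100.6", 22, "FR", "bastion.example.com", "Linux",
           "", "SSH-2.0-OpenSSH_5.3"),
    Banner("192.0.2.7", 80, "US", "store.partner.net", "Windows",
           "IIS7", "HTTP/1.1 404 Not Found"),
]


def parse_query(query):
    """Split a query into (negated, field, value) terms.

    field is None for a bare body-text term. shlex keeps quoted values such as
    title:"Network Camera" together as one token.
    """
    terms = []
    for token in shlex.split(query):
        negated = token.startswith("-")
        if negated:
            token = token[1:]
        field, sep, value = token.partition(":")
        if sep and field.lower() in FILTER_FIELDS:
            terms.append((negated, field.lower(), value))
        else:
            terms.append((negated, None, token))
    return terms


def term_matches(rec, field, value):
    """Does one (non-negated) term match an inventory record?"""
    if field is None:
        return value.lower() in rec.body.lower()
    if field == "port":
        return rec.port == int(value)
    if field == "country":
        return rec.country.upper() == value.upper()
    if field == "hostname":
        # Domain-suffix match so hostname:example.com also hits sub-hosts.
        host = rec.hostname.lower()
        return host == value.lower() or host.endswith("." + value.lower())
    if field == "os":
        return value.lower() in rec.os.lower()
    if field == "title":
        return value.lower() in rec.title.lower()
    return False


def search(inventory, query):
    """Return the records matching every term (negated terms must not match)."""
    terms = parse_query(query)
    return [rec for rec in inventory
            if all(term_matches(rec, f, v) != neg for neg, f, v in terms)]


if __name__ == "__main__":
    # What of "our" domain is exposed, and which of it is a camera or telnet?
    for query in ("hostname:example.com", "port:23", 'title:"Network Camera"',
                  "country:US -404"):
        print(query, "->", [r.ip for r in search(INVENTORY, query)])
```

Each term is evaluated independently and the results are ANDed, which is why "country:US -404" keeps the two US hosts whose banner does not contain a 404 page, the same narrowing the chapter describes with the minus sign.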

Conclusion

In this section we learned about the computer search engine Shodan. We learned that there are thousands, if not millions, of unsecured or under-secured systems that can be found quickly and easily on Shodan. We then learned how to search Shodan using keywords and filters, and finally we learned how to search Shodan from within Kali using Metasploit. It is critical that companies know what systems they have publicly available on the web.

Shodan is a quick and easy way to find these devices. I highly recommend that security teams, and even small business and home owners, scan their systems to see what they have publicly available on the web.

Metasploitable 2 is a purposefully vulnerable Linux distribution. What this means is that it has known bugs and vulnerabilities built in on purpose. It is a training platform made to be used with Metasploit to practice and hone your computer security skills in a legal environment.

The resources above cover a lot of information on installing and using Metasploitable 2 so I will not spend a lot of time on this topic.

But we will go through a couple of the exploits using Kali just to see how things work. Just download the file, unzip it and open it with VMware Player. A link to the video can be found in the Resources section above. Once Metasploitable boots up you will come to the main login screen: ... To log in, enter the name and password shown on the menu: ... And they put it right on the login screen! Logging in is pretty anticlimactic. You basically just end up at a text-based terminal prompt: ... But we are not here to use the system from the keyboard; the goal is to try to get into the system remotely from our Kali system.

If we can determine open ports and service program versions, then we may be able to exploit a vulnerability in the service and compromise the machine. The first thing to do is to run an nmap scan and see what services are installed. This will show us the open ports and try to enumerate what services are running: ... In a few minutes you will see a screen that looks like this: ... For each port, we see the port number, the service type and even an attempt at the service software version.

We see several of the normal ports are open in the image above. Tutorials usually cover going after the main port services first, but I recommend looking at services sitting at higher ports. Which is more likely to be patched and up to date: common core services, or a secondary service that was installed at one time and possibly forgotten about?

Our next step is to do a search for vulnerabilities for that software release. But why use Google when we can search with Metasploit? Running this search returns: ... An Unreal 3. ...

This is great news, as the exploits are ranked according to the probability of success and stability. If you remember from our introduction to Metasploit, there are several steps to exploiting a vulnerability: ... Doing so we find the following: ... This backdoor was present in the Unreal3. ... All that is needed is the remote host address: ... Unfortunately they are all command shells. A Meterpreter shell would be better than a command shell and would give us more options, but for now we will just use the generic reverse shell.

This will drop us right into a terminal shell with the target when the exploit is finished. Now, just type: ... Notice it says that a session is opened, but then it just gives you a blinking cursor. You are actually sitting in a terminal shell on the target machine!

The root user is the highest-level user that you can be on a Linux machine. It worked! All the standard Linux commands work in the shell we have. For instance, we can display the password file: ... We would have to crack the password file to get the actual passwords; we will take a look at this in the Password Attacks chapter.

Conclusion

In this chapter we learned how to use nmap to find open ports on a test target system.

We also learned how to find out what services are running on those ports. We then found out how to find and use an exploit against a vulnerable service. Next we will take a quick look at some of the scanners built into Metasploit that help us find and exploit specific services.

Chapter 8 — Metasploitable - Part Two: Scanners

Introduction

In the last chapter we looked at scanning the system with Nmap to look for open ports and services.

This time we will take a look at some of the built-in auxiliary scanners that come with Metasploit. Running our nmap scan produced a large number of open ports for us to pick and choose from. These scanners let us search for and recover service information from a single computer or an entire network! For this tutorial we will again be using our Kali system as the testing platform and the purposefully vulnerable Metasploitable 2 virtual machine as our target system.

For this tutorial we will narrow our attention to the common ports that we found open. As a refresher, here are the results from the nmap scan performed in the last chapter: ... Go ahead and search Metasploit for ssh scanners: ... Notice that several are available. We see that our target is indeed running an SSH server and we see the software version: ... Notice that the option we set for the remote host is plural, RHOSTS; we can put in a whole range of systems here, enabling us to scan an entire network quickly and easily to find SSH servers.

I will leave this exercise up to you.

Using Additional Scanners

Some scanners return different information than others. The scan reveals that MySQL 5. ... But others can reveal some more interesting information. If we supply a username and password, it will try to log in to the service. Notice that this is unlike the others we have covered so far; on the Metasploitable machine it does not return a version number, it performs a banner grab.

But sometimes you can find some very interesting information by using it. Now, when we type exploit we see this: ... It just looks like a bunch of text with no hint as to what level of software is running. But if we look closer, we can see something else: ... Are you kidding me? And we are in! If we run the id command, we can see that this user, which is the main user, is a member of multiple groups: ... We might be able to use this information to exploit further services. It sounds unbelievable that a company would include legitimate login credentials on a service login page, but believe it or not, it happens in real life more often than you would think.

Scanning a Range of Addresses

What is interesting too is that with these scanner programs we have different options that we can set. But what if we wanted to scan the entire network for systems that are running Samba? Instead of just scanning a single host, you can scan all clients on the ... Notice now it scanned all hosts on the network and found Samba running on our Metasploitable 2 machine at ... This makes things much easier if you are just scanning for certain services running on a network.

I set the threads option too. If you are scanning a local LAN, you can bump this up to ... to make it go faster, or up to 50 if testing a remote network. This will give us a little more practice in running exploits and get us used to finding and exploiting vulnerable services. So, all we need to do is just use the exploit, set the RHOST value to our target Metasploitable system and run the exploit: ...

Conclusion

In this section we learned how to use some of the built-in scanners to quickly scan for specific services.

Some professional pentesters no longer rely on nmap as the main tool for finding services. Many go for a quick kill by looking for specific, commonly available vulnerabilities before turning to nmap. Scanning for specific services that have a tendency to be vulnerable can be a quick way into a network. We looked at several of the core service scanners and learned how they function. Shockingly, we were able to obtain clear-text passwords from the telnet service.

Once we get a set of credentials, we could use the auxiliary scanners in Metasploit to further exploit the network. Just plug those credentials into one of the scanners and sweep the entire network to see what other systems they would work on. It would be a good idea for you to take some time and look through them to see what they can do.

Many people think that if they are running an anti-virus and a firewall, they are generally safe from hacker attacks. But the truth is far from that. One part of penetration testing is getting past that pesky anti-virus. Veil is one way that we can accomplish this. Many anti-virus programs work by pattern or signature matching.

If a program looks like malware that it has been programmed to look for, it catches it. If the malicious file has a signature that the AV has not seen before, many will dutifully say that the file is clean and not a threat. If you can change or mask the signature of malware, or of a remote shell in this case, then most likely the AV will allow it to run and the attacker gets a remote connection to the system. Veil, a new payload generator created by security expert and Black Hat USA class instructor Chris Truncer, does just that.


It takes a standard Metasploit payload and, through a Metasploit-like program, allows you to create multiple payloads that will most likely bypass anti-virus.

... And this will bring you to the main menu: ... This will select the payload and present us with the following screen: ... We will just choose the default, msfvenom. This means that their computer will connect back to us. Next, Veil will ask for the IP address of the host machine that you are using. Enter the IP address of your Kali machine and press Enter. Then enter the local port that you will be using.

I chose to use port ... And that is it! Veil will then generate our shellcode with the options that we chose. Now we need to give our created file a name. If you know they like cute puppies, then our chosen file name is perfect. Whatever you think would be the best.

Veil now has all that it needs and creates our booby-trapped file. Just take the created ... file. When it is run, it will try to connect out to our machine. We will now need to start a handler listener to accept the connection.

Getting a Remote Shell

To create the remote handler, we will be using Metasploit. Start the Metasploit Framework from the menu or from a terminal with msfconsole. Be sure to put in the IP address for your machine and the port that you entered into Veil.

They must match exactly. Metasploit will then start the handler and wait for a connection: ... Now we just need the victim to run the file that we sent them. On the Windows 7 machine, if the file is executed, we will see this on our Kali system: ... A reverse shell session!

Conclusion

This should help prove that you cannot trust your firewall and anti-virus alone to protect you from online threats.

Unfortunately, many times your network security depends on your users and what they allow to run. Instruct your users never to run any programs or open any files that they get in an unsolicited e-mail. Blocking certain file types from entering or leaving your network is also a good idea. And finally, using a Network Security Monitoring system will help track down what happened and what was compromised if the worst does happen.
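The conclusion's advice to run a Network Security Monitoring system is concrete enough to sketch. The following added Python example, not code from the book or from Veil, reads a constructed Zeek-style conn.log excerpt (invented connection uids, hosts in 10.1.0.0/16 standing in for the workstation network, and port 4444 standing in for whatever port was typed into Veil) and flags established outbound connections from workstations to external hosts on ports that are not on an allowlist. Long-lived connections, as an interactive shell session tends to be, are marked separately, because a handler listening on 443 would pass the port check and the duration is then the stronger signal.

```python
import ipaddress

# Constructed Zeek-style conn.log excerpt (tab separated). Uids, hosts, ports
# and byte counts are invented for this example.
CONN_LOG = """\
ts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tduration\torig_bytes\tresp_bytes\tconn_state
1566700000.1\tC1\t10.1.2.34\t49211\t93.184.216.34\t443\ttcp\t1.2\t1500\t9800\tSF
1566700010.4\tC2\t10.1.2.34\t49212\t10.1.0.5\t53\tudp\t0.01\t60\t120\tSF
1566700030.9\tC3\t10.1.2.34\t49213\t198.51.100.77\t4444\ttcp\t812.5\t4096\t20480\tS1
1566700040.2\tC4\t10.1.2.35\t49300\t203.0.113.8\t8443\ttcp\t0.0\t0\t0\tS0
1566700050.7\tC5\t10.1.2.36\t49301\t198.51.100.77\t80\ttcp\t2.0\t900\t2200\tSF
"""

# Ports a workstation is expected to reach on the Internet; anything else
# outbound deserves a look (assumption: tune to your own environment).
ALLOWED_OUTBOUND_PORTS = {80, 443, 53, 123}
# Zeek conn_state values that mean the TCP handshake actually completed.
ESTABLISHED_STATES = {"S1", "S2", "S3", "SF", "RSTO", "RSTR"}


def parse_conn_log(text):
    """Yield one dict per record, keyed by the header line's field names."""
    lines = [line for line in text.splitlines() if line.strip()]
    fields = lines[0].split("\t")
    for line in lines[1:]:
        yield dict(zip(fields, line.split("\t")))


def find_callbacks(text, internal_nets=("10.1.0.0/16",),
                   allowed_ports=ALLOWED_OUTBOUND_PORTS, min_duration=60.0):
    """Flag established connections from an internal host to an external host
    on a port outside the allowlist. 'long_lived' marks sessions that stayed
    open at least min_duration seconds."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    hits = []
    for rec in parse_conn_log(text):
        src = ipaddress.ip_address(rec["id.orig_h"])
        dst = ipaddress.ip_address(rec["id.resp_h"])
        port = int(rec["id.resp_p"])
        if not any(src in n for n in nets) or any(dst in n for n in nets):
            continue  # only workstation -> outside traffic is of interest
        if port in allowed_ports:
            continue
        if rec["conn_state"] not in ESTABLISHED_STATES:
            continue  # S0 and friends: an attempt, nothing ever came back
        duration = float(rec["duration"])
        hits.append({
            "uid": rec["uid"],
            "src": str(src),
            "dst": f"{dst}:{port}",
            "duration": duration,
            "long_lived": duration >= min_duration,
        })
    return hits


if __name__ == "__main__":
    for hit in find_callbacks(CONN_LOG):
        print(hit)
```

With the defaults only C3 is reported: a workstation holding an established session to an external host on 4444 for over thirteen minutes. Emptying the allowlist shows the trade-off, since the ordinary HTTPS and HTTP sessions then surface too, which is why the port filter is a first cut and not the detection on its own.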

User Access Control (UAC) seemed to be a nuisance in the previous Windows version, and many companies just turned it off. Well, UAC works very well in Windows 7, and using it on even the lowest security setting prevents many attacks that worked in Windows XP.

But there is a UAC bypass module in Meterpreter that will allow us to bypass this restriction and get SYSTEM level, if the user account we compromise is an administrator.

In this section we will learn how to escalate our privileges from an administrator level user to system level by bypassing UAC and creating a new session.

UAC Bypass

In this tutorial we will start with an active Meterpreter session with a Windows 7 system and a user that has administrator-level rights. First we want to background the session. Now we need to use the bypassuac exploit: ... Go ahead and set it to our active session, session one in this case, by using the set command: ... Excellent, you can see that the user was in fact a member of the administrators group, the UAC bypass worked, and a new session is created.

The first part of the hashdump display above shows the three regular system users, Alice, Bob and George, and displays the logon password hints they set when they created their passwords.

And the final part shows the actual hashes from the system: ... Using the hashes to access a system or other systems on the network is covered in the Password Attack chapter.

Conclusion

In this short section we saw how to escalate a user that has Administrator privileges to the SYSTEM-level super-user account. We were able to do this by running a Meterpreter module that allowed us to bypass the Windows User Access Control security feature.

Once we have system level access we can do anything that we want to do. We demonstrated this by dumping the password hashes from the security database.

The UAC bypass was possible because the user account we had access to was an administrator level account.

It is imperative that users always be given a non-administrator-level account. The security repercussions of exceptions to this rule should be seriously considered.

Chapter 11 - Packet Captures and Man-in-the-Middle Attacks

Introduction

Another technique that may be advantageous to us is to monitor or capture network traffic on a remote machine. Think of it like a wiretap. As a wiretap records everything a person says on their telephone, a packet capture records everything your computer says on the network wire.

This could include account names, passwords, etc. In this section we will look at viewing network packets using two very different processes. For the first one we will use a Man-in-the-Middle attack on a system on a local network, involving the commands arpspoof, urlsnarf and Driftnet.

Using these commands we can view what website a target is on and display every graphic that the target is viewing. Secondly, we will cover running a packet capture on a remote machine through a Metasploit session. We will then view the captured information for artifacts in Wireshark and Xplico. In both cases we will use a Windows 7 computer as the target system.

A MitM attack in essence places our Kali system between the target and the router. This way, we see all of the traffic coming from and going to the target system. All traffic from the target system headed to the Internet is re-routed first to our machine, which captures it and then forwards it to the network. All information coming from the Internet headed to the target machine is routed through our system first, again so we can review it, and then forwarded to the target system.

So we tell the Target machine that we are the internet router and tell the router that we are the target system.


But first we need to turn on IP forwarding by running the following command: ... Now we need to run the arpspoof command.

To do so, we need to provide the network interface (-i), the target system (-t) and the router address, as below: ... Reversing did not seem to work on a VMware host, but I was able to capture all the traffic by just using the one-way command above. Arpspoof should then start sending out the modified MAC addresses.

When the user surfs the web, you will see all of the URL traffic: ... This allows us to see all the website addresses that the user visits on our Kali system! A driftnet window should open up on your Kali system. Maximize it to make things easier to see. Now return to the target computer system and start surfing the web. You should start to see images appearing on your Kali system. So, on the target system they would see these images: ... And on your remote Kali machine you should see this: ... All the images from the page!
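Every step in Part One relies on the target and the router accepting unsolicited "is-at" answers, so the defence is to watch for those answers. The following added Python example, not code from the book or from the dsniff suite, parses ARP reply lines in the format tcpdump -n prints them and raises an alert when a pinned address (the gateway) answers with an unexpected MAC, when any address changes MAC between replies, or when one MAC ends up claiming several addresses. The six-line capture is constructed, with invented addresses and MACs, and shows a third MAC starting to answer for both the gateway and a workstation, the state the chapter describes as "we tell the target machine that we are the router and tell the router that we are the target".

```python
import re
from collections import defaultdict

# tcpdump -n prints ARP replies as:
#   <time> ARP, Reply <ip> is-at <mac>, length 28
ARP_REPLY = re.compile(r"ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-fA-F:]{17})")

# Constructed capture: gateway and a workstation answer normally, then a third
# MAC starts claiming both of their addresses. All addresses are invented.
SAMPLE_CAPTURE = """\
12:00:00.100000 ARP, Reply 192.168.1.1 is-at aa:aa:aa:aa:aa:01, length 28
12:00:00.600000 ARP, Reply 192.168.1.20 is-at bb:bb:bb:bb:bb:20, length 28
12:00:01.000000 ARP, Reply 192.168.1.30 is-at cc:cc:cc:cc:cc:30, length 28
12:00:12.000000 ARP, Reply 192.168.1.1 is-at dd:dd:dd:dd:dd:99, length 28
12:00:12.000500 ARP, Reply 192.168.1.20 is-at dd:dd:dd:dd:dd:99, length 28
12:00:14.000000 ARP, Reply 192.168.1.1 is-at dd:dd:dd:dd:dd:99, length 28
"""


def parse_arp_replies(text):
    """Yield (timestamp, ip, mac) for each ARP reply line; other lines are ignored."""
    for line in text.splitlines():
        m = ARP_REPLY.search(line)
        if m:
            yield line.split()[0], m.group(1), m.group(2).lower()


def detect_arp_spoof(text, trusted=None):
    """Return alerts for three symptoms of ARP poisoning:
    - trusted_mismatch: a reply for a pinned IP (e.g. the gateway) carries a MAC
      other than the one we recorded for it;
    - mac_changed: an IP's MAC differs from the previous reply we saw for it;
    - shared_mac: one MAC ends up claiming more than one IP.
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    table = {}   # last MAC seen per IP, the way a host's ARP cache would hold it
    alerts = []
    for ts, ip, mac in parse_arp_replies(text):
        if ip in trusted and trusted[ip] != mac:
            alerts.append({"kind": "trusted_mismatch", "ts": ts, "ip": ip,
                           "expected": trusted[ip], "seen": mac})
        prev = table.get(ip)
        if prev is not None and prev != mac:
            alerts.append({"kind": "mac_changed", "ts": ts, "ip": ip,
                           "old": prev, "new": mac})
        table[ip] = mac
    by_mac = defaultdict(set)
    for ip, mac in table.items():
        by_mac[mac].add(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:
            alerts.append({"kind": "shared_mac", "mac": mac, "ips": sorted(ips)})
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(SAMPLE_CAPTURE,
                                  trusted={"192.168.1.1": "aa:aa:aa:aa:aa:01"}):
        print(alert)
```

Pinning the gateway's MAC is the check that fires first and most reliably, since a poisoning tool has to overwrite that mapping on the victim for the traffic to flow through it; the shared_mac check catches the same thing from the other side, one adapter suddenly answering for two hosts.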

Part Two: Remote Packet Capture in Metasploit

Okay, that was all well and good if we are on the same local network as the target system, but what if the target system is remote?

We will start with an active session that we obtained through an exploit. As you can see below, we are connected to session 1 and have a Meterpreter shell to the target, a Windows 7 system in this case. When things go bad: case in point, when trying to run packetrecorder -li on one Windows 7 system I got the error below: ... I had to go to the Windows 7 system and manually disable UAC to get this to work right. Even if it is set to the lowest level, it is still better than being completely off!

Running the command, we see that the remote target in this case has 5 network interfaces: We will go ahead and run the attack against interface 2, the Qualcomm WiFi adapter. Now, just go to the Windows 7 target system and do some surfing.

Every location you surf to and every network packet you send will be recorded on the Kali system. And that is it.

Wireshark

Okay, we have our packet capture, so what do we do with it? Wireshark is a great packet capture and analyzer program that has a ton of features and capabilities. We will just cover viewing a packet capture in Wireshark very briefly. If the user connected to any unencrypted FTP sessions, as shown above, you will be able to see the entire session.

And you will see the stream content as shown below: ... As you can see, we have a complete capture of an FTP login and file download. Wireshark is great for analyzing network communications, and you can do a lot with it, but it is a bit advanced for a new user and might be hard to use until you become familiar with it. The program Xplico lists all the information from the packet capture in an easy-to-read menu.
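What "Follow TCP Stream" shows for an FTP login can be turned into an audit of how much cleartext FTP is leaking on your own network. The following added Python example, not code from the book, from Wireshark or from Xplico, parses a constructed control-channel exchange (client lines prefixed "C:", server lines "S:", with an invented user and file name) and reports the username, whether a password crossed in the clear, whether the login succeeded, and which files were transferred, without copying the password into the report.

```python
# Constructed control-channel exchange, laid out the way a "Follow TCP Stream"
# view reads. User, password and file name are invented.
FTP_STREAM = """\
S: 220 FTP server ready.
C: USER alice
S: 331 Please specify the password.
C: PASS hunter2
S: 230 Login successful.
C: PASV
S: 227 Entering Passive Mode (10,0,0,5,195,80).
C: RETR payroll.xlsx
S: 150 Opening BINARY mode data connection for payroll.xlsx (10240 bytes).
S: 226 Transfer complete.
C: QUIT
S: 221 Goodbye.
"""


def audit_ftp_stream(text):
    """Summarise what an unencrypted FTP control session exposed.

    Returns the username, whether a password was sent in the clear, whether the
    login succeeded (230 vs 530) and the files retrieved or stored, counting a
    transfer only once the server confirms it with 226. The password itself is
    never copied into the result, so the audit does not become a second copy
    of the secret.
    """
    report = {"user": None, "password_in_clear": False, "login_ok": False,
              "files": [], "transfers_ok": 0}
    pending = None  # (verb, filename) awaiting the server's 226
    for line in text.splitlines():
        who, _, msg = line.partition(": ")
        if who == "C":
            verb, _, arg = msg.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                report["user"] = arg
            elif verb == "PASS":
                report["password_in_clear"] = bool(arg)
            elif verb in ("RETR", "STOR"):
                pending = (verb, arg)
        elif who == "S":
            code = msg[:3]
            if code == "230":
                report["login_ok"] = True
            elif code == "530":
                report["login_ok"] = False
            elif code == "226" and pending is not None:
                report["files"].append(pending)
                report["transfers_ok"] += 1
                pending = None
    return report


if __name__ == "__main__":
    print(audit_ftp_stream(FTP_STREAM))
```

A failed login (server answers 530) still counts as a password exposed, which is the point of the audit: the credential was on the wire whether or not it worked.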

It also allows us to view any images or documents.

Xplico

Xplico has been added to the Kali repositories, but it may not be installed on your system yet. It is a web-based interface, so to start it you need both the Apache web server and the Xplico server started. If Xplico is not listed, you will need to install it.

To install, run the following command: ... Now we just need to start the services. Once Xplico is started, you access it via a web interface. Now click on the session name.

The Main Session desktop appears. The file will then be uploaded into Xplico and decoded. After a few seconds to minutes, depending on the size of your pcap file, you will see the results as below: ... Now if we click on Sites under the Web menu we will see a list of the websites that the target visited: ... Next they went to Google and then the D-Link support website looking for support information on a DIR router.

Even if no network, account information or passwords were recovered with Xplico, you can use the Web tab to gather information that could be used in a social engineering type attack. For example, I noticed several of the surfed sites were NHL sites. I can search the data stream for specific terms, in this case NHL: ... Or view the images: ... Obviously the user is a hockey fan.

I could possibly recover his favorite team from his surfing habits and again use this in a social engineering attack.

Conclusion

In the first part of this section we learned how to use the Man-in-the-Middle attack program Arpspoof, along with urlsnarf and Driftnet, to view what websites a targeted local system was viewing.

In the second part, we learned how to turn an exploited system into a remote packet sniffer using Meterpreter. We then analyzed the captured traffic in Xplico. Hopefully this chapter demonstrated why it is important to secure your network. If your ARP table is not protected, it makes it easy for an attacker on the local LAN to perform a MitM attack and view all the traffic of a target system.

It has been a long time since I have played with BeEF, about three years in fact, but after going through a great Web Application and XSS security class, I figured it was time to brush it off again.

I was very pleased to find that a ton of new features called commands have been added to BeEF since I last used it, dramatically increasing its functionality. Granted, many attacks in BeEF no longer seem to work against Windows 7 using the latest browsers, but it appears that Windows XP systems are still very vulnerable to many of the browser attacks, even when using the latest browsers. In Kali, just open a terminal and type: ... This starts the BeEF server and shows you the web address to open the graphical user interface and a couple of sample pages that you can use to hook browsers: ... You will now be greeted with the main BeEF control panel: ... Or this if we are using Chrome: ... The page shows some delicious-looking beef, and nothing really seems awry.

Well, maybe not complete control, but it does give us the power to really muck with it. As soon as the visitor simply visits the page, the hook is set. Notice that the user does not have to run anything or mouse over anything for the attack to work. Just visiting the page triggers the attack. When machines are hooked, they show up in the BeEF control panel: ... Now that we have the system listed in the control panel, we simply click on the system we want to attack and then pick from the numerous attacks listed in the commands section: ... Oh no!

The username: ... We could also try to grab credit card numbers with this site-looking attack: ... BeEF can do much more than just send pop-ups. You can grab the HTML of the webpage that the victim is on: ... And then change any links on the page in real time, without the user ever knowing, to point to wherever you want the victim to go.

Here is a look at the webpage source after changing all the links on the page to point to the Dallas Cowboys website: ... You can also send custom JavaScript, or even tie it in with Metasploit to attempt to get a remote shell. As you can see, an attacker having control over the browser can be very bad.

Conclusion

BeEF can be very interesting to play with and fairly easy to use once you get the hang of it.

The attacks are color-coded as to the chance that they might work. You may want to try them anyway, as I have noticed that some coded as not working well seemed to work okay on occasion. I also noticed that newer browsers seemed to stop some of the attacks, but XP was still pretty open as to what would work against it. I tried these exact same attacks against a Windows 7 system using the latest Firefox browser and nothing was displayed: ... A hook was created, but only lasted for about a second or two before it was dropped.

The best mitigation against this type of attack seems to be to use the latest Windows OS and browser versions. If you can, update or replace your Windows XP systems, especially if they are used online.

The base security in Windows 7 and 8 is much better than Windows XP.

Social Engineering is, in effect, hacking humans. Hackers who are experts in social engineering will trick you into helping them or giving them access to your secured systems or areas by pretending to be someone else, someone in need, or even someone in a position of authority.

As you approach the door, a deliveryman with his arms full of boxes is also arriving at the door. What do you do? Without thinking twice, most would open the door for the poor overburdened man and let him in.

You just let him in. He says that he is performing system upgrades and needs access to your system. You ask if you should shut it down, and he responds that he just needs to check a few things first. You get up and head for the cafeteria. And just gave him access to your system.

One day you get a package in the mail from a company that you just signed a major deal with. It was the largest deal of your career and was in all the local city newspapers and on all the TV stations. You open it up to find one of the latest tablets along with a thank you note from the company thanking you for the business agreement. The company never sent you a tablet and you just gave an enterprising social engineer a system connected to your Executive network.

They are installing some new software and need you to install some new drivers. They include the software package as an attachment and give you full directions to install it. Which you do. They may take advantage of local customs and etiquette, play off of human sympathy, or just try to intimidate an employee to get what they want.

These books are helpful if you get stuck on anything or if you wish to learn something new in Kali Linux.

If we have missed any such helpful book to learn Kali Linux from, please let us know in the comments section.


Here are some hardware keyloggers ... Brute force attack: another great way to hack passwords. The hacker just guesses the password length and the characters used for the password. After that, software combines all these factors, creates a great many words and tries each word as the password. It is a time-consuming method. Wordlist attack: it is similar to the one above, but here the hacker first generates words and saves them to a file using software like crunch.

Another program then applies every word as a password. Encryption: generally it is used for encrypting the password in the database.

Kali Linux Hacking tutorials: Perfect guide to Beginners

In the database, it is stored in encrypted format. Paytm uses ...-bit encryption, meaning that if you increase your password length, there are 2 ... combinations to try in a brute force attack. Ransomware: it is a program coded by a hacker which encrypts all the data on your hard disk (that is, makes it so nobody can open it) and then asks for money if you want to recover your data.

IP address: IP stands for Internet Protocol. It is the address of our device. To find your IP address, type "what is my IP" into Google. There are two types of IP address. We connect to the Internet through a public IP address.

It can be changed by using a VPN or a proxy. VPN: VPN stands for Virtual Private Network. A VPN basically changes your IP address. If you are using a VPN and doing anything, nobody can know unless the VPN company exposes you (a free VPN can, if you are doing something seriously illegal).

No problem. ... It is a computer where the files of a website are stored.

DoS attack: it stands for Denial of Service. Mainly used to make a website go down or become unavailable. Fake traffic is sent to the web server. When the data exceeds the bandwidth limit, the server crashes.

Here is a screenshot of a website when the server is down. ... In a DoS attack there is only one machine, but in a DDoS attack there are multiple fake devices, as shown in the screenshot. There is only one way to protect against a DDoS attack ... : the hacker injects queries into the website database. Social engineering: it is not a hacking method. It is hacking by the average person. The password-guessing technique is known as social engineering. I am not an expert in this, and it takes a lot of time.

It is different for each person, so it is very time-consuming.

