3 | Page
Table of Contents
Introduction ............................................................................................................................................7
About the Author....................................................................................................................................7
A note from the Author ..........................................................................................................................7
Warning...................................................................................................................................................7
Chapter 1 – Ethical Hacking and Steps....................................................................................................9
What is ethical hacking? .....................................................................................................................9
What is the purpose of this book?......................................................................................................9
What are the responsibilities of an Ethical Hacker?...........................................................................9
What are the customer’s expectations?...........................................................................................10
What are the required skills of the hacker? .....................................................................................10
How to get prepared for the Penetration testing.............................................................10
Chapter 2 - Reconnaissance (Information Gathering) ..........................................................................12
What is reconnaissance? ......................................................................................................................12
Popular reconnaissance tools on Kali ...............................................................................................12
Dmitry ...............................................................................................................................................12
Maltego.............................................................................................................................................14
What does Maltego do?...............................................................................................................14
What can Maltego do for me?.....................................................................................................15
Using Maltego ..............................................................................................................................15
How to use Maltego without using the wizard?..........................................................21
NMAP -- Network Mapper Security Scanner ....................................................................................25
Getting Started with NMAP.........................................................................................................26
Ping test on a host, IP range or network....................................................................................26
Ping and basic TCP scan test on a host or network ..................................................................27
TCP quick scan test with “NO PING” test...................................................................................29
Full TCP Scan ...............................................................................................................................29
Full UDP Scan...............................................................................................................................30
Scan specific TCP/UDP ports on a host .....................................................................................30
Traceroute by NMAP...................................................................................................................31
Excluding IP addresses from scan..............................................................................................32
Using a list of hosts......................................................................................................................32
SYN Stealth Scan..........................................................................................................................32
FIN, Null and Xmas Tree Scans [-sF, -sN, -sX]............................................................................34
OS detection by NMAP ................................................................................................................35
Adjust Timing aggressiveness with NMAP scan .......................................................................37
Using NMAP Scripts.....................................................................................................................39
Some NMAP scripts examples ....................................................................................................42
DNS Brute with NMAP ................................................................................................................42
Finding virtual hosts on an IP address or host .........................................................................42
SMB Operating System discovery ..............................................................................................43
HTTP Enumeration......................................................................................................................44
Traceroute Geolocation ..............................................................................................................45
Whois-domain and whois-ip ......................................................................................................45
SMB Brute Force..........................................................................................................................47
Some other usage examples of NMAP scripts..........................................................47
NMAP Cheat Sheet.......................................................................................................................49
HPING3..............................................................................................................................................53
Sample Scans using hping3.........................................................................................................53
DoS attack using hping3..............................................................................................................54
Chapter 3 -- Vulnerability Analysis........................................................................................................55
What is Vulnerability Analysis?.........................................................................................................55
Popular Vulnerability Analysis tools on Kali......................................................................................55
Golismero..........................................................................................................................................55
Enable or disable plugins on Golismero....................................................................................59
OpenVAS -- Free Vulnerability Assessment Software.......................................................................61
Setting up OpenVAS on Kali Linux for the first time.................................................................61
W3af -- Web Application Attack and Audit Framework ...................................................................66
Using w3af in command line ......................................................................................................67
Set up additional options via command line interface.............................................................69
Nikto..................................................................................................................................................72
Vega ..................................................................................................................................................75
Using Vega as proxy server.........................................................................................................76
OWASP-ZAP.......................................................................................................................................78
Scanning Password protected web sites with ZAP...................................................................82
Burp Suite..........................................................................................................................................89
Burp Suite intercepting Proxy....................................................................................................89
Burp Spider..................................................................................................................................93
Burp Web Vulnerability Scanner................................................................................................95
Burp Intruder...............................................................................................................................97
Burp Repeater............................................................................................................102
Burp Sequencer .........................................................................................................................106
Burp Decoder.............................................................................................................................106
Loading Raw Data......................................................................................................................107
Transformations........................................................................................................................107
SQLMAP ..........................................................................................................................................108
Chapter 4 – Penetration testing and attacks......................................................................................115
What is penetration testing? ..........................................................................................................115
Popular Penetration tools on Kali...................................................................................................115
John the Ripper...............................................................................................................................115
Wordlist mode...........................................................................................................................118
“Single crack" mode...................................................................................................................118
"Incremental" mode..................................................................................................................118
External mode............................................................................................................................119
Crunch – Password file maker.........................................................................................................120
Ncrack .............................................................................................................................................121
Ettercap – ARP poisoning and Man-In-The-Middle Attack.............................................................123
Using Xplico application to sniff the traffic .............................................................................132
DNS Spoofing with ettercap......................................................................................................134
DoS attack with ettercap...........................................................................................................135
Metasploit Framework....................................................................................................................137
Using NMAP within Metasploit Framework............................................................................140
Metasploit exploit Payloads and Options ................................................................................142
Metasploit exploit Payloads......................................................................................................143
Metasploit exploit Options........................................................................................................144
Example of a payload attack.....................................................................................................145
Metasploit auxiliary vs exploit .................................................................................................145
Active vs Passive exploits .........................................................................................................145
Metasploit Workspaces.............................................................................................................146
Vulnerability scanning with Metasploit...................................................................................146
Using MSFVENOM .....................................................................................................................148
Armitage..........................................................................................................................................152
Running NMAP scans with Armitage.......................................................................................152
How to launch a specific exploit or auxiliary on a host in Armitage.....................................155
Hail Mary attack.........................................................................................................................156
Social Engineering Toolkit...............................................................................................................157
Updating the configuration of setoolkit...................................................................................158
Complex Spear phishing attack using SET (Social Engineering Toolkit)..............................159
Web Site attack vectors using SET...........................................................................................164
Harvesting credentials using SET and website cloning..........................................................167
Aircrack-ng......................................................................................................................................171
Finding WEP passwords using aircrack-ng.............................................................................171
Finding WPA2 passwords using aircrack-ng ..........................................................................174
Kismet .............................................................................................................................................175
Gathering information with Kismet.........................................................................................175
Post exploitation backdoors ...........................................................................................................177
Netcat (NC).................................................................................................................................177
Using Metasploit meterpreter with netcat..............................................................................178
Backdoor Factory ......................................................................................................................179
Chapter 5 – Reference of tools and terms on Kali..............................................................................183
Tools reference ...............................................................................................................................183
Glossary of terms............................................................................................................................183
Introduction
In this book you will learn the basic techniques used to hack into and penetrate computer
networks, systems and applications.
The book covers many of the leading penetration-testing tools available on Kali Linux and how to operate them.
Readers are expected to have at least a basic knowledge of computer networking, command-line utilities and
Linux administration in order to understand and follow the guidance in this book.
About the Author
Rassoul Ghaznavi-zadeh, the author, has been an IT security consultant since 1999. He started as a
network and security engineer and developed his knowledge around enterprise business, security
governance and standards and frameworks such as ISO, COBIT, HIPAA, SOC and PCI.
He has helped many enterprise organizations build a safe and secure environment by testing,
auditing and providing recommendations. He has also written other security books on penetration testing and
enterprise security.
Rassoul holds multiple international certifications in security and enterprise IT architecture.
A note from the Author
This is my second book about penetration testing and Kali Linux. I have tried to add more detail and in-depth
explanation about how things work and what should be done, step by step. I hope you find this book
useful, and that in doing so I can do my bit to keep the technology industry safer and more secure.
For those who buy this book, I am available on LinkedIn for any follow-up. Add me to your network
and ask any question you might have; I am more than happy to assist.
I would like to dedicate this book to my wife and daughter, who have always been with me and helped
me spare the time to write it.
Warning
The techniques you learn in this book are not meant to be used against any production environment for
abusive purposes. It is illegal to use these techniques without formal permission from the
management of the organization that owns the systems.
The sole purpose and aim is to keep the technology environment secure by performing these tests as an
ethical hacker, within a specified agreement with the customer.
Do not use these techniques without written authorization. It is illegal and it can put you in serious trouble.
Chapter 1 – Ethical Hacking and Steps
What is ethical hacking?
Ethical hacking is the process of investigating vulnerabilities in an environment, analysing them, and using
the information gathered to protect that environment from those vulnerabilities.
Ethical hacking requires a legal, mutual agreement between the ethical hacker and the asset and
system owners, with a defined and agreed scope of work.
Any act outside the agreed scope of work is illegal and is not considered part of ethical hacking.
What is the purpose of this book?
The purpose of this book is to prepare readers to act and work as ethical hackers.
The techniques in this book must not be used on any production network without formal
approval from the ultimate owners of the systems and assets.
Using these techniques without approval is illegal, can cause serious damage to
others' intellectual property, and is a crime.
What are the responsibilities of an Ethical Hacker?
As an ethical hacker you have a clear responsibility for how you use your knowledge and
techniques. It is also very important to understand what is expected of an ethical hacker
and what you should consider when assessing the security of a customer's organization.
Below are some important things you must consider as an ethical hacker:
Use your knowledge and tools only for legal purposes
Only hack to identify security issues, with the goal of defence
Always seek management approval before starting any test
Create a test plan with the exact parameters and goals of the test, and get management
approval for that plan
Don't forget: your job is to help strengthen the network and nothing else!
What are the customer’s expectations?
It is very important to understand the customer's expectations before starting any work. The
nature of this work (ethical hacking) is high risk and requires a great deal of attention; if you do not have a
clear understanding of the customer's requirements and expectations, the end result might not be what they
want and your time and effort will be wasted. There can also be legal implications if
you do not follow the rules and address the customer's expectations.
Below are some important things you should note:
Work with the customer to define goals and expectations
Don't surprise or embarrass them with the issues that you might find
Keep the results and information confidential at all times
The company usually owns the resulting data, not you
Customers expect full disclosure of problems and fixes
What are the required skills of the hacker?
To be an ethical hacker you should have extensive knowledge of a range of devices and systems.
Ideally you should have several years of experience in the IT industry and be familiar with different
hardware, software and networking technologies.
Some of the important skills required of an ethical hacker are as follows:
Should already be a security expert in other areas (perimeter security, etc.)
Should already have experience as a network or systems administrator
Experience with a wide variety of operating systems such as Windows, Linux, UNIX, etc.
Extensive knowledge of TCP/IP: ports, protocols, layers
Working knowledge of security, common vulnerabilities and how to correct them
Familiarity with hacking tools and techniques (covered in this book)
How to get prepared for the Penetration testing
Before you start a penetration-testing project, there are a number of things that you need to consider.
Remember: without following the proper steps, getting approvals and finalizing an agreement with the
customer, using these techniques is illegal.
Important things to consider before you start:
Get signed approval for all tests from the customer
Sign a confidentiality agreement (NDA)
Get approval from collateral parties (e.g. ISPs and hosting providers whose infrastructure the tests will cross)
Put together the team and tools and get ready for the tests
Define the goals (DoS testing, penetration, etc.)
Set the ground rules (rules of engagement with the customer and the team)
Set the schedule (non-work hours, weekends?)
Notify the appropriate parties (system administrators, security department, legal department, law
enforcement where required)