CHAPTER 6. Basic Kali Linux tools
After the brief explanation of installing Kali Linux and the detailed overview of the kinds of tools it ships with, this chapter walks through practical scenarios with a few of those tools, to make the basics of hacking concrete.
How should hacking be done?
There is no single guideline that teaches hacking perfectly, but there is a well-known procedure that good hackers follow, often without thinking about it, and it gives better results.
The Hacking Roadmap
Hacking is like cooking. You gather your ingredients (the programs), learn their properties in detail, and combine them to produce the dish. What if the food does not taste good, that is, what if the whole process yields nothing useful? There is only one thing to do: try again. There are five areas you need to learn in detail to master hacking.
1) Information Gathering
2) Automatic Vulnerability Scanning
3) Exploiting
4) Password Attacks
5) Sniffing and wireless attacks
1) Information gathering
Information gathering is the essential job before attacking a target. In short, the tools of this phase collect a great deal about the target hosts (addresses, open ports, services and their versions, operating system), and that decides which exploits are worth trying and where a backdoor could be placed. The mass of publicly available information about a target is just as useful for choosing an overall strategy that gives the attack the best chance of success.
2) Automatic vulnerability scanning
A vulnerability scanner is a program that automatically finds security weaknesses in computers, network services, web applications and software. It probes the target over the network, sends crafted requests, and matches the responses against its built-in database of vulnerability signatures to enumerate the weaknesses present. Scanning is an indispensable part of keeping systems and networks secure: if an administrator detects the holes in their own environment before an attacker does, and fixes them in time, most intrusions never happen. Because the work is repetitive, it is left to tools such as Nessus and OpenVAS. Remember that a signature match is a lead, not proof; confirm findings by hand.
3) Exploiting
Exploitation is how control of a system is actually gained: the attacker finds a vulnerable service on the target and uses the vulnerability to obtain access and control. For practice, this book uses Metasploitable 2, an intentionally vulnerable Linux image released by the Metasploit project, and introduces penetration attacks against the services on it, such as the MySQL and PostgreSQL databases and the Tomcat service. The access gained is usually a low-privileged account, whereas the next steps of an attack often need administrator rights, so privilege escalation follows: raising the permissions of the account you hold to the maximum the system allows. It can be achieved through token impersonation, local privilege-escalation exploits, or social engineering.
4) Password Attacks
A password attack recovers a plaintext password that you do not know, from a captured hash or by guessing against a login interface. Passwords are part of every penetration test: whatever else you do and however strong your technical skills, passwords remain the most common way of protecting data and restricting access to systems, so a tester who does not understand how they are stored and cracked is at a serious disadvantage. The password attack methods covered in this book include online attacks, router password attacks and building password dictionaries.
5) Sniffing and wireless attacks
Here the attacker uses wireless tools and a suitable network adapter to capture packets, then cracks the captured material to recover the network password or pulls sensitive information straight out of the traffic. Sniffers such as Wireshark are famous and serve both for attacks and for understanding what is on the wire.
We begin with information gathering, scanning for open ports with the well-known reconnaissance tool Nmap.
Information Gathering
Information gathering is the pre-attack phase in which the attacker collects everything that is publicly available about the target: the technology it uses, the operating system and version it runs, the people who operate it. Many attackers combine this with social engineering to get a solid picture of the target. Every attacker has a preferred methodology, but the work falls into three areas:
1) Search engines. Use Google and similar engines to learn about the host you intend to attack; you will be surprised how much is public.
2) Social engineering. A target can often be tricked psychologically, with something as simple as a phishing e-mail carrying your exploit, into installing your backdoor for you. Many skilled attackers prefer this to a technically complex intrusion.
3) Port scanning. A server offers various services, such as publishing a web site and sending and receiving e-mail. Each network service communicates through a "port", identified by a number, and well-known services have pre-assigned port numbers: 80 for HTTP, the service that publishes web pages, and 587 for e-mail submission, for instance. Investigating from outside, from the attacker's point of view, which ports a server has open is called a port scan.
How is a port scan done?
Port scanning means sending specific packets from outside and examining the responses in order to discover the services running on hosts connected to the network. From the responses you can often identify the version of each service, and from the way the host's TCP/IP stack answers, its operating system. Nmap and Zenmap are the usual tools for this.
Nmap is the command-line tool and Zenmap its graphical front end; both use the same scanning engine and both are free. Keep a terminal open while reading this book: you learn hacking and programming by doing, not by reading alone.
Nmap
Nmap is one of the best-known security tools and a staple of penetration testing. It is usually thought of only as an information-gathering tool, but its scripting engine (NSE) also makes it an automatable vulnerability detector. It runs on Linux and the other open-source operating systems as well as on Windows, and handles host discovery, port discovery, service and version detection and operating system detection. It can be driven from the command line or through the Zenmap GUI, but experienced users stay on the command line.
How does Nmap work?
Nmap supports many scan techniques: TCP SYN and connect scans, UDP scans, FIN/NULL/Xmas scans, the FTP bounce scan and more. Each has strengths and weaknesses that become clear when you use them against real hosts. In hacking terminology the machine being attacked is the target host. Before scanning, judge the target: a quick default scan may be all you need, or a slower and more careful scan may be called for, and getting past an intrusion detection system takes deliberate technique (timing options, packet fragmentation, decoy addresses). The following commands show the basic operations Nmap performs:
1) Scan a single host, by name or by address:
# nmap www.hackingtools.com
# nmap 192.232.2.1
2) Scan an entire subnet, given in CIDR notation:
# nmap 192.232.2.1/24
3) Scan several targets listed on the command line:
# nmap 192.232.2.1 192.232.2.4
4) Scan a range of targets; a range may be written in any octet:
# nmap 192.232.2.1-100
(This scans every host from 192.232.2.1 to 192.232.2.100 inclusive.)
5) Read targets from a text file, one or more per line, so that a long list does not have to be typed by hand. Give the file's path; it does not need to sit in any particular directory:
# nmap -iL sampleip.txt
6) List the targets a specification covers without scanning them. The list scan only does reverse DNS lookups and sends no probes to the hosts, so it is a safe way to check what a subnet or range expands to before the real scan:
# nmap -sL 192.232.2.1/24
7) Exclude a single address from a subnet scan (note the double dash):
# nmap 192.232.2.1/24 --exclude 192.232.2.4
To exclude several addresses, put them in a text file and use --excludefile; the file takes the same syntax as -iL:
# nmap 192.232.2.1/24 --excludefile excludeIp.txt
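The target notation above is worth understanding precisely before you point it at a network. The following Python program is an added example, not Nmap's own code: it expands the same notation (single hosts, CIDR blocks, octet ranges such as 192.232.2.1-100, -iL files, --exclude and --excludefile), plus the -p port-list syntax introduced in the next paragraph, so you can check exactly which hosts and ports a command line would touch without sending a packet. The sample targets in it are constructed; hostnames are passed through unresolved.

```python
"""Expand Nmap-style target and port specifications.

Added example; this is not Nmap's own code. It reproduces how Nmap reads
the target syntax used in the commands above (single hosts, CIDR blocks,
octet ranges such as 192.232.2.1-100, -iL list files, --exclude and
--excludefile) and the -p port-list syntax. Hostnames are passed through
unresolved; no DNS lookups are made.
"""
import ipaddress
import itertools
import re
from typing import Iterable, List, Set

_OCTET = re.compile(r"^(\d{1,3})$")
_OCTET_RANGE = re.compile(r"^(\d{1,3})-(\d{1,3})$")


def _expand_octet(part: str) -> List[int]:
    """'7' -> [7]; '1-100' -> [1..100]; a bare '-' is Nmap's shorthand for 0-255."""
    if part == "-":
        return list(range(256))
    m = _OCTET_RANGE.match(part)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
    else:
        m = _OCTET.match(part)
        if not m:
            raise ValueError(f"bad octet: {part!r}")
        lo = hi = int(m.group(1))
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"octet out of range: {part!r}")
    return list(range(lo, hi + 1))


def _looks_like_octet_spec(spec: str) -> bool:
    parts = spec.split(".")
    return len(parts) == 4 and all(
        p == "-" or _OCTET.match(p) or _OCTET_RANGE.match(p) for p in parts)


def expand_target(spec: str) -> List[str]:
    """Expand one target token into addresses (CIDR or octet ranges) or a hostname."""
    spec = spec.strip()
    if not spec:
        return []
    if "/" in spec:
        # CIDR: like Nmap, the network and broadcast addresses are included
        return [str(ip) for ip in ipaddress.ip_network(spec, strict=False)]
    if _looks_like_octet_spec(spec):
        # octet-range syntax: 192.232.2.1-100, 10.0.0-1.1, 192.168.-.1 ...
        ranges = [_expand_octet(p) for p in spec.split(".")]
        return [".".join(map(str, combo)) for combo in itertools.product(*ranges)]
    return [spec]                      # hostname: resolution is the scanner's job


def read_spec_file(text: str) -> List[str]:
    """Contents of an -iL or --excludefile file: whitespace-separated, '#' comments."""
    specs: List[str] = []
    for line in text.splitlines():
        specs.extend(line.split("#", 1)[0].split())
    return specs


def expand_targets(specs: Iterable[str], exclude: Iterable[str] = ()) -> List[str]:
    """All targets minus all exclusions, in first-seen order without duplicates."""
    excluded: Set[str] = set()
    for e in exclude:
        excluded.update(expand_target(e))
    seen: Set[str] = set()
    hosts: List[str] = []
    for spec in specs:
        for host in expand_target(spec):
            if host not in excluded and host not in seen:
                seen.add(host)
                hosts.append(host)
    return hosts


def expand_ports(spec: str) -> List[int]:
    """-p syntax: '78,56,23', '1-1024,8080', '-' (all ports); T:/U: prefixes ignored."""
    ports: List[int] = []
    for token in spec.split(","):
        token = token.strip()
        if ":" in token:                        # drop protocol prefix, e.g. 'U:53'
            token = token.split(":", 1)[1]
        if "-" in token:
            lo_s, hi_s = token.split("-", 1)
            lo = int(lo_s) if lo_s else 1       # '-' alone means 1-65535, as in Nmap
            hi = int(hi_s) if hi_s else 65535
            ports.extend(range(lo, hi + 1))
        else:
            ports.append(int(token))
    for p in ports:
        if not 0 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return ports


if __name__ == "__main__":
    # Constructed sample mirroring the commands above (not real scan targets)
    hosts = expand_targets(["192.232.2.1/24"], exclude=read_spec_file("192.232.2.4\n"))
    print(len(hosts), "hosts after exclusion; first:", hosts[0], "last:", hosts[-1])
    print("ports:", expand_ports("78,56,23"), "count for 1-1024:", len(expand_ports("1-1024")))
```

Run it before a large scan to confirm that a /24 with one exclusion really is 255 hosts, or that an octet range does not accidentally cover a neighbouring network.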
Before turning to the scan techniques, note how to restrict a scan to particular ports on a host. By default Nmap scans the 1000 most common ports; the -p option takes a comma-separated list of ports, and also ranges such as 1-1024, or - for all 65535 ports:
# nmap -p78,56,23 192.232.2.1
Scanning techniques in Nmap
Nmap offers several scan techniques, each suited to a different situation. This section describes them, with the command line for each.
1) -sS scan (TCP SYN)
This is the scan Nmap runs by default when it has root privileges. It never completes the TCP handshake: it sends a SYN to each port and reads the reply. A SYN/ACK means the port is open, a RST means it is closed, and no reply (or an ICMP unreachable error) means it is filtered by something in the path. For open ports Nmap then sends a RST to tear the half-open connection down instead of completing it. Because no connection is ever established, the application listening on the port never sees the probe and usually never logs it; that stealth, together with its speed, is the scan's great strength. It needs raw sockets, so it must be run as root or Nmap reports an error (without root, Nmap falls back to the connect scan described next).
hacking@kali# nmap -sS 192.232.2.1
2) -sT scan (TCP connect)
When a SYN scan is not possible, typically because you do not have root, the connect scan is the fallback. It uses the operating system's connect() call, so it completes the full three-way handshake with every open port. That makes it slower than a SYN scan and more likely to be logged by the service on the other end, but it needs no special privileges. It is a TCP-only technique; UDP ports are found with the -sU scan described next.
hacking@kali# nmap -sT 192.232.2.1
3) -sU scan (UDP scan)
The UDP scan is next on the checklist after the SYN scan, because services such as DNS, SNMP and DHCP run over UDP and are easily overlooked. There is no SYN and no handshake: Nmap sends a UDP datagram (empty, or a protocol-specific payload for well-known ports) to each port and waits. An ICMP port unreachable reply means the port is closed; a UDP reply means it is open; no reply at all is reported as open|filtered, because a silent open service and a firewall dropping the probe look identical from outside. Most systems rate-limit ICMP errors, so scanning many UDP ports is slow; restrict it to the ports you care about.
hacking@kali# nmap -sU 192.232.2.1
4) -sF scan (FIN scan)
Some firewalls and intrusion detection systems are tuned to catch the SYN packets of an ordinary TCP scan. A FIN scan sends a bare FIN packet instead, with no SYN at all. According to RFC 793, a closed port must answer a stray FIN with a RST while an open port ignores it, so silence indicates open|filtered. Because the probe never starts a connection there is nothing for an application to log, and a stateless packet filter that only blocks incoming SYNs lets it through. Its limits: a stateful firewall drops it, and systems that do not follow the RFC (Windows in particular) reply with RSTs from every port, so everything appears closed.
hacking@kali# nmap -sF 192.232.2.1
5) -sP scan (Ping scan)
Ping checks whether a host is alive by sending it a probe and waiting for a reply. Nmap's ping scan is its host discovery step run on its own: it reports which hosts in the range are up and does not scan ports. (-sP is the old name; current versions call it -sn and still accept -sP.) As root, Nmap sends each target an ICMP echo request, a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, or plain ARP requests when the targets are on the local Ethernet segment. Without root it falls back to connect() attempts to ports 80 and 443, which works without administrative privileges but finds fewer hosts.
hacking@kali# nmap -sP 192.232.2.1/24
6) -sV scan (version detection)
Version detection is one of the most heavily used features of Nmap. To attack a target you need to know which software and which operating system it runs, so that you can pick exploits and plan a backdoor. It is much slower than a plain port scan: Nmap first runs an ordinary port scan to find the open ports, then connects to each one, sends a series of probes and matches the replies against its service fingerprint database to identify the product and version. The extra connections and round trips add up, but the version strings are what exploit selection depends on.
hacking@kali# nmap -sV 192.232.2.1
7) -sI scan (Idle scan)
This is one of Nmap's cleverest features, because it scans the target through a third machine, the zombie, and the target never sees a packet from the attacker's own address. Nmap spoofs SYNs that appear to come from the zombie and reads the zombie's IP ID counter before and after each probe to infer whether the port replied. That anonymity helps an attacker stay out of an investigation if something goes wrong. The zombie must be genuinely idle and must use a predictable, incrementing IP ID; Nmap tests this first and aborts if it does not hold. The command names the zombie first, then the target:
hacking@kali# nmap -sI 192.232.2.6 192.232.2.1
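To see what a connect scan and version detection actually do on the wire, here is an added example in Python; it is not part of the original text and not Nmap's code. It performs the -sT technique, a full connect() per port, reporting Nmap's states (open, closed, filtered), and a minimal -sV-style banner grab. Instead of a remote target it starts a constructed fake service on 127.0.0.1 that greets with a made-up SSH-style banner, so it runs offline; point connect_scan at a real host and port list to use it for real, and only against hosts you are permitted to scan.

```python
"""TCP connect scan with banner grabbing. Added example, not Nmap's code.

It does what -sT does (a full connect() per port, no root needed) and a
minimal version of what -sV does (read whatever the service says first).
Port states follow Nmap's vocabulary: a completed handshake is 'open',
an RST (ConnectionRefusedError) is 'closed', and silence until the
timeout is 'filtered' (something in the path is dropping packets).
"""
import socket
import threading
from typing import Dict, Iterable, Optional, Tuple


def probe_port(host: str, port: int, timeout: float = 1.0,
               grab_banner: bool = True) -> Tuple[str, Optional[str]]:
    """Return (state, banner) for one TCP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))          # full three-way handshake, like -sT
        except ConnectionRefusedError:
            return "closed", None            # the port answered with a RST
        except (socket.timeout, TimeoutError):
            return "filtered", None          # neither SYN/ACK nor RST came back
        except OSError:
            return "filtered", None          # e.g. host/network unreachable
        if not grab_banner:
            return "open", None
        try:
            data = s.recv(256)               # SSH, FTP, SMTP ... speak first
        except (socket.timeout, TimeoutError, OSError):
            data = b""                       # HTTP-style services wait for us
        banner = data.decode("ascii", errors="replace").strip() or None
        return "open", banner


def connect_scan(host: str, ports: Iterable[int],
                 timeout: float = 1.0) -> Dict[int, Tuple[str, Optional[str]]]:
    """Scan the given ports one by one; returns {port: (state, banner)}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def start_fake_service(banner: bytes) -> Tuple[int, threading.Thread]:
    """Constructed test fixture: a listener on 127.0.0.1 that sends `banner`
    to the first client (as an SSH or FTP server would) and then closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))               # port 0: the OS picks a free port
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    t = threading.Thread(target=serve, daemon=True)
    t.start()
    return port, t


def free_port() -> int:
    """Constructed helper: a port that nothing is listening on right now."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo() -> Dict[int, Tuple[str, Optional[str]]]:
    """Scan one fake open service plus one closed port on localhost."""
    open_port, _ = start_fake_service(b"SSH-2.0-OpenSSH_9.2p1 Debian-2\r\n")  # made-up banner
    closed_port = free_port()
    return connect_scan("127.0.0.1", [open_port, closed_port], timeout=1.0)


if __name__ == "__main__":
    for port, (state, banner) in sorted(demo().items()):
        print(f"{port}/tcp  {state:<9} {banner or ''}")
```

Note the asymmetry that Nmap deals with too: a refused connection is a definite "closed", but a timeout cannot distinguish a firewall from a dead host, which is why Nmap reports it as "filtered" rather than guessing.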
Things Nmap can detect:
Nmap's operating system detection (-O) reports the device type (router, switch, workstation and so on), the running operating system, its version details and the network distance, i.e. the number of hops between the attacker and the target. Use the ping step only when necessary: some firewalls notice the discovery probes and block the source address before the real scan begins, and a host configured not to answer ping would otherwise be skipped as down. The following command tells Nmap not to ping the remote hosts:
hacking@kali# nmap -O -Pn 192.232.2.0/24
-Pn (the older spelling -PN is still accepted) skips host discovery and treats every address as up; the port scan and OS detection then proceed as normal. OS detection works by fingerprinting the target's TCP/IP stack, and it needs at least one open and one closed TCP port to send its probes to. If it cannot find both, it prints this warning and the result is unreliable:
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Even with good probes a remote operating system is hard to identify exactly. When Nmap finds no exact fingerprint match, --osscan-guess makes it report the closest candidates:
# nmap -O --osscan-guess 192.232.2.1
With these commands and strategies you can learn a great deal about a target and use it to choose exploits and plan backdoors. Exploitation with Metasploit is covered in later chapters, after Nessus, an automatic vulnerability scanner that finds vulnerabilities you would otherwise have to hunt down by hand. First, a short exercise to consolidate information gathering.
Exercise:
Open a Kali Linux terminal. Scan scanme.nmap.org, the host the Nmap project provides for practising scans (do not scan hosts you have no permission to scan), and find which ports are open, which services and versions run on them, and which operating system it appears to use. Run several different scan types and write a detailed report comparing what each one found.
Automatic vulnerability Scanning
First of all, let us learn in detail about what vulnerability means along with examples of a few vulnerabilities.
What is a vulnerability?
A vulnerability is a defect in a system that lets an attacker get in: the attacker writes an exploit for the defect and uses it to plant a backdoor. Ransomware, for example, has exploited an unpatched Windows vulnerability to compromise systems worldwide. Web applications have their own classes of vulnerability: cross-site scripting (XSS), cross-site request forgery (CSRF) and others are catalogued by OWASP, whose Top 10 list and risk-rating methodology are the usual references for how severe a web vulnerability is.
What is Automatic Vulnerability Scanning?
Vulnerabilities can be found by manual testing once the code is written, but that is slow and tedious and is often skipped. Automated scanners exist for this reason: they probe the system and report anything that matches their database of known vulnerabilities. Nessus and Burp Suite are the usual tools, and used well they give good results. Keep in mind that every finding still needs to be confirmed by hand, because scanners produce false positives and miss logic flaws that have no signature.
Nessus
Nessus is an automated scanner with a large database of known vulnerabilities, its plugins, which it uses to test the target and report what it finds. For a penetration tester it is one of the essential tools. In summary it offers tens of thousands of regularly updated checks, a wide range of scan options, an easy-to-use web interface and effective reporting.
Here's how it works:
Nessus provides a complete vulnerability scanning service and updates its plugin database continually. Unlike older scanners it analyses results while the scan is still running, and its throughput scales with the machine it runs on: more CPU and memory let it run more checks in parallel. The checks are plug-ins written in NASL (Nessus Attack Scripting Language), Tenable's language for security tests, and you can write your own. Services behind SSL/TLS are fully supported.
Nessus is not part of the default Kali Linux installation. Download the Debian package from Tenable's web site, install it with dpkg, and start the service with systemctl start nessusd; on Linux it lives under /opt/nessus. It is then used through a browser: if the scanner's IP address is 192.232.2.1, open https://192.232.2.1:8834 (the certificate is self-signed, so the browser will warn). On first use you create a local administrator account and enter an activation code obtained from Tenable's web site; the free Nessus Essentials licence is enough for practice. Nessus then downloads its plugins, which takes a few minutes.
Creating a Basic Scan in Nessus
Step 1: To scan a host or web site, click My Scans in the Nessus menu and then New Scan. Choose a template: Web Application Tests for a web site, Advanced Scan (or Basic Network Scan) for a host.
Step 2: On the next page enter a name for the scan, a description and the target's IP address (a range or a hostname works too), then click Save. Back on the My Scans page, click Launch to start it.
Step 3: When the scan completes, the results are grouped by host and by severity into five levels, from Critical at the top down to Info. Click any finding to read its description, the plugin output that triggered it and the recommended fix. Working through them is how you harden your own systems, or how you choose where to attack.
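After step 3 the findings are usually exported (the Export button offers CSV) and processed outside the GUI. The following Python script is an added example, not Tenable's code: it reads such a CSV, counts findings per severity level, lists the Critical and High items per host, and shows which hosts share a given plugin. The column names follow the Nessus CSV export (Plugin ID, CVE, Risk, Host, Protocol, Port, Name), where Risk is None, Low, Medium, High or Critical and None corresponds to Info in the UI; the sample rows are constructed, with placeholder plugin IDs and finding names rather than real plugins or real hosts.

```python
"""Summarise a Nessus CSV export by severity and pull out what to fix first.

Added example, not Tenable's code. Column names are those of the Nessus CSV
export; the Risk column holds None/Low/Medium/High/Critical, with None being
the Info level shown in the UI. SAMPLE_CSV is constructed: plugin IDs and
finding names are placeholders, not real Nessus plugins.
"""
import csv
import io
from collections import Counter, defaultdict
from typing import Dict, List

SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Info"]   # highest first

SAMPLE_CSV = """\
Plugin ID,CVE,Risk,Host,Protocol,Port,Name
90001,,None,192.232.2.1,tcp,22,SSH service banner (placeholder)
90002,,None,192.232.2.1,tcp,0,Scan information (placeholder)
90003,,Critical,192.232.2.1,tcp,21,FTP service with remote code execution (placeholder)
90004,,High,192.232.2.4,tcp,3306,Database root account without password (placeholder)
90005,,Medium,192.232.2.4,tcp,80,Directory listing enabled (placeholder)
90006,,Low,192.232.2.4,tcp,80,Server version disclosed in headers (placeholder)
90004,,High,192.232.2.7,tcp,3306,Database root account without password (placeholder)
"""


def parse_nessus_csv(text: str) -> List[Dict[str, str]]:
    """Read the export and add a Severity column using the UI's level names."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        risk = (row.get("Risk") or "None").strip()
        severity = "Info" if risk == "None" else risk
        if severity not in SEVERITY_ORDER:
            raise ValueError(f"unexpected Risk value {risk!r} for plugin {row.get('Plugin ID')}")
        row["Severity"] = severity
        rows.append(row)
    return rows


def severity_counts(rows: List[Dict[str, str]]) -> Dict[str, int]:
    """Finding counts per level, always listing all five levels."""
    counts = Counter(r["Severity"] for r in rows)
    return {level: counts.get(level, 0) for level in SEVERITY_ORDER}


def findings_by_host(rows: List[Dict[str, str]],
                     min_severity: str = "High") -> Dict[str, List[str]]:
    """Host -> 'port/proto name [Severity]' for findings at or above min_severity."""
    cutoff = SEVERITY_ORDER.index(min_severity)
    result: Dict[str, List[str]] = defaultdict(list)
    for r in rows:
        if SEVERITY_ORDER.index(r["Severity"]) <= cutoff:
            result[r["Host"]].append(
                f"{r['Port']}/{r['Protocol']} {r['Name']} [{r['Severity']}]")
    return dict(result)


def hosts_hit_by_plugin(rows: List[Dict[str, str]], plugin_id: str) -> List[str]:
    """Every host on which one plugin fired: 'which machines share this hole'."""
    return sorted({r["Host"] for r in rows if r["Plugin ID"] == plugin_id})


def report(rows: List[Dict[str, str]], min_severity: str = "High") -> str:
    """Plain-text summary suitable for pasting into a test report."""
    lines = ["Findings by severity:"]
    lines += [f"  {level:<9}{n}" for level, n in severity_counts(rows).items()]
    lines.append(f"Fix first ({min_severity} and above):")
    for host, items in sorted(findings_by_host(rows, min_severity).items()):
        lines.append(f"  {host}")
        lines += [f"    {item}" for item in items]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_nessus_csv(SAMPLE_CSV)))
```

Replace SAMPLE_CSV with the contents of a real export to use it; if Tenable renames a column in a future version, parse_nessus_csv is the only place that needs adjusting.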
Netcat
Netcat, the Swiss army knife of network tools, comes pre-installed with Kali Linux. It reads and writes raw data across the network over TCP or UDP, and because it talks to standard input and output it combines with redirection, pipes and other tools in countless ways, in scripts as well as interactively. It serves for information gathering, ad-hoc communication and backdoors. Its model is simple: one side listens (the server), the other connects (the client), and from then on you have a raw byte pipe between the two hosts. Anything you can push through a pipe, a chat session, a file, a video stream, a shell, you can push through Netcat. Its uses are discussed in detail below.
Examples of Netcat:
Figure: the two hosts used in the examples, A (192.232.2.23) and B (192.232.2.43).
How can Netcat be used in Kali Linux?
How to start Netcat: in a Kali terminal type nc and press Enter. With no arguments Netcat prints its usage summary; the real work is done with the options shown in the examples below.
$ nc
1) Netcat for port scanning. Beginners are often confused by the term port scanning because of how often penetration testers use it. In plain terms it is the process of finding which ports are open on a host, in the hope that one of the services behind them has a vulnerability or a backdoor that can be exploited. Netcat can do a simple connect scan: -z means connect without sending data, -v prints the result for each port, -n skips DNS resolution, and the last argument is a port range.
$ nc -z -v -n 192.232.2.3 21-25
2) Using Netcat to start a chat server. Imagine a restricted environment, an office network where messaging services are blocked. Netcat can provide a chat channel: one host listens on a port, the other connects to it, and whatever either side types is sent to the other line by line. (netcat-traditional, one of the variants Kali ships, needs -p before the listening port; the OpenBSD variant and ncat accept the same form.)
Server $ nc -l -p 2343
Client $ nc 192.232.2.1 2343
All messages travel over that single TCP connection. Be aware that plain Netcat sends everything in cleartext: anyone sniffing the segment with Wireshark reads the whole conversation. If confidentiality matters, use ncat (the Nmap project's Netcat, also in Kali) with --ssl on both ends, or run the session through an SSH tunnel.
3) File transfer. An attacker working inside a network frequently needs to move files between two machines. Normally FTP or SCP would be used, but on a network where you cannot install extra software Netcat is the safe bet, because it is almost always present. Either host can be the listener; what decides the direction of the data is which side has the file redirected into its input and which side redirects its output to a file. The examples send example.avi from host X (192.232.2.1) to host Y (192.232.2.3).
X as server (the sender listens, the receiver connects):
$ nc -l -p 6870 < example.avi
Y as client:
$ nc -n 192.232.2.1 6870 > example.avi
Y as server (the receiver listens, the sender connects):
$ nc -l -p 6870 > example.avi
X as client:
$ nc 192.232.2.3 6870 < example.avi
Netcat prints nothing when the transfer is done, and some variants keep the connection open after the file has been sent; with netcat-traditional add -q 1 on the sending side so that it exits one second after end of input. Always compare checksums afterwards, for example with sha256sum on both hosts, because a truncated transfer looks exactly like a successful one.
4) Streaming a video from the server. There are other ways to do this, but from the command line Netcat is the quickest: the server pipes the file into a listener, and the client pipes the incoming stream straight into a media player.
Server
$ cat tutorial.avi | nc -l -p 2343
Client (for example with mpv, which reads the stream from standard input)
$ nc 192.232.2.1 2343 | mpv -
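The file-transfer and streaming examples above share one weakness: Netcat gives no indication whether the bytes arrived intact. The Python program below is an added example, not part of the original page and not Netcat: it reimplements the "receiver listens, sender connects" form with plain sockets, hashes the file on both ends and compares, and includes a constructed failure switch that cuts the sender off mid-file so the mismatch that nc would silently hide becomes visible. Both ends run against 127.0.0.1 on a generated file.

```python
"""Netcat-style file transfer over raw TCP with an end-to-end checksum.

Added example; it is neither Netcat nor code from the original page. It
replays 'nc -l -p PORT > file' on one side and 'nc HOST PORT < file' on
the other with plain sockets, and adds the SHA-256 comparison that nc
never gives you. Both sides run here against 127.0.0.1 on a constructed
file; the `limit` parameter is a constructed failure switch.
"""
import hashlib
import os
import socket
import tempfile
import threading
from typing import Optional, Tuple


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def open_listener(host: str, port: int) -> socket.socket:
    """The 'nc -l -p PORT' half: bind and listen; port 0 lets the OS choose."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def receive_file(srv: socket.socket, out_path: str) -> str:
    """Accept one connection, write everything received to out_path (the
    '> file' redirection) and return the SHA-256 of what landed on disk."""
    with srv:
        conn, _ = srv.accept()
        with conn, open(out_path, "wb") as f:
            while True:
                chunk = conn.recv(65536)
                if not chunk:            # peer closed its side: EOF, as nc sees it
                    break
                f.write(chunk)
    return sha256_file(out_path)


def send_file(host: str, port: int, path: str, limit: Optional[int] = None) -> str:
    """The 'nc HOST PORT < file' half. `limit` (constructed failure switch)
    sends only the first N bytes, like a connection dying mid-transfer.
    Returns the SHA-256 of the whole file, i.e. what the receiver should get."""
    with socket.create_connection((host, port), timeout=5) as s, open(path, "rb") as f:
        s.sendfile(f, count=limit)
        s.shutdown(socket.SHUT_WR)       # signal EOF; 'nc -q 1' does the same job
    return sha256_file(path)


def transfer_local(payload: bytes, limit: Optional[int] = None) -> Tuple[bool, str, str]:
    """Run receiver and sender against each other on localhost.
    Returns (hashes_match, sender_hash, receiver_hash)."""
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "example.avi")
    dst = os.path.join(workdir, "received.avi")
    with open(src, "wb") as f:
        f.write(payload)
    srv = open_listener("127.0.0.1", 0)
    port = srv.getsockname()[1]
    result = {}
    rx = threading.Thread(target=lambda: result.update(recv=receive_file(srv, dst)))
    rx.start()
    sent = send_file("127.0.0.1", port, src, limit)
    rx.join(10)
    return sent == result["recv"], sent, result["recv"]


if __name__ == "__main__":
    data = os.urandom(300_000)           # constructed stand-in for example.avi
    for lim in (None, 100_000):
        ok, a, b = transfer_local(data, lim)
        kind = "complete" if lim is None else "truncated"
        print(f"{kind} transfer: {'OK' if ok else 'MISMATCH'}  sent {a[:12]}  got {b[:12]}")
```

The truncated run ends exactly like the good one from the receiver's point of view (a clean EOF), which is why the checksum, not the absence of an error, is the only evidence that a Netcat transfer succeeded.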
The examples above show how useful Netcat is, and there are dozens of further experiments you can do with it to sharpen your skills. This chapter has covered Nmap, Nessus and Netcat in detail, with examples that show what happens behind the scenes when these tools are used.