Pentesting with Kali Linux

Authors: Mikhail Zolotukhin and Timo Hämäläinen

1. Introduction

In this tutorial, we get familiar with several Kali Linux tools and run a few penetration tests against our local network and web server. We assume that you have already created and configured the virtual network environment as described in the previous tutorial. The remainder of this tutorial is organized as follows. Several preliminary tasks are presented in Section 2. Various Kali tools are presented in Section 3. Assignments are listed in Section 4. Section 5 concludes the tutorial.

Some of the basic assignments in this document are based on the results of the tests carried out during the tutorial, therefore it makes sense to save the outputs of the commands executed during the tutorial, as they may be required for answering the questions later! This will be true for some of the future assignments of the course as well, therefore please always check the assignments first before starting with the tutorial.

This tutorial (including assignments) takes on average 6.91 hours to complete.

2. Preliminary questions

  • Explain the meaning of the following terms in relation to network security: penetration test, vulnerability, exploit, malware and payload.
  • What do you know about the following types of cyber attacks: denial-of-service, port scanning, SQL injection, password brute-forcing and social engineering?

3. Kali tools

In this section, several Kali applications designed for pentesting are briefly overviewed. It makes sense to check the basic assignment at the end of this document at this point, as you will be asked about the pentesting results. In other words, it is recommended to save results of the tests carried out during the tutorial somewhere in order to be able to answer the assignment questions later.

3.1 Nmap

Nmap (network mapper) is the most popular security scanner used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses.

To scan the default 1000 ports on the webserv virtual machine 192.168.11.2, type in the terminal of Kali (the "$" symbol is not part of the commands below):

$ nmap 192.168.11.2

You can also specify the ports you would like to check by adding the parameter "-p":

$ nmap 192.168.11.2 -p21,22,80,443,1194

To scan the entire subnet 192.168.11.0/24, you can use an Nmap SYN scan as follows:

$ sudo nmap -sS 192.168.11.0/24

To perform OS detection, run nmap with the parameter "-O" (capital o). For example, run it against the gateway:

$ sudo nmap -O 192.168.12.1

and the web server:

$ sudo nmap -O 192.168.11.2 

Surprisingly, nmap cannot guess the OS of the server.

Let's perform service detection. For this purpose, run nmap with the parameter "-A" against the web server:

$ nmap -A 192.168.11.2

As a result, you will find much more information about the host and its SSH and HTTP services, which will indicate that the host is Ubuntu.

Finally, you can check for known vulnerabilities by running nmap as follows:

$ nmap --script vuln 192.168.11.2

which should not be able to find any vulnerabilities if you use the latest version of Ubuntu.

3.2 Metasploit and Armitage

The Metasploit framework is a tool for developing and executing exploit code against a remote target machine. You can start Metasploit by typing in the terminal:

$ msfconsole

For example, Metasploit offers a port scanner as an auxiliary module. To run this scan, type in msfconsole:

use auxiliary/scanner/portscan/tcp

Type

show options

to see the available options. You can reduce the number of ports scanned by typing

set ports 1-500

You have to specify a target IP to scan. Let us assume you want to scan the webserv machine. For this purpose, type

set RHOSTS 192.168.11.2

Finally, type

run

The scan will start and after some time it will show you which TCP ports are open and potentially vulnerable to an attack. If the scan is successful and you find some vulnerable ports on the target machine, the next step is to figure out which exploits work on the OS you are attacking. In our case, it is Linux. Leave the auxiliary scanner module (e.g. by typing "back") and type in msfconsole

search exploit/linux

The process of running exploits is described in more detail in one of the next tutorials. At this point, just exit from msfconsole by typing:

exit

Armitage is a graphical cyber attack management tool for the Metasploit project that visualizes targets and recommends exploits. You can install it on the Kali machine by typing

$ sudo apt update
$ sudo apt install armitage -y

After that, you can start Armitage by using the following commands:

$ sudo service postgresql start
$ sudo msfdb init
$ armitage

In the "Connect..." window that appears, just click "Connect" and then "Yes" when it asks to start the Metasploit RPC server.

I don't know if it is OK to do at this point, but Armitage was not successfully installed in my Kali system until I ran the sudo apt update command; after that it worked.

17 Sep 23 (edited 17 Sep 23)

Use "sudo apt update" every time you try to install something and there are some errors with repo URLs.

19 Sep 23 (edited 19 Sep 23)

Once Armitage has started, go to "Hosts -> Nmap Scan -> Quick Scan (OS detect)", type the IP address or subnet you would like to scan (e.g. 192.168.11.2) and click OK.

Once the scan has been completed, use "Attacks -> Find Attacks" to find and run exploits suggested for your target. If any potential attacks have been found, they will appear in the "Attacks" menu when you right-click on one of the hosts found with the scan. At this point, just close Armitage and move to the next section.

3.3 Hydra

A brute-force attack is a password cracking "method" in which all possible combinations are checked against encrypted data until the right key is found. Brute-force attacks are extremely costly in resources and time, because the attacker exploits weaknesses in the encryption by taking advantage of the key length and the simplicity of the key. A password is often based on dictionary words, meaning that the total space an attacker has to test is all words in a matching dictionary, which makes the guessing scope significantly smaller than for a password made of random characters. One well-known tool for performing brute-force and dictionary attacks is Hydra. It uses the brute-force method to test credentials against a variety of different protocols.

Unfortunately, the Hydra package installed on the latest version of Kali is buggy, so purge it:

$ sudo apt purge hydra

We have to compile another one ourselves. First install the libssh-dev library:

$ sudo apt install libssh-dev

Download Hydra release 9.2 or 9.3 from here:

https://github.com/vanhauser-thc/thc-hydra/releases

For example:

$ wget https://github.com/vanhauser-thc/thc-hydra/archive/refs/tags/v9.2.zip

or

$ wget https://github.com/vanhauser-thc/thc-hydra/archive/refs/tags/v9.3.zip

Then unzip:

$ unzip v9.2.zip

or

$ unzip v9.3.zip

Change directory to thc-hydra:

$ cd thc-hydra-<version number here>

and do the installation:

$ ./configure
$ make
$ sudo make install

Get back to the main working directory:

$ cd ..

Check that Hydra version is 9.2 or 9.3:

$ hydra -h

Download a simple password list:

$ wget http://student:Ties327_2023@users.jyu.fi/%7Emizolotu/teaching/files/password.lst

Let's first crack the password of our web server SSH account. For this purpose, type in the terminal:

$ hydra -l webserv -P password.lst ssh://192.168.11.2 -I -V

Here "webserv" is the username of your web server account, "-I" tells Hydra to ignore results obtained previously, and "-V" is used for more detailed output.

Some students forget or skip installing LibSSH in one of the previous commands, and as a result the SSH server brute-forcing will not start. If this is your case, you need to make sure that LibSSH is installed:

$ sudo apt install libssh-dev -y

Then reinstall Hydra as follows:

$ cd thc-hydra-<version number here>
$ make clean
$ ./configure
$ make
$ sudo make install

and get back to the main working directory:

$ cd ..

To apply Hydra to the bank Oceanic web page, we need to carry out a bit of reconnaissance. Open Firefox (it is in the top left corner) and browse to the bank Oceanic login page:

https://192.168.11.2/accounts

Accept the risk. In the browser's menu navigate to "More tools -> Web Developer Tools -> Network". Input the username "alice" and some random password, e.g. "123", into the login form and click "Login". You will notice that several lines have now appeared in the developer console at the bottom, one for each file sent and/or received. The first line should correspond to the file "loginproc.php" and have the method "POST". This is the first bit of information we need.

Next, select this first file by clicking it once and at the right side of the console select "Headers". Scroll a bit down and in "Request Headers" find the header with your PHP session ID, which looks similar to the following:

Cookie: PHPSESSID=fnhjjptjrrq1kq6rgedoma9n7q  

The session id value will obviously be different in your case. Copy this entire line somewhere, as we will need it later. If the cookie contains other parameters, copy them too.

After that, click "Request" and check the request payload, which should look as follows if you toggle "Raw":

username=alice&password=123&Submit=Login

Next, select the second file in the list which should be "index.php" and in the right menu select "Response". Here we need to find some words which would indicate that the login attempt was unsuccessful. Let's for example use the following phrase which can be found in that payload:

Please login to your bank account

which is just an educated guess as it would be strange to receive this message in the case of a successful login.

Finally, we can carry out the attack with Hydra:

$ hydra -l alice -P password.lst 192.168.11.2 http-post-form "/accounts/loginproc.php:username=^USER^&password=^PASS^&Submit=Login:Please login to your bank account:H=Cookie: PHPSESSID=fnhjjptjrrq1kq6rgedoma9n7q" -I -V

The syntax was not correct; my command prompt message for this was: "[ERROR] Wrong syntax of optional argument: Cookie". I inferred that the "Cookie:" part may be excessive, so I removed it and got Hydra running.

08 Sep 23

Nope, everything is correct with the command :)

Tip: there are two line breaks, remove them; the command will not work if there are any

09 Sep 23 (edited 14 Sep 23)

Cookie error -> remove the line break

11 Sep 23

In the command above, substitute the Cookie with the one you retrieved from the session earlier.

Here we use "http-post-form" because the method of the loginproc.php request was POST; the alternative would be "http-get-form". The directives "username=^USER^" and "password=^PASS^" tell Hydra to substitute, respectively, the username specified with "-l", i.e. "alice", and a password from the password list specified with "-P", i.e. "password.lst". The phrase "Please login to your bank account" is needed to indicate a failed login attempt, i.e. if the webpage returned by the server after a login attempt contains this phrase, the credentials are invalid. The parameter "H" is used to specify headers, which in our case include only cookies. In fact, using PHPSESSID is not mandatory in this case, but it will be essential for the attack in the assignment.
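The form specification string has a strict shape, and the comments above show the two ways it usually goes wrong: a line break copied into the argument, and the colon inside the Cookie header. The checker below is an added example written for this tutorial, not Hydra's own parser; it models Hydra's colon-separated fields and the "\:" escape in a simplified way (an assumption: an option that does not start with H=, C=, F= or S= is treated as the continuation of the previous option, which is how the unescaped "Cookie: PHPSESSID=..." header survives) and rejects a spec containing a line break.

```python
PLACEHOLDERS = ("^USER^", "^PASS^")
OPTIONAL_KEYS = ("H=", "C=", "F=", "S=")   # extra header, cookie, fail/success string

def split_unescaped_colons(spec):
    """Split on ':' while keeping '\\:' as a literal colon (Hydra's escape)."""
    fields, cur, i = [], [], 0
    while i < len(spec):
        if spec[i] == "\\" and i + 1 < len(spec) and spec[i + 1] == ":":
            cur.append(":")
            i += 2
            continue
        if spec[i] == ":":
            fields.append("".join(cur))
            cur = []
        else:
            cur.append(spec[i])
        i += 1
    fields.append("".join(cur))
    return fields

def parse_post_form_spec(spec):
    """Return the parts of an http-post-form argument, or raise ValueError."""
    if "\n" in spec or "\r" in spec:
        raise ValueError("line break inside the form spec: join it into one line")
    fields = split_unescaped_colons(spec)
    if len(fields) < 3:
        raise ValueError("need at least path:body:condition")
    path, body, cond = fields[0], fields[1], fields[2]
    # A bare condition is a failure string; F=/S= make failure/success explicit.
    if cond.startswith("S="):
        condition = ("success", cond[2:])
    elif cond.startswith("F="):
        condition = ("failure", cond[2:])
    else:
        condition = ("failure", cond)
    options = []
    for f in fields[3:]:
        if f.startswith(OPTIONAL_KEYS):
            options.append(f)
        elif options:
            # Assumption: an unescaped colon inside a header value (Cookie: ...)
            # belongs to the previous option rather than starting a new one.
            options[-1] += ":" + f
        else:
            raise ValueError("wrong syntax of optional argument: %r" % f)
    headers = [o[2:].strip() for o in options if o.startswith("H=")]
    warnings = ["%s missing from the body" % p for p in PLACEHOLDERS if p not in body]
    if not path.startswith("/"):
        warnings.append("path should start with '/'")
    return {"path": path, "body": body, "condition": condition,
            "headers": headers, "warnings": warnings}

if __name__ == "__main__":
    # The spec from the tutorial's own Hydra command, on one line.
    spec = ("/accounts/loginproc.php:username=^USER^&password=^PASS^&Submit=Login:"
            "Please login to your bank account:H=Cookie: PHPSESSID=fnhjjptjrrq1kq6rgedoma9n7q")
    print(parse_post_form_spec(spec))
```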

3.4 Sqlmap

SQL injection is a code injection technique, used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, through fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Let's perform an SQL injection attack against our bank website login page "192.168.11.2/accounts/loginproc.php". First, you will again need to obtain the PHP session id. Then run in the terminal:

$ sqlmap -u http://192.168.11.2/accounts/loginproc.php --data="username=alice&password=123&Submit=Login" --cookie="PHPSESSID=i7aj9dkiafgtcseigblm2mlfia" --flush-session

substituting the PHP session id with the one you retrieved. Here the flag "-u" specifies the URL, "--data" specifies the data pattern, "--cookie" specifies the cookie, and "--flush-session" avoids using sessions stored for the current target.

Answer all the questions that pop up during the test with "y". You can check more information about HTTP errors at https://www.sqlinjection.net/http-errors/. Once the test has finished, carefully check the output and find the vulnerable parameter and payload to exploit the vulnerability.

Am I missing something or do I need to modify the payload? The command seems to return a "bogus" SQL injection that proves that it works, but it does not automatically log in as user alice.

15 Sep 23

Update: By doing the exercises below, I was able to get access to Alice's account.

15 Sep 23
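To see what Sqlmap is finding in loginproc.php, here is an added example (not the bank application's code, which we never see) of a login handler written the vulnerable way beside its hardened form, with a miniature of the first heuristic Sqlmap applies: does a stray quote in a request parameter turn into a database error? The table and credentials are constructed sample data in an in-memory SQLite database.

```python
import sqlite3

def make_db():
    """Constructed sample data standing in for the bank's accounts table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", "alice-pw-constructed"), ("bob", "bob-pw-constructed")])
    return conn

def login_vulnerable(conn, username, password):
    """The defect Sqlmap looks for: request fields pasted straight into the SQL text."""
    query = ("SELECT username FROM accounts WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Hardened form: the same query with bound parameters, so input stays data."""
    row = conn.execute(
        "SELECT username FROM accounts WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None

def quote_breaks_query(conn, login_fn):
    """Does a lone quote in a parameter produce a database error? On a web app this
    surfaces as the HTTP errors the Sqlmap output reports."""
    try:
        login_fn(conn, "alice'", "123")
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"   # the textbook payload an automated tool confirms
    print("vulnerable handler, wrong password:", login_vulnerable(db, "alice", "123"))
    print("vulnerable handler, injected password:", login_vulnerable(db, "alice", bypass))
    print("safe handler, injected password:", login_safe(db, "alice", bypass))
    print("quote probe -> vulnerable:", quote_breaks_query(db, login_vulnerable),
          "safe:", quote_breaks_query(db, login_safe))
```

The bound-parameter version is the countermeasure to look for when answering the assignment question on mitigations.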

3.5 Nping

Nping is an open source tool for network packet generation, response analysis and response time measurement. Nping can generate network packets for a wide range of protocols, allowing users to have full control over protocol headers. While Nping can be used as a simple ping utility to detect active hosts, it can also be used as a raw packet generator for network stack stress testing, ARP poisoning, denial-of-service attacks, route tracing, etc.

To start a DoS attack against our web server (192.168.11.2) with Nping, run in the Kali terminal:

$ nping --tcp-connect --rate=1000000 --count 1000000 192.168.11.2

where "--tcp-connect" sets unprivileged TCP connect probe mode, "--rate" is the number of packets per second to send and "--count" is the number of rounds.

3.6 Slowhttptest

In order to test more advanced denial-of-service attacks, install Slowhttptest:

$ sudo apt install slowhttptest

With the help of Slowhttptest, you can perform a Slowloris attack, a type of DoS in which the attacker initiates lots of connections with the server and tries to hold them open as long as possible by periodically sending subsequent HTTP headers, adding to, but never completing, the requests. As a result, our web server keeps these connections open, filling its maximum concurrent connection pool and eventually denying additional connection attempts from clients. To perform this type of attack against your web server, type in the terminal:

$ slowhttptest -c 1000 -H -i 10 -r 200 -t GET -u https://192.168.11.2/accounts/index.php -x 24 -p 3

where "-c 1000" is the number of connections, "-H" signals that slowloris mode is used, "-i 10" is the interval between sending headers, "-r 200" is the data rate, "-t GET" is the HTTP method to use, "-u https://192.168.11.2/accounts/index.php" is the attack target, "-x 24" is the maximum length of a header and "-p 3" is the timeout to wait for an HTTP response on the probe connection, after which the server is considered inaccessible.
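A discrete-time model of the connection-pool exhaustion just described, added here as an example (not part of slowhttptest or of the original tutorial). It assumes a fixed worker pool, attacker connections from a single source, and one legitimate request per second, and compares no controls, a header read timeout (the control Apache's RequestReadTimeout directive enforces) and a per-source connection cap; the pool size and rates are constructed numbers.

```python
def simulate(pool_size, attack_rate, header_timeout=None, per_ip_limit=None, steps=120):
    """One server, one second per step.
    Each second the attacker (a single source, like the Kali VM) opens attack_rate
    new connections that send partial headers and never finish (Slowloris); one
    legitimate client also arrives and is served instantly if a slot is free.
    header_timeout: drop a connection whose headers are still incomplete after
      that many seconds. per_ip_limit: cap on concurrent connections from one
      source (e.g. a firewall connection limit). None disables either control.
    Returns (served, rejected) counts for the legitimate client."""
    held = []            # open times of attacker connections still occupying a slot
    served = rejected = 0
    for t in range(steps):
        if header_timeout is not None:
            held = [opened for opened in held if t - opened < header_timeout]
        free = pool_size - len(held)
        want = attack_rate
        if per_ip_limit is not None:
            want = min(want, max(0, per_ip_limit - len(held)))
        held.extend([t] * min(want, free))      # attacker grabs free slots first
        if len(held) < pool_size:
            served += 1
        else:
            rejected += 1
    return served, rejected

if __name__ == "__main__":
    pool = 150   # assumption: an Apache-like default worker pool
    cases = [("no controls, fast attacker", dict(attack_rate=200)),
             ("header timeout only, fast attacker", dict(attack_rate=200, header_timeout=20)),
             ("header timeout only, slow attacker", dict(attack_rate=5, header_timeout=20)),
             ("no controls, slow attacker", dict(attack_rate=5)),
             ("per-IP limit, fast attacker", dict(attack_rate=200, per_ip_limit=50))]
    for label, kw in cases:
        print("%-38s served=%3d rejected=%3d" % ((label,) + simulate(pool, **kw)))
```

The header timeout alone only helps while the attacker's reconnect rate multiplied by the timeout stays below the pool size, which is why it is normally combined with per-source connection limits.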

3.7 Blackeye

Blackeye is a shell-scripted tool for performing phishing attacks inside and outside a LAN, combined with ngrok. It can be used in social-engineering-related pentesting jobs. Clone the blackeye git repository:

$ git clone https://github.com/An0nUD4Y/blackeye

If you have problems when cloning the repo using this command, you can always visit GitHub in the browser using the link given, i.e. "https://github.com/An0nUD4Y/blackeye", download the repo by clicking "Code -> Download ZIP", and then extract the downloaded archive.

After that, navigate to the directory:

$ cd blackeye

and start the tool:

$ ./blackeye.sh

Type "1" to choose Instagram. Once you see "Waiting victim open the link ...", test the attack by opening the browser on kali-VM and navigating to:

http://localhost:3333

Input some username and password and click "Log in". In the terminal, stop blackeye if it is still running, and retrieve the credentials with:

$ cat sites/instagram/saved.usernames.txt 

The command above assumes you are still in the blackeye directory.

4. Assignment (5p.)

4.1 Preliminary

Complete the test based on the preliminary questions (1 point).

# pen_basic1
# pen_basic2

4.2 Basic

Using kali-VM, perform all the tests presented in the tutorial. Complete the test below based on the results obtained (1 point).

# pen_basic3
# pen_basic4
# pen_basic5
# pen_basic6
# pen_basic7
# pen_basic8
# pen_basic9
# pen_basic10
# pen_basic11

Find information on the Internet about what countermeasures can be employed against the attacks performed in this tutorial. Select one attack for each countermeasure listed (1 point).

Is there a pedagogical reasoning as to why the best attained scoring doesn't stay, and students are punished for trying? E.g. two tries, first one awarded 0.9 points and second try awarded 0.8 points. Because the number of tries is limited, one cannot scroll back to 1st answer and the worse scoring stays in effect.

10 Sep 23
# pen_basic12

4.3 Advanced

Perform a brute-force attack with Hydra against the Damn Vulnerable Web Application (DVWA) installed on the webserv-VM. For this purpose, on kali-VM, browse to

http://192.168.11.2/dvwa/

and log in using the username "admin" and password "password". In the menu on the left panel, select "Brute Force". Attack this web page by using Hydra to crack the passwords for the following users:

  • gordonb
  • pablo
  • smithy
  • 1337

Follow the approach demonstrated in the tutorial, i.e. use the web developer tools to extract the URL, HTTP method, cookie, request payload data, and some phrase which would indicate an unsuccessful login attempt. You can also try using Burp Suite for this purpose; it comes preinstalled on Kali, and if not, you can install it with apt.

In the textbox below, write the command used for the attack against one of the users, e.g. pablo (0.5 points).

# pen_advanced1

Did you manage to crack all the passwords? If Hydra outputs several "correct" passwords for the same account, you are doing something wrong!

Enter the correct passwords to the corresponding fields below (0.5 points).

# pen_advanced2

Similarly, in the main menu of DVWA click on "SQL Injection". Use Sqlmap to attack this page and dump the entire table with all the users' credentials and personal information. Please do not use the "--all" flag: theoretically it is correct, but practically not really, as it prints too much. There is a better option.

In the textbox below, type the Sqlmap command used for the attack (0.5 points).

# pen_advanced3

Enter the information discovered about the DVWA users (0.5 points).

# pen_advanced4

4.4 General comments and feedback

Let us know how many hours in total you have spent on this assignment (just type the number into the box):

# pen_time

On a scale from 1 to 10, estimate how interesting and how difficult the tutorial was:

# pen_interest
# pen_difficulty

You can also give us some general feedback:

# pen_feedback

5. Conclusion

Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. Kali Linux provides users with easy access to a comprehensive and large collection of security-related tools ranging from port scanners to password crackers. In this tutorial, several Kali applications designed for pentesting are briefly overviewed.

More information on the topic can be found at:
