We then learned how to search Shodan using keywords and filters, and finally we learned how to search Shodan from within Kali using Metasploit.
It is critical that companies know which of their systems are publicly reachable from the internet. Shodan is a quick and easy way to find these devices. I highly recommend that security teams, and even small businesses and home users, check what Shodan has indexed for their address space so they know exactly what they are exposing.
Metasploitable 2 is a purposefully vulnerable Linux distribution. What this means is that it has known bugs and vulnerabilities built in on purpose. It is a training platform made to be used with Metasploit to practice and hone your computer security skills in a legal environment. The resources above cover a lot of information on installing and using Metasploitable 2 so I will not spend a lot of time on this topic.
But we will go through a couple of the exploits using Kali just to see how things work. Just download the file, unzip it and open it with VMware Player. A link to the video can be found in the Resources section above.
Once Metasploitable boots you arrive at the main login screen. To log in, enter the username and password shown on the banner; they are printed right on the login screen! Logging in is anticlimactic: you simply end up at a text-based terminal prompt. But we are not here to use the system from the keyboard; the goal is to get into the system remotely from our Kali machine.
If we can determine open ports and service program versions, then we may be able to exploit a vulnerability in the service and compromise the machine. The first thing to do is to run an nmap scan and see what services are installed.
This will show us the open ports and try to enumerate what services are running. In a few minutes the scan completes, and for each port we see the port number, the service type and even an attempt at identifying the service software version.
Several of the usual ports are open in the scan output above. Tutorials normally go after the main port services first, but I recommend also looking at services sitting on higher ports. Which is more likely to be patched and up to date: a common core service, or a secondary service that was installed at one time and possibly forgotten about? Our next step is to search for known vulnerabilities in that software release.
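As an added example (not from the book), here is a small Python parser for nmap's greppable output (-oG) that lists what is open and puts the higher-port, less-obvious services first, as the paragraph above recommends, and turns each version banner into a short term you could paste into msfconsole's search. The scan output is a constructed sample with a made-up address and version strings in the style of Metasploitable 2, not the book's own scan.

```python
import re
from typing import Dict, List, NamedTuple


class Service(NamedTuple):
    port: int
    proto: str
    name: str
    version: str


# Constructed sample of nmap greppable output (nmap -sV -oG -). The host
# address and version strings are invented for this example.
SAMPLE_GNMAP = (
    "# Nmap 6.40 scan initiated as: nmap -sV -oG - 192.168.56.102\n"
    "Host: 192.168.56.102 ()\tStatus: Up\n"
    "Host: 192.168.56.102 ()\tPorts: "
    "21/open/tcp//ftp//vsftpd 2.3.4/, "
    "22/open/tcp//ssh//OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)/, "
    "23/open/tcp//telnet//Linux telnetd/, "
    "80/open/tcp//http//Apache httpd 2.2.8/, "
    "139/open/tcp//netbios-ssn//Samba smbd 3.X/, "
    "445/closed/tcp//microsoft-ds///, "
    "3306/open/tcp//mysql//MySQL 5.0.51a/, "
    "6667/open/tcp//irc//Unreal ircd/, "
    "8180/open/tcp//http//Apache Tomcat Coyote JSP engine 1.1/"
    "\tIgnored State: closed (990)\n"
    "# Nmap done -- 1 IP address (1 host up)\n"
)


def parse_gnmap(text: str) -> Dict[str, List[Service]]:
    """Return {host: [open services]} from greppable nmap output.

    Each entry in the Ports field has seven slash-separated fields:
    port/state/protocol/owner/service/rpc-info/version.
    """
    hosts: Dict[str, List[Service]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            hosts.setdefault(host, []).append(
                Service(int(fields[0]), fields[2], fields[4], fields[6]))
    return hosts


def prioritize(services: List[Service], threshold: int = 1024) -> List[Service]:
    """Order services so the non-standard (high) ports come first: a secondary
    service someone installed once and forgot is more likely to be stale than
    the core services everyone watches."""
    high = sorted((s for s in services if s.port >= threshold), key=lambda s: s.port)
    low = sorted((s for s in services if s.port < threshold), key=lambda s: s.port)
    return high + low


def search_terms(service: Service) -> str:
    """Product name plus leading version number, for 'search <term>' in msfconsole."""
    words = service.version.split()
    if not words:
        return service.name
    m = re.match(r"\d+(\.\d+)*", words[1]) if len(words) > 1 else None
    return f"{words[0]} {m.group(0)}" if m else words[0]


if __name__ == "__main__":
    for host, services in parse_gnmap(SAMPLE_GNMAP).items():
        print(f"[{host}]")
        for s in prioritize(services):
            print(f"  {s.port:>5}/{s.proto}  {s.name:<12} {s.version:<45} search: {search_terms(s)}")
```

Feed it a real scan with `nmap -sV -oG scan.gnmap <target>` and `parse_gnmap(open("scan.gnmap").read())`; the 1024 threshold is a rule of thumb, not a property of nmap.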
But why use Google when we can search from within Metasploit? Running this search returns an exploit for a backdoor in Unreal 3. This is great news, as Metasploit ranks its exploits by how reliably they are expected to work. If you remember from our introduction to Metasploit, there are several steps to exploiting a vulnerability: select the module, read its information and options, set the target and payload, and run it. Doing so we find that this backdoor was present in the Unreal3. All that is needed is the remote host address. Unfortunately the compatible payloads are all plain command shells. A Meterpreter shell would be better than a command shell and give us more options, but for now we will just use the generic reverse shell.
This will drop us right into a terminal shell on the target when the exploit finishes. Now run the exploit. Notice that Metasploit says a session was opened, but then just gives you a blinking cursor.
You are actually sitting in a terminal shell on the target machine! Checking who we are shows root, the highest-level user on a Linux machine. It worked! All the standard Linux commands work in this shell. For instance, we can display the password file. We would have to crack the hashes to get the actual passwords; note that on a modern Linux system the hashes live in /etc/shadow, which is readable only by root, and root is exactly what this shell is running as. We will take a look at cracking in the Password Attacks chapter.
Conclusion
In this chapter we learned how to use nmap to find open ports on a test target system and to identify the services running on those ports. We then found and used an exploit against a vulnerable service. Next we will take a quick look at some of the scanners built into Metasploit that help us find and exploit specific services.
Chapter 8 - Metasploitable - Part Two: Scanners
Introduction
In the last chapter we looked at scanning the system with nmap to look for open ports and services. This time we will take a look at some of the built-in auxiliary scanners that come with Metasploit.
Running our nmap scan produced a large number of open ports for us to pick and choose from. These scanners let us search for and recover service information from a single computer or an entire network! For this tutorial we again will be using our Kali system as the testing platform and the purposefully vulnerable Metasploitable 2 virtual machine as our target system.
For this tutorial we will narrow our attention to the common ports that we found open. As a refresher, here are the results from the nmap scan performed in the last chapter. Go ahead and search Metasploit for ssh scanners; notice that several are available. Running the SSH version scanner confirms that our target is indeed running an SSH server and shows us the software version. Notice that the remote host option is plural, RHOSTS: we can put in a whole range of systems here, enabling us to scan an entire network quickly and easily for SSH servers.
I will leave this exercise up to you.
Using Additional Scanners
Some scanners return different information than others. The MySQL scanner reveals that MySQL 5. is running. But others can reveal more interesting information. The telnet login scanner, if given a username and password, will try to log in to the service. The telnet version scanner is unlike the others we have covered so far: on the Metasploitable machine it does not return a version number, it performs a banner grab.
But sometimes you can find some very interesting information by using it. Now, when we type exploit, we see what looks like just a bunch of text with no hint as to what version of software is running. But if we look closer, we can see something else: the banner spells out a username and password for the system. Are you kidding me? Log in with them, and we are in!
If we run the id command, we can see that this user, which is the main user, is a member of multiple groups. We might be able to use this information to exploit further services.
It sounds unbelievable that a company would include legitimate login credentials on a service login banner, but believe it or not, it happens in real life more often than you would think.
Scanning a Range of Addresses
What is interesting too is that with these scanner modules we have different options that we can set. What if we wanted to scan the entire network for systems that are running Samba? Instead of scanning a single host, you can scan all clients on the subnet by giving RHOSTS an address range. Notice that it scanned all hosts on the network and found Samba running on our Metasploitable 2 machine. This makes things much easier if you are scanning for certain services across a network.
I set the THREADS option too. On a local LAN you can raise it considerably to make the scan go faster; keep it to 50 or so when testing a remote network. This will give us a little more practice in running exploits and get us used to finding and exploiting vulnerable services.
So all we need to do is use the exploit, set RHOST to our target Metasploitable system and run it.
Conclusion
In this section we learned how to use some of the built-in scanners to quickly scan for specific services. Some professional pentesters no longer rely on nmap as their main tool for finding services. Many go for a quick kill by looking for specific, commonly exploitable vulnerabilities before turning to nmap.
Scanning for specific services that have a tendency to be vulnerable can be a quick way into a network. We looked at several of the core service scanners and learned how they function.
Shockingly, we were able to obtain clear-text credentials from the telnet service. Once we have a set of credentials, we can use the auxiliary scanners in Metasploit to push further into the network: just plug those credentials into one of the login scanners and sweep the entire network to see what other systems they work on. It would be a good idea to take some time and look through the scanners to see what they can do.
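As an added example, not from the book or from Metasploit: the scanners' RHOSTS-plus-THREADS behaviour in plain Python, a banner grab run over an address range with a thread pool. The demo target is a throwaway listener on localhost that answers with a constructed SSH-style banner; `expand_rhosts` is a simplified version of what Metasploit accepts and supports only the three forms shown (single address, last-octet range, CIDR). Hosts that refuse the connection or stay silent past the timeout are reported as absent rather than crashing the sweep.

```python
import socket
import threading
import ipaddress
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Optional


def expand_rhosts(spec: str) -> List[str]:
    """Expand a RHOSTS-style target spec into a list of IP strings: a single
    address, a CIDR block (host addresses only) or a last-octet range such as
    192.168.56.100-110, separated by spaces."""
    targets: List[str] = []
    for part in spec.split():
        if "/" in part:
            net = ipaddress.ip_network(part, strict=False)
            targets.extend(str(ip) for ip in net.hosts())
        elif "-" in part:
            base, last = part.rsplit(".", 1)
            first, stop = last.split("-")
            targets.extend(f"{base}.{i}" for i in range(int(first), int(stop) + 1))
        else:
            targets.append(part)
    return targets


def grab_banner(host: str, port: int, timeout: float = 3.0) -> Optional[str]:
    """Connect and read whatever the service volunteers; None if refused,
    unreachable, or silent until the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            data = s.recv(1024)
    except OSError:
        return None
    return data.decode("utf-8", "replace").strip() or None


def scan_range(spec: str, port: int, threads: int = 10, timeout: float = 3.0) -> Dict[str, str]:
    """Banner-grab every host in the spec using `threads` workers; returns
    {host: banner} for the hosts that answered."""
    hosts = expand_rhosts(spec)
    with ThreadPoolExecutor(max_workers=threads) as pool:
        results = list(pool.map(lambda h: (h, grab_banner(h, port, timeout)), hosts))
    return {h: b for h, b in results if b is not None}


def start_demo_service(banner: bytes) -> int:
    """Stand-in target: a localhost listener that greets each client with the
    given banner and hangs up. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def closed_port() -> int:
    """A localhost port nothing is listening on (bind, note it, release it)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Constructed banner in the style of an old OpenSSH on Debian.
    port = start_demo_service(b"SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n")
    for host, banner in scan_range("127.0.0.1", port, threads=4).items():
        print(f"{host}:{port}  {banner}")
```

Against a real subnet you would call `scan_range("192.168.56.0/24", 22, threads=50)`; as with Metasploit's THREADS, more workers speed up a LAN sweep but will trip rate limits and IDS thresholds on a remote network.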
Many people think that if they are running anti-virus and a firewall they are generally safe from hacker attacks. The truth is far from that. One part of penetration testing is getting past that pesky anti-virus, and Veil is one way we can accomplish this. Many anti-virus programs work primarily by pattern or signature matching.
If a program looks like malware that the AV has been programmed to look for, it catches it. If the malicious file has a signature that the AV has not seen before, many will dutifully report that the file is clean and not a threat. If you can change or mask the signature of malware, or of a remote shell in this case, then most likely the AV will allow it to run and the attacker gets a remote connection to the system. Signature matching is only one layer, though: engines that add heuristics, emulation or behavioural monitoring can still catch an encoded payload once it unpacks or starts acting, so results vary from product to product and should be tested rather than assumed.
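A small illustration of the point above, added here and not taken from the book or from Veil: a toy signature scanner that flags a known byte pattern, the same bytes XOR-encoded so the scanner no longer matches, and the check a better engine does, emulating the decoder before scanning. The "payload" is a constructed marker string rather than shellcode, and the scanner, encoder and emulator are simplified models of the real things.

```python
# Constructed stand-in for a malicious payload. These bytes are just a
# marker string, not shellcode; they play the part of "known bad bytes".
PAYLOAD = b"DEMO-STAGER: connect back to 10.0.0.5:4444 and spawn a shell"
# XOR key with every byte non-zero (and two bytes with the high bit set), so
# no ASCII byte of the payload survives encoding unchanged.
KEY = bytes.fromhex("5aa317c9")

# Signature database of the toy AV: detection name -> byte pattern.
SIGNATURES = {"Demo.ReverseShell": b"connect back to"}


def scan(blob: bytes):
    """Signature matching: flag the file if any known pattern appears."""
    for name, pattern in SIGNATURES.items():
        if pattern in blob:
            return name
    return None


def xor_crypt(data: bytes, key: bytes) -> bytes:
    """XOR is its own inverse, so the same routine encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_dropper(payload: bytes, key: bytes) -> bytes:
    """Model of what an encoder such as Veil produces: the key followed by the
    XOR-encoded payload. A real dropper carries a small decoder stub that
    unpacks this at runtime; run_dropper plays that stub's role here."""
    return key + xor_crypt(payload, key)


def run_dropper(dropper: bytes, key_len: int) -> bytes:
    """What happens at runtime: recover the key, decode, hand back the plaintext."""
    key, body = dropper[:key_len], dropper[key_len:]
    return xor_crypt(body, key)


def scan_with_emulation(blob: bytes, key_len: int):
    """A smarter engine: scan the file, then emulate the stub and scan what it
    unpacks. It has to understand the stub (here: a key prefix of known length),
    which is what generic unpackers and sandboxes exist for, and why a pure
    signature match is not enough on its own."""
    return scan(blob) or scan(run_dropper(blob, key_len))


if __name__ == "__main__":
    dropper = build_dropper(PAYLOAD, KEY)
    print("plain payload   :", scan(PAYLOAD))
    print("encoded dropper :", scan(dropper))
    print("after emulation :", scan_with_emulation(dropper, len(KEY)))
```

The same logic explains why a freshly generated Veil payload often passes and why it stops passing a few weeks later: once a vendor adds a signature for the decoder stub itself, or emulates it, the encoding no longer hides anything.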
Veil, a payload generator created by security expert and Black Hat USA class instructor Chris Truncer, does just that. It takes a standard Metasploit payload and, through a Metasploit-like menu interface, lets you wrap it in any of several payload formats that will most likely bypass anti-virus. Starting Veil brings you to the main menu. Selecting a payload presents us with its options screen; we will just choose the default shellcode generator, msfvenom.
We want a reverse payload, meaning that their computer will connect back to us. Next Veil asks for the IP address of the host machine that you are using: enter the IP address of your Kali machine and press enter. Then enter the local port you will be listening on, and make a note of it. And that is it! Veil will then generate our shellcode with the options that we chose.
Now we need to give our created file a name. Pick whatever you think is most likely to get the target to run it; if you know they like cute puppies, then a puppy-themed file name is perfect.
Veil now has all that it needs and creates our booby-trapped file. Just take the created file and get it onto the target system. When it is run, it will try to connect out to our machine, so we need a handler listening to accept the connection.
Getting a Remote Shell
To create the remote handler, we will be using Metasploit.
Start the Metasploit Framework from the menu or by typing msfconsole in a terminal, and set up the multi/handler with the same payload type Veil used. Be sure to put in the IP address for your machine and the port that you entered into Veil; they must match exactly.
Metasploit will then start the handler and wait for a connection. Now we just need the victim to run the file that we sent them. When the file is executed on the Windows 7 machine, we see a reverse shell session open on our Kali system!
Conclusion
This should help prove that you cannot trust your firewall and anti-virus alone to protect you from online threats. Unfortunately, many times your network security depends on your users and what they allow to run.
Instruct your users never to run programs or open files that arrive in unsolicited e-mail. Blocking certain file types, executables in particular, from entering or leaving your network is also a good idea. And finally, a network security monitoring system will help track down what happened and what was compromised if the worst does happen.
User Account Control (UAC) seemed to be a nuisance in the previous Windows version, and many companies just turned it off. UAC works very well in Windows 7, and leaving it on, even at the lowest setting, prevents many attacks that worked in Windows XP. But there is a UAC bypass module in Metasploit that will allow us to get around this restriction and obtain SYSTEM level access, provided the user account we compromise is an administrator.
In this section we will learn how to escalate our privileges from an administrator-level user to SYSTEM by bypassing UAC and creating a new, elevated session.
UAC Bypass
In this tutorial we start with an active Meterpreter session on a Windows 7 system, running as a user that has administrator rights. First we want to background the session. Then we select the bypassuac exploit module and point it at our active session, session one in this case, using the set command. Running it, you can see that the module confirmed the user is a member of the Administrators group, the UAC bypass worked, and a new session was created.
The first part of the hashdump display above shows the three regular system users, Alice, Bob and George, along with the logon password hints they set when they created their passwords. The final part shows the actual hashes from the system. Dumping them this way needs the SYSTEM privileges we just obtained, which is why the bypass matters. Using the hashes to access this system or other systems on the network is covered in the Password Attacks chapter.
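As an added example, not from the book: a parser for the pwdump-style lines that hashdump prints (user:RID:LM hash:NT hash:::) with a quick triage of what the hashes already tell you before any cracking. The sample dump is constructed for this example with made-up hash values, except for two well-known constants: the placeholder LM value Windows stores when no LM hash exists, and the NT hash of an empty password.

```python
from typing import Dict, List, NamedTuple

BLANK_LM = "aad3b435b51404eeaad3b435b51404ee"  # stored when no LM hash exists
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of the empty password


class Account(NamedTuple):
    user: str
    rid: int
    lm: str
    nt: str


# Constructed hashdump output. Apart from the two constants above, the hex
# values are invented and do not correspond to any real password.
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:1a2b3c4d5e6f70819a2b3c4d5e6f7081:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Alice:1001:0f1e2d3c4b5a69788796a5b4c3d2e1f0:2b3c4d5e6f708192a3b4c5d6e7f80910:::
Bob:1002:aad3b435b51404eeaad3b435b51404ee:1a2b3c4d5e6f70819a2b3c4d5e6f7081:::
George:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
"""


def parse_hashdump(text: str) -> List[Account]:
    """Parse pwdump-format lines; anything that is not user:rid:lm:nt is skipped."""
    accounts = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[1].isdigit():
            continue
        accounts.append(Account(parts[0], int(parts[1]), parts[2].lower(), parts[3].lower()))
    return accounts


def triage(accounts: List[Account]) -> Dict[str, List[str]]:
    """Map each user to the findings an attacker (or defender) cares about."""
    by_nt: Dict[str, List[str]] = {}
    for a in accounts:
        by_nt.setdefault(a.nt, []).append(a.user)
    findings: Dict[str, List[str]] = {}
    for a in accounts:
        notes = []
        if a.rid == 500:
            notes.append("built-in Administrator (RID 500)")
        if a.nt == EMPTY_NT:
            notes.append("empty password")
        if a.lm != BLANK_LM:
            notes.append("LM hash stored: password is 14 chars or less and cracks fast")
        others = [u for u in by_nt[a.nt] if u != a.user]
        if others and a.nt != EMPTY_NT:
            # NT hashes are unsalted, so equal hashes mean equal passwords.
            notes.append("same password as " + ", ".join(others))
        if notes:
            findings[a.user] = notes
    return findings


def to_hashcat_nt(accounts: List[Account]) -> str:
    """One NT hash per line, the input format for hashcat's -m 1000 mode."""
    return "\n".join(a.nt for a in accounts)


if __name__ == "__main__":
    accounts = parse_hashdump(SAMPLE_HASHDUMP)
    for user, notes in triage(accounts).items():
        print(f"{user}: {'; '.join(notes)}")
```

The raw hashdump lines are already in the pwdump format John the Ripper reads directly (`john --format=NT hashes.txt`), so the parser exists for the triage, not for conversion.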
Conclusion
In this short section we saw how to escalate a user with Administrator privileges to the SYSTEM account. We were able to do this by running a Metasploit module that bypasses the Windows User Account Control security feature. Once we have SYSTEM level access we can do anything that we want on the machine.
We demonstrated this by dumping the password hashes from the security database. The UAC bypass was possible only because the account we had access to was an administrator-level account. It is imperative that users always be given non-administrator accounts, and the security repercussions of any exceptions to this rule should be seriously considered.
Chapter 11 - Packet Captures and Man-in-the-Middle Attacks
Introduction
Another technique that may be advantageous to us is to monitor or capture network traffic on a remote machine.
Think of it like a wiretap. As a wiretap records everything a person says on their telephone, a packet capture records everything your computer says on the network wire.
This could include account names, passwords, and so on. In this section we will look at viewing network packets using two very different processes. For the first we will use a Man-in-the-Middle attack against a system on the local network, using the commands arpspoof, urlsnarf and driftnet. With these we can see what websites a target visits and display every image the target is viewing. Secondly, we will run a packet capture on a remote machine through a Metasploit session.
We will then view the captured information for artifacts in Wireshark and Xplico. In both cases we will use a Windows 7 computer as the target system. A MitM attack in essence places our Kali system between the target and the router.
This way we see all of the traffic coming from and going to the target system. All traffic from the target headed to the internet is re-routed first to our machine, which captures it and then forwards it on to the router.
All information coming from the internet headed to the target machine is routed through our system first, again so we can review it, and then forwarded to the target. To achieve this we tell the target machine that we are the router, and tell the router that we are the target. But first we need to turn on IP forwarding in the kernel so the traffic keeps flowing; otherwise the target simply loses its connection and the attack is obvious. Then we run the arpspoof command, providing the network interface (-i), the target system (-t) and the router address. Poisoning in the reverse direction as well, by running a second arpspoof with the target and router arguments swapped, did not seem to work on a VMware host, but I was able to capture all the traffic using just the one-way command above. Arpspoof then starts sending forged ARP replies to the target.
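What the attack looks like from the victim's side, as an added example not from the book: after arpspoof starts, the victim's ARP cache maps the router's IP address to the attacker's MAC, so one MAC now answers for two IPs and the gateway entry has changed since the last look. The snippet parses `ip neigh show` output and flags exactly that; the two snapshots, before and after poisoning, are constructed with made-up addresses.

```python
import re
from typing import Dict, List, Optional, Tuple

# Lines look like: "192.168.56.1 dev eth0 lladdr 0a:00:27:00:00:01 REACHABLE".
# Entries with no MAC (FAILED / INCOMPLETE) have no lladdr and are skipped.
NEIGH_RE = re.compile(r"^(\S+) dev (\S+) lladdr ([0-9a-f]{2}(?::[0-9a-f]{2}){5})", re.I)

# Constructed snapshots of the victim's neighbour table. 192.168.56.1 is the
# router; 192.168.56.103 is the attacker. Addresses are invented.
BEFORE = """\
192.168.56.1 dev eth0 lladdr 0a:00:27:00:00:01 REACHABLE
192.168.56.103 dev eth0 lladdr 08:00:27:8e:f3:21 STALE
192.168.56.120 dev eth0  FAILED
"""
AFTER = """\
192.168.56.1 dev eth0 lladdr 08:00:27:8e:f3:21 REACHABLE
192.168.56.103 dev eth0 lladdr 08:00:27:8e:f3:21 STALE
"""


def parse_neigh(output: str) -> Dict[str, str]:
    """Parse `ip neigh show` output into {ip: mac} (MACs lower-cased)."""
    table: Dict[str, str] = {}
    for line in output.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            table[m.group(1)] = m.group(3).lower()
    return table


def duplicate_macs(table: Dict[str, str]) -> Dict[str, List[str]]:
    """MACs that claim more than one IP: the classic sign that one host is
    answering ARP for the router (or another host) as well as for itself."""
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in table.items():
        by_mac.setdefault(mac, []).append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def gateway_changed(before: Dict[str, str], after: Dict[str, str],
                    gateway: str) -> Optional[Tuple[str, str]]:
    """(old_mac, new_mac) if the gateway's MAC differs between snapshots, else None.
    A real monitor would compare against a pinned value, not just the last look."""
    old, new = before.get(gateway), after.get(gateway)
    if old and new and old != new:
        return old, new
    return None


if __name__ == "__main__":
    before, after = parse_neigh(BEFORE), parse_neigh(AFTER)
    print("duplicate MACs before:", duplicate_macs(before))
    print("duplicate MACs after :", duplicate_macs(after))
    print("gateway changed      :", gateway_changed(before, after, "192.168.56.1"))
```

On a live Linux host you would feed it `subprocess.check_output(["ip", "neigh", "show"], text=True)` on a timer; the matching prevention is to pin the gateway with a static entry (`ip neigh replace <gateway-ip> lladdr <real-mac> dev eth0 nud permanent`) or to enable Dynamic ARP Inspection on the switch.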
When the user surfs the web, urlsnarf shows all of the URLs the target requests, so we can see every website address the user visits right on our Kali system. Starting driftnet should open a driftnet window on your Kali system; maximize it to make things easier to see. Now return to the target computer and start surfing the web.
You should start to see images appearing on your Kali system: every image from the pages the target is viewing, rendered on our remote Kali machine.
Part Two: Remote Packet Capture in Metasploit
Okay, that was all well and good if we are on the same local network as the target system, but what if the target system is remote? We will start with an active session that we obtained through an exploit. As you can see below, we are connected to session 1 and have a Meterpreter shell on the target, a Windows 7 system in this case.
When things go bad: when trying to run packetrecorder -li on one Windows 7 system I got the error below, and I had to go to the Windows 7 system and manually disable UAC to get this to work right. That is a reminder for defenders: UAC even at its lowest level is still better than being completely off! Running the command, we see that the remote target in this case has 5 network interfaces. We will go ahead and run the capture against interface 2, the Qualcomm WiFi adapter.
Now just go to the Windows 7 target system and do some surfing. Every location you surf to and every network packet you send will be recorded on the Kali system. And that is it.
Wireshark
Okay, we have our packet capture, so what do we do with it? Wireshark is a great packet capture and analysis program that has a ton of features and capabilities. We will cover viewing a packet capture in Wireshark only very briefly. If the user connected to any unencrypted FTP sessions, as shown above, you will be able to see the entire session: select a packet from it and follow the TCP stream,
and you will see the stream content as shown below. As you can see, we have a complete capture of an FTP login and file download, credentials included. Wireshark is great for analyzing network communications and you can do a lot with it, but it is a b it advanced for a new user and might be hard to use until you become familiar with it. The program Xplico lists all the information from the packet capture in an easy-to-read menu. It also allows us to view any images or documents.
Xplico
Xplico has been added to the Kali repositories, but it may not be installed on your system yet.
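As an added example, not from the book: what Wireshark's follow-stream view is doing, in code. The block writes a tiny pcap of a constructed FTP session (invented addresses, username and password), parses the Ethernet, IPv4 and TCP headers back out, concatenates each direction's payload and pulls out the USER, PASS and RETR commands. It ignores sequence numbers and checksums, which is fine for this in-order sample but not for a real capture with retransmissions; Wireshark does the proper reassembly.

```python
import re
import struct
from typing import Dict, Iterator, List, Tuple

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
FTP_CMD = re.compile(rb"^(USER|PASS|RETR) (.+?)\r?$", re.M)
Flow = Tuple[str, int, str, int]


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_tcp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet + IPv4 + TCP around a payload. Checksums stay zero: this
    capture never hits a wire and the parser below does not verify them."""
    eth = bytes.fromhex("0a0000000002") + bytes.fromhex("0a0000000001") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     _ip(src), _ip(dst))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames: List[bytes]) -> bytes:
    """Classic little-endian pcap: 24-byte global header, then a 16-byte
    record header (ts_sec, ts_usec, incl_len, orig_len) before every frame."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000, i, len(frame), len(frame)) + frame)
    return b"".join(out)


def tcp_segments(pcap: bytes) -> Iterator[Tuple[str, int, str, int, bytes]]:
    """Yield (src, sport, dst, dport, payload) for each TCP segment."""
    magic, *_, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != PCAP_MAGIC or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        total = struct.unpack("!H", frame[16:18])[0]
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp = frame[14 + ihl:14 + total]
        sport, dport = struct.unpack("!HH", tcp[:4])
        doff = (tcp[12] >> 4) * 4
        yield src, sport, dst, dport, tcp[doff:]


def follow_streams(pcap: bytes) -> Dict[Flow, bytes]:
    """Concatenate payloads per direction of each connection, in capture order."""
    streams: Dict[Flow, bytearray] = {}
    for src, sport, dst, dport, data in tcp_segments(pcap):
        streams.setdefault((src, sport, dst, dport), bytearray()).extend(data)
    return {k: bytes(v) for k, v in streams.items()}


def extract_ftp_activity(pcap: bytes, ftp_port: int = 21) -> List[dict]:
    """Logins and downloads from the client-to-server side of FTP control streams."""
    findings = []
    for (src, sport, dst, dport), stream in follow_streams(pcap).items():
        if dport != ftp_port:
            continue
        info = {"client": src, "server": dst, "user": None, "password": None, "files": []}
        for cmd, arg in FTP_CMD.findall(stream):
            value = arg.decode("utf-8", "replace")
            if cmd == b"USER":
                info["user"] = value
            elif cmd == b"PASS":
                info["password"] = value
            else:
                info["files"].append(value)
        findings.append(info)
    return findings


# Constructed FTP session between two made-up hosts; nothing here is real.
CLIENT, SERVER = "192.168.56.101", "192.168.56.102"
SAMPLE_PCAP = build_pcap([
    build_tcp_frame(SERVER, CLIENT, 21, 49152, b"220 FTP server ready.\r\n"),
    build_tcp_frame(CLIENT, SERVER, 49152, 21, b"USER alice\r\n"),
    build_tcp_frame(SERVER, CLIENT, 21, 49152, b"331 Please specify the password.\r\n"),
    build_tcp_frame(CLIENT, SERVER, 49152, 21, b"PASS hunter2\r\n"),
    build_tcp_frame(SERVER, CLIENT, 21, 49152, b"230 Login successful.\r\n"),
    build_tcp_frame(CLIENT, SERVER, 49152, 21, b"RETR secrets.txt\r\n"),
])

if __name__ == "__main__":
    for f in extract_ftp_activity(SAMPLE_PCAP):
        print(f"{f['client']} -> {f['server']}: user={f['user']} pass={f['password']} files={f['files']}")
```

`extract_ftp_activity(open("capture.pcap", "rb").read())` works on a real classic-format pcap written by packetrecorder or tcpdump; pcapng files have a different container and need a library such as dpkt or scapy.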
It is a web-based interface, so to start it you need both the Apache web server and the Xplico server started. If Xplico is not listed among your installed packages you will need to install it from the Kali repositories. Then we just need to start the services.
Once Xplico is started, you access it via the web interface. Create a case and a session within it, then click on the session name and the main session desktop appears. Upload the pcap file and it will be decoded. After a few seconds to minutes, depending on the size of your pcap file, you will see the results as below. Now if we click on Sites under the Web menu we will see a list of the websites that the target visited. Next they went to Google and then the D-Link support website looking for support information on a DIR router.
Even if no network, account information or passwords were recovered with Xplico, you can use the Web tab to gather information that could be used in a social engineering attack. For example, I noticed several of the surfed sites were NHL sites.
I can search the data stream for specific terms, in this case NHL, or view the images. Obviously the user is a hockey fan. I could possibly work out his favourite team from his surfing habits and again use this in a social engineering attack.
Conclusion
In the first part of this section we learned how to use the Man-in-the-Middle attack program arpspoof, along with urlsnarf and driftnet, to view what websites a targeted local system was viewing.
In the second part, we learned how to turn an exploited system into a remote packet sniffer using Meterpreter. We then analyzed the captured traffic in Xplico. Hopefully this chapter demonstrated why it is important to secure your network. If your ARP tables are not protected, whether by static entries for critical hosts or Dynamic ARP Inspection on managed switches, it is easy for an attacker on the local LAN to perform a MitM attack and view all the traffic of a target system; encrypting traffic end to end limits what such an attacker can read even then.
It has been a long time since I have played with BeEF, about three years in fact, but after going through a great web application and XSS security class, I figured it was time to brush it off again.
I was very pleased to find that a ton of new features, called commands, have been added to BeEF since I last used it, dramatically increasing its functionality. Granted, many attacks in BeEF no longer seem to work against Windows 7 using the latest browsers, but it appears that Windows XP systems are still very vulnerable to many of the browser attacks, even when using the latest browsers.
In Kali, just open a terminal and start BeEF. This starts the BeEF server and shows you the web address for the graphical user interface and a couple of sample pages that you can use to hook browsers. Log in and you are greeted with the main BeEF control panel. When a target visits one of the demo pages, shown here in Firefox and again in Chrome, they see a page with some delicious-looking beef, and nothing really seems awry. Behind the scenes, though, the hook script has given us control over the browser. Well, maybe not complete control, but it does give us the power to really muck with it.
As soon as the visitor simply visits the page, the hook is set. Notice that the user does not have to run anything or mouse over anything for the attack to work; just visiting the page triggers it. When machines are hooked, they show up in the BeEF control panel. Now that we have the system listed there, we simply click on the system we want to attack and then pick from the numerous attacks listed in the Commands section. One of them pops up a fake login prompt, and whatever username and password the user types comes straight back to us. Oh no! We could also try to grab credit card numbers with a similar attack that mimics the site's own look. BeEF can do much more than just send pop-ups.
As you can see, an attacker having control over the browser can be very bad.
Conclusion
BeEF can be a very interesting tool to play with and fairly easy to use once you get the hang of it. The attacks are colour coded according to the chance that they will work.
You may want to try them anyway, as I have noticed that some marked as not working well seemed to work okay on occasion. I also noticed that newer browsers seemed to stop some of the attacks, but XP was still pretty open as to what would work against it.
I tried these exact same attacks against a Windows 7 system using the latest Firefox browser and nothing was displayed: A hook was created, but only lasted for about a second or two before it was dropped.
The best mitigation against this type of attack seems to be to use the latest Windows OS and browser versions. If you can, update or replace your Windows XP systems, especially if they are used online. The base security in Windows 7 and 8 is much better than Windows XP.
Social Engineering is, in effect, hacking humans. Hackers who are experts in social engineering will trick you into helping them or giving them access to your secured systems or areas by pretending to be someone else: someone in need, or even someone in a position of authority.
As you approach the door, a deliveryman with his arms full of boxes is also arriving at the door. What do you do? Without thinking twice, most would open the door for the poor overburdened man and let him in.
You just let him in. He says that he is performing system upgrades and needs access to your system. You ask if you should shut it down, and he responds that he just needs to check a few things first. You get up and head for the cafeteria. And you just gave him access to your system. One day you get a package in the mail from a company that you just signed a major deal with. It was the largest deal of your career and was in all the local city newspapers and on all the TV stations.
You open it to find one of the latest tablets along with a thank-you note from the company for the business agreement. The company never sent you a tablet, and you just gave an enterprising social engineer a system connected to your executive network. Or a message arrives saying they are installing some new software and need you to install some new drivers. They include the software package as an attachment and give you full directions to install it.
Which you do. Social engineers may take advantage of local customs and etiquette, play off human sympathy, or just try to intimidate an employee to get what they want. Or they could hit social media sites pretending to be from a company that you do business with, or pretending to be a head-hunting employment agency looking for new talent.
These are just a few examples of how a social engineer might try to gain access to or procure information about a target network.
There really is no limit to the ways that a talented social engineer might try to twist, deceive or threaten their way onto your network.
Social Engineering Defense
With that being said, it is imperative to train your employees to be on the lookout for these types of attacks. Have policies in place to deal with service calls, software updates and gifts from outside companies. You can teach, instruct and even leave reminder messages and posters, but employees may still not follow corporate policy. That is why, when it comes to social engineering attacks, it is a good idea to test manually whether your company is truly prepared.
Why spend days, weeks or even months trying to penetrate layers of network security when you can just trick a user into running a file that gives you full access to their machine and bypasses anti-virus, firewalls and many intrusion detection systems? This is most commonly seen in phishing attacks today: craft an e-mail, or create a fake website, that tricks users into running a malicious file that creates a backdoor into their system.
But as a security expert, how could you test this against your network? Would such an attack work, and how could you defend against it? That is where the Social Engineering Toolkit (SET) comes in. More recently several non-social-engineering tools have also been added to SET, making it a very robust attack tool.
In this chapter we will take a look at some of the tools included with SET and two of the attack options, both PowerShell based.
Mass Emailer
One way a social engineer will attack a network is to send out a flood of e-mails to company addresses and see who responds or runs the malicious attachment sent with it.
SET comes with a Mass Emailer tool. You have a choice of sending a single e-mail or many. Enter a target e-mail address, then choose whether to send through a Gmail account or another server. For the test we will use a throwaway Gmail account, so I picked option 1. Next SET asks for the password of the Gmail account, then for an e-mail subject line and the message. In actual defensive practice the message could simply link to a test web page that records the IP address of those who were tricked into visiting it.
That way as a security team we know who in our organization needs to be better educated on the risks of malicious e-mails.
SET will then send out the e-mail. But what if we could make a fake site that offers up a booby-trapped script, so that if the user allows it to run we get a remote shell as that user?
We will use SET to create a fictitious website that offers up a booby-trapped Java applet. If the user allows the applet to run, we get a full remote session on the system.
From the main SET menu, notice the other options available. The Java Applet attack creates a Java applet that carries a backdoor shell. There are several alternative attack options here. The Metasploit Browser Exploit attack hits the client system with Metasploit browser exploits. The Credential Harvester attack is pretty slick: it clones an existing website such as Facebook and then stores any credentials that are entered into it.
TabNabbing works well if the client has a lot of browser tabs open: it waits a certain time and then switches one of the tabs to a page that SET creates. The Web-Jacking attack uses iframe replacement to make a malicious link look legitimate.
And finally, the Multi-Attack combines several of the above. Notice the other social media sites available for cloning. Now SET is all ready to go and does several things.
It creates and encrypts the PowerShell injection code, creates the website, loads Metasploit and starts a listener waiting for people to connect. When done, your screen shows the listener running. When the target browses to our site, the website asks to run a Java applet. How reassuring; it must be okay to run. If the user clicks Run, the applet executes our PowerShell injection code and, as you can see in the figure below, a session comes back to us.
Social Engineering Toolkit: PowerShell Shellcode
Another social engineering attempt is to trick a user into running a file that we send them.
If we can trick the target into running the shellcode, or run it ourselves, we get a remote connection to the box. We will also set up SET to listen for these incoming connections; usually the default port is good enough. Finally SET asks if you want to create the listener, so that when the victim runs the code SET will be ready to accept the remote connection.
SET now creates the exploit code and, if you chose to start the listener, kicks off the handler in Metasploit and waits for an incoming connection. Now we just need to get the exploit code to the victim system. Leave the SET window open and open an additional terminal. If a Windows system runs the code, a remote session opens up to our Kali machine. For this example I will just copy the code and paste it into a Windows 7 command prompt. Once you hit enter, a full remote shell session is created on the Kali SET machine. Though most users will not copy and paste a text file into a command prompt and execute it, this works great for penetration testers who have gained a remote command prompt and want to upgrade to a full Meterpreter shell.
Also, there are several tutorials on the web explaining how to take the resulting SET PowerShell text file and convert it into an executable: basically you turn the text file into a batch file and then use a converter to turn that into an executable. I leave this exercise up to the reader.
Conclusion
PowerShell is available on almost every Windows box these days, and many anti-virus programs do not detect these types of attacks, making them very powerful.
Most likely, you would need to be tricked into running the code for the attack to be successful. So as always, be very careful opening files and links from e-mails and social media messages. Also be very wary of shortened links, especially those used on Twitter. Recently I saw a shortened link on Twitter that, when expanded, was a four-line command to a malware server! For a complete overview of the SCCM attack, see: The Social Engineering Toolkit is truly a robust and feature-rich tool for any corporate security testing team.
We will use a program called Subterfuge to create a fake webserver that will automatically attack any browser that tries to connect to us. This will simulate one way that hackers can gain access to a target machine by having them visit a malicious website. If one or more of the attacks succeed, we will usually get a full remote command shell to the client system. Subterfuge was one of the programs removed from the Backtrack platform. It was present in Backtrack 5 but removed in the switch to Kali, most likely as there are other programs in Kali that do similar things.
From reading the online forums, it sounds like Subterfuge could possibly be added back in at some time. Download Subterfuge http: Go ahead and save it in the root. Now extract the file with the tar —xvf command. Now change to the Subterfuge directory and run the install with Python: The graphical install interface will show up. Now go ahead and run Subterfuge: Now you are given a screen showing that the server is up and running: Now open Iceweasel and surf to You are greeted with the main Subterfuge interface: Notice there is a place to display usernames and passwords, a Modules and Settings menu and a Start button.
There are several different attacks we can perform, all found under the Modules menu. We can modify how Subterfuge functions with the Settings menu, and Start initiates some of the attacks. When started, Subterfuge launches a rogue server, loads in a ton of different client-side browser attacks, and uses them against any client that tries to connect.
We will be greeted with the Plugin Settings. Subterfuge automatically opens a shell window and starts loading Metasploit. The Metasploit Exploits are loaded and prepared: After a while you will see a screen that says: Found 64 exploits - What this means is that Subterfuge is armed with 64 different exploits to attempt when someone connects to our Kali system.
To see if any of them worked, we can run the sessions command: As you can see, the exploits were able to open three active remote sessions! And it worked. As you can see above, I also typed shell to open a remote command prompt.

Conclusion

In this section we used Subterfuge to perform an automated browser attack. When the client connected, Metasploit tried numerous client attacks against our victim and in the end was able to create three fully functional remote shell connections. In real life you would most likely have to social engineer your target and convince them to visit the Subterfuge site, either via an e-mail link or a phone conversation.
This is just one of the things that Subterfuge can do. You can also perform several other attacks, including Man-in-the-Middle type attacks. Take some time and play with the different options to see what you can do.

That is a huge number of Windows XP systems that are still being used in business critical positions.

Computers do not just store passwords in plain text, but store them in an encrypted form.
There are several different ways that computers encrypt their passwords. One of the most secure ways includes salting the password. Basically this means using a number, the salt, and incorporating it into the hashing process to ensure that no two password hashes are ever the same, even when two users pick the same password. LM hashes, by contrast, use no salt. So all you need to do is take the hash and compare it to known hashes, and if you get a match, you have the password! This is a very old and outdated way to store password hashes. This hashing process was created for systems before Windows NT.

Basically, on a system using LM hashes, any password that is 14 characters or less is converted into all uppercase and then broken into two 7-character halves. Each half is then encrypted, and the two results are combined to form the final hash. Again there is no salt used, so if you can get the LM hashes from a system, all you need to do is a lookup-table comparison against other known hashes and you have the actual password.
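The two points above, why a salt defeats a lookup table and how the LM pre-processing step (uppercase, 14-character limit, two 7-character halves) shrinks the work, are easy to see in code. The following is an added example written for this chapter, not code from the book; it uses SHA-256 and PBKDF2 as stand-ins for a generic unsalted and salted hash, reproduces only the LM pre-processing (not the DES step that follows it), and the wordlist is constructed sample data.

```python
import hashlib

# Constructed wordlist standing in for the "known hashes" an online lookup
# table or rainbow table would hold (sample data, not from the book).
WORDLIST = ["password", "letmein", "Summer2013", "P@ssw0rd", "Password123456"]


def lm_halves(password: str):
    """LM pre-processing as described in the text: passwords longer than 14
    characters get no LM hash at all; otherwise uppercase, NUL-pad to 14 bytes
    and split into two 7-character halves. LM then uses each half as a DES key
    to encrypt a fixed constant; that step is left out because only the
    structure matters here."""
    if len(password) > 14:
        return None
    padded = password.upper().ljust(14, "\0")
    return padded[:7], padded[7:]


def lm_effective_halves(password: str) -> int:
    """How many halves an attacker must recover independently (0, 1 or 2).
    A password of 7 characters or fewer leaves the second half all NULs, which
    hashes to a well-known constant and costs nothing to recognise."""
    halves = lm_halves(password)
    if halves is None:
        return 0
    return 1 if halves[1] == "\0" * 7 else 2


def unsalted_hash(password: str) -> str:
    """Unsalted hash (SHA-256 as a stand-in): identical passwords give identical
    hashes, so one precomputed table serves against every account."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: bytes) -> str:
    """Salted, iterated hash: a per-account random salt makes the same password
    hash differently for every account, so no precomputed table applies."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


def build_lookup_table(words):
    """What a cracking site holds: hash -> password for every word it knows."""
    return {unsalted_hash(w): w for w in words}


def lookup(hash_hex: str, table: dict):
    """The attacker's whole job against an unsalted store: one dictionary lookup."""
    return table.get(hash_hex)


def demo() -> dict:
    table = build_lookup_table(WORDLIST)
    salt_a, salt_b = b"\x01" * 16, b"\x02" * 16  # fixed here; use os.urandom(16) for real
    return {
        "lm_halves": lm_halves("Password123456"),
        "unsalted_found": lookup(unsalted_hash("letmein"), table),
        "salted_found": lookup(salted_hash("letmein", salt_a), table),
        "same_password_same_salt": salted_hash("letmein", salt_a) == salted_hash("letmein", salt_a),
        "same_password_different_salt": salted_hash("letmein", salt_a) == salted_hash("letmein", salt_b),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The unsalted lookup succeeds immediately, the salted one never matches the table, and the same password under two salts yields two unrelated hashes. The LM split shows the other half of the problem: "Password123456" becomes PASSWOR and D123456, two independent 7-character, case-insensitive puzzles instead of one 14-character mixed-case one.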
A typical Windows hash looks something like this:

Cracking LM passwords Online

There are several websites that will allow you to input a Windows LM hash and will return the password used if it is in their lookup table. They offer an online demo of their technology that cracks many LM passwords in mere seconds. How about this one: That took only 4 seconds, and that is a decent password. And finally: But I believe that with cracking speeds increasing, relying on passwords alone may no longer be a good security measure.
Many companies and government facilities are moving away from using just passwords alone to using dual authentication methods.
Biometrics and smartcards are really becoming popular in secure facilities.

Not sure what Kind of Hash you have?

There are several different types of hashes. Sometimes you might be able to retrieve a password hash, but might not be able to determine what type it is. Hash ID will identify the type of hash that you provide it. Simply run Hash ID and input the hash. The program will check it and return the most likely type of hash that you have, along with less likely types. From the Kali Menu:

Looking up Hashes in Kali

Looking up hashes manually online is interesting, but it would be better just to do it from within Kali.
Not sure what is going on there, but it had no problem with MD5 hashes. The password is encrypted in some way and the resulting encrypted hash is recorded.
If the LM hash cannot be found in one of the online databases, then a cracking program is needed. You can turn off LM hashing, but security researchers have found that many networked systems and programs still use them even when turned off!
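Two of the checks above are worth automating on the defending side: recognising what kind of hash you are looking at (the job Hash ID does) and finding out which accounts in a hash dump still carry a real LM hash even though LM hashing is supposedly turned off. The script below is an added example, not part of the book or of any Kali tool. It relies on one real fact: the LM hash of an empty password is aad3b435b51404eeaad3b435b51404ee (and each 7-character half of it is aad3b435b51404ee), which is what appears in the LM field when no LM hash is stored. The pwdump-style lines are constructed sample data and their NT hash values are made-up hex, not hashes of any real password.

```python
import re

# LM and NT hashes of an empty password. An LM field equal to EMPTY_LM means
# no LM hash is stored for that account (LM hashing disabled, or the password
# is longer than 14 characters), so only the NT hash is left to attack.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# Constructed pwdump-style lines (user:RID:LM hash:NT hash:::). The hash
# values are made-up hex, not real hashes of any password.
SAMPLE_DUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1000:aad3b435b51404eeaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
bob:1001:0011223344556677aad3b435b51404ee:89abcdef0123456789abcdef01234567:::
"""

PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")


def parse_pwdump(text: str) -> list:
    """Parse user:RID:LM:NT::: lines; anything that does not match is skipped."""
    records = []
    for line in text.splitlines():
        m = PWDUMP_RE.match(line.strip())
        if m:
            user, rid, lm, nt = m.groups()
            records.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return records


def audit(records: list) -> dict:
    """Defender's view of a dump: who still has a real LM hash stored, whose LM
    hash reveals a password of 7 characters or fewer (second half is the empty
    constant), and who has an empty password."""
    return {
        "lm_present": [r["user"] for r in records if r["lm"] != EMPTY_LM],
        "lm_short_password": [r["user"] for r in records
                              if r["lm"] != EMPTY_LM and r["lm"][16:] == EMPTY_LM[16:]],
        "empty_password": [r["user"] for r in records if r["nt"] == EMPTY_NT],
    }


def guess_hash_type(h: str) -> list:
    """Rough equivalent of what Hash ID does: rank likely hash types from the
    shape of the value. The ambiguity is real: a bare 32-hex-digit value could
    be MD5, NTLM or LM, which is why the tool lists several candidates."""
    h = h.strip()
    if h.startswith("$1$"):
        return ["md5crypt"]
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return ["bcrypt"]
    if h.startswith("$5$"):
        return ["sha256crypt"]
    if h.startswith("$6$"):
        return ["sha512crypt"]
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        by_len = {32: ["MD5", "NTLM", "LM"], 40: ["SHA-1"], 56: ["SHA-224"],
                  64: ["SHA-256"], 96: ["SHA-384"], 128: ["SHA-512"]}
        return by_len.get(len(h), ["unknown"])
    return ["unknown"]


if __name__ == "__main__":
    print(audit(parse_pwdump(SAMPLE_DUMP)))
    print(guess_hash_type("d41d8cd98f00b204e9800998ecf8427e"))
```

In the sample, only bob still has an LM hash, and its second half being the empty constant tells you his password is at most 7 characters, before any cracking is done. That is the kind of finding to hand to an administrator: the LM setting is not enough on its own, and accounts like bob's need a password change after the setting is fixed.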
And as I mentioned, LM hashing can be turned off, or you can just use passwords longer than 14 characters. But what a lot of people have asked me is how much longer it would take to access the user account if only the NTLM hash was available. This is a great question, and the answer is that, if certain circumstances are met and a certain technique is used, it could take the same amount of time. Let me explain: if you can retrieve the LM or NT hashes from a computer, you do not need to crack them.

There is really no need. Sometimes you can simply take the hash as-is and use it as a token to access the system. That should give you some idea how long this attack has been used. Though some of these attacks no longer work on updated systems: AV and patched Windows systems are catching some of the mechanisms used and blocking them. But if UAC is disabled, as we will see later in this section, it could still work. So it is still worth a look at some of the Pass the Hash techniques.

Passing the Hash with Psexec

Probably one of the standby methods of passing the hash for years has been the psexec command.
In this tutorial we will start with having an active remote session through Meterpreter. This is done simply by running the Bypass UAC module discussed earlier in the book, but I will show the steps here: It also dropped us automatically into session 2.
This will list the password hints and, more importantly, the password hashes: As you can see, we have the hashes for all of the users. We will use the SMB psexec module to do this. Okay, we have the target system IP address set, and we have the user Alice selected. We just need to set the SMB password. This is where the magic starts. Paste in the entire hash as shown above. And the results? On an updated Windows 7 system with the UAC set to any level other than off, nothing happens!
You get an Access Denied error message and no connection: But on a system that has UAC turned completely off, it is a different story: This is what happens in real life sometimes when testing security. What seems to be an opening just may not work. So you back up and try something else. In this case we were not able to get a shell with UAC enabled, but got it without problem with a system with UAC disabled.
PTH was fairly recently added to Kali and can be opened from the menu: You can use the commands to do some pretty interesting things. We are not going to cover the commands, but many of them may look familiar to Windows users.
Just use the help switch --help and you will get a help list of command options and uses: Though it is a bit beyond the scope of this book, the author of Pass the Hash Toolkit has some great write-ups on his site, including one on how to use the Pass the Hash WMIS command and Powershell to get a remote shell.
And it works very well: as you can see, a remote session was created with the user Alice and the password hash that was provided.

Defending against Pass the Hash Attacks

So what can be done to prevent these types of attacks? During testing I found that using the built-in Windows firewall on the Windows 7 machine was a hindrance. The utility that many complained about in Windows Vista and turned off! Next, one would wonder about just using Kerberos authentication. From what I saw, there seems to be no surefire way to force Kerberos across the board.

Chapter 18 — Mimikatz Plain Text Passwords

Introduction

In this section we will look at recovering remote passwords in plain text.
You read that right, plain text! I am not going to pretend that I understand exactly how he does what he does, but this master programmer has found that Windows stores passwords in plain text!
And he has found out how, with his programming wizardry, to pull them out. Mimikatz has been available as a stand-alone program for a while now, and has been added into the Metasploit Framework as a loadable Meterpreter module, making recovering passwords once you have a remote session incredibly easy. And did I mention the passwords are in plain text? See the Chapter on Bypassing UAC to see how to go from an administrator level to system level account.
We need to load in the mimikatz module; there is a 32-bit and a 64-bit module, choose accordingly. For this section we will be using the 32-bit one. The help is pretty self-explanatory; basically type the corresponding command for the creds that you want to recover. Using these commands you can recover user passwords from multiple system sources: Windows login passwords, MS Live passwords, terminal server passwords, etc. But for now we are just interested in passwords.

Recovering Hashes and Plain Text Passwords

And there you go: a list of the password hashes. It would be nice just to get the password in plain text. Well, if the user has logged into the system, you can. If you look at our user Ralf, you will see his password in plain text! As Benjamin explained to me one day, many Win8 systems tag an MS Live e-mail account to their login credentials.
With Mimikatz you can get both their login password and their e-mail password with one command. Conclusion In this section we showed how to recover plain text passwords from a remote system.
As you can see, trusting in complex passwords alone as a security measure is not always foolproof. If an attacker is able to get access to your system, they could possibly obtain your password in plain text.
Chapter 19 — Mimikatz and Utilman

Introduction

For ages the security field mantra has been: if you have physical access, you have total access.
And in many cases this is true. I performed onsite server and workstation support throughout upstate New York and Northern Pennsylvania for about 20 years and have seen companies do some really silly things when it comes to physical security.
I have been in and out of hundreds of facilities, allowed to roam around completely unsupervised. At one datacenter where I showed up to repair a server, none of the admins could be found and the network manager was off site. Not one of them answered their pages or cell phone calls. So the receptionist did the only logical thing: she ushered me into their server room and left me there, completely unsupervised, for about an hour until someone showed up… One time I saw a major company prop their secure server room door open with cabling boxes and leave it unsupervised while they took their hour lunch.
I have a friend who is a retired Special Forces operator, and he told me once that if you are armed with a tie and a clipboard, no one will stop you. And he was right. Out of my 20 years of doing onsite server and IT support involving banks, government facilities, research centers and large corporations, once inside the building, I was stopped and asked for ID only three times! Physical security is very important.

Utilman Login Bypass

Okay, this technique is really old, and not technically an attack.
It originated from an old Microsoft Technet Active Directory support forum message. The Utilman bypass works by manipulating a helpful Windows function that is available at the login prompt. It allows a system level command session to open without using credentials. I have friends who support large networks who tell me that they still use this technique for legitimate purposes. For example, when older corporate stand-alone systems need to be backed up and repurposed and no one can remember the system password, they will use this technique.

To perform this procedure you need a Kali Linux boot disk. For this example I used a Windows 7 Pro system. Ye have been warned. After a while the Kali Desktop will appear. Open this and your Windows file system will show up: If the hard drive is not encrypted, you have complete access to the Windows file system at this point. What we are going to do now is to rename the original Utilman.
You should now have two utilman files, a utilman. We keep the Utilman.

The Android framework is very extensive as it has a layered approach. It has five layers: the kernel and low-level tools, the native libraries, the Android runtime with the Dalvik virtual machine. The present kernel is 3.

Figure: Android Architecture (taken from wiki).

Android is an Open Handset Alliance product and is released under the Apache license. The power of the Android platform lies in the thousands of apps running on it, backed by a strong and active open source developer community. Table 1 provides a list of widely used open markets.

It is important to understand the difference between unlocking the bootloader and rooting mobile devices. Unlocking the bootloader provides the user with the option to change the stock operating system on the mobile device. Rooting, however, is the process of modifying or altering the default operating system shipped with the device to gain complete control over it. This means that the limitations that carriers and various manufacturers put on the device are easily bypassed, extended functionality is accessed without any problems, and custom modules and upgrades can be added without any limitations.

Offensive Security, the creators of Backtrack Linux, have a new catchy tag line: the quieter you become, the more you are able to hear. With this Zen mantra the focus is stealth. Kali Linux was created for stealth and attack; this amazing distribution is the most advanced and versatile version of Backtrack ever created. This distribution is geared towards professional penetration testers and security auditors.

Kali has gone beyond any live CD distro and moved into the category of a full-fledged operating system. It has moved to a solid base of Debian modules and is completely File Hierarchy System (FHS) compliant. All directories appear under /. Now the user can execute any tool from anywhere in the file system, irrespective of its installed location. The second advantage of Kali is its support for ARM hardware and its ability to bootstrap the installation directly from the repositories. The Kali operating system has over three hundred penetration testing tools and wireless device support. Its kernel is highly patched and network services are disabled by default, making it more secure.

Kali is not just for network security professionals; beginners can also start learning about cyber security using this distribution. Whether you are pentesting wireless, exposing server vulnerabilities, performing a web application based exploit, learning, or doing social engineering, Kali is the one-stop-shop for all security needs. Kali is free and now ported to Android based smartphones to be taken anywhere. These tools are all categorised in fifteen different categories for various purposes.

Figure 2: Unlock Bootloader.

HTC provides instructions on their website to unlock the bootloader for the HTC One X, but by performing this operation the user voids all warranty on the device. Once the device gets connected successfully to the PC, log in to the HTCDev website with the registered user name and password.
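For the Utilman rename described in Chapter 19 above, the useful question for a defender is how to notice that it has been done to a machine. The check below is an added example, not code from the book: it hashes utilman.exe and cmd.exe in a System32 directory and reports whether they are byte-identical (the tell-tale sign of the plain copy-of-cmd.exe variant) and whether any extra utilman* files, such as a renamed original, have been left behind. The directory it runs against in demo() is a throwaway one filled with constructed stand-in files, not real Windows binaries; on a live host you would point check_utilman at the real System32 and pair it with Windows' own file signature checks, since this only catches the exact trick the chapter describes.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large binaries are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_utilman(system32: Path) -> dict:
    """Look for the traces the rename trick leaves in System32: utilman.exe
    byte-identical to cmd.exe, and leftover utilman* copies (the renamed
    original). Reports missing files instead of guessing."""
    findings = {"missing": [], "utilman_is_cmd": False, "extra_copies": []}
    utilman, cmd = system32 / "utilman.exe", system32 / "cmd.exe"
    for p in (utilman, cmd):
        if not p.is_file():
            findings["missing"].append(p.name)
    if not findings["missing"]:
        findings["utilman_is_cmd"] = sha256_of(utilman) == sha256_of(cmd)
    # Windows paths are case-insensitive, so compare names in lowercase.
    findings["extra_copies"] = sorted(
        p.name for p in system32.iterdir()
        if p.name.lower().startswith("utilman") and p.name.lower() != "utilman.exe"
    )
    return findings


def demo(swapped: bool) -> dict:
    """Build a throwaway directory standing in for System32 (constructed
    sample files, not real Windows binaries) and run the check on it.
    swapped=True models a machine where the trick has been applied and the
    original was kept as utilman.old (a constructed name)."""
    with tempfile.TemporaryDirectory() as d:
        s32 = Path(d)
        (s32 / "cmd.exe").write_bytes(b"stand-in for cmd.exe")
        if swapped:
            (s32 / "utilman.old").write_bytes(b"stand-in for the original utilman.exe")
            (s32 / "utilman.exe").write_bytes(b"stand-in for cmd.exe")
        else:
            (s32 / "utilman.exe").write_bytes(b"stand-in for the original utilman.exe")
        return check_utilman(s32)


if __name__ == "__main__":
    print("clean  :", demo(swapped=False))
    print("swapped:", demo(swapped=True))
```

The clean case reports utilman_is_cmd False with no extra copies; the swapped case reports True and lists utilman.old. A positive result is worth treating as a physical-access incident, because the chapter's own precondition for the trick is an unencrypted disk and an unattended machine, which points at the disk encryption and physical controls the chapter argues for.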