
Intermediate Security Testing With Kali Linux 2 Pdf

Language: English, German, Hindi
Genre: Science & Research
Published (Last): 05.10.2015
ePub File Size: 16.89 MB
PDF File Size: 8.48 MB

Intermediate Security Testing with Kali Linux 2 - Daniel W. Dieterle

Working through the book was engaging and fun. I followed along with the tutorials and the external download recommendations and continued tutorials, and enjoyed several exploits along the way. It really helped to solidify my understanding of some of the tools in Kali, and when to use which tool. According to site, the Basic book was published in May, but the Intermediate book was published in November. Meanwhile, I have a number of other security books in various digital formats:

I thought it would be useful to convert them to be usable on the site. Not as straightforward as one would suspect, and not as straightforward as vendor and open forums would lead one to believe. First, I copied all of them in their respective formats to the Documents folder on the site. Turns out, there are specific file types that are preferred by the site.

I think you will really enjoy it! Setting up our testing lab using virtual machines makes it very easy to learn offensive computer security testing using Kali. Virtual machines make it possible to run several operating systems on a single computer. That way we do not need a room full of computers to set up a lab environment.

We only need one machine powerful enough to run several virtual machine sessions at once. It had plenty of power to run all three of our lab operating systems at the same time with no problem at all. Though 64-bit versions of the virtual machines should work similarly, I used the 32-bit versions of Kali Linux and Windows 7. Some Kali tools will only run in a 32-bit environment. If you are using Windows as your host system, I recommend using Windows 7 instead of Windows 10, as I did run into some issues with using Windows 10 as a host.

Though I cover using VMware Player as the host software, you can use any virtual machine software that you want if you are more familiar with it. When the lab is complete, you should have a small test network that looks something like this: Because we will be dealing with vulnerable operating systems, make sure that you have a firewall/router (preferably hardware) between the host system and the live internet.

The IP addresses listed are the ones that I used throughout the book.

I will show you how to set the IP addresses using static settings. Download and install VMware Player (https: ). Agree to the license agreement and choose where you want to install it; the default is normally fine. It is always a good idea to verify the SHA1SUM of the downloaded image to make sure you have a legitimate copy of the image. Unzip the file. Start VMware Player. Surf to the extracted Kali.

It will now show up on the VMware Player home screen. Here you can view and change any settings for the VM: It is set to NAT by default.

NAT means that each Virtual machine will be created in a small NAT network shared amongst them and with the host; they can also reach out to the internet if needed.

Some people have reported problems using NAT and can only use Bridged, so I used Bridged for all of my virtual machines in this book. If you do use Bridged, make sure to have a hardware firewall between your system and the internet. When prompted to install VMware Tools, select to install them later. When Kali boots up, you will come to the login screen: You will then be presented with the main desktop: Installing VMware Tools allows the OS to work better with VMware, usually giving you more control over video options and enabling cut and paste with the host.

And more importantly, it allows you to drag and drop files between the virtual machines, which does come in handy.

Installing Metasploitable 2

Metasploitable 2, the purposefully vulnerable Linux operating system that we will practice exploiting, is also available as a VMware VM.

Download Metasploitable 2 (http: ). Unzip the file. It will now show up in the VMware Player menu. Metasploitable 2 is now ready to use. You should now see the Metasploitable desktop: Login with the credentials on the screen. Login name: By default the network is set up as Dynamic. Then enter the desired IP address, netmask and gateway as seen below: We now have our Metasploitable and Kali systems up.

You used to be able to download a time-limited Windows 7 Enterprise Evaluation version directly from Microsoft, but it looks like most of the links now point to their Windows 8. Then just install Windows 7 as usual. When done, you will have a Windows 7 virtual machine: Edit the virtual machine settings and make sure that it too is using Bridged or NAT for networking.

And that is it; you should now have three virtual machines running in our mini-lab network. We installed Kali Linux, Metasploitable 2 and Windows 7 as separate virtual machines on the host. We set them all up to use the same networking so that they can communicate with each other and out to the internet if needed.

We will use this setup throughout the rest of the book. Just as a reminder, if you set up your own virtual host and are using DHCP, the IP addresses of the systems may change when rebooted.

Resources: VMware - http:

For this book we will be using two separate versions of Mutillidae: 1. Mutillidae in the Metasploitable 2 Virtual Machine 2. The Mutillidae on the Metasploitable VM is an older version 2. The recently released 2. The advantage of using Mutillidae on two different platforms is that we see how website attacks interact differently with the underlying operating system.

The attack commands and capabilities will vary depending on what operating system the vulnerable web app is running on. Lastly, the Metasploitable 2 Mutillidae is much more responsive in a virtual environment. There are some database changes that need to be made in the Metasploitable VM, and we will need to install the new Mutillidae on Windows 7.

Mutillidae Database Configuration Changes

As of this writing, there is a database name error in the Metasploitable 2 version of Mutillidae.

The php. We need to edit this file: sudo nano php. Then just save and exit. Now restart Apache, and reset the database: And that is it; Mutillidae in the Metasploitable VM is all set! Next, download Mutillidae: Now open Internet Explorer and surf to http: You may need to reset the database by clicking on the reset link if there is a database error. Now restart your Windows 7 VM. Congratulations, Windows 7 Mutillidae is installed!

Security and Hints Level

One last note: Mutillidae comes with several security levels that you can use.

I highly recommend toggling the security level after you have learned a new attack and see how the increased security level affects your attack. None of the attacks should be possible in Security Level 5. Hints are also available; these can come in very handy, especially when you are learning new techniques.

Both the security and hints level can be changed by the corresponding Toggle item on the menu bar. This section will be divided into two parts:

1. An overview of the new features.
2. A hands-on tutorial section.

New Features

First we will look at some of the changes, new commands and capabilities in Metasploit. This automatically starts everything needed to run Metasploit.

The first time you start the Metasploit Framework in Kali 2 it automatically creates and configures the Metasploit databases. It then starts Metasploit:

Starting Metasploit via Terminal

Starting up Metasploit in Kali 2 via terminal is slightly different than in the earlier versions.

In a terminal window, type: In Metasploit, to verify the database is running, type: This is a welcome blessing for those who use Metasploit frequently. Being new, Kali 2 does not yet support the commercial versions.

The other versions of Metasploit can be installed if you wish, but are not required for this book. For more information see: The command has been upgraded so you can now run the command against an entire range of hosts.

Though there does not seem to be many modules that support the command yet, it could be very useful in certain situations.

And these new Metasploit payloads are a huge help for testing using PowerShell: Before these were released, when you entered a PowerShell session with a remote host through Meterpreter sometimes you would not see PowerShell commands echoed back to you.

To bypass this you needed to take all of your PowerShell commands, encrypt them and pass them through the Meterpreter shell in a single command. But with the new Shells you can interact with PowerShell in real-time!


We will cover some of these in the PowerShell chapter.

Transports - Changing Shells on the Fly

Transports are a new way to change shells on the fly. Basically, after you get a shell, you set up additional transports or shells that act as a level of fault tolerance and persistence.

Your choices for transport shells are: At the time of this writing this feature was still a work in progress, but this is definitely something to keep your eyes on.

Lester the Local Exploit Suggester

This new module scans a system and suggests local exploits for a current session. This Metasploit module has been added but is not in the Kali Metasploit repository as of this writing. Module Information:

Paranoid payloads are a new way to deliver payloads that contain unique ID numbers and are SSL certificate signed. Once the payload and listener pair is created, the listener will only allow that specific payload to connect.

Full instructions on implementing this can be found at: When a target system is exploited the payload is delivered in stages. With Stageless Meterpreter the payload is completely delivered all at once, making it much more streamlined. Here is a list of the new payloads and their locations: These can also be used with Msfvenom to make stageless standalone shells.

For more information: For the hands-on section, we will use our Windows 7 VM as a target. We will also start with an existing Meterpreter shell to our Windows 7 VM. The problem is that the UAC security feature of Windows blocks attempts at running programs at an elevated security level. It seems that the Bypass UAC module usage has changed, and many people are saying that it no longer works.

It does work, unless AV blocks it; it just works a little differently now. From here, enter:

Mimikatz Extensions
Author: Benjamin Delpy
Website:

Kiwi usage: The Kiwi extension is now loaded. Well, at least he is consistent. If we want to just grab user accounts and plain text passwords: This can create a Kerberos ticket that will grant a user Domain Administrator access that will last for 10 years!

Even if the domain admin password is changed the Golden Ticket should still work. Obviously this is a huge security concern for a company and as the ticket lasts for 10 years, securing it properly is of utmost importance. Because of the security concerns, I will only provide a quick overview of the process. For the domain SID: Next you will need the Password hash of the target user. Now you should have everything needed to create the ticket. LOCAL -u administrator -k dfe0d16aebe0cc0 -s S -t goldkey.

Finally, use the key: You should now be able to access domain resources as the Domain Admin. Again, this is a serious security concern to the entire domain and is not recommended. If you do make a Golden Ticket for an active domain (highly discouraged), secure it extremely well.

Running Meterpreter Commands on Multiple Targets

There are multiple Metasploit payloads that allow you to target multiple machines or an entire network.

But what if you wanted to perform commands on multiple sessions at once? In this section we will quickly cover several ways in which this can be done.

And these two examples: The second example will kill multiple sessions. According to the Rapid7 GitHub forum (https: ), for example: Literally, you can run any Windows command that you want. So keeping this in mind, what if we run the PowerShell command that we will cover in the PowerShell Exploitation chapter? We get this on all of our Windows sessions: This could have some interesting uses!

Using Script Modules

Metasploit comes with a couple of built-in scripts that you can use to automate running commands against open sessions.

This can be modified as needed to perform commands against multiple sessions: Simply enter the command that you want to run and enter the target session numbers.

Switching Shells with Payload Inject

What do you do if you have an active shell, but want to change it to a different type of shell? For example, say that we have an active shell on a target system.

We can change these defaults to use a different process (an elevated one if we prefer) and any payload that we want. In this case, PID svchost. We will inject our payload into that process. When run, we should get a new session: Notice in the screen above that a new PowerShell-based session was automatically opened (session 3 in this case). If we connect to this session we automatically drop into the PowerShell interface: And that is how you jump from one shell type to another using the Payload Inject module.

Conclusion

In this chapter we looked at some of the new commands and features of Metasploit. We also learned how to use BypassUAC to escalate an administrator account to a system level account. Once we had a system level account, we then saw how the new Mimikatz features can be used to pull system information and display clear text passwords.

It is very important in a Windows environment to protect administrator level accounts. Only allow regular users privileged accounts on rare and limited occasions. And use Domain accounts only for administrative functions; at all other times use the lower user level account for normal tasks.

Chapter 6: Msfvenom

Shellcode is code that when run creates a remote shell back to the creator.

Malicious Windows shellcode is how many large corporations are getting exploited these days. A hacker booby-traps a file, sends it to a targeted company employee via e-mail with some work related file name and sometimes they run the file.

Once they do, the attacker gets remote access to their system. Shellcode can also be added to legitimate programs to create backdoored applications. Take an often used software utility or even a smartphone app and combine the shellcode into the program. When it is installed or run the hacker gets remote access or control of the system.

Another way shellcode is commonly used is to upload a shell to a vulnerable website. This can happen if the webserver contains software vulnerabilities or badly written code. If the attacker can access this file over the internet, it gives them the power to manipulate or control the webserver.

These utilities have been replaced by the Msfvenom utility. If you are used to the original commands, using msfvenom will not be a big change for you.

Using Msfvenom

We will create the shellcode file using the msfvenom command and then copy the command to a Windows computer. We then need to set up our Kali system to look for incoming connections from the remote file. If everything works right, we will have a remote session with the target system. To create our shell file, we will need to pick a platform, payload and optionally an encoder.

Msfvenom also supports special features to help it bypass anti-virus and even add our shellcode to an existing file. Take a minute and look through the possible combinations. We will be creating shells from the command line, but also need a terminal running Meterpreter open to handle the incoming sessions.

It may help to keep two terminal windows open, side by side - one being a regular terminal that we can run the Msfvenom commands on and the other one running Meterpreter, something like this: For this example we will just get the target system to connect back to us with a remote DOS shell.

All we need to set for the payload is the call back IP address and port of our Kali system. We also want our shell to be a Windows executable. In real life an attacker would most likely use some sort of social engineering attack, like including the shellcode file in an official looking e-mail to get the victim to run it. For our purposes, you can just drag and drop the file between the Kali system and the Windows 7 VM.

A remote shell!

Remote Metasploit Shell

A remote DOS command shell is nice, but as we saw in my first book, we can do a lot more if we have a remote Meterpreter shell. We can use all of the built-in tools and modules to exploit the machine and even use the system as a jumping point to attack deeper into the target network.

Creating a Meterpreter shell with msfvenom is almost identical to our first example. Just choose a Meterpreter payload instead of a shell.


Just type: Copy the resultant file over to your Windows system. Execute the Windows file. Then on the Kali system we should see a session open and we will be at the Meterpreter prompt: It is used often by system administrators for network or workstation management but can also be used by those with malicious intentions.

Copy the resultant file to your Windows system. Set up Multi-Handler in Metasploit: Now execute the batch file on your Windows test system and you should get a remote session created in Metasploit:

Linux Python Meterpreter Shell

Okay, we have seen a couple of Windows shellcodes; what about one that will work against a Linux machine?

There are multiple Linux ones, but for this example we will just create a Python based shell. As soon as it executes, we get a full Meterpreter shell to our Kali system: As usual we set the IP address of the Kali system and the port we want to use.

This creates our PHP shellcode file. But we cannot use it quite yet. We will have to add the PHP tags manually to get it to work correctly. Open the shellcode file in a text editor and add the tags as seen below: Now upload the evil PHP file to our vulnerable website. Again, we will go over this in detail later, but if you do want to follow along, simply copy the PHP file to your Windows 7 Mutillidae directory. Start a handler service for the PHP payload: Browse to the vulnerable website and execute the PHP command from the browser in Kali: And in Metasploit we see this: So by using a PHP-based payload, we were able to gain a remote shell on a vulnerable webserver.

Changing the Shellcode Filetype

Depending on the exploit, we can change the shellcode output to several different programming languages. This could come in handy if we have an exploit for one environment but need to convert it to another. As you can see, changing the file type output modified the output shellcode. These are just examples. To get the code to work in the different languages, you might have to add additional code or manipulate them in some way to get the shellcode to execute properly.

This command has the following options: From within Metasploit on Kali, enter: And we have a shell! Getting your shellcode past that pesky Anti-Virus program is always a challenge.

This option allows you to choose different encoders to obfuscate the shellcode. I have spent a lot of time in the past with a retired military security expert playing with different encoders, and encoding passes. The AV would usually still detect it.

Conclusion

As you can see, msfvenom is a very powerful tool to create shellcode.

Updated operating systems and patches can negate some shells, and of course anti-virus can block many well-known shells, even when they are run through multiple levels of encoding. Many times anti-virus programs are just looking for specific strings in the file.

Shellcode programs can use PowerShell or other scripting languages which many anti-virus products do not see as a threat. We will briefly look at bypassing anti-virus in a later chapter. In defending against these types of attacks, make sure your websites are secured against common web-based attacks. Also be very vigilant against social engineering attacks that use phishing-type schemes to trick your users into running shellcode files.

When you start to use Metasploit regularly you find that you are typing in the same commands over and over. Resource files save you a lot of time by storing the commands you enter regularly to a file.

You can also include Ruby scripting to do some amazing things.


We will look at these in a minute. If we view the file we can see all the commands that we typed: You can enter any repetitive commands that you want and save them as a resource file. This can save you a lot of time if you use Metasploit frequently for multiple tasks.

Starting Resource Scripts from the Command Line

You can also start resource commands from the command line.

There are two ways to do this. So, from our example above the command would be: And that is it; making resource files is really simple in Metasploit. But that is not all; we can increase their usefulness by incorporating Ruby scripting.

Global Variables

Global variables are special variables in Metasploit that remain constant across your sessions. There are specific commands just for these settings: Viewing the file reveals that this resource script has a brief introduction and then the rest of the file is basically a Ruby script.

Everything in between these tags is the Ruby script. You can use Ruby programming in any resource file simply by entering the code between these tags as seen below: The powerful thing about using Ruby in resource files is the ability to call settings and variables from Metasploit and interact with the remote system.

Read through the Portscan file.

Now run the portscan. This returns the results of the port scan, revealing which ports are open, what services are running on those ports and OS detection: If we wanted to auto scan a target for more information than is provided with portscan. Take some time and look at the other resource files.

Some of these can be very handy at automating attacks by themselves. But they also demonstrate how you can use Ruby to add intelligence to your own Resource files.

Conclusion

In this section we learned about resource files used in Metasploit. We saw how easy it is to create our own resource files and looked at the resource files that come with Metasploit. While you are going through this book, if you notice you are typing in the same commands over and over, try creating an RC script to save some time!

Resources: Database commands:

We will also show that this module works against an optional Mac target.

Now enter: We will be attacking a Windows system, so we will use PowerShell. This starts a listener server that hosts our payload and then waits for an incoming connection.

All we need to do is run the generated PowerShell command on our target system.

On the Windows 7 system, open a command prompt and paste in and execute the PowerShell command: And after a few seconds you should see: A Meterpreter session open! Python Web Delivery vs. We will basically do everything the same, except set the target type to Python. When it is run on the Metasploitable system: We get a shell:

Works on Mac too!

If you have a Mac system, the Python Web Delivery option should work also.

While still running the Web Delivery module above, just: This should open another session, this time to the Mac: And we are in! And we have a shell: And that is it; from one exploit module we can get remote shells with Windows, Linux or Mac. Close the terminal that you have open on the remote machine but leave the Web Delivery Meterpreter module running; we will use it again in a minute. When prompted, go ahead and save the file: Now open the file and read through it.

This looks like a functional script, but the starting PHP tag is commented out and the ending tag is missing. Just as in the Msfvenom shell creation, all we would need to do is fix the PHP starting tag and add an ending tag.

Nothing seems to be happening; the connecting bar is just spinning, but if we look at Meterpreter we should see this: A shell opened to the Kali system!

Okay, silly I know - why in the world would we want a shell to ourselves? The point is that we grabbed the code generated by a Kali module and enabled it to function as a PHP webpage script. Just as in the Msfvenom section, if we could get that PHP script uploaded to a remote website, we could get remote access to it through a browser.

This section was a bit redundant to the Msfvenom PHP shell I know, but hopefully it helps to get you thinking outside the box a little. There are many different ways to use Metasploit!

Hopefully as you have seen, the Web Delivery module is very easy to use and works very well. When we look at using commands through Meterpreter later, the Web Delivery module is one way you can use to obtain the remote shells needed for the tutorials.


This usually boils down to getting past Anti-Virus. Many Anti-Virus detectors are signature based — they look for a specific string or pattern in a malicious file. Chances are if you can find that string and change it, you might be able to bypass AV.

There is a program called Evade by securepla. You take each file and run them through an AV scanner. Then just analyze the section that was detected as malicious using a hex editor.

Change the string and you could be good to go. I will leave this as something for the readers to explore. Veil Evasion, covered in my first book, is also a good choice for bypassing anti-virus. It gives you multiple choices in payloads and was very good at bypassing AV, though in recent tests I have seen some of the payloads get flagged by AV. The latest version of Shellter 4. Updates in version 4. Shellter works by taking a legit Windows.

It then does a great job of modifying the file for AV bypass. The original Windows.

Using Shellter
Author: Kyriakos Economou
Website:

So we will need to install it with the apt-get command.


To install: We will need a Windows 32-bit program to use as a host. Copy plink. Next, enter the IP address of your Kali system, and then the port number to use. Shellter will obfuscate the code and crunch for a while.

Then you should see: We will now have two plink. Copy our plink. If you compare the size of the backdoored exe to the original one you will notice that they are the exact same size.

Each time you run Shellter you should get a slightly different file as random code is inserted during the obfuscation process. I uploaded the file to Virustotal to scan it for malicious content: And it was not a mainstream AV normally found in large companies.

Conclusion

In this short chapter we saw how easy it is to use Shellter to create a reverse shell. We also saw that anti-virus programs do not always catch malicious files. As a network administrator, never allow employees to use privileged accounts for everyday usage. A little user vigilance can go a long way at protecting your network!

Post modules are extremely handy add-on Ruby scripts that can be run after you get a remote shell.

These mini-programs automate a lot of post exploitation processes making it very simple to manipulate a compromised system to recover data and even account credentials.

Next we cover in-depth ways to use Metasploit, by seeing the latest techniques to create backdoor shells and bypassing anti-virus. We also cover automating Metasploit, including scripting based attacks using both Railgun and PowerShell.

In the web application section we cover many of the tools and techniques used against websites. Over 30 tools are covered ranging from scanning to exploiting, including the ever popular BurpSuite. In the Attacking Smart Devices section we will see how to create virtual phones or tablets, getting remote shells on Android devices and how Wi-Fi and Man-in-The Middle attacks work against smart devices.

Lastly, the book has an entire section of using computer security tools for forensics, an Internet of Things section and an entire chapter devoted to defending your systems.

Dieterle has worked in the IT field for over 20 years. During this time he worked for a computer support company where he provided system and network support for hundreds of companies across Upstate New York and throughout Northern Pennsylvania.

He also worked in a Fortune corporate data center, briefly worked at an Ivy League school's computer support department and served as an executive at an electrical engineering company. For about the last 6 years Daniel has been completely focused on security as a computer security researcher and author. His articles have been published in international security magazines, and referenced by both technical entities and the media.

Daniel has assisted with numerous security training classes and technical training books mainly based on Backtrack and Kali Linux.
