Thanos Stantzouris Industrial Engineer & Web Developer

Welcome back Duthcoders to another article about my passion, Hacking!

As you may know, hacking is a skill acquired with many hours of practicing and studying! In order to become good at it you need to focus on learning a vast variety of technological topics, oh... and not only technological, if I come to think of it.

What I am trying to say is this: OK! You want to become a master hacker, I get it. You ought to know the basics of programming languages like PHP, C, C++, Python and Assembly, if you dare. You also have to know how technologies such as FTP and SSH work, what a port is, what TCP and UDP are, and all the following parade! If you have no idea what I am talking about, check out my previous article, Get started with Hacking, to get the basic idea.

The most well-known image of a hacker is the following: a teenager in a hoodie, with bad intentions of course, plotting the next big economic-crisis hack while typing commands in a terminal on his or her laptop!
Let's agree with that image! Because it's 100% realistic... not. But that image raises a question, and that question is: what operating system is he or she on?

The answer: probably Kali Linux! At least that's what Elliot is constantly using in Mr. Robot.

Elliot Alderson

What is Kali Linux?

Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing professionals. It comes hand-in-hand with a plethora of penetration testing tools (600+), which easily cover all the phases of a penetration test:

  1. Reconnaissance
  2. Scanning
  3. Gaining Access
  4. Maintaining Access
  5. Covering Tracks

That means that with Kali you can easily find tools for anonymity, information gathering, vulnerability analysis, database assessment, password attacks, wireless attacks, exploitation, sniffing and spoofing, and post-exploitation.

Some of the best pre-installed tools to get you started.

Since this is a simple introduction to the Kali Linux distro, I will present to you some of the best pre-installed tools for a beginner hacker.

1. ProxyChains

ProxyChains can cover pretty much anything you want to do. For example, I want to use ProxyChains to cover NMAP.
The command:

~$ proxychains nmap -sS -O scanme.nmap.org/24

This command launches a stealth SYN scan against every machine that is up among the 256 IPs of the class-C-sized network where Scanme resides, and the scan gets covered by ProxyChains. One caveat worth knowing: ProxyChains works by intercepting the connect() calls a program makes, so only TCP connections are routed through the proxy; the raw packets that a SYN scan (-sS) and OS detection (-O) send bypass it. Use a connect scan (-sT) without -O when the traffic actually has to go through the proxy.

But before you use ProxyChains, you need to configure it first; see the Configure ProxyChains tutorial.

2. WhoIs

WhoIs is a query and response protocol, widely used to query the databases, managed by Internet registrars and registries, that store the registered users or assignees of an Internet resource such as a domain name or an IP address block. It also returns a wider range of information about the domain owner.

Here is a simple whois output for our website.

root@kali:~# whois duthcode.com
   Domain Name: DUTHCODE.COM
   Registry Domain ID: 2218163516_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.papaki.gr
   Registrar URL: http://www.papaki.gr
   Updated Date: 2019-01-11T19:42:46Z
   Creation Date: 2018-01-24T21:47:52Z
   Registry Expiry Date: 2020-01-24T21:47:52Z
   Registrar: Papaki Ltd
   Registrar IANA ID: 1727
   Registrar Abuse Contact Email: abuse@papaki.gr
   Registrar Abuse Contact Phone: +30 211-800-2275
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Name Server: NS1.ADOPT-HOST.CLOUD
   Name Server: NS2.ADOPT-HOST.CLOUD
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/
...
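To make the protocol concrete, here is a small Python script (an added example, not part of the original article) that speaks WhoIs directly as RFC 3912 describes it, then parses a record into fields and pulls out what a defender usually checks: the registrar, whether the domain is locked against transfer, whether DNSSEC is in use, and how many days remain before it expires. The sample record is the duthcode.com output above; whois.verisign-grs.com is the .com registry's server (the whois tool above picks the right server for you).

```python
import socket
from datetime import datetime, timezone

# The whois output shown above for duthcode.com, reused here as an offline sample.
SAMPLE_WHOIS = """\
   Domain Name: DUTHCODE.COM
   Registry Domain ID: 2218163516_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.papaki.gr
   Registrar URL: http://www.papaki.gr
   Updated Date: 2019-01-11T19:42:46Z
   Creation Date: 2018-01-24T21:47:52Z
   Registry Expiry Date: 2020-01-24T21:47:52Z
   Registrar: Papaki Ltd
   Registrar IANA ID: 1727
   Registrar Abuse Contact Email: abuse@papaki.gr
   Registrar Abuse Contact Phone: +30 211-800-2275
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: clientUpdateProhibited https://icann.org/epp#clientUpdateProhibited
   Name Server: NS1.ADOPT-HOST.CLOUD
   Name Server: NS2.ADOPT-HOST.CLOUD
   DNSSEC: unsigned
"""

def whois_query(domain, server="whois.verisign-grs.com", port=43, timeout=10):
    """The protocol itself (RFC 3912): TCP to port 43, send the query followed by CRLF,
    read until the server closes the connection. Needs network access; not used by the tests."""
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")

def parse_whois(text):
    """'Key: value' lines into a dict; keys that repeat (Domain Status, Name Server) collect a list."""
    fields = {}
    for raw in text.splitlines():
        key, sep, value = raw.strip().partition(":")   # split on the first colon only (URLs contain more)
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            continue
        if key in fields:
            if not isinstance(fields[key], list):
                fields[key] = [fields[key]]
            fields[key].append(value)
        else:
            fields[key] = value
    return fields

def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def days_until_expiry(fields, now_iso=None):
    """Days left before the registry drops the domain; an expired domain can be re-registered by anyone."""
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    return (_parse_ts(fields["Registry Expiry Date"]) - now).days

def summarize(fields, now_iso=None):
    """What a defender reads off a whois record: registrar, transfer lock, DNSSEC, expiry, name servers."""
    statuses = fields.get("Domain Status", [])
    if isinstance(statuses, str):
        statuses = [statuses]
    return {
        "registrar": fields.get("Registrar"),
        "transfer_locked": any(s.startswith("clientTransferProhibited") for s in statuses),
        "dnssec_signed": fields.get("DNSSEC", "unsigned").lower() != "unsigned",
        "days_until_expiry": days_until_expiry(fields, now_iso),
        "name_servers": fields.get("Name Server"),
    }

if __name__ == "__main__":
    # Offline run on the sample; for a live lookup use parse_whois(whois_query("duthcode.com")).
    print(summarize(parse_whois(SAMPLE_WHOIS), now_iso="2019-06-01T00:00:00Z"))
```

The parser splits on the first colon only, because values such as the registrar URL contain colons of their own; repeated keys are kept as lists so both name servers and both status flags survive.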

3. NMAP

Nmap (Network Mapper) is a free and open-source utility used for network discovery and security auditing.
NMAP is my personal favorite because it's flexible, portable, FREE, powerful and very, very, very... very famous, so you can find a plethora of different tutorials suiting your every need. Visit the NMAP official page at https://nmap.org.

NMAP has also been featured in The Matrix!

Trinity using NMAP

Here we see Trinity doing an NMAP scan in order to find a vulnerable SSH server inside the power grid's internal network.
She ran the following command:

nmap -v -sS -O 10.2.2.2

Command explanation:

  • -v : increase verbosity level

  • -sS : TCP SYN ("stealth") scan

  • -O : enable operating system detection

You can easily get all the available Nmap options by running the following command in your Kali terminal:

root@kali:~# nmap -h

Nmap 7.70 ( https://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
  Can pass hostnames, IP addresses, networks, etc.
  Ex: scanme.nmap.org, microsoft.com/24, 192.168.0.1; 10.0.0-255.1-254
  -iL <inputfilename>: Input from list of hosts/networks
  -iR <num hosts>: Choose random targets
  --exclude <host1[,host2][,host3],...>: Exclude hosts/networks
  --excludefile <exclude_file>: Exclude list from file
HOST DISCOVERY:
  -sL: List Scan - simply list targets to scan
  -sn: Ping Scan - disable port scan
  -Pn: Treat all hosts as online -- skip host discovery
  -PS/PA/PU/PY[portlist]: TCP SYN/ACK, UDP or SCTP discovery to given ports
  -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes
  -PO[protocol list]: IP Protocol Ping
  -n/-R: Never do DNS resolution/Always resolve [default: sometimes]
  --dns-servers <serv1[,serv2],...>: Specify custom DNS servers
  --system-dns: Use OS's DNS resolver
  --traceroute: Trace hop path to each host
SCAN TECHNIQUES:
  -sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
  -sU: UDP Scan
  -sN/sF/sX: TCP Null, FIN, and Xmas scans
  --scanflags <flags>: Customize TCP scan flags
  -sI <zombie host[:probeport]>: Idle scan
  -sY/sZ: SCTP INIT/COOKIE-ECHO scans
  -sO: IP protocol scan
  -b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
  -p <port ranges>: Only scan specified ports
    Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080,S:9
  --exclude-ports <port ranges>: Exclude the specified ports from scanning
  -F: Fast mode - Scan fewer ports than the default scan
  -r: Scan ports consecutively - don't randomize
  --top-ports <number>: Scan <number> most common ports
  --port-ratio <ratio>: Scan ports more common than <ratio>
SERVICE/VERSION DETECTION:
  -sV: Probe open ports to determine service/version info
  --version-intensity <level>: Set from 0 (light) to 9 (try all probes)
  --version-light: Limit to most likely probes (intensity 2)
  --version-all: Try every single probe (intensity 9)
  --version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
  -sC: equivalent to --script=default
  --script=<Lua scripts>: <Lua scripts> is a comma separated list of
           directories, script-files or script-categories
  --script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
  --script-args-file=filename: provide NSE script args in a file
  --script-trace: Show all data sent and received
  --script-updatedb: Update the script database.
  --script-help=<Lua scripts>: Show help about scripts.
           <Lua scripts> is a comma-separated list of script-files or
           script-categories.
OS DETECTION:
  -O: Enable OS detection
  --osscan-limit: Limit OS detection to promising targets
  --osscan-guess: Guess OS more aggressively
TIMING AND PERFORMANCE:
  Options which take <time> are in seconds, or append 'ms' (milliseconds),
  's' (seconds), 'm' (minutes), or 'h' (hours) to the value (e.g. 30m).
  -T<0-5>: Set timing template (higher is faster)
  --min-hostgroup/max-hostgroup <size>: Parallel host scan group sizes
  --min-parallelism/max-parallelism <numprobes>: Probe parallelization
  --min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
      probe round trip time.
  --max-retries <tries>: Caps number of port scan probe retransmissions.
  --host-timeout <time>: Give up on target after this long
  --scan-delay/--max-scan-delay <time>: Adjust delay between probes
  --min-rate <number>: Send packets no slower than <number> per second
  --max-rate <number>: Send packets no faster than <number> per second
FIREWALL/IDS EVASION AND SPOOFING:
  -f; --mtu <val>: fragment packets (optionally w/given MTU)
  -D <decoy1,decoy2[,ME],...>: Cloak a scan with decoys
  -S <IP_Address>: Spoof source address
  -e <iface>: Use specified interface
  -g/--source-port <portnum>: Use given port number
  --proxies <url1,[url2],...>: Relay connections through HTTP/SOCKS4 proxies
  --data <hex string>: Append a custom payload to sent packets
  --data-string <string>: Append a custom ASCII string to sent packets
  --data-length <num>: Append random data to sent packets
  --ip-options <options>: Send packets with specified ip options
  --ttl <val>: Set IP time-to-live field
  --spoof-mac <mac address/prefix/vendor name>: Spoof your MAC address
  --badsum: Send packets with a bogus TCP/UDP/SCTP checksum
OUTPUT:
  -oN/-oX/-oS/-oG <file>: Output scan in normal, XML, s|<rIpt kIddi3,
     and Grepable format, respectively, to the given filename.
  -oA <basename>: Output in the three major formats at once
  -v: Increase verbosity level (use -vv or more for greater effect)
  -d: Increase debugging level (use -dd or more for greater effect)
  --reason: Display the reason a port is in a particular state
  --open: Only show open (or possibly open) ports
  --packet-trace: Show all packets sent and received
  --iflist: Print host interfaces and routes (for debugging)
  --append-output: Append to rather than clobber specified output files
  --resume <filename>: Resume an aborted scan
  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
  --webxml: Reference stylesheet from Nmap.Org for more portable XML
  --no-stylesheet: Prevent associating of XSL stylesheet w/XML output
MISC:
  -6: Enable IPv6 scanning
  -A: Enable OS detection, version detection, script scanning, and traceroute
  --datadir <dirname>: Specify custom Nmap data file location
  --send-eth/--send-ip: Send using raw ethernet frames or IP packets
  --privileged: Assume that the user is fully privileged
  --unprivileged: Assume the user lacks raw socket privileges
  -V: Print version number
  -h: Print this help summary page.
EXAMPLES:
  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80
SEE THE MAN PAGE (https://nmap.org/book/man.html) FOR MORE OPTIONS AND EXAMPLES
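The -oX option in the help above writes the scan as XML, which is the form you want when the results feed a script rather than your eyes. The Python below is an added example (not from the article or the Nmap project): it parses that XML with the standard library, lists each host's open ports and best OS match, and compares the exposure against an allowlist of expected ports, which is how a defender uses Nmap to catch services that should not be listening. The XML is constructed to follow Nmap's layout; the hosts, ports and OS match are made up, reusing the 10.2.2.2 address from the scene above.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout nmap writes with -oX; hosts, ports and the OS
# match are invented for this example and do not come from a real scan.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -v -sS -O -oX scan.xml 10.2.2.0/30" start="0">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="10.2.2.2" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="closed" reason="reset"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="filtered" reason="no-response"/></port>
      <port protocol="tcp" portid="8080"><state state="open" reason="syn-ack"/><service name="http-proxy"/></port>
    </ports>
    <os><osmatch name="Linux 2.6.X" accuracy="95"/></os>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="10.2.2.3" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """One record per host: address, up/down, open ports as (port, proto, service), best OS guess."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        status_el = host.find("status")
        record = {
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "up": status_el is not None and status_el.get("state") == "up",
            "open_ports": [],
            "os": None,
        }
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed and filtered ports are not exposure
            service = port.find("service")
            record["open_ports"].append((
                int(port.get("portid")),
                port.get("protocol"),
                service.get("name") if service is not None else None,
            ))
        osmatch = host.find("os/osmatch")  # nmap lists matches best-first
        if osmatch is not None:
            record["os"] = osmatch.get("name")
        hosts.append(record)
    return hosts

def unexpected_exposure(hosts, allowlist):
    """Open ports missing from the per-host allowlist, e.g. {"10.2.2.2": {22}}.
    A host absent from the allowlist is allowed nothing, so every open port is reported."""
    findings = []
    for h in hosts:
        allowed = allowlist.get(h["addr"], set())
        for port, proto, service in h["open_ports"]:
            if port not in allowed:
                findings.append((h["addr"], port, proto, service))
    return findings

if __name__ == "__main__":
    scanned = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in scanned:
        print(h)
    print(unexpected_exposure(scanned, {"10.2.2.2": {22}}))
```

Run the same parser over the output of `nmap -sS -O -oX scan.xml <your network>` and schedule it; a new tuple in the findings list is a new listener nobody approved.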


3. HTTRACK

I love this tool. HTTrack is a website cloner; from a penetration testing perspective, it is mainly used to create a fake copy of a website for some phishing purpose. But a tool never has only one use. Just to give you an idea, you could easily clone the website that pops up whenever you connect to a free public coffee-shop Wi-Fi and construct your own captive portal attack. Food for thought.

You can run the HTTrack wizard by simply typing:

~$ httrack

You will then be prompted with a list of command suggestions to get you started using the tool.


4. THC Hydra

Hydra is the fastest network login cracker and it supports numerous protocols.
Basically, when you need to brute-force a remote authentication service, Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including Telnet, FTP, HTTP(S), SMB, several databases and much more.


root@kali:~# hydra -h
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Syntax: hydra [[[-l LOGIN|-L FILE] [-p PASS|-P FILE]] | [-C FILE]] [-e nsr] [-o FILE] [-t TASKS] [-M FILE [-T TASKS]] [-w TIME] [-W TIME] [-f] [-s PORT] [-x MIN:MAX:CHARSET] [-SuvV46] [service://server[:PORT][/OPT]]

Options:
  -R        restore a previous aborted/crashed session
  -S        perform an SSL connect
  -s PORT   if the service is on a different default port, define it here
  -l LOGIN or -L FILE  login with LOGIN name, or load several logins from FILE
  -p PASS  or -P FILE  try password PASS, or load several passwords from FILE
  -x MIN:MAX:CHARSET  password bruteforce generation, type "-x -h" to get help
  -e nsr    try "n" null password, "s" login as pass and/or "r" reversed login
  -u        loop around users, not passwords (effective! implied with -x)
  -C FILE   colon separated "login:pass" format, instead of -L/-P options
  -M FILE   list of servers to be attacked in parallel, one entry per line
  -o FILE   write found login/password pairs to FILE instead of stdout
  -f / -F   exit when a login/pass pair is found (-M: -f per host, -F global)
  -t TASKS  run TASKS number of connects in parallel (per host, default: 16)
  -w / -W TIME  waittime for responses (32s) / between connects per thread
  -4 / -6   prefer IPv4 (default) or IPv6 addresses
  -v / -V / -d  verbose mode / show login+pass for each attempt / debug mode
  -U        service module usage details
  server    the target server (use either this OR the -M option)
  service   the service to crack (see below for supported protocols)
  OPT       some service modules support additional input (-U for module help)

Supported services: asterisk afp cisco cisco-enable cvs firebird ftp ftps http[s]-{head|get} http[s]-{get|post}-form http-proxy http-proxy-urlenum icq imap[s] irc ldap2[s] ldap3[-{cram|digest}md5][s] mssql mysql ncp nntp oracle-listener oracle-sid pcanywhere pcnfs pop3[s] postgres rdp rexec rlogin rsh s7-300 sip smb smtp[s] smtp-enum snmp socks5 ssh sshkey svn teamspeak telnet[s] vmauthd vnc xmpp

Hydra is a tool to guess/crack valid login/password pairs - usage only allowed
for legal purposes. This tool is licensed under AGPL v3.0.
The newest version is always available at http://www.thc.org/thc-hydra
These services were not compiled in: sapr3 oracle.

Use HYDRA_PROXY_HTTP or HYDRA_PROXY - and if needed HYDRA_PROXY_AUTH - environment for a proxy setup.
E.g.:  % export HYDRA_PROXY=socks5://127.0.0.1:9150 (or socks4:// or connect://)
       % export HYDRA_PROXY_HTTP=http://proxy:8080
       % export HYDRA_PROXY_AUTH=user:pass

Examples:
  hydra -l user -P passlist.txt ftp://192.168.0.1
  hydra -L userlist.txt -p defaultpw imap://192.168.0.1/PLAIN
  hydra -C defaults.txt -6 pop3s://[fe80::2c:31ff:fe12:ac11]:143/TLS:DIGEST-MD5
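The flip side of a login cracker is that it is loud: a dictionary attack leaves a dense burst of failed logins from one source, usually against several usernames, in the target's authentication log (the -t 16 default above means sixteen parallel connections per host). The Python below is an added example (not from the article or from THC) that detects exactly that pattern in sshd log lines, using a constructed sample log with RFC 5737 documentation addresses; it also flags the event that matters most, a successful password login from a source that has just been bursting failures.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd log lines (RFC 5737 documentation addresses, invented hostname and PIDs).
# Six failures in eight seconds from 203.0.113.7 against four accounts, then a successful
# password login for root from the same source; one isolated failure from 198.51.100.22.
SAMPLE_AUTH_LOG = """\
Jan 24 21:47:01 bastion sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Jan 24 21:47:01 bastion sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 50213 ssh2
Jan 24 21:47:02 bastion sshd[1202]: Failed password for root from 203.0.113.7 port 50212 ssh2
Jan 24 21:47:02 bastion sshd[1204]: Failed password for root from 203.0.113.7 port 50214 ssh2
Jan 24 21:47:03 bastion sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 50215 ssh2
Jan 24 21:47:05 bastion sshd[1207]: Accepted publickey for deploy from 198.51.100.22 port 40001 ssh2: ED25519 SHA256:CONSTRUCTED
Jan 24 21:47:06 bastion sshd[1206]: Failed password for root from 203.0.113.7 port 50216 ssh2
Jan 24 21:47:08 bastion sshd[1208]: Accepted password for root from 203.0.113.7 port 50217 ssh2
Jan 24 21:52:30 bastion sshd[1300]: Failed password for alice from 198.51.100.22 port 40002 ssh2
"""

# OpenSSH's "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse_auth_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd/syslog lines are ignored
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # year-less syslog stamp; deltas still work
            "ok": m["result"] == "Accepted",
            "method": m["method"],
            "user": m["user"],
            "src": m["src"],
        })
    return events

def detect_bruteforce(text, threshold=5, window_s=60):
    """Alert when one source accumulates `threshold` failures inside `window_s` seconds,
    and again if that source afterwards logs in successfully."""
    recent = defaultdict(deque)   # src -> failure timestamps still inside the window
    users = defaultdict(set)      # src -> usernames it has tried
    burst = {}                    # src -> its burst alert, once the threshold is crossed
    alerts = []
    for ev in parse_auth_log(text):
        src = ev["src"]
        if ev["ok"]:
            if src in burst:
                alerts.append({"type": "success_after_burst", "src": src,
                               "user": ev["user"], "method": ev["method"]})
            continue
        q = recent[src]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()  # slide the window forward
        users[src].add(ev["user"])
        if src in burst:
            burst[src]["failures"] += 1
            burst[src]["users"] = sorted(users[src])
        elif len(q) >= threshold:
            burst[src] = {"type": "burst", "src": src,
                          "failures": len(q), "users": sorted(users[src])}
            alerts.append(burst[src])
    return alerts

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The usernames list is the spraying tell: a forgotten password produces failures for one account, a wordlist produces failures for many. A success_after_burst alert from a password login is the one to page on; key-based logins (or disabling password authentication entirely) take the whole attack class off the table.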


5. Aircrack-ng Suite

Aircrack-ng is a complete suite of tools to assess WiFi network security.

It focuses on different areas of WiFi security:

  • Monitoring: Packet capture and export of data to text files for further processing by third party tools.
  • Attacking: Replay attacks, deauthentication, fake access points and others via packet injection.
  • Testing: Checking WiFi cards and driver capabilities (capture and injection)
  • Cracking: WEP and WPA/WPA2 PSK.

All tools are command-line, which allows for heavy scripting; a lot of GUIs have taken advantage of this.
This suite includes:

  • aircrack-ng | Cracks WEP keys using the FMS attack, PTW attack and dictionary attacks, and WPA/WPA2 PSK using dictionary attacks.
  • airdecap-ng | Decrypts WEP- or WPA-encrypted capture files with a known key.
  • airmon-ng | Places wireless cards in monitor mode.
  • aireplay-ng | Packet injector (Linux, and Windows with CommView drivers).
  • airodump-ng | Packet sniffer: places air traffic into pcap or IVS files and shows information about networks.
  • airtun-ng | Virtual tunnel interface creator.
  • packetforge-ng | Creates encrypted packets for injection.
  • ivstools | Tools to merge and convert IVS files.
  • airbase-ng | Incorporates techniques for attacking clients, as opposed to access points.
  • airdecloak-ng | Removes WEP cloaking from pcap files.
  • airolib-ng | Stores and manages ESSID and password lists and computes Pairwise Master Keys.
  • airserv-ng | Allows access to the wireless card from other computers.
  • buddy-ng | The helper server for easside-ng, run on a remote computer.
  • easside-ng | A tool for communicating with an access point without the WEP key.
  • tkiptun-ng | WPA/TKIP attack.
  • wesside-ng | Automatic tool for recovering WEP keys.

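airolib-ng's job in the list above is to compute Pairwise Master Keys, and knowing how a PMK is derived explains both why dictionary attacks on WPA/WPA2-PSK work and what defends against them. The Python below is an added example (not from the article or the Aircrack-ng project): it derives the PMK as IEEE 802.11i specifies, PBKDF2-HMAC-SHA1 over the passphrase with the SSID as the salt for 4096 iterations, checks it against the test vector published in the standard ("password" / "IEEE"), and builds a tiny per-SSID table to show why a table computed for one network name is worthless against another. The defender's takeaway: a unique SSID means no precomputed table applies, and a long passphrase makes every guess cost the attacker 4096 HMAC-SHA1 rounds.

```python
import hashlib

# IEEE 802.11i Annex H test vector, used here as the sample input.
TEST_PASSPHRASE, TEST_SSID = "password", "IEEE"

def is_valid_passphrase(passphrase):
    """802.11i limits a WPA/WPA2 passphrase to 8..63 printable ASCII characters."""
    return 8 <= len(passphrase) <= 63 and all(32 <= ord(c) <= 126 for c in passphrase)

def wpa_pmk(passphrase, ssid):
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes), per IEEE 802.11i."""
    if not is_valid_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)

def pmk_hex(passphrase, ssid):
    return wpa_pmk(passphrase, ssid).hex()

def precompute_table(ssid, candidates):
    """What airolib-ng does offline: PMK -> passphrase for one ESSID. Because the SSID is
    the salt, a table built for one network name cannot be reused for any other."""
    return {wpa_pmk(p, ssid): p for p in candidates if is_valid_passphrase(p)}

def lookup(table, pmk):
    return table.get(pmk)

if __name__ == "__main__":
    print(pmk_hex(TEST_PASSPHRASE, TEST_SSID))
    # Constructed candidate list for the demonstration.
    table = precompute_table("IEEE", ["password", "letmein1", "qwerty123"])
    print(lookup(table, wpa_pmk("password", "IEEE")))     # found: same passphrase, same SSID
    print(lookup(table, wpa_pmk("password", "HomeNet")))  # None: same passphrase, different salt
```

The 4096 iterations are why aircrack-ng's WPA mode is so much slower than its WEP mode, and why the candidate list, not raw speed, decides the outcome: a passphrase that is not in any list never gets computed.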

6. Wireshark

Wireshark is a very popular, free and open-source network analyzer that is mostly used in network security auditing. Wireshark uses display filters for general packet filtering; they let you drill down and read the contents of exactly the packets that match your needs. A few useful display filters:

  • Show only SMTP (port 25) and ICMP traffic:
    • tcp.port eq 25 or icmp
  • Show only traffic in the LAN (192.168.x.x), between workstations and servers, excluding Internet traffic:
    • ip.src==192.168.0.0/16 and ip.dst==192.168.0.0/16
  • TCP buffer full, source is instructing destination to stop sending data:
    • tcp.window_size == 0 && tcp.flags.reset != 1
  • Match HTTP requests where the last characters in the URI are "lang=gr":
    • http.request.uri matches "lang=gr$"
  • Filter on a particular IP address:
    • ip.addr == 104.193.19.59
  • Display POST requests, which usually carry user credentials:
    • http.request.method == "POST"

To run Wireshark, just type "wireshark" in the terminal. A graphical user interface will open up and first ask you to choose the network interface to capture on.

7. Metasploit Framework

Metasploit is, without a doubt, the most used pen-testing framework. It is used to exploit vulnerabilities in daemons (services that run in the background) listening on open ports. It is extremely powerful and not easy to control. In many ways it is a tool every hacker must master! Flexible, free and loaded with a shit ton of options, Metasploit is undoubtedly the coolest offensive tool of this list! You can ask anyone. The answer will always be... eehhh... Metasploit...

Before getting your hands dirty with this awesome tool you first have to have an idea of these basic definitions:

  • What is a vulnerability?
  • What is an exploit?
  • What is a payload!!!?

Metasploit and all of its exploits are written in Ruby. Metasploit has four main interfaces:

  • MsfCli
  • MsfConsole
  • MsfGui
  • Armitage

I won't be getting into much detail about Metasploit, as I will write a dedicated article about it and how to use its basic functionalities.

To run Metasploit in Kali Linux you just have to open a terminal and run:

root@kali:~# msfconsole

You will be greeted with the following window! To have some fun for now, type:

msf > banner

and your Metasploit banner (the little drawing) will change.


Metasploit Framework Banner

Just saying, the Metasploit Framework is really something else and it can co-operate with other tools in a very cool way!


Ways of running Kali Linux on a system.

I know you loved it! And you can't wait to start playing around with this awesome operating system!
Well, you are a lucky one, because Kali can be run in multiple ways:

  • In a virtual machine environment (recommended for beginners).
  • From a bootable USB stick (an essential tool for every hacker out there).
  • As a dual-boot partition alongside your main OS (not recommended for beginners).
  • As your main OS (I haven't done this, and I wouldn't recommend it to anyone, really).
  • On a Raspberry Pi (do it if you have a Raspberry Pi, it's fun!).
  • On an unrooted Android phone.

I will be doing a tutorial on the above ways of running Kali Linux on a system real soon! Stay tuned!

Thanks a lot for taking the time to read this article! I hope you liked it and I really want you to be excited! I know I am!
Always think outside the box, always try new things, invent and share your ideas!!!

You can show your support by liking our Facebook page! Support our efforts on Ko-Fi! And you can get in contact with us either by sending us a message on Facebook or via the e-mail in the footer of the page!

Thanks again! Have a lovely day... or night!