Kali Linux

CIT425/L Info System Security (Lab Assignment 3)
Lab 3: Kali Linux (100 Points)
(Important note: the IPs used in this lab will not match your lab IP addresses.
The IPs used in these lab exercises are examples only.)
Exercise 1: Managing Kali Services
1.1 Find, Locate, and Which
There are a number of Linux utilities that can be used to locate files in a Linux installation,
three of the most common being find, locate, and which. All three have similar functions, but
work and return data in different ways. Prior to using the locate utility, we must first use the
updatedb command to build a local database of all files on the filesystem. Once the database has
been built, locate can be used to easily query it when looking for local files. Because that
database only reflects the filesystem as it was when updatedb last ran, you should always update
it with updatedb before running locate.
The which command searches through the directories that are defined in the $PATH
environment variable for a given filename. If a match is found, which returns the full
path to the file as shown below.
The find command is a more aggressive search tool than locate or which. Find is able to
recursively search any given path for various files.
1.1 – Exercises
1. Determine the location of the file plink.exe in Kali
2. Find and read the documentation for the dnsenum tool
1.2.1 – SSH Service
The Secure Shell (SSH) service is most commonly used to remotely access a computer, using a
secure, encrypted protocol. However, as we will see later on in the course, the SSH protocol has
some surprising and useful features, beyond providing terminal access. The SSH service is
TCP-based and listens by default on port 22. To start the SSH service in Kali, type the following
command into a Kali terminal.
Department of Computer Science
Fall 2023
We can verify that the SSH service is running and listening on TCP port 22 by using the
netstat command and piping the output into the grep command to search the output
for sshd.
If, like many users, you want to have the SSH service start automatically at boot time,
you need to enable it using the systemctl command as follows. The systemctl command
can be used to enable and disable most services within Kali Linux.
1.2.2 – HTTP Service
The HTTP service can come in handy during a penetration test, either for hosting a site,
or providing a platform for downloading files to a victim machine. The HTTP service is
TCP-based and listens by default on port 80. To start the HTTP service in Kali, type the
following command into a terminal.
As we did with the SSH service, we can verify that the HTTP service is running and
listening on TCP port 80 by using the netstat and grep commands once again.
To have the HTTP service start at boot time, much like with the SSH service, you need
to explicitly enable it with systemctl.
Most services in Kali Linux are operated in much the same way that the SSH and HTTP
daemons are managed, through their service or init scripts.
To get more granular control of these services, you can use tools such as rcconf or
sysv-rc-conf, both designed to help simplify and manage the boot persistence of these
services.
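As an added example (not part of the lab handout), here is a small POSIX shell script that does what the SSH and HTTP paragraphs describe: start and enable a unit with systemctl, then confirm that the daemon is actually listening. The check is written against `ss -tlnp` output, the modern equivalent of the netstat | grep pipeline in the text, and is exercised on a constructed sample because the live start_and_verify step needs root and systemd. The unit names ssh and apache2 are the ones Kali uses.

```shell
#!/bin/sh
# Added example: verify that a Kali service is really listening after it is
# started. Unit names (ssh, apache2) are Kali's; the ss output below is a
# constructed sample, not a capture from the lab machine.

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=1234,fd=3))
LISTEN 0      511    *:80               *:*               users:(("apache2",pid=1300,fd=4))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=1234,fd=4))'

# listening PORT DAEMON SS_OUTPUT
# Succeeds when a LISTEN socket on TCP PORT is owned by a process named DAEMON.
# The blank after the port keeps :22 from also matching :2222.
listening() {
    printf '%s\n' "$3" | grep '^LISTEN' | grep ":$1 " | grep -q "\"$2\""
}

# start_and_verify UNIT PORT DAEMON
# The two systemctl calls from the text (start now, enable at boot), followed by
# the same check against the live socket table. Needs root and systemd.
start_and_verify() {
    systemctl start "$1"
    systemctl enable "$1"
    if listening "$2" "$3" "$(ss -tlnp)"; then
        echo "$1: $3 is listening on TCP port $2"
    else
        echo "$1: nothing named $3 is listening on TCP port $2" >&2
        return 1
    fi
}

# Typical use:  start_and_verify ssh 22 sshd
#               start_and_verify apache2 80 apache2
```

The check deliberately keys on the process name as well as the port: a port that is open but owned by something other than the expected daemon is worth noticing, not silently accepting.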
1.2 – Exercises
1. If you are using the Kali VMware image, change the root password to something
secure.
2. Practice starting and stopping various Kali services.
3. Enable the SSH service to start on system boot.
1.3 – The Bash Environment
The GNU Bourne-Again SHell (Bash) provides a powerful environment to work in,
and a scripting engine that we can make use of to automate procedures using existing
Linux tools. Being able to quickly whip up a Bash script to automate a given task is an
essential requirement for any security professional. In this module, we will gently
introduce you to Bash scripting with a theoretical scenario.
1.3.1 – Intro to Bash Scripting
1.3.1.1 – Practical Bash Usage – Example 1
Imagine you are tasked with finding all of the subdomains listed on the cisco.com index
page, and then find their corresponding IP addresses. Doing this manually would be
frustrating, and time consuming. However, with some simple Bash commands, we can
turn this into an easy task. We start by downloading the cisco.com index page using the
wget command.
Quickly looking over this file, we see entries which contain the information we need,
such as the one shown below:
We start by using the grep command to extract all the lines in the file that contain the
string “href=”, indicating that this line contains a link.
The result is still a swamp of HTML, but notice that most of the lines have a similar
structure, and can be split conveniently using the “/” character as a delimiter. To
specifically extract domain names from the file, we can try using the cut command with
our delimiter at the 3rd field.
The output we get is far from optimal, and has probably missed quite a few links on the
way, but let’s continue. Our text now includes entries such as the following:
Next, we will clean up our list to include only domain names. Use grep to filter out all
the lines that contain a period, to get cleaner output.
Our output is almost clean, however we now have entries that look like the following.
We can clean these out by using the cut command again, at the first delimiter.
Now we have a nice clean list, but lots of duplicates. We can clean these out by using
the sort command, with the unique (-u) option.
An even cleaner way of doing this would be to involve a touch of regular expressions
into our command, redirecting the output into a text file, as shown below:
Now we have a nice, clean list of domain names linked from the front page of cisco.com. Our
next step will be to use the host command on each domain name in the text file
we created, in order to discover their corresponding IP address. We can use a Bash one-liner
loop to do this for us:
The host command gives us all sorts of output, not all of it relevant. We want to extract
just the IP addresses from all of this information, so we pipe the output into grep,
looking for the text “has address,” then cut and sort the output.
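The same pipeline, as an added example that is not part of the handout, run on a constructed HTML snippet so that it works offline: the live wget of cisco.com and the host lookups are replaced by sample data. The functions cover the stepwise grep/cut/sort chain, the regular-expression shortcut, and the "has address" filter; the sample HTML, the host output, the example.org link and the 198.51.100.x addresses are all constructed.

```shell
#!/bin/sh
# Added example: the Example 1 pipeline against constructed input.

# Constructed stand-in for the downloaded index.html.
SAMPLE_HTML='<a href="http://www.cisco.com/web/siteassets/legal/privacy.html">Privacy</a>
<li><a href="http://newsroom.cisco.com/">Newsroom</a></li>
<a href="https://supportforums.cisco.com/index.jspa">Support</a>
<a href="/c/en/us/products/index.html">Products</a>
<a href="http://www.cisco.com">Home</a>
<img src="/web/fw/i/logo.png">
<a href="http://tools.cisco.com/security/center">Advisories</a>
<a href="http://www.example.org/partner">Partner</a>'

# Step-by-step chain from the text: href lines only, third "/"-separated field,
# keep fields containing a period, cut at the first quote, deduplicate.
# Relative links ("/c/en/...") fall out at the period filter; a link with no
# trailing slash ("...cisco.com">Home") is what the final cut repairs.
extract_domains_stepwise() {
    printf '%s\n' "$1" | grep 'href=' | cut -d '/' -f 3 | grep '\.' \
        | cut -d '"' -f 1 | sort -u
}

# Regular-expression shortcut: only names ending in .cisco.com survive, so the
# unrelated partner link above drops out.
extract_cisco_domains() {
    printf '%s\n' "$1" | grep -o '[A-Za-z0-9.-]*\.cisco\.com' | sort -u
}

# Constructed host(1) output for one name: an alias, A, AAAA and MX record.
SAMPLE_HOST_OUTPUT='www.cisco.com is an alias for www.cisco.com.akadns.net.
www.cisco.com.akadns.net has address 198.51.100.17
www.cisco.com.akadns.net has IPv6 address 2001:db8::17
www.cisco.com.akadns.net mail is handled by 10 mx.example.net.'

# Keep only IPv4 answers: "has address" does not match "has IPv6 address".
extract_ipv4() {
    printf '%s\n' "$1" | grep 'has address' | cut -d ' ' -f 4 | sort -u
}

# The loop from the text: resolve every name read from stdin, collect the IPv4s.
resolve_all() {
    while read -r name; do
        host "$name" || true
    done | grep 'has address' | cut -d ' ' -f 4 | sort -u
}

# Typical use against a real download:
#   wget -q http://www.cisco.com -O index.html
#   extract_cisco_domains "$(cat index.html)" | resolve_all
```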
1.3.1.2 – Practical Bash Usage – Example 2
We are given an Apache HTTP server log that contains evidence of an attack. Our task
is to use simple Bash commands to inspect the file and discover various pieces of
information, such as who the attackers were, and what exactly happened on the server.
We first use the head and wc commands to take a quick peek at the log file to
understand its structure.
Notice that the log file is grep friendly: the different fields, such as IP address,
timestamp and HTTP request, are all separated by spaces. We begin by searching
through the HTTP requests made to the server for all the IP addresses recorded in this
log file, piping the output of cat into the cut and sort commands. This may give us a
clue about the number of potential attackers we will need to deal with.
We see that less than ten IP addresses were recorded in the log file, although this still
doesn’t tell us anything about the attackers. Next, we use uniq and sort to further refine
our output, and sort the data by the number of times each IP address accessed the
server.
A few IP addresses stand out, but we will focus on the address that has the highest
access frequency first. To display and count the resources that were being requested by
the IP address, the following command sequence can be used:
From this output, it seems that the IP address at 208.68.234.99 was accessing the /admin
directory exclusively. Let’s take a closer look at this:
It seems like 208.68.234.99 has been involved in an HTTP brute force attempt against
this web server. Furthermore, after about 1070 attempts, it seems like the brute force
attempt succeeded, as indicated by the HTTP 200 message.
Hopefully, the brief exercises above have given you an idea about some of the
possibilities that Bash has to offer. Learning to use the Bash environment effectively is
essential.
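The Example 2 triage, as an added example that is not part of the handout, written as reusable shell functions over a constructed Apache access log. The addresses are from documentation ranges apart from 208.68.234.99, the IP the text names; requests, timestamps and user agents are invented. The last function turns the text's observation ("after about 1070 attempts ... HTTP 200") into a check that can be run over any log.

```shell
#!/bin/sh
# Added example: the Example 2 log triage on a constructed Apache access log.

ACCESS_LOG='203.0.113.5 - - [22/Apr/2013:07:50:01 +0000] "GET / HTTP/1.1" 200 2146 "-" "Mozilla/5.0"
203.0.113.5 - - [22/Apr/2013:07:50:02 +0000] "GET /index.html HTTP/1.1" 200 2146 "-" "Mozilla/5.0"
198.51.100.7 - - [22/Apr/2013:07:50:30 +0000] "GET /about HTTP/1.1" 200 1322 "-" "Mozilla/5.0"
208.68.234.99 - - [22/Apr/2013:07:51:20 +0000] "GET /admin HTTP/1.1" 401 742 "-" "curl/7.88.1"
208.68.234.99 - - [22/Apr/2013:07:51:21 +0000] "GET /admin HTTP/1.1" 401 742 "-" "curl/7.88.1"
208.68.234.99 - - [22/Apr/2013:07:51:22 +0000] "GET /admin HTTP/1.1" 401 742 "-" "curl/7.88.1"
208.68.234.99 - - [22/Apr/2013:07:51:23 +0000] "GET /admin HTTP/1.1" 200 3218 "-" "curl/7.88.1"'

# Space-separated fields of the combined log format used below:
#   $1 client IP   $7 request path   $9 status code

# ip_frequency LOG: each client IP with its hit count, busiest first
# (the cut | sort | uniq -c | sort sequence from the text; awk squeezes the
# padding uniq -c adds so the output is easy to compare).
ip_frequency() {
    printf '%s\n' "$1" | cut -d ' ' -f 1 | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# top_talker LOG: the single most active IP.
top_talker() {
    ip_frequency "$1" | head -n 1 | cut -d ' ' -f 2
}

# resources_for LOG IP: the paths that IP requested, with counts.
resources_for() {
    printf '%s\n' "$1" | awk -v ip="$2" '$1 == ip { print $7 }' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# failed_before_success LOG IP PATH: how many 401s the IP collected on PATH
# before its first 200. A long run of 401s ending in a 200 is the brute-force
# signature described in the text. Prints nothing if no 200 ever followed.
failed_before_success() {
    printf '%s\n' "$1" | awk -v ip="$2" -v path="$3" '
        BEGIN { n = 0 }
        $1 == ip && $7 == path && $9 == 401 { n++ }
        $1 == ip && $7 == path && $9 == 200 { print n; exit }'
}

# Typical use on a real file:
#   log=$(cat access.log)
#   top=$(top_talker "$log")
#   resources_for "$log" "$top"
#   failed_before_success "$log" "$top" /admin
```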
1.3 – Exercises
1. Research Bash loops and write a short script to perform a ping sweep of your
target IP range of 10.11.1.0/24.
2. Try to do the above exercise with a higher-level scripting language such as
Python, Perl, or Ruby.
3. What is the difference between redirecting the output of a command to a file (>) and
piping the output of a command as input to another command (|)?
2. – The Essential Tools
As penetration testers, we often encounter situations which we don’t fully understand.
Two tools we use to uncover more information are Netcat and Wireshark.
2.1 – Netcat
Netcat is a versatile tool that has been dubbed the Hackers’ Swiss Army Knife and
exists as both Linux and Windows binaries. The simplest definition of Netcat is “a tool
that can read and write to TCP and UDP ports.” This dual functionality suggests that
Netcat runs in two modes: client and server. Let’s explore these options.
2.1.1 – Connecting to a TCP/UDP Port
Connecting to a TCP/UDP port can be useful in several situations:
• To check if a port is open or closed.
• To read a banner from the port.
• To connect to a network service manually.
Let’s begin by using netcat to check if TCP port 110 (the POP3 mail service) is open on
one of my lab machines.
The output above tells us several things. First, the TCP connection to IP 10.0.0.22 on port 110
succeeded, and netcat found the remote port open. Next, we can see that the server
responded to our connection by “talking back to us” and spitting out the server
welcome message, prompting us to log in, which is standard for POP3 services.
Even though our login attempt failed, we have successfully managed to converse with
the POP3 service using netcat.
2.1.2 – Listening on a TCP/UDP Port
Listening on a TCP/UDP port using netcat is useful for network debugging client
applications, or otherwise receiving a TCP/UDP network connection. Let’s try
implementing a simple chat involving two machines, using netcat both as a client and
as a server. We’ll set up netcat to listen for incoming connections on TCP port 4444, on a
Windows machine (with IP address 10.0.0.22).
Once we have bound port 4444 on the Windows machine to Netcat, we can connect to
that port from the Linux machine to interact with it.
Our text is sent to the Windows machine over TCP port 4444 and we can continue the
“chat” from the Windows machine as shown below.
Although not a very useful example, this simple exercise demonstrates several
important features in netcat. Make sure you understand the following points in the
example above:
o Which machine acted as the netcat server?
o Which machine acted as the netcat client?
o On which machine was port 4444 actually opened?
o The command line syntax difference between the client and server.
2.1.3 – Transferring Files with Netcat
Netcat can also be used to transfer files, both text and binary, from one computer to
another. To send a file from the Linux machine to the Windows machine, we initiate a
setup that is similar to the previous chat example, with some slight differences. On the
Windows machine, we will set up a netcat listener on port 4444 and redirect any
incoming input into a file called incoming.exe.
On the Linux system, we will push the wget.exe file to the Windows machine through
TCP port 4444:
Notice that we haven’t received any feedback from netcat about our file upload
progress. In this case, since the file we are uploading is small, we can just wait for a few
seconds and then check whether it has been fully uploaded to the Windows machine,
by running the executable:
2.1.4 – Remote Administration with Netcat
One of the most useful features of netcat is its ability to do command redirection. Netcat
can take an executable file and redirect the input, output, and error messages to a
TCP/UDP port rather than the default console.
To further explain this, consider the cmd.exe executable. By redirecting the stdin,
stdout, and stderr to the network, you can bind cmd.exe to a local port. Anyone
connecting to this port will be presented with a command prompt belonging to this
computer. To further drive this home, consider the following scenarios, involving Bob
and Alice.
2.1.4.1 – Netcat Bind Shell Scenario
In our first scenario, Bob (running Windows) has requested Alice’s assistance (running
Linux) and has asked her to connect to his computer and issue some commands
remotely. Bob has a public IP address, and is directly connected to the Internet. Alice,
however, is behind a NAT’d connection, and has an internal IP address. To complete
the scenario, Bob needs to bind cmd.exe to a TCP port on his public IP address, and ask
Alice to connect to this particular IP and port. Bob will proceed to issue the following
command with netcat.
Netcat has bound TCP port 4444 to cmd.exe and will redirect any input, output, or error
messages from cmd.exe to the network. In other words, anyone connecting to TCP port
4444 on Bob’s machine, hopefully Alice, will be presented with Bob’s command prompt.
The following image depicts the bind shell scenario where Alice gets remote command
prompt access on Bob’s Windows machine:
Netcat Bind Shell Scenario
2.1.4.2 – Reverse Shell Scenario
In our second scenario, Alice needs help from Bob. However, Alice has no control over
the router in her office, and therefore cannot forward traffic from the router to her
internal machine. Is there any way for Bob to connect to Alice’s computer, and solve her
problem?
Here we discover another useful feature of Netcat, the ability to send a command shell
to a listening host. In this situation, although Alice cannot bind a port to /bin/bash
locally on her computer and expect Bob to connect, she can send control of her
command prompt to Bob’s machine, instead. This is known as a reverse shell. To get
this working, Bob needs to set up netcat to listen for an incoming shell. We’ll use port
4444 in our example:
Now, Alice can send a reverse shell from her Linux machine to Bob:
Once the connection is established, Alice’s netcat will have redirected input, output,
and error from /bin/bash, to Bob’s machine, on port 4444.
Take some time to consider the differences between bind and reverse shells, and how
these differences may apply to various firewall configurations from an organizational
security standpoint. It is important to realize that outgoing traffic can be just as harmful
as incoming traffic. The following image depicts the reverse shell scenario where Bob
gets remote shell access on Alice’s Linux machine, traversing the corporate firewall.
Netcat Reverse Shell Scenario
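Seen from the defender's side, both scenarios leave the same footprint on the Linux host: an established TCP socket whose file descriptors are held by an interactive shell. The following added example (not part of the handout) flags that condition in `ss -tnp` output. The sample socket table is constructed to mirror the Alice/Bob addresses in the text, and the audit_live wrapper assumes a Linux host with iproute2 installed.

```shell
#!/bin/sh
# Added example: report sockets shared with an interactive shell, the pattern a
# netcat bind or reverse shell (nc -e /bin/bash) produces. Sample is constructed.

SAMPLE_CONNS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
ESTAB 0      0      10.0.0.4:40122     10.0.0.22:4444    users:(("nc",pid=2201,fd=3),("bash",pid=2202,fd=0),("bash",pid=2202,fd=1))
ESTAB 0      0      10.0.0.4:51514     198.51.100.9:443  users:(("firefox-esr",pid=1800,fd=92))
ESTAB 0      0      10.0.0.4:22        10.0.0.22:53011   users:(("sshd",pid=1234,fd=5))'

# shell_bound_sockets SS_OUTPUT
# Prints "local peer" for every established connection whose socket is held by
# a shell process. sshd also spawns shells, but the socket belongs to sshd and
# the shell talks to it through a pty, so the legitimate session stays quiet.
shell_bound_sockets() {
    printf '%s\n' "$1" \
        | awk '$1 == "ESTAB" && $6 ~ /"(bash|sh|dash|zsh|ash)"/ { print $4, $5 }'
}

# audit_live: the same check against the real socket table (Linux, iproute2).
audit_live() {
    shell_bound_sockets "$(ss -tnp)"
}
```

Whether the shell was bound locally (Bob's scenario) or pushed outbound (Alice's), the socket table looks alike; the direction only shows in which side holds the low, listening-style port. That is the point the text makes about outgoing traffic: egress filtering and this kind of host check catch what a firewall that only blocks inbound connections misses.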
2.1.5 – Exercises
1. Implement a simple chat between your Kali and Windows systems
2. Use Netcat to create the following:
a. Reverse shell from Kali to Windows
b. Reverse shell from Windows to Kali
c. Bind shell on Kali. Use your Windows client to connect to it
d. Bind shell on Windows. Use your Kali system to connect to it
3. Transfer a file from your Kali system to Windows and vice versa
4. Conduct the exercises again, with the firewall enabled on your Windows host.
2.2 – Ncat
Ncat is described as “a feature-packed networking utility that reads and writes data
across networks from the command line.” Ncat was written for the Nmap project as a
much-improved reimplementation of the original Netcat program.
One of the major drawbacks of Netcat, from a penetration tester’s standpoint, is that it
lacks the ability to authenticate and encrypt incoming and outgoing connections. These
options provide an important layer of security while using these tools during a
penetration test. Encryption of the bind or reverse shell will aid the penetration tester in
avoiding intrusion detection systems, while allowing authentication on bind or reverse
shells will ensure that use of these tools does not expose the penetrated machines to
unwanted IP addresses.
Ncat provides all these features. When possible, tools such as ncat and sbd should be
used rather than Netcat. For example, ncat could be used in the following way to
replicate a more secure bind shell between Bob and Alice in our previous bind shell
scenario. Bob would use ncat to set up an SSL encrypted connection on port 4444 and
allow only Alice’s IP (10.0.0.4) to connect to it:
Alice, in turn, would connect to Bob’s public IP with SSL encryption enabled,
preventing eavesdropping, and possibly even IDS detection.
2.2 – Exercises
1. Use Wireshark to capture the network activity of Netcat connecting to port 110
(POP3) and attempting a login.
2. Read and understand the output. Where is the session three-way handshake?
Where is the session closed?
3. Follow the TCP stream to read the login attempt.
4. Use the display filter to only see the port 110 traffic
5. Re-run the capture, this time using the capture filter to only collect port 110
3.1 – Open Web Information Gathering
Once an engagement starts, it’s important to first spend some time browsing the web,
looking for background information about the target organization. What do they do?
How do they interact with the world? Do they have a sales department? Are they
hiring? Browse the organization’s website, and look for general information such as
contact information, phone and fax numbers, emails, company structure, and so on.
Also, be sure to look for sites that link to the target site, or for company emails floating
around the web.
Sometimes, it’s the smallest details that give you the most information: how well
designed is the target website? How clean is their HTML code? This might give you a
clue about their web development budget, which may reflect on their security budget.
3.1.1 – Google
The Google search engine is a security auditor’s best friend, especially when it comes to
information gathering.
3.1.1.1 – Enumerating with Google
Google supports the use of various search operators, which allow a user to narrow
down and pinpoint search results.
For example, the site operator will limit Google search results to a single domain. A
simple search operator like this provides us with useful information. For example, say
we want to know the approximate web presence of an organization, before starting an
engagement.
In the example above, we used the site parameter to limit the results that Google will
show to only the microsoft.com domain. On this particular day, Google indexed around
67 million pages from the microsoft.com domain.
Notice how most of the results coming back to us originate from the www.microsoft.com
subdomain. Let’s filter those out to see what other subdomains may exist at
microsoft.com.
These two simple queries have revealed quite a bit of background information about
the microsoft.com domain, such as a general idea about their Internet presence and a list of
their web accessible subdomains.
Product-specific examples like these are dynamic by nature, and may produce no
results at all for this specific appliance in the next few months. However, the concept
behind these types of searches is the same. If you understand how to use Google search
operators efficiently, and know exactly what you are looking for, you can find almost anything.
3.1.2 – Google Hacking
Using Google to find juicy information, vulnerabilities, or misconfigured websites was
publicly introduced by Johnny Long in 2001. Since then, a database of interesting
searches has been compiled to enable security auditors (and hackers) to quickly identify
numerous misconfigurations within a given domain. The next few screenshots
demonstrate such searches.
3.1.2.1 – Hardware with Known Vulnerabilities
3.1.2.2 – Web Accessible, Open Cisco Routers
3.1.2.3 – Exposed Frontpage Credentials
There are hundreds of interesting searches that can be made, and many of them are
listed in the Google Hacking Database (GHDB) section of the Exploit Database.
3.1.3 – Exercises
1. Choose an organization and use Google to gather as much information as
possible about it
2. Use the Google filetype search operator and look for interesting documents from
the target organization
3. Re-do the exercise on your company’s domain. Can you find any data leakage
you were not aware of?
3.2 – Email Harvesting
Email harvesting is an effective way of finding emails, and possibly usernames,
belonging to an organization. These emails are useful in many ways, such as providing
us a potential list for client side attacks, revealing the naming convention used in the
organization, or mapping out users in the organization. One of the tools in Kali Linux
that can perform this task is theharvester. This tool can search Google, Bing, and other
sites for email addresses using the syntax shown below.
3.2.1 – Exercise
1. Use theharvester to enumerate email addresses belonging to the organization
you chose in the previous exercises
2. Experiment with different data sources (-b). Which work best for you?
3.3 – Additional Resources
Google is by no means the only useful search engine. An in-depth comparison chart for
some of the main search engines can be found at the Search Engine Showdown
website. Other, more specialized services worth knowing about can be found below.
3.3.1 – Netcraft
Netcraft is an Internet monitoring company based in Bradford-on-Avon, England.
Netcraft can be used to indirectly find out information about web servers on the
Internet, including the underlying operating system, web server version, and uptime
graphs. The following screenshot shows the results for all the domain names containing
the string *.cisco.com, performed through the DNS search page offered by Netcraft.
3.3.2 – Whois Enumeration
Whois is a name for a TCP service, a tool, and a type of database. Whois databases
contain name server, registrar, and, in some cases, full contact information about a
domain name. Each registrar must maintain a Whois database containing all contact
information for the domains they host. A central registry Whois database is maintained
by the InterNIC. These databases are usually published by a Whois server over TCP
port 43 and are accessible using the whois client program.
The whois client can also perform reverse lookups. Rather than inputting a domain
name, you can provide an IP address instead as shown below:
3.3.3 – Exercise
1. Use the whois tool in Kali to identify the name servers of your target organization
3.4 – Recon-ng
As described by its authors, “Recon-ng is a full-featured web reconnaissance
framework written in Python. Complete with independent modules, database
interaction, built in convenience functions, interactive help, and command completion,
Recon-ng provides a powerful environment in which open source web-based
reconnaissance can be conducted quickly and thoroughly. Recon-ng has a look and feel
similar to the Metasploit Framework, reducing the learning curve for leveraging the
framework”.
Let’s use recon-ng to quickly compile a list of interesting data. We’ll start by using the
whois_poc module to come up with employee names and email addresses at Cisco.
Next, we can use recon-ng to search sources such as xssed for existing XSS
vulnerabilities that have been reported, but not yet fixed, on the cisco.com domain.
We can also use the google_site module to search for additional cisco.com subdomains,
via the Google search engine.
4. – Active Information Gathering
Once you have gathered enough information about your target, using open web
resources, and other passive information gathering techniques, you can further gather
relevant information from other, more specific services. This module will demonstrate
several of the options available to you. Please keep in mind that the services presented
in this module are just an introductory list.
4.1 – DNS Enumeration
DNS is often a lucrative source for active information gathering. DNS offers a variety of
information about public (and sometimes private!) organization servers, such as IP
addresses, server names, and server functionality.
4.1.1 – Interacting with a DNS Server
A DNS server will usually divulge DNS and mail server information for the domain it
has authority over. This is a necessity, as public requests for mail and DNS server
addresses make up the basic Internet experience. For example, let’s examine the
megacorpone.com domain, a fake Internet presence we constructed for this exercise.
We’ll use the host command, together with the -t (type) parameter to discover both the
DNS and mail servers for the megacorpone.com domain.
By default, every configured domain should provide at least the DNS and mail servers
responsible for the domain.
4.1.2 – Automating Lookups
Now that we have some initial data from the megacorpone.com domain, we can
continue to use additional DNS queries to discover more host names and IP addresses
belonging to megacorpone.com. For example, we can assume that the
megacorpone.com domain has a web server, probably with the hostname www. We can
test this theory using the host command once again:
Now, let’s check if megacorpone.com also has a server with the hostname idontexist.
Notice the difference between the query outputs.
4.1.3 – Forward Lookup Brute Force
Taking the previous concept a step further, we can automate the Forward DNS Lookup
of common host names using the host command and a Bash script. The idea behind this
technique is to guess valid names of servers by attempting to resolve a given name. If
the name you have guessed does resolve, the results might indicate the presence and
even functionality of the server. We can create a short (or long) list of possible
hostnames and loop the host command to try each one.
4.1.4 – Reverse Lookup Brute Force
Our DNS forward brute-force enumeration revealed a set of scattered IP addresses. If
the DNS administrator of megacorpone.com configured PTR records for the domain,
we might find out some more domain names that were missed during the forward
lookup brute-force phase, by probing the range of these found addresses in a loop.
4.1.5 – DNS Zone Transfers
A zone transfer is similar to a database replication act between related DNS servers.
This process includes the copying of the zone file from a master DNS server to a slave
server. The zone file contains a list of all the DNS names configured for that zone. Zone
transfers should usually be limited to authorized slave DNS servers. Unfortunately,
many administrators misconfigure their DNS servers, and as a result, anyone asking for
a copy of the DNS server zone will receive one.
This is equivalent to handing a hacker the corporate network layout on a silver platter.
All the names, addresses, and functionality of the servers can be exposed to prying
eyes. I have seen organizations whose DNS servers were misconfigured so badly that
they did not separate their internal DNS namespace and external DNS namespace into
separate, unrelated zones. This resulted in a complete map of the internal and external
network structure.
A successful zone transfer does not directly result in a network breach. However, it
does facilitate the process. The host command syntax for performing a zone transfer is
as follows.
From our previous host command, we noticed that two DNS servers serve the
megacorpone.com domain: ns1 and ns2. Let’s try a zone transfer on each of them.
In this case, ns1 refused us our zone transfer request, while ns2 allowed it. The result is
a full dump of the zone file for the megacorpone.com domain, providing us a
convenient list of IPs and DNS names for the megacorpone.com domain.
The megacorpone.com domain has only three DNS servers to check. However, some
larger organizations might have numerous DNS servers, or you might want to attempt
zone transfer requests against a given domain. This is where Bash scripting comes into
play. To perform a zone transfer with the host command, we need two parameters: the
analyzed domain name and the name server address. To get the name servers for a
given domain in a clean format, we can issue the following command.
Taking this a step further, we could write the following simple Bash script to automate
the procedure of discovering and attempting a zone transfer on each DNS server found.
Running this script on megacorpone.com should automatically identify the name
servers and attempt a zone transfer on each of them.
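Putting 4.1.2 through 4.1.5 together, here is an added example (not code from the handout) that performs the forward brute force, the PTR sweep and the automated zone-transfer attempt around the host client. It is POSIX sh and runs nothing until given a domain argument, so the functions can also be sourced. The only assumptions are the host(1) output formats the text relies on ("name server", "has address", "domain name pointer", and "; Transfer failed." on a refused AXFR); megacorpone.com is the page's own fake domain.

```shell
#!/bin/sh
# Added example: DNS enumeration helpers around host(1) from bind9-host/dnsutils.
# Usage: sh dns_enum.sh megacorpone.com [wordlist]

# name_servers DOMAIN: the authoritative servers, one per line, trailing dot
# removed (the "host -t ns | cut -d ' ' -f 4" step from the text, made robust).
name_servers() {
    host -t ns "$1" | awk '/name server/ { sub(/\.$/, "", $NF); print $NF }'
}

# forward_brute DOMAIN WORDLIST: try each candidate label and print the ones
# that resolve (4.1.3). Names that do not exist produce no output.
forward_brute() {
    while read -r label; do
        [ -n "$label" ] || continue
        host "$label.$1" | grep 'has address' || true
    done < "$2"
}

# reverse_sweep PREFIX FIRST LAST: PTR lookups for PREFIX.FIRST .. PREFIX.LAST,
# the loop over discovered addresses described in 4.1.4.
reverse_sweep() {
    i=$2
    while [ "$i" -le "$3" ]; do
        host "$1.$i" | grep 'domain name pointer' || true
        i=$((i + 1))
    done
}

# try_zone_transfers DOMAIN: request an AXFR (host -l) from every name server
# (4.1.5). A refusal is the correctly configured outcome; an answer means the
# whole zone is readable by anyone who asks.
try_zone_transfers() {
    for ns in $(name_servers "$1"); do
        if host -l "$1" "$ns" | grep -q 'has address'; then
            echo "$ns: zone transfer ALLOWED"
        else
            echo "$ns: zone transfer refused"
        fi
    done
}

if [ $# -gt 0 ]; then
    try_zone_transfers "$1"
    if [ $# -gt 1 ]; then
        forward_brute "$1" "$2"
    fi
fi
```

For a DNS administrator the useful direction is the reverse: run try_zone_transfers against your own zone from an outside host and expect every server to report "refused"; an "ALLOWED" line is the misconfiguration the text describes.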
4.1.6 – Relevant Tools in Kali Linux
Several tools exist in Kali Linux to aid us in DNS enumeration and most of them
perform the same tasks we have already covered in DNS enumeration. Two notable
tools are DNSRecon and DNSenum. These tools each have options that are useful. The
following output demonstrates the use of these tools, with minimal parameters.
4.1.6.1 – DNSRecon
DNSRecon is an advanced, modern DNS enumeration script written in Python.
Running the dnsrecon script against the megacorpone.com domain produces the
following output:
4.1.6.2 – DNSenum
DNSenum is another popular DNS enumeration tool. Running this script against the
zonetransfer.me domain, which specifically allows zone transfers, produces the
following output:
4.1.7 – Exercises
1. Find the DNS servers for the example.com domain
2. Write a small Bash script to attempt a zone transfer from example.com
3. Use dnsrecon to attempt a zone transfer from megacorpone.com