Penetration Testing with Kali Linux - A Complete Guide!

This video will give you an overview about the course.

So we don’t have a spare computer laying around to install this amazing OS on, not a problem. We are going to be looking into installing a VirtualBox to help us setup a virtual desktop on our computer.

• Install VirtualBox

• Create a new virtual computer

We will now download Kali Linux and install that OS on our virtual machine we had setup. Once we have Kali installed on our virtual computer, we will take a look at it and get ourselves accustomed to this operating system.

• Download and Install Kali Linux

• Play around with Kali Linux

In this video, you will learn about the Penetration testing and will show you how to get started using Kali Linux.

• Update the Kali

• Explore the terminal

• View the browser and looking at the menu

While we are performing our password attacks, we are going to be needing a password text file. Instead of utilizing the default password text file during our testing, we will create our own dictionary of passwords we can use.

• Create a password dictionary

Does your target run WordPress? If so we can easily take advantage of different.

• Exploit Usernames associated with our target

• Crack passwords of the usernames we extracted from our target

• Log into the WordPress website using the correct credentials we collected

So we have been challenged with a web-based application and need to test it for vulnerabilities. Not a problem. This section we will learn how to exploit that web app using Burp Suite.

• Web-Based application testing with Burp Suite

With that web-based application, we will discover how to scan that web app to see if there are any penetration marks that we can use to work our way into any possible back-doors, and other information that we can use to attack our target.

• Pen Testing with XSSER to find vulnerabilities

While scanning the website is one task that everyone usually tends to go for, I personally will be showing you my favourite task, viewing the websites source code. We can either download the website directly to our computer, or external storage device, or view it live.

• View the source code offline

• View the source code live

Throwing testing packages and viewing the source code is a great place to start, we will need to check to see if that web-based application has any open and weak ports that we can use.

• Utilize Wireshark to help us with port snooping

While extracting all of this useful information is a great practice, we will need to learn more about who we are dealing with. This can be for a personal reason, or maybe we have been asked to learn all we can about the website owner.

• Use an online service, MXToolBox to help us extract information from our target

One of the easiest methods to do is test our targeted server for any SQL Injection vulnerabilities. This will allow us to throw SQL Injections to the server for a variety of things.

• Test server with SQLMap for vulnerabilities

• Search vulnerabilities using SQLNinja

Sometimes our servers are vulnerable to JSP Shell attacks, and if our targeted server is indeed vulnerable to JSP Shell, we should test and document it for future reference.

• Utilize JBoss-AutoPWN to test for vulnerabilities

Assuming that our target has open ports for SSH, FTP, or other types of remote connection, we can attempt to brute force our way past the login credentials to gain access to the server.

• Brute forcing passwords using Cain and Abel

• Test Passwords with John the Ripper

In this video, you will learn how to use the PunkSPIDER.

• Find security measures and weaknesses

• Highlight every single option available in PunkSPIDER

This is extremely important as there are numerous programs that are target could be running. If there is an outdated software, we can view the reports on that specific version to see if there are any vulnerabilities.

• Scan for outdated software using Nikto

This is an attack in which a host with no authority is directing a domain name server and all of the requests. This allows a hacker to redirect all of the DNS requests, thus the traffic as well, to another machine.

• Manipulate DNS Traffic By using Ettercap

Reconnaissance is a crucial part of our ethical hacking pen testing. Recon is the process of gathering all of the required information needed in order to determine the best strategy for hacking our target.

• Perform a Recon using Sparta

Utilizing a Social Engineering Toolkit (SET), we can create a false login page and have the credentials stored onto our designated location. This allows us to steal login details of users.

• Create a login page using SET

• Deploy Virtual Server

• Send Login page to victim

One of the hardest methods of SEA is gaining access to the physical location. Sometimes our clients will ask us to gain physical access to a section of a building. This can be accomplished, if you have proper people skills and can read people.

• Learn to read people

• Figure the best method to talk to someone

• Gain access to the building

We have seen on countless hacking movies that the hacker will call the target to extract some type of information. And still to this day, that method is frequently used. We will talk about how to carry out this SEA.

• Discover which person and sector to talk to

While many people don’t realize this, but email is one of the greatest methods of extracting information about a company. An email contains the IP Address and the MX directory of the companies email provider. Plus we can use this method to service our SET section.

• View IP Address from email

In this video, you will learn about the Harvester: Social Gathering.

• Find the target

• Exploit the target by means of emails

• Extract the data directly from Kali Linux

If you are inside of a company, chances are they have their own hidden wireless network. If they do, that is our golden ticket! We will learn how to view those hidden networks, and then crack their passwords.

• Search for those hidden SSID’s using ArioDump

So we have a SSID we can connect too, now what? This section we will learn how to hack those wireless passwords using a few different techniques. We will be using our created PWD List for this.

• Explore the password hacking

• Look into the brute forcing application Air-crack

• Use ‘pwd.txt’ dictionary

In this video, you will learn about the John the ripper

• Explore alternate way of brute forcing

• Pass through dictionaries

While connected to our network, we need to do something instead of Google or Facebook. We are going to learn how to intercept incoming and outgoing traffic on our connected network.

• Use Wireshark to intercept and read incoming/outgoing traffic

We have a domain name to test, not an IP. How can we extract the IP information? We will be utilizing the PING command in order to pull that information. Then we will perform an NS Look Up test to find out more information.

• Ping domain name to get IP Address of target

• Utilize NS Lookup to extract information about our target

This is a two part section. We will first dive into the IP WhoIS report, and then follow up with the domain name WhoIs. This is helpful to see if the domain admin is the same as the server admin, and we can extract other forms of information using these techniques.

• Search IP Address WhoIS

• Search Domain Name WhoIS

Often overlooked, but we will be looking at the websites background. Much like your background report, we will need to see what all the creators have done to the website, and when they did it.

• Perform a background history report using Netcraft

Another overlooked aspect, is searching for email accounts and social media accounts. This will be helpful as we can get an insight to who works there, and helps us with our SEA.

• Learn how to use the Harvester

While performing a Recon, typically our motions are visible to the website, or servers, admins. In this section, we will learn how to perform a stealthy approach by using a protected network.

• Protect network using VPN

• Perform a Stealth Recon using Nmap

Much like we showed on our wireless intercepting, we will be looking at incoming and outgoing connections for the targeted website.

• Learn how to intercept website traffic using Wireshark

Now that we have performed our hacks and attacks, we need to generate a report to present to our employer. This should give them some details about your exploits, how you did them, and options on how to fix them.

• Design the report and adding proper content

This video will give you an overview about the course. 

In this video, we will discuss the concerns with web applications.

• Look at the web application specifications

• Understand the risks associated with web applications

• Understand the penetration testing process

In this video, we will discuss the common vulnerabilities of a web application.

• Learn what OWASP is

• Look at the OWASP Top 10 vulnerabilities

• Get a summary of the vulnerabilities

In this video, we will look at the differences between vulnerability assessment and penetration testing (or ethical hacking).

• Understand vulnerabilities, threats, and risks

• Understand vulnerability assessment and the challenges involved in it

• Understand the difference between penetration testing and vulnerability assessment

In this video, we will understand the challenges and expectations of ethical hacking.

• Understand the responsibilities of an ethical hacker

• Understand the customer goals and expectations

• Look at the challenges and limitations

In this video, we will learn the requirements for building a hacking test lab.

• Look at the standard laptop/computer requirements

• Understand the software installation requirements

• Understand the virtual images requirements

In this video, we will learn how a hacking test lab is designed and set up on a single computer.

• Understand the diagram and design

• Understand IP addressing and networking

• Look at the VirtualBox settings and configuration

In this video, we will see how to set up IP addressing, networking, and connectivity.

• Understand IP address configuration on Kali Linux

• Understand IP address configuration on DVWA

• Test connectivity and DVWA web access

In this video, we will learn how to use the DVWA web interface.

• Input your login information

• Perform setup/reset operations

• Understand the security settings

In this video, we will learn three types of attacks.

• Understand what brute force is

• Understand what CSRF is

• Understand what file inclusion is

In this video, we will learn what SQL injection is and how it works.

• Understand what an SQL injection attack is

• Perform SQL injection tests on DVWA

• Learn how to protect yourself against SQL injection

In this video, we will learn what XSS is and how it works.

• Understand what an XSS attack is

• Perform XSS tests on DVWA

• Learn how to protect yourself against XSS

In this video, we will learn what command execution is and how it works.

• Understand how a command execution attack works

• Perform a command execution attack on DVWA

• Take control over the server

In this video, we will learn how to use OWASP-ZAP.

• Change the DVWA security level

• Understand the basics of OWASP-ZAP

• Perform OWASP-ZAP scans

In this video, we will learn how to scan authenticated websites.

• Learn the OWASP-ZAP modes

• Understand the challenges with authenticated websites

• Perform OWASP-ZAP authenticated scans

In this video, we will learn what Burp Suite is and how to use it.

• Understand Burp Proxy

• Understand Burp Spider

• Understand Burp Scanner

In this video, we will dive deeper into Burp Suite.

• Understand Burp Intruder

• Perform brute-force attacks

• Understand Burp Repeater

In this video, we will learn considerations for web application development security.

• Understand risk analysis

• Look at the vulnerability categories

• Understand the remediations

In this video, we will learn about web application firewalls.

• Understand how a WAF works

• Compare WAF to Firewalls and IPS

• Learn about WAF vendors and demonstration

In this video, we will learn about mod_security installation and configuration.

• Understand what mod_security is

• Install mod_security

• Configure mod_security

This video provides an overview of the entire course.

Hacking is a legal gray zone, thus students need to understand that due diligence has to be practiced.

• Understand what ethical means

• Warn students that they need to understand the laws of their country

• This course is for educational purposes only

We need a windows environment where all exercises in the course can be executed.

• Understand the architecture of the network

• Understand how the three machines relate to each other

• Get ready to install the test machines

Kali Linux is used as the attacker’s machine. It needs to be installed.

• Download Kali

• Download Virtual box

• Import Kali to Virtual box

Most of the attacks will be done against a Windows 10 machine that symbolizes a standard enterprise workstation. It has to be configured carefully so that all exercises could be run.

• Download the evaluation version of Windows 10

• Create a new virtual machine and install Windows 10

• Do additional configuration

Enterprise environments usually run Windows Servers. In our test network it will be a Windows 2016 that will act as the domain controller as well.

• Download the evaluation version of Windows Server 2016

• Create a new virtual machine and install Windows Server 2016

• Save the virtual machine

The Windows machine should connect to an internal network that also runs an Active Directory Domain.

• Turn the Windows 2016 to a domain controller

• Join the new domain with the Windows 10

• Create dummy service on the Windows 10

To define the attack surface, we would like to know as much about the target network as possible.

• Identify all running hosts on the network

• Identify all open TCP ports

• Identify all running UDP port

To be able to exploit services we need to know exactly what they are.

• Find out what kind of service is running on a port

• Identify the program that is running the service

• Identify the exact version of the program

Exploit development is very time consuming and complex. In most penetration tests publicly available exploits are used.

• Find a suitable exploit on the Internet

• Understand and modify the exploit as necessary

• Run the exploit and get access to the machine

A more extensive framework is needed to efficiently do testing. The Metasploit Framework offers various tools that will be used in every stage of a pentest.

• Find suitable exploit in Metasploit

• Choose payload for the exploit

• Run the exploit

Although not real exploitation but lot of real attacks rely on files that are that are executed by a victim user after a social engineering attack.

• Choose a payload that should be executed by the victim

• Create a malicious executable with the payload

• Social engineer the target user to run you executable

Modern Anti-Virus programs such as Windows Defender can detect a wide variety of malicious actions. Evading these tools is a typical cat-and-mouse game.

• Choose a legitimate Windows executable that will be used to carry the payload

• Download and run shelter to inject the malicious payload into the executable

• Run a handler to receive the connect back shell

We learnt a lot in this section and it should be practiced.

• Review what we learnt

• Explain how exploitation can be practiced

• Practice the given steps

We need to understand where we in the penetration test are and what are the at this point.

• Understand what the post-exploitation phase is about

Usable and stable backdoor is needed to properly interact with the exploited machine.

• Create a meterpreter payload

• Execute a payload handler

• Get to know the meterpreter shell

After a successful exploit the attacker inherits the privileges of the exploited application. If that is not administration or system privilege, then further exploits are needed to achieve maximum privileges on the target machine.

• Look for a process that runs as SYSTEM

• Try to find a way to manipulate that process

• Get the SYSTEM process to execute our payload

Credentials are valuable assets that can be used in further attacks. Thus harvesting them on newly compromised machines is essential.

• Harvest Windows password hashes

• Harvest passwords from HeidiSQL

• Collect credentials from memory

Most modern systems only store password hashes. The plain text passwords can be still recovered though.

• Understand how hash functions wor

• Run dictionary attack with hashcat

• Run dictionary attack with John the Ripper

The attackers’ first connection could be broken by various events, such as a reboot. To avoid losing the machine it should be made sure that a persistent backdoor is installed.

• Understand various ways to achieve persistence

• Use PowerSploit to create a persistent backdoor

• Execute the backdoor on the target machine

A compromised machine could allow access to a network segment that was previously not reachable. Using these techniques, the traffic can be tunneled through the compromised host.

• Understand the concept of pivoting

• Use the Metasploit autoroute module to route traffic to the new network

• Use a SOCKS proxy and proxychains to access the internal network by tools outside of Metasploit

Usually only password hashes are stored by Windows. However these can be still used to compromise other machines.

• Understand the legitimate use of using password hashes

• Dump password hashes with mimikatz

• Take over the domain controller with mimikatz

We will see some important measures that should be taken after this course to get success in the penetration testing.