KL_Module_2

MODULE 2

POPULAR TOOLS & EXPLOIT

Penetration Testing tools aid in identifying security weaknesses in a network, server or web
application. These tools are very useful since they allow you to identify the "unknown
vulnerabilities" in the software and networking applications that can cause a security breach.
Vulnerability Assessment and Penetration Testing (VAPT) Tools simulate an attack on your
system within the network and outside the network as if a hacker would attack it. The system
must be corrected if unauthorized access is possible.

The tools are as defined below:

1. NMAP:

Nmap is an abbreviation of ‘Network Mapper’. It is very well known free open source
hackers’ tool. Nmap is mainly used for network discovery and security auditing.

Nmap is used by thousands of system admins all around the world for network
inventory, to check for open ports, manage service upgrade schedules, and monitor host
or service uptime.

As a tool, Nmap uses raw IP packets in creative ways to ascertain what hosts are
available on the network, what services (application name and version) those hosts are
providing information about, what operating systems (fingerprinting) and what type and
version of packet filters/ firewalls are being used by the target.

There are alot of benefits of using Nmap, one of which is the fact that the admin user is
able to determine whether the network (and associated nodes) need patching.

There is a GUI version of Nmap called ‘Zenmap’. It is advisable to learn using Nmap (i.e.
the ‘command line’) then rotate into Zenmap when you are feeling all confident.

Features of Nmap

• Flexible: It supports heaps of advanced techniques for mapping out networks filled with
IP filters, firewalls, routers, and other obstacles. This is inclusive of many port scanning
mechanisms (both TCP & UDP), version detection, OS detection, ping sweeps, and more.

• Powerful: Nmap can be and has been used to scan huge networks of hundreds of
thousands of machines.

• Easy: While Nmap offers a rich set of advanced features for power users, you can start
out as simply as “nmap -v -A targethost”. To suit your preference, both traditional
command line and graphical (GUI) versions are available. For those who do not wish to
compile Nmap from source, binaries are available

• Free: The main goal of the Nmap Project is to help make the Internet a little more
secure and to provide administrators/auditors/hackers with an advanced tool for
exploring their networks. Nmap is free to download. It also comes with full source code
that can be modified and redistributed under the terms of the license.

• Popular: Nmap is downloaded by thousands of people every day. It is included with
many operating systems such as Redhat Linux, Debian Linux, Gentoo, FreeBSD,
OpenBSD, etc. It is in the top ten out of 30,000 programs at the Freshmeat.Net
repository. This is important because it provides Nmap with its creative development
and lively user support communities.

• It identifies hosts on a network and enlists hosts that respond to TCP/ICMP requests.
• It finds out open ports on target hosts.
• It investigates network services on target systems and determines application name and

version details.
• It identifies the operating system of target host.
• Detect the vulnerability and security holes (Nmap scripts).

Format of using Nmap is as follows:
nmap [Scan Type] [Option] [target specification]

2. NETCAT TOOL – “The Swiss Army knife”

Netcat is a utility that is able to write and read data across TCP and UDP network
connections. It essential that you understand the capabilities of Netcat if you are
responsible for network or system security. Netcat can be used as port scanner, a
backdoor, a port listener, a port redirector, and many more things as well.
Features of Netcat
Netcat provides the following functionalities that can be useful for a hacker/pentester
or a network admin
• Chatting
• Port Scanning
• Banner Grabbing
• Port Redirection/Proxying
• File Transfer
• Honeypot
• RAT/Backdoor

Port scanning
The act of systematically scanning a host for open ports. Once discovered, these open
ports can be used to gain access to the host or to launch an attack.

Machine B C:\> nc –v –w 2 –z 192.168.118.130 1-100

Banner Grabbing
A fingerprinting technique aimed at extract information about a host such as operating
system, web server, applications etc. A simple example of banner grabbing is to send a
request and analyze the response received.

Machine B C:\> nc –vv 192.168.118.130 80

Port Redirection
A simple technique used to transfer traffic from one port to another. It is used to access
services that are restricted in any specific environment.

Machine A root@bt:- # nc –l –p 8008 –c “nc google.com 80”
Machine B Browse 192.168.118.130:8008

Honeypot

A Honeypot is a monitored decoy used to attract attackers away from critical resources.
It is also a tool used to analyze an attacker’s methods and characteristics. It can imitate
various services provided by an OS as well as generate responses for those services. It
provides an environment which can interact with an attacker and monitors their
activities without any real resources at risk.

Machine A root@bt:- # nc –lvvp 443 < apache2.txt
Machine B C:\> nc 192.168.118.130 443

Chatting
Netcat can be used for the purpose of chatting from one system to another. We need to
configure Netcat to listen on a specific port at one machine and connect to that specific
address (IP+port) from a remote Netcat.
For instance as shown below:

Machine A root@bt:- # nc –l –p 123

Machine B C:\> nc 192.168.118.130 123

UNICORNSCAN TOOLS
Unicornscan is a new information gathering and correlation engine built for and by
members of the security research and testing communities. It was designed to provide
an engine that is SAFE i.e Scalable, Accurate, Flexible, and Efficient.
Benefits
Unicornscan is an attempt at a User-land Distributed TCP/IP stack. It aims to provide
researchers with a superior interface for introducing a stimulus into and measuring a
response from a TCP/IP enabled device or network. While it currently has hundreds of
individual features, a main set of it’s abilities include:
• Asynchronous stateless TCP scanning with all variations of TCP Flags.
• Asynchronous stateless TCP banner grabbing
• Asynchronous protocol specific UDP Scanning (sending enough of a signature to
elicit a response).
• Active and Passive remote OS, application, and component identification by
analyzing responses.
• PCAP file logging and filtering.

• Relational database output.
• Custom module support.
• Customized data-set views.

USEAGE: unicornscan -mTsf -Iv -r 1000 192.168.0.102:a

NIKTO TOOL

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests
against web servers for multiple items, including over 6700 potentially dangerous
files/programs.

Howver, Nikto was not designed as a stealthy tool. It will test a web server in the
quickest time possible but is obvious in log files or to an IPS/IDS. There is support for
LibWhisker’s anti-IDS methods in case you want to give it a try or test your IDS system.

Features

Here are some of the major features of Nikto.

• SSL Support (Unix with OpenSSL or maybe Windows with ActiveState’s Perl/NetSSL)
• Full HTTP proxy support
• Checks for outdated server components
• Save reports in plain text, XML, HTML, NBE or CSV
• Template engine to easily customize reports
• Scan multiple ports on a server, or multiple servers via input file (including nmap output)
• LibWhisker’s IDS encoding techniques
• Easily updated via command line
• Identifies installed software via headers, favicons and files
• Host authentication with Basic and NTLM
• Subdomain guessing
• Apache and cgiwrap username enumeration
• Mutation techniques to “fish” for content on web servers
• Scan tuning to include or exclude entire classes of vulnerability checks
• Guess credentials for authorization realms (including many default id/pw combos)
• Authorization guessing handles any directory, not just the root directory
• Enhanced false positive reduction via multiple methods: headers,
• page content, and content hashing
• Reports “unusual” headers seen
• Interactive status, pause and changes to verbosity settings
• Save full request/response for positive tests

• Replay saved positive requests
• Maximum execution time per target
• Auto-pause at a specified time
• Checks for common “parking” sites
• Logging to Metasploit
• Thorough documentation

USEAGE: root@kali:~# nikto -Display 1234EP -o report.html -Format htm -Tuning 123bde -
host 192.168.0.102

Aircrack-ng Tool

Aircrack-ng is a wireless security software suite. It consists of a network packet analyzer, a WEP
network cracker, and WPA / WPA2-PSK along with another set of wireless auditing tools. It is an
802.11 WEP and WPA-PSK keys cracking program which can recover keys once enough data
packets have been captured. It implements the standard FMS attack along with few
optimizations such as KoreK attacks, as well as the all-new PTW attack, thus making the attack
much faster compared to other WEP cracking tools.

Here are the most popular tools included in the Aircrack-ng suite:
• Airmon-Ng: converts your wireless card into a wireless card in a promiscuous way
• Airmon-Ng: captures packages of desired specification, and t is particularly useful in
deciphering passwords
• Aircrack-Ng: used to decrypt passwords — able to use statistical techniques to decipher
WEP and dictionaries for WPA and WPA2 after capturing the WPA handshake
• Aireplay-Ng: can be used to generate or accelerate traffic in an access point
• Airdecap-Ng: decrypts wireless traffic once the key is deciphered

Features of Aircrack-ng suite
• Support for WEP, WPA/WPA2-PSK passwords
• Fast WEP and WPA password decryption
• Packet sniffer and injector
• Ability to create a virtual tunnel
• Automated WEP key password recovery

• Password list management

JOHN THE RIPPER
John the Ripper is a fast password cracker, currently available for many variants of Unix,
Windows, DOS, BeOS, and OpenVMS. Its primary purpose is to detect weak Unix passwords.
Moreover, several crypt(3) password hash types most commonly found on various Unix
systems, supported out of the box are Windows LM hashes, plus lots of other hashes and
ciphers in the community-enhanced version. John the Ripper is free and Open Source software,
distributed primarily in source code form.
USAGE:
To run John, you need to supply it with some password files and optionally specify a cracking
mode, like this, using the default order of modes and assuming that "passwd" is a copy of your
password file:

john passwd

or, to restrict it to the wordlist mode only, but permitting the use of word mangling rules:

john --wordlist=password.lst --rules passwd

Cracked passwords will be printed to the terminal and saved in the file called $JOHN/john.pot
(in the documentation and in the configuration file for John, "$JOHN" refers to John's "home
directory"; which directory it really is depends on how you installed John). The $JOHN/john.pot
file is also used to not load password hashes that you already cracked when you run John the
next time.
To retrieve the cracked passwords, run:

john --show passwd

While cracking, you can press any key for status, or 'q' or Ctrl-C to abort the session saving its
state to a file ($JOHN/john.rec by default). If you press Ctrl-C for a second time before John had
a chance to complete handling of your first Ctrl-C, John will abort immediately without saving.
By default, the state is also saved every 10 minutes to permit for recovery in case of a crash.
To continue an interrupted session, run:

john --restore

These are just the most essential things you can do with John. Note that "binary" (pre-
compiled) distributions of John may include alternate executables instead of just "john". You
may need to choose the executable that fits your system best, e.g. "john-omp" to take
advantage of multiple CPUs and/or CPU cores.

Features of john the Ripper

• John the Ripper is designed to be both feature-rich and fast. It combines several
cracking modes into one program and is fully configurable for your specific needs. You
can even define a custom cracking mode using the built-in compiler supporting a subset
of C.

• Also, John is available for several different platforms which enables you to use the same
cracker everywhere. You can even continue a cracking session which you started on
another platform.

• Out of the box, John supports the following Unix crypt(3) hash types:
• traditional DES-based
• bigcrypt
• BSDI extended DES-based
• FreeBSD MD5-based (also used on Linux and in Cisco IOS)
• OpenBSD Blowfish-based
• Also supported out of the box are Kerberos/AFS and Windows LM (DES-based)
hashes, as well as DES-based tripcodes.

• Dictionary attacks and brute force testing
• Compatible with most operating systems and CPU architectures
• Can run automatically by using crons
• Pause and Resume options for any scan
• Let’s you define custom letters while building dictionary attack lists
• Allows brute force customization rules

THC Hydra Tool

Hydra is a parallelized login cracker which supports numerous protocols to attack. Apart from
being is very fast and flexible, new modules are easy to add. It makes it possible for researchers
and security consultants to prove how easy it would be to gain unauthorized access to a system
remotely.

It supports: Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-
POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP,
Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh,
SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY,
Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Features of THC Hydra

• Full time-memory trade-off tool suites along with rainbow table generation, sort,
conversion and look up

• It supports rainbow table of any hash algorithm
• Support rainbow table of any charset
• Support rainbow table in compact or raw file format
• Computation on multi-core processor support
• Runs on Windows and Linux operating systems
• Unified rainbow table file format on all supported OS
• Support GUI and Command line user interface
• Ultrafast password cracking speed
• Ability to launch parallel brute force cracking attacks
• Support for multiple protocols such as CVS, FTP, HTTP, HTTPS, HTTP-Proxy, IMAP, IRC,

LDAP, MS-SQL, MySQL, etc.

WPScan

WordPress is one of the best open source CMS and this would be the best free WordpPress
security auditing tool. It’s free but not open source.

If you want to know whether a WordPress blog is vulnerable in some way, WPScan is your
friend.

In addition, it also gives you details of the plugins active. Of course, a well-secured blog may not
give you a lot of details, but it is still the best tool for WordPress security scans to find potential
vulnerabilities.

Wireshark

Wireshark is the most popular network analyzer that comes baked in with Kali Linux. It can be
categorized as one of the best Kali Linux tools for network sniffing as well.

It is being actively maintained, so I would definitely recommend trying this out.

Skipfish

Similar to WPScan, but not just focused for WordPress. Skipfish is a web application scanner
that would give you insights for almost every type of web applications. It’s fast and easy to use.
In addition, its recursive crawl method makes it even better.

For professional web application security assessments, the report generated by Skipfish will
come in handy.

Maltego

Maltego is an impressive data mining tool to analyze information online and connect the dots
(if any). As per the information, it creates a directed graph to help analyze the link between
those pieces of data.Do note, that this isn’t an open source tool.

It comes pre-installed, however, you will have to sign up in order to select which edition you
want to use. If you want for personal use, the community edition will suffice (you just need to
register for an account) but if you want to utilize for commercial purpose, you need the
subscription to the classic or XL version.

Popular Exploits

Metasploit is a powerful and popular tool for penetration testers and security experts.
However, it’s also a goldmine for the darker side of the hacking community. Recently, Rapid
7 published a list of most popular Metasploit modules, offering an interesting look at the
vulnerabilities that earned the most attention last month.

The list was compiled by examining the webserver stats for the Metasploit Auxiliary and Exploit
Database.

1. MS12-020:
At the top of the list is MS12-020. Although never proven, earlier this year it was implied
that MS12-020 would allow an attacker to hijack RDP and execute code. The second
vulnerability addressed in MS12-020 based on a flaw in RDP that could be used to create
a Denial-of-Service condition on systems where RDP was enabled. Rapid 7’s Tod
Beardsley explained “This is likely the most popular module we have due to both
recency bias and because there was an unusual level of spontaneous organization of the
Metasploit developer community to search for the correct path to remote code
execution.”

2. MS08-067:
Tod Beardsley explains this one as a “four year old vulnerability that tends to give the
most reliable shells on Windows 2003 Server and Windows XP... This exploit is also not

ancient, so it’s reasonable to expect to find some unpatched systems in a medium to
large enterprise vulnerable to it.” Most security admins and aficionados will recognize it
as the vulnerability used by Conficker and its many variants to spread. It was released
out-of-cycle in 2008 (October 23) in order to address a flaw in the Server service, which
is enabled by default on Windows 2000, Windows XP (all versions), and Windows Server
2003. Prophetically, Microsoft pushed a fix for this flaw earlier than usual because of the
concern that it could be used in the creation of a new Worm variant. Months after the
patch was developed, the vulnerability was used in the first version of Conficker. The
Worm remains active to this day.

3. MS06-040
This is the go-to method for gaining remote root on Windows NT. Beardsley explains “A
six-year-old vulnerability that’s notable in that there’s no official patch from Microsoft
for this on Windows NT 4.0. This was discovered after NT went end-of-life, so if you
need remote root on an NT machine (and there are still plenty out there), this is going to
be your first choice.”

4. Adobe PDF Embedded EXE Social Engineering (CVE-2010-1240):
This module exploits CVE-2010-1240 in Adobe Reader. The idea is that you can embed
and execute a Meterpreter PE Executable in a PDF, and when the user opens the PDF,
surprise shells! Since it's on this list, it's probably the most popular social engineering-
style module.

5. Microsoft Plug and Play Service Overflow (CVE-2005-1983, MSB-MS05-039):
This exploits the Plug and Play service on Windows 2000. This is the exploit that MS06-
040 replaced, though until MS06-040, this was the most reliable exploit around for
Windows 2000. The Zotob worm used it. Note that while the exploit isn't 100% reliable,
failed attempts had a tendency to trigger a reboot of the target, so the next attempt
would be 100% successful. In other words, for some people, the reboot-on-failure is
really more of a feature than a bug.

6. Microsoft Server Service Relative Path Stack Corruption (CVE-2008-4250, MSB-MS08-
067):
A four-year-old vulnerability tends to give the most reliable shells on Windows 2003
Server and Windows XP. It's also got a great pile of language pack targets. All of
Metasploit's exploits provide US English targeted shellcode, a few might provide
Chinese, Spanish, French, or other popular languages; this one has targets in pretty
much every language you've ever heard of. This exploit is also not ancient, so it's
reasonable to expect to find some unpatched systems in a medium to large enterprise
vulnerable to it.

References:

• Nmap (Network Mapper)- Techcodezz
https://www.techcodezz.ooo/2017/12/hacking-tools-and-hacking-tips.html

• Kali Tools: Nikto
https://tools.kali.org/information-gathering/nikto

• John The Ripper- Github
https://github.com/magnumripper/JohnTheRipper

• What is Hydra in Hacking?
http://securityandhackingtips00.blogspot.com/2017/06/tool-used-to-crack-passwords-
hydra-know.html

• Rapid 7 outlines the most popular Metaspolit Modules – Steve Ragan
https://www.securityweek.com/rapid-7-outlines-most-popular-metasploit-modules

• Top 10 most searched Metasploit Exploit and Auxiliary Modules – Cyber
Marshalls
https://cybermarshalls.wordpress.com/2012/07/29/top-10-most-searched-metasploit-
exploit-and-auxiliary-modules/