Hacking Tools Introduction
Author: Rassoul Ghaznavi-Zadeh
Copyright © 2016 by Primedia E-launch LLC
All rights reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher, except in the case of brief quotations embodied in critical reviews and certain other non-commercial uses permitted by copyright law. For permission requests, write to the publisher, addressed “Attention: Permissions Coordinator,” at the address below.
Primedia E-launch LLC, 3900 Swiss Ave, Dallas, TX 75204, United States, +1 469-232-7943, www.primediaelaunch.com
Ordering Information: This book is available on most of the eBook distributors including Amazon Kindle, Barnes and Noble, the Apple iBookstore, Kobobooks, and Google Play.
The main category of the book: IT, Computer and Electronics — Ethical Hacking
First Edition
Book name: Kali Linux — Hacking Tools Introduction

Table of Contents
About the Author
A note from the Author
Warning
Chapter 1 — Ethical Hacking and Steps
  What is ethical hacking?
  What is the purpose of this book?
  What are the responsibilities of an Ethical Hacker?
  What are the customer's expectations?
  How to get prepared for the Penetration testing
Chapter 2 — Reconnaissance (Information Gathering)
  What is reconnaissance?
  Popular reconnaissance tools on Kali
  Dmitry
  Maltego
    What does Maltego do?
    What can Maltego do for me?
    Using Maltego
    How to use Maltego without using wizard?
  NMAP — Network Mapper Security Scanner
    Getting Started with NMAP
    Ping test on a host, IP range or network
    Ping and basic TCP scan test on a host or network
    TCP quick scan test with “NO PING” test
    Full TCP Scan
    Full UDP Scan
    Scan specific TCP/UDP ports on a host
    Traceroute by NMAP
    Excluding IP addresses from scan
    Using a list of hosts
    SYN Stealth Scan
    OS detection by NMAP
    Adjust timing aggressiveness with NMAP scan
    Using NMAP Scripts
    Some NMAP scripts examples
      SMB Operating System discovery
      HTTP Enumeration
      Traceroute Geolocation
      Whois-domain and whois-ip
      SMB Brute Force
      Some other usage examples of NMAP scripts
    NMAP Cheat Sheet
  HPING3
    Sample scans using hping3
    DoS attack using hping3
Chapter 3 — Vulnerability Analysis
  What is Vulnerability Analysis?
  Popular Vulnerability Analysis tools on Kali
  Golismero
    Enable or disable plugins on Golismero
  OpenVAS — Free Vulnerability Assessment Software
    Setting up OpenVAS on Kali Linux for the first time
  w3af — Web Application Attack and Audit Framework
    Using w3af in command line
    Set up additional options via command line interface
  Nikto
  Vega
    Using Vega as proxy server
  OWASP ZAP
  Burp Suite
    Burp Suite intercepting Proxy
    Burp Spider
    Burp Web Vulnerability Scanner
    Burp Intruder
    Burp Repeater
    Burp Sequencer
    Burp Decoder
      Loading Raw Data
      Transformations
  What is penetration testing?
  Popular Penetration tools on Kali
  John the Ripper
    Wordlist mode
    “Single crack” mode
    “Incremental” mode
    External mode
  Crunch — Password file maker
  Ncrack
  Ettercap — ARP poisoning and Man-In-The-Middle Attack
    Using Xplico application to sniff the traffic
    DNS Spoofing with ettercap
    DoS attack with ettercap
  Metasploit Framework
    Using NMAP within Metasploit Framework
    Metasploit exploit Payloads and Options
      Metasploit exploit Payloads
      Metasploit exploit Options
      Example of a payload attack
    Metasploit auxiliary vs exploit
    Active vs Passive exploits
    Metasploit Workspaces
    Vulnerability scanning with Metasploit
    Using MSFvenom
  Armitage
    Running NMAP scans with Armitage
    How to launch a specific exploit or auxiliary on a host in Armitage
    Hail Mary attack
  Updating the configuration of setoolkit
  Complex Spear phishing attack using SET (Social Engineering Toolkit)
  Web Site attack vectors using SET
  Harvesting credentials using SET and website cloning
  Aircrack-ng
    Finding WEP passwords using aircrack-ng
    Finding WPA2 passwords using aircrack-ng
  Kismet
    Gathering information with Kismet
  Post exploitation backdoors
    Netcat (NC)
    Using Metasploit meterpreter with netcat
    Backdoor Factory
Chapter 5 — Reference of tools and terms on Kali
  Tools reference
  Glossary of terms

Introduction
In this book, you will learn the basic techniques of how to hack and penetrate computer networks, systems and applications. This book covers many of the top penetration tools available on Kali Linux and their operation. Readers are expected to have a minimum knowledge of computer networking, command-line utilities and basic Linux administration to be able to understand and follow the guidance in this book.

About the Author
Rassoul Ghaznavi-zadeh, the author, has been an IT security consultant since 1999.
He started as a network and security engineer and developed his knowledge around enterprise business, security governance and standards and frameworks such as ISO, COBIT, HIPAA, SOC and PCI. He has helped many enterprise organizations achieve a safe and secure environment by testing, auditing and providing recommendations. He has also written other security books on penetration and enterprise security. Rassoul holds multiple international certificates in security and enterprise IT architecture.

A note from the Author
This is my second book about penetration and Kali Linux. I tried to add more details and in-depth explanation about how things work and what should be done in steps. I hope you find this book useful and that I can help my bit to keep the technology industry safer and more secure. For those who buy this book, I am available on LinkedIn for any follow-up. Add me to your network and ask any question you might have, and I am more than happy to assist. I'd like to present this book to my wife and daughter, who have always been with me and helped me spare some time to write this book.

Warning
The techniques you learn in this book are not meant to be used in any production environment for abusive purposes. It is illegal to use these techniques without formal permission from the management team of the organization. The main purpose and aim is to keep the technology environment secure by doing these tests as an Ethical hacker within a specified agreement with the customers. Do not use these techniques without written authorization. It is illegal and it can put you in trouble.

Chapter 1 — Ethical Hacking and Steps
What is ethical hacking?
Ethical hacking is the process of investigating vulnerabilities in an environment, analysing them, and using the information gathered to protect that environment from those vulnerabilities.
Ethical hacking requires a legal and mutual agreement between the ethical hacker and the asset and system owners, with a defined and agreed scope of work. Any act outside of the agreed scope of work is illegal and is not considered part of ethical hacking.

What is the purpose of this book?
The purpose of this book is to prepare readers to be able to act and work as an ethical hacker. The techniques in this book must not be used on any production network without formal approval from the ultimate owners of the systems and assets. Using these techniques without approval can be illegal, can cause serious damage to others' intellectual property, and is a crime.

What are the responsibilities of an Ethical Hacker?
As an Ethical hacker you have a clear responsibility for how you use your knowledge and techniques. It is also very important to understand what the expectations of an Ethical hacker are and what you should consider when assessing the security of a customer's organization. Below are a couple of important things you must consider as an Ethical hacker:
• Must use your knowledge and tools only for legal purposes
• Only hack to identify security issues with the goal of defence
• Always seek management approval before starting any test
• Create a test plan with the exact parameters and goals of the test and get management approval for that plan
• Don’t forget, your job is to help strengthen the network and nothing else!

What are the customer’s expectations?
It is very important to understand the customer’s expectations before starting any work. As the nature of this work (Ethical hacking) is high risk and requires a lot of attention, if you don’t have a clear understanding of their requirements and expectations, the end result might not be what they want and your time and effort will be wasted. This could also have legal implications if you don’t follow the rules and address the customer's expectations.
Below are some important things you should note:
• You should work with the customer to define goals and expectations
• Don’t surprise or embarrass them with the issues that you might find
• Keep the results and information confidential at all times
• The company usually owns the resultant data, not you
• Customers expect full disclosure on problems and fixes

What are the required skills of the hacker?
To be an Ethical hacker you should have extensive knowledge about a range of devices and systems. Ideally you should have multiple years of experience in the IT industry and be familiar with different hardware, software and networking technologies. Some of the important skills required to be an Ethical hacker are as below:
• Should already be a security expert in other areas (perimeter security, etc.)
• Should already have experience as a network or systems administrator
• Experience on a wide variety of Operating Systems such as Windows, Linux, UNIX, etc.
• Extensive knowledge of TCP/IP: ports, protocols, layers
• Common knowledge about security and vulnerabilities and how to correct them
• Must be familiar with hacking tools and techniques (we will cover this in this book)

How to get prepared for the Penetration testing
Once you want to start a penetration project, there are a number of things that you need to consider. Remember, without following the proper steps, getting approvals and finalizing an agreement with the customer, using these techniques is illegal and against the law. Important things to consider before you start:
• Get signed approval for all tests from the customer
• You need to sign a confidentiality agreement (NDA)
• Get approval of collateral parties (ISPs)
• Put together the team and tools and get ready for the tests
• Define goals (DoS, Penetration, etc.)
• Set the ground rules (rules of engagement with the customer and team)
• Set the schedule (non-work hours, weekends?)
• Notify appropriate parties (Sys admin, Security department, Legal department, law enforcement)

Chapter 2 — Reconnaissance (Information Gathering)
What is reconnaissance?
Reconnaissance is the first step in penetration testing. The point is to gather as much information as possible about the target company, network, infrastructure or personnel. There are two different types of information gathering: active (calling, talking, visiting, etc.) and passive (finding information on websites, job advertisements, etc.).

Popular reconnaissance tools on Kali
Dmitry
DMitry (Deepmagic Information Gathering Tool) is a UNIX/(GNU) Linux command line application coded in C. DMitry has the ability to gather as much information as possible about a host. Base functionality is able to gather possible subdomains, email addresses, uptime information, TCP port scan, whois lookups, and more. The following is a list of the current features:
• An Open Source Project.
• Perform an Internet Number whois lookup.
• Retrieve possible uptime data, system and server data.
• Perform a SubDomain search on a target host.
• Perform an E-Mail address search on a target host.
• Perform a TCP Portscan on the host target.
• A Modular program allowing user specified modules.
Sample command output:
[Screenshot: dmitry usage/help output, not reproduced]
Usage: The below command will start gathering information about the facebook.com domain name.
dmitry -winsepo facebook.example facebook.com
The report will include the domain and IP address lookup information (-w and -i), netcraft information about the website and servers, information about subdomains (-s) and email addresses associated with this domain (-e), and TCP scan results for the domain (-p), and it will be saved to the file named facebook.example (-o).
[Screenshot: dmitry terminal output, not reproduced]
The report file will look like below:
[Screenshot: contents of the report file, not reproduced]
The information in the file can be used for the next steps of the attack, which will be explained in the next chapters.

Maltego
Maltego is a unique platform developed to deliver a clear threat picture of the environment that an organization owns and operates. Maltego’s unique advantage is to demonstrate the complexity and severity of single points of failure as well as the trust relationships that currently exist within the scope of your infrastructure. The unique perspective that Maltego offers to both network and resource based entities is the aggregation of information posted all over the internet, whether it’s the current configuration of a router poised on the edge of your network or the current whereabouts of your Vice President on his international visits. Maltego can locate, aggregate and visualize this information, offering the user unprecedented information.

What does Maltego do?
Maltego is a program that can be used to determine the relationships and real world links between:
• People
• Groups of people (social networks)
• Companies
• Organizations
• Web sites
• Internet infrastructure such as domains, DNS names, netblocks and IP addresses
• Phrases
• Affiliations
• Documents and files
These entities are linked using open source intelligence. Maltego is easy and quick to install: it uses Java, so it runs on Windows, Mac and Linux.
It provides you with a graphical interface that makes seeing these relationships instant and accurate, making it possible to see hidden connections. Using the graphical user interface (GUI) you can see relationships easily, even if they are three or four degrees of separation away. Maltego is unique because it uses a powerful, flexible framework that makes customizing possible. As such, Maltego can be adapted to your own, unique requirements.

What can Maltego do for me?
Maltego can be used for the information gathering phase of all security related work. It will save you time and will allow you to work more accurately and smarter. Maltego aids you in your thinking process by visually demonstrating interconnected links between searched items. Maltego provides you with a much more powerful search, giving you smarter results. If access to “hidden” information determines your success, Maltego can help you discover it.

Using Maltego
To use Maltego, you need to run it using the maltego command. The first time you run it, you need to create an online account to be able to use it. The Community edition is free and can be used by creating a free account. The free version is a good start, and if you need more features, it must be purchased.
First time running Maltego:
[Screenshot: Maltego Community Server login dialog, not reproduced]
Once it is running, there are multiple ways to gather information, including domain lookups, email address gathering, Twitter lookup for a specific domain, or even looking up Wikipedia edits.
[Screenshot: “Run Machine” wizard listing machines such as Company Stalker, Find Wikipedia edits and the Footprint machines, not reproduced]
We will show you a couple of them below. Select “Company Stalker” from the options and click on Next, then type the domain name you want to look up. In this case, we are looking up the kali.org domain name. With the free edition the results will be limited, but that’s enough for the purpose of demonstration and testing.
As can be seen in the picture below, Maltego will search for and find the email addresses associated with that domain name. Once we select and proceed with the email addresses that we like, Maltego will try to find any available account with those email addresses on the Myspace or Flickr websites.
[Screenshot: Company Stalker results, not reproduced]
Finding an email address linked to the domain name or the owner of the domain is the first step of reconnaissance. As you can guess, once any social media account linked to that email address is found, the attacker is one step ahead in finding the next steps of attack, for example, finding someone's password.
In the picture below, you can see how Maltego shows links, domain names and email addresses associated with a specific domain on a dashboard.
[Screenshot: Maltego graph for the domain, not reproduced]
For the next test, we want to get a footprint of the domain and all the necessary information that we might need to attack a host. To do this, close the current page and open a new page in Maltego. If you want to open the initial wizard again to select the required option, you can right click on the blank page and it will open the wizard window. From the wizard, select “Footprint L1”, click on Next, choose your domain name (we use kali.org again) and start the footprint. You might get some warnings as it will try to load the DNS zones as part of the footprinting.
If you get a warning, select “accept” and click on Run.
[Screenshot: Footprint L1 run dialog, not reproduced]
The output will be a lot of information about subdomains, hosts, their IP addresses, network ranges and even the BGP AS number if one is available. This information is very useful and can be used in the next step of an attack against a host. The output will look like below:
[Screenshot: Footprint L1 results, not reproduced]

How to use Maltego without using wizard?
Now it is time to go one step further and do some more advanced checks on the objects. Maltego gives you lots of objects like Website, URL, Domain, AS Number, IP Address, NetBlock and even Facebook or Twitter objects. To use these objects and do lookups on them, you need to follow the instructions below.
Close the current tabs in Maltego and open a new one. On the left side you can see the Palette window, and the objects are in that window.
[Screenshot: Maltego Palette window, not reproduced]
Drag and drop a Domain object onto the blank page. On the right side (red circle in the picture below), change the domain name to “kali.org” and press Enter. Then right click on the kali.org domain object in the middle of the page and click on the yellow start icon next to “All Transforms” in the menu. This will initiate all checks. You need to choose “accept” on a couple of terms in a new window before the operation starts. This will do all the required checks on a domain and give you a full snapshot of the domain, subdomains, email addresses, networks, etc.
Close all the windows and open a new one. This time drag and drop an “AS” object onto the blank area. On the right side, change the AS number from the default to 15169. This is Google's BGP AS number. Right click on the AS object and click on the yellow start icon on the right side of the menu.
Note: BGP AS numbers are used for global internet routing.
All large providers have an AS number and advertise their IP addresses through their AS numbers. The result will be a snapshot of all of Google's IP address ranges.
Repeat the same test with another object like NS Record. Drag and drop an NS Record object onto the blank area and change the name to “ns1.google.com”. Then right click on the object and start all transform tests by clicking on the yellow start icon in the menu. At the next prompt, for enumerateHostNamesNumerically, select 1, 0 and 4 for rangeStart, Padding and rangeEnd, so it will look for ns1.google.com to ns4.google.com.
[Screenshot: transform input prompt, not reproduced]
The result will be a snapshot of all information about the name server, IP addresses and linked domain names.

NMAP — Network Mapper Security Scanner
NMAP (Network Mapper) is a security scanner used to discover hosts and services on a computer or a network, creating a "map" of the network. To accomplish its goal, NMAP sends specially crafted packets to the target host and then analyses the responses. The software provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection and other features. NMAP is also capable of adapting to network conditions including latency and congestion during a scan. NMAP is open source and free software under development and refinement by its user community.

Getting Started with NMAP
NMAP has a range of switches, options and scripts that can be used to complete different analyses. Running NMAP with no options will give you a list of all those options; the "man nmap" command can also be used to open the NMAP manual and learn about options and parameters.
[Screenshot: nmap option summary, not reproduced]

Ping test on a host, IP range or network
To do a simple ping and TCP scan test on a host, simply type the host IP address after the nmap command with the “-sP” option and run it. The below command will do a simple ping test on 172.21.130.1:
nmap -sP 172.21.130.1
[Content not available in this preview]
nmap 172.21.130.84 -P0 (or nmap 172.21.130.84 -Pn)

Full TCP Scan
Using the “-sT” option with NMAP, we will be able to complete a full TCP scan on a host or a network. This is useful to understand the open ports available on each host and the services running on those ports. The below command will do a full TCP scan and return a list of all open TCP ports available on host 172.21.130.84:
nmap -Pn -sT 172.21.130.84
[Content not available in this preview]
nmap -iL /home/rassoul/hosts.txt
The content of the file can be a combination of host names, IP addresses, ranges or network addresses. Here is an example:
[Screenshot: sample hosts.txt contents, not reproduced]
We can also have an exclusion list and exclude some hosts from scanning as well. Below is an example:
nmap -iL /home/rassoul/hosts.txt --excludefile /home/rassoul/excludedhosts.txt

SYN Stealth Scan
The system initiating the connection sends a packet to the system it wants to connect to. TCP packets have a header section with a flags field. Flags tell the receiving end something about the type of packet, and thus what the correct response is. Here, we will talk about only four of the possible flags. These are SYN (Synchronise), ACK (Acknowledge), FIN (Finished) and RST (Reset). SYN packets include a TCP sequence number, which lets the remote system know what sequence numbers to expect in subsequent communication. ACK acknowledges receipt of a packet or set of packets, FIN is sent when a communication is finished, requesting that the connection be closed, and RST is sent when the connection is to be reset (closed immediately).
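The flag semantics just described are also what a defender relies on to notice a SYN scan in firewall logs: a scanner sends a bare SYN to many ports on a host and never completes a handshake. The Python below is an added example and not code from the book. It parses constructed netfilter/iptables-style LOG lines (the sample lines, the field layout and the min_ports threshold are assumptions) and reports sources that sent SYN-only packets to at least min_ports distinct ports without ever following up with an ACK.

```python
"""Spot SYN-scan style probing in firewall log lines (log-analysis side).

Added example for this section; it is not code from the book. Assumptions:
the lines follow the netfilter/iptables LOG format (KEY=VALUE fields, with
the TCP flags appearing as bare words such as SYN or ACK), the sample lines
are constructed for this example, and the min_ports threshold is illustrative.
"""
import re
from collections import defaultdict

# Constructed sample lines (not captured from a real host). 10.0.0.5 sends bare
# SYNs to six ports and never follows up; 10.0.0.7 completes a normal handshake.
SAMPLE_LOG = """\
Jan 10 10:00:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 SYN URGP=0
Jan 10 10:00:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 SYN URGP=0
Jan 10 10:00:01 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=40001 DPT=25 WINDOW=1024 SYN URGP=0
Jan 10 10:00:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 SYN URGP=0
Jan 10 10:00:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 SYN URGP=0
Jan 10 10:00:02 fw kernel: IN=eth0 OUT= SRC=10.0.0.5 DST=10.0.0.9 PROTO=TCP SPT=40001 DPT=3389 WINDOW=1024 SYN URGP=0
Jan 10 10:00:03 fw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.9 PROTO=TCP SPT=51222 DPT=443 WINDOW=29200 SYN URGP=0
Jan 10 10:00:03 fw kernel: IN=eth0 OUT= SRC=10.0.0.7 DST=10.0.0.9 PROTO=TCP SPT=51222 DPT=443 WINDOW=229 ACK URGP=0
Jan 10 10:00:04 fw kernel: IN=eth0 OUT= SRC=10.0.0.8 DST=10.0.0.9 PROTO=UDP SPT=5353 DPT=53 LEN=40
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")
FLAG_WORDS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


def parse_line(line):
    """Return the KEY=VALUE fields of one LOG line plus the set of bare TCP flag words."""
    fields = dict(FIELD_RE.findall(line))
    fields["flags"] = {tok for tok in line.split() if tok in FLAG_WORDS}
    return fields


def detect_syn_scanners(log_text, min_ports=5):
    """Map each suspicious source IP to the sorted list of ports it left half-open.

    A (src, dst, port) triple is half-open when the source sent a SYN without ACK
    and never sent an ACK-bearing packet to that same port afterwards. A source is
    reported when it has at least min_ports distinct half-open ports.
    """
    syn_only = defaultdict(set)   # src -> {(src, dst, port)} seen with a bare SYN
    acked = set()                 # (src, dst, port) where the source later sent an ACK
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("PROTO") != "TCP" or "DPT" not in f:
            continue  # only TCP lines carry handshake flags
        key = (f["SRC"], f["DST"], int(f["DPT"]))
        if "SYN" in f["flags"] and "ACK" not in f["flags"]:
            syn_only[f["SRC"]].add(key)
        elif "ACK" in f["flags"]:
            acked.add(key)
    report = {}
    for src, keys in syn_only.items():
        half_open = sorted({key[2] for key in keys if key not in acked})
        if len(half_open) >= min_ports:
            report[src] = half_open
    return report


if __name__ == "__main__":
    for src, ports in detect_syn_scanners(SAMPLE_LOG).items():
        print(f"possible SYN scan from {src}: {len(ports)} half-open ports {ports}")
```

On the constructed sample only 10.0.0.5 is reported, because 10.0.0.7 acknowledged the SYN/ACK it received on port 443 and so completed a real handshake. In practice the threshold should be tuned per network and the counting should be bounded by a time window, since a legitimate client that retries a closed port will also show SYN-only lines.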
To initiate a TCP connection, the initiating system sends a SYN packet to the destination, which will respond with a SYN of its own and an ACK acknowledging the receipt of the first packet (these are combined into a single SYN/ACK packet). The first system then sends an ACK packet to acknowledge receipt of the SYN/ACK, and data transfer can then begin.
[Content not available in this preview]

To enable OS detection, as discussed above, the “-O” (Enable OS detection) option can be used. Alternatively, “-A” can be used to enable OS detection along with other things. Using “--osscan-limit” (Limit OS detection to promising targets), NMAP will not even try OS detection against hosts if at least one open and one closed TCP port are not found. This can save substantial time, particularly on “-Pn” scans against many hosts. It only matters when OS detection is requested with -O or -A. When NMAP is unable to detect a perfect OS match, it sometimes offers up near-matches as possibilities if the “--osscan-guess” or “--fuzzy” (Guess OS detection results) option is used.
Note: Root privileges are required to do OS fingerprinting.
In the example below, using “nmap -O 172.21.130.84”, you can see the results suggest it is the Windows 7 or 2008 family.
[Screenshot: nmap -O output, not reproduced]
[Content not available in this preview]

Using NMAP Scripts
• Network discovery
• Sophisticated version detection
• Vulnerability detection
• Backdoor detection
• Vulnerability exploitation
To use NMAP scripts, the “-sC” option (or “--script” if you wish to specify a custom set of scripts) can be used. The “-sC” option will run a set of default scripts and return the results. This is the equivalent of using the “--script=default” option.
The picture below shows a sample output of running the default scripts against a host.
[Screenshot: default script output showing NetBIOS and SMB details, not reproduced]
The default location of NMAP scripts on Kali Linux is /usr/share/nmap/scripts. To get a list of all available scripts run the below command:
ls /usr/share/nmap/scripts
[Content not available in this preview]

SMB Operating System discovery
Using “smb-os-discovery.nse”, we can discover the operating system, computer name, NetBIOS name and domain. This information can be used against the discovered host to initiate an attack. The below command will run the “smb-os-discovery” script for IP addresses between 172.21.130.100 and 172.21.130.150 on port 445 (Microsoft-DS port):
nmap -p 445 --script smb-os-discovery 172.21.130.100-150
[Screenshot: smb-os-discovery output, not reproduced]

HTTP Enumeration
Using the “http-enum.nse” script, we can enumerate an HTTP server and try to discover as much information as we need. This information could include admin pages, specific URLs, the sitemap, security related files, etc. The example below is the output of using the “http-enum.nse” script.
[Screenshot: http-enum output, not reproduced]
[Content not available in this preview]
[Screenshot: output of running the whois-ip script against 4.2.2.6, not reproduced]

SMB Brute Force
Using "smb-brute.nse", NMAP will attempt to brute force local accounts against the SMB service on a host. There are other SMB scripts that can be leveraged to retrieve all local user accounts (“smb-enum-users.nse”), groups (“smb-enum-groups.nse”) and processes (“smb-enum-processes.nse”), and even execute processes remotely with the “smb-psexec.nse” script.
The picture below is the output of the following command:
nmap -sV -Pn -p 445 --script smb-brute 172.21.130.84
Note: -sV will force nmap to probe open ports (445 in this case) to determine service/version info.
[Screenshot: smb-brute output, not reproduced]
[Content not available in this preview]

NMAP Cheat Sheet
IP protocol ping —> nmap -PO [target]
ARP ping —> nmap -PR [target]
Traceroute —> nmap --traceroute [target]
Force reverse DNS resolution —> nmap -R [target]
Disable reverse DNS resolution —> nmap -n [target]
Alternative DNS lookup —> nmap --system-dns [target]
Manually specify DNS servers —> nmap --dns-servers [servers] [target]
Create a host list —> nmap -sL [targets]
Advanced Scanning Options
TCP SYN scan —> nmap -sS [target]
TCP connect scan —> nmap -sT [target]
UDP scan —> nmap -sU [target]
TCP Null scan —> nmap -sN [target]
TCP FIN scan —> nmap -sF [target]
Xmas scan —> nmap -sX [target]
TCP ACK scan —> nmap -sA [target]
Custom TCP scan —> nmap --scanflags [flags] [target]
IP protocol scan —> nmap -sO [target]
Send raw Ethernet packets —> nmap --send-eth [target]
Send IP packets —> nmap --send-ip [target]
Port Scanning Options
Perform a fast scan —> nmap -F [target]
[Content not available in this preview]
Ndiff
Comparison using Ndiff —> ndiff [scan1.xml] [scan2.xml]
Ndiff verbose mode —> ndiff -v [scan1.xml] [scan2.xml]
XML output mode —> ndiff --xml [scan1.xml] [scan2.xml]
[Content not available in this preview]

Chapter 3 — Vulnerability Analysis
What is Vulnerability Analysis?
Vulnerability analysis, also known as vulnerability assessment, is a process that defines, identifies, and classifies the security holes (vulnerabilities) in a computer, network, or communications infrastructure. In addition, vulnerability analysis can forecast the effectiveness of proposed countermeasures and evaluate their actual effectiveness after they are put into use.
This is the second step after the reconnaissance phase, and the information gathered in the previous step will be used to find vulnerabilities on the network or a resource.

Popular Vulnerability Analysis tools on Kali
Golismero
GoLismero is a free software framework for security testing. It's currently geared towards web security, but it can easily be expanded to other kinds of scans. It can run its own security tests and manage a lot of well-known security tools (OpenVAS, Wfuzz, SQLMap, DNS recon, robot analyzer, ...), take their results, feed them back to the rest of the tools and merge all of the results. And all of this is done automatically. Run “golismero --help” in a terminal console to get a list of its options.
[Content not available in this preview]

Enable or disable plugins on Golismero
Using the -e and -d options, we can enable or disable the plugins to be used with Golismero. For example, the below command will disable the “theharvester” plugin when scanning the host:
golismero -d theharvester scan http://172.30.22.194 -o report.html
With the default options, a Golismero scan can be very time consuming, as it will try to use all the plugins and scans and also scan subdomains. Another option to use would be “--forbid-subdomains” to make the process quicker if we don’t need Golismero to scan all subdomains. The example below will initiate a Golismero scan without using “theharvester”, “openvas” or any plugin whose name starts with the dns keyword, and also disables scanning subdomains:
golismero -d theharvester,openvas,dns* --forbid-subdomains --audit-name Test -o Test.html 172.30.22.194
The example below will initiate a Nikto plugin scan for the host:
[Content not available in this preview]
[Screenshot: OpenVAS setup check reporting that the installation is OK, not reproduced]
Start a browser and go to https://localhost:9392 to use OpenVAS.
[Screenshots: OpenVAS web interface, not reproduced]
[Content not available in this preview]
[Screenshot: w3af console banner and plugin descriptions, not reproduced]
Now we need to set a target. To set a target, type “target” and press Enter. Then type “set target <target>” and press Enter. For example, typing “set target 172.26.6.120” will set the target as 172.26.6.120. Once we have specified the target, type “back” to go back to the previous menu. We can now start the scan by typing “start”.
[Screenshot: w3af scan output, not reproduced]
[Content not available in this preview]

Vega
Vega is a free and open source scanner and testing platform to test the security of web applications. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows. Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection.
The Vega scanner finds XSS (cross-site scripting), SQL injection, and other vulnerabilities. Vega can be extended using a powerful API in the language of the web: JavaScript. To run Vega, we need to run the vega command on a terminal with sudo privileges as below:
sudo vega
Once we run it, it will give us a graphical interface and we can initiate targeted scans on websites.
