Wednesday 13 November 2019

How to enable graphical mode on Kali Linux by Raj Gupta



[root@ip-172-31-18-8 ~]# apt-get install tightvncserver
[root@ip-172-31-18-8 ~]# apt-get install xrdp
[root@ip-172-31-18-8 ~]# systemctl start xrdp
[root@ip-172-31-18-8 ~]# netstat -antup | grep xrdp
tcp        0      0 127.0.0.1:3350          0.0.0.0:*               LISTEN      6324/xrdp-sesman
tcp        0      0 0.0.0.0:3389            0.0.0.0:*               LISTEN      6325/xrdp
[root@ip-172-31-18-8 ~]# systemctl enable xrdp
[root@ip-172-31-18-8 ~]# passwd    ----set the password for root

Tuesday 12 November 2019

Active information gathering and port scanning by Raj Gupta

Metasploitable :- Metasploitable is an intentionally vulnerable Linux virtual machine that can be used to conduct security training, test security tools, and practice common penetration testing techniques. The VM will run on any recent VMware product and on other virtualization technologies such as VirtualBox.

https://information.rapid7.com/metasploit-framework.html


username:   msfadmin
password:   msfadmin


--------------------------------------------------------------------------------------------------------------------------



Nmap :-

root@kali:~# nmap

  nmap -v -A scanme.nmap.org
  nmap -v -sn 192.168.0.0/16 10.0.0.0/8
  nmap -v -iR 10000 -Pn -p 80


nmap -p 1-65535 192.168.8.2
nmap -Pn 192.168.1.9
nmap -sT 192.168.1.9
nmap -sS 192.168.1.9        SYN scan; with this there is less chance of being caught by the other machine
nmap -sU 192.168.1.9        UDP scan

If the request is blocked, send ACK packets to scan the other machine, as below. The ACK scan reports ports as filtered or unfiltered rather than open or closed.

root@kali:~# nmap -sA 172.31.86.179
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-12 08:21 UTC
Nmap scan report for ip-172-31-86-179.ec2.internal (172.31.86.179)
Host is up (0.0014s latency).
All 1000 scanned ports on ip-172-31-86-179.ec2.internal (172.31.86.179) are unfiltered
MAC Address: 12:74:AD:24:21:51 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.70 seconds


If the target accepts requests only from a particular source port, use the option below:

root@kali:~# nmap --source-port 80 172.31.86.179
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-12 08:25 UTC
Nmap scan report for ip-172-31-86-179.ec2.internal (172.31.86.179)
Host is up (0.0011s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
111/tcp open  rpcbind
MAC Address: 12:74:AD:24:21:51 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
root@kali:~#


nmap --data-length 50 172.31.86.179       To set the packet size (appends 50 bytes of random data to each packet)

nmap --spoof-mac 22:33:44:55:66:77 172.31.86.179    To hide our MAC address
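
A defender can turn a scan like the one above into an exposure check. The following is an added example, not part of the original post: it reads Nmap's grepable output (-oG) and lists open ports that are not on an allowlist. The sample data is constructed and the allowlist "22 80" is an assumption.

```shell
#!/bin/sh
# Added example: list open ports in Nmap grepable output (-oG) that are not
# on an allowlist of ports the host is expected to expose.

# Constructed sample in -oG format with the three open ports reported above.
sample_scan() {
    printf 'Host: 172.31.86.179 (ip-172-31-86-179.ec2.internal)\tStatus: Up\n'
    printf 'Host: 172.31.86.179 (ip-172-31-86-179.ec2.internal)\tPorts: %s\t%s\n' \
        '22/open/tcp//ssh///, 80/open/tcp//http///, 111/open/tcp//rpcbind///' \
        'Ignored State: closed (997)'
}

# Usage: unexpected_ports "22 80" < scan.gnmap
# Prints "host port/proto service" for each open port missing from the allowlist.
unexpected_ports() {
    awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^Host: / && /Ports: / {
        host = $2
        list = $0
        sub(/^.*Ports: /, "", list)   # keep only the port list
        sub(/\t.*$/, "", list)        # drop later tab-separated fields
        m = split(list, ports, ", ")
        for (i = 1; i <= m; i++) {
            split(ports[i], f, "/")   # port/state/proto/owner/service/...
            if (f[2] == "open" && !(f[1] in ok))
                print host, f[1] "/" f[3], f[5]
        }
    }'
}

# Only 22 and 80 are expected here (an assumption), so 111/rpcbind is flagged.
sample_scan | unexpected_ports "22 80"
```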


-----------------------------------------------------------------------------------------------------------------------

Zenmap :- Zenmap is the graphical interface of Nmap.

We can do the same things in GUI mode.


--------------------------------------------------------------------------------------------------------------------

Using Nmap scripts:-

root@kali:~# cd /usr/share/nmap/
root@kali:/usr/share/nmap# ls
nmap.dtd  nmap-mac-prefixes  nmap-os-db  nmap-payloads  nmap-protocols  nmap-rpc  nmap-service-probes  nmap-services  nmap.xsl  nselib  nse_main.lua  scripts
root@kali:/usr/share/nmap# cd scripts/
root@kali:/usr/share/nmap/scripts# ls
root@kali:/usr/share/nmap/scripts# ls | grep ssh

root@kali:/usr/share/nmap/scripts# nmap --script=ssh-brute.nse 172.31.86.179


root@kali:/usr/share/nmap/scripts# nmap --script=ssh-hostkey.nse 172.31.86.179


-------------------------------------------------------------------------------------

root@kali:~# git clone https://github.com/scipag/vulscan.git


root@kali:~# git clone https://github.com/vulnersCom/nmap-vulners.git


root@kali:~# ls
Desktop  Documents  Downloads  Music  nmap-vulners  Pictures  Public  Templates  Videos  vulscan
root@kali:~# mkdir nmapscripts
root@kali:~# ls
Desktop  Documents  Downloads  Music  nmapscripts  nmap-vulners  Pictures  Public  Templates  Videos  vulscan
root@kali:~# mv vulscan/ nmapscripts/
root@kali:~# mv nmap-vulners/ nmapscripts/
root@kali:~# ls
Desktop  Documents  Downloads  Music  nmapscripts  Pictures  Public  Templates  Videos
root@kali:~#
root@kali:~# ls
Desktop  Documents  Downloads  Music  nmapscripts  Pictures  Public  Templates  Videos
root@kali:~# cd nmapscripts/
root@kali:~/nmapscripts# ls
nmap-vulners  vulscan
root@kali:~/nmapscripts# ls
nmap-vulners  vulscan
root@kali:~/nmapscripts# nmap --script vulscan,nmap-vulners -sV 172.31.86.179

-------------------------------------------------------------------------------------------------------------------

amap :- This is the same kind of tool as nmap.


Monday 11 November 2019

Passive information gathering and footprinting by Raj

---------------------------------------------------------------------------------------------------------------------

Google Hacking Database :-  In the GHDB, you will find search terms for files containing usernames, vulnerable servers, and even files containing passwords.

https://www.exploit-db.com/google-hacking-database



inurl: "index.php?id="



----------------------------------------------------------------------------------------------------------------
Nikto :- This gives information about the server on which the web application is running.

This will give
nikto -e 1 -h 172.31.93.23
nikto -h 172.31.93.23 -p 80

root@kali:~# nikto -e 1 -h 52.23.205.52
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          52.23.205.52
+ Target Hostname:    52.23.205.52
+ Target Port:        80
+ Using Encoding:     Random URI encoding (non-UTF8)
+ Start Time:         2019-11-11 08:47:00 (GMT0)
---------------------------------------------------------------------------
+ Server: Apache/2.2.34 (Amazon)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /, inode: 394812, size: 38, mtime: Mon Nov 11 07:57:20 2019
+ Apache/2.2.34 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /icons/: Directory indexing found.
+ 7888 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time:           2019-11-11 08:47:15 (GMT0) (15 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
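
The header and ETag findings in the report above can be re-checked after the server is reconfigured. Added example, not from the original post: it audits saved response headers (for instance from curl -sI). The sample headers and the function name audit_headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: re-check three of the Nikto findings above against saved
# response headers (for instance the output of `curl -sI http://host/`).

# Constructed sample: headers shaped like the server Nikto reported on.
sample_headers() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'Server: Apache/2.2.34 (Amazon)\r\n'
    printf 'ETag: "6063c-26-5970c0ffee000"\r\n'
    printf 'Content-Type: text/html; charset=UTF-8\r\n\r\n'
}

# Constructed sample: the same response after the headers were configured.
sample_fixed() {
    printf 'HTTP/1.1 200 OK\r\n'
    printf 'X-Frame-Options: SAMEORIGIN\r\n'
    printf 'X-Content-Type-Options: nosniff\r\n'
    printf 'ETag: "26-5970c0ffee000"\r\n\r\n'
}

# Reads raw response headers on stdin, prints one finding per line.
audit_headers() {
    tr -d '\r' | awk '
    /:/ { name = tolower($0); sub(/:.*/, "", name); seen[name] = 1 }
    # Three hex fields is the inode-size-mtime form (heuristic, an assumption).
    tolower($1) == "etag:" && $2 ~ /^"[0-9a-f]+-[0-9a-f]+-[0-9a-f]+"$/ {
        print "etag-exposes-inode"
    }
    END {
        n = split("x-frame-options x-content-type-options", want, " ")
        for (i = 1; i <= n; i++)
            if (!(want[i] in seen)) print "missing " want[i]
    }'
}

sample_headers | audit_headers
```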


------------------------------------------------------------------------------------------------------------------

whois :-

whois cnn.com     --- This gives information about the domain

 Domain Name: CNN.COM
   Registry Domain ID: 3269879_DOMAIN_COM-VRSN
   Registrar WHOIS Server: whois.corporatedomains.com
   Registrar URL: http://www.cscglobal.com/global/web/csc/digital-brand-services.html
   Updated Date: 2018-04-10T16:43:38Z
   Creation Date: 1993-09-22T04:00:00Z
   Registry Expiry Date: 2026-09-21T04:00:00Z
   Registrar: CSC Corporate Domains, Inc.
   Registrar IANA ID: 299
   Registrar Abuse Contact Email: domainabuse@cscglobal.com
   Registrar Abuse Contact Phone: 8887802723
   Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
   Domain Status: serverDeleteProhibited https://icann.org/epp#serverDeleteProhibited
   Domain Status: serverTransferProhibited https://icann.org/epp#serverTransferProhibited
   Domain Status: serverUpdateProhibited https://icann.org/epp#serverUpdateProhibited
   Name Server: NS-1086.AWSDNS-07.ORG
   Name Server: NS-1630.AWSDNS-11.CO.UK
   Name Server: NS-47.AWSDNS-05.COM
   Name Server: NS-576.AWSDNS-08.NET
   DNSSEC: unsigned
   URL of the ICANN Whois Inaccuracy Complaint Form: h

and many more
----------------------------------------------------------------------------------------------------------------

theHarvester :-

root@kali:/usr/share/theharvester# ./theHarvester.py -d microsoft.com -l 500 -b google      ---- This lists all the URL addresses found, with the IP of the application server

Like below:

cloudblogs.microsoft.com:107.154.103.97
compass-ssl.microsoft.com:104.106.190.130
devblogs.microsoft.com:104.81.164.97
ds.microsoft.com:204.79.197.219
msdn.microsoft.com:104.108.116.12
msrc-blog.microsoft.com:40.122.65.162
news.microsoft.com:192.237.225.141
schemas.microsoft.com:104.108.119.185
support.microsoft.com:184.28.88.173
techcommunity.microsoft.com:208.74.205.202
www.microsoft.com:23.66.102.27

--------------------------------------------------------------------------------------------------------------

Shodan :- Shodan is a search engine that lets the user find specific types of computers connected to the internet using a variety of filters.




To get the router IP address:

root@kali:~# netstat -nr
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         172.31.80.1     0.0.0.0         UG        0 0          0 eth0
172.31.80.0     0.0.0.0         255.255.240.0   U         0 0          0 eth0
root@kali:~#


-------------------------------------------------------------------------------------------------------------------------


DNS Zone transfers with Dig :-

root@kali:~# dig axfr facebook.com @A.NS.FACEBOOK.COM

; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> axfr facebook.com @A.NS.FACEBOOK.COM
;; global options: +cmd
facebook.com.           3600    IN      SOA     a.ns.facebook.com. dns.facebook.com. 1573464454 14400 1800 604800 300
; Transfer failed.
root@kali:~#
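
The failed transfer above is the result a zone owner wants to see from every name server. Added example, not from the original post: it classifies dig axfr output read on stdin. The example.test records are constructed and check_zone is a hypothetical wrapper.

```shell
#!/bin/sh
# Added example: classify the output of `dig axfr <zone> @<server>` so a zone
# owner can confirm that their name servers do not hand out the zone.

# Sample: the failed transfer from the session above.
sample_refused() {
cat <<'EOF'
; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> axfr facebook.com @A.NS.FACEBOOK.COM
;; global options: +cmd
facebook.com.           3600    IN      SOA     a.ns.facebook.com. dns.facebook.com. 1573464454 14400 1800 604800 300
; Transfer failed.
EOF
}

# Constructed sample: a server that answers the transfer (reserved test names).
sample_allowed() {
cat <<'EOF'
;; global options: +cmd
example.test.      3600 IN SOA ns1.example.test. admin.example.test. 1 14400 1800 604800 300
example.test.      3600 IN NS  ns1.example.test.
vpn.example.test.  3600 IN A   192.0.2.10
example.test.      3600 IN SOA ns1.example.test. admin.example.test. 1 14400 1800 604800 300
;; XFR size: 4 records (messages 1, bytes 203)
EOF
}

# Reads dig output on stdin: prints FAILED, "ALLOWED <n> records" or UNKNOWN.
axfr_status() {
    awk '
    /^; Transfer failed/ { failed = 1 }
    /^;; XFR size:/      { done = 1; count = $4 }
    END {
        if (failed)    print "FAILED"
        else if (done) print "ALLOWED " count " records"
        else           print "UNKNOWN"
    }'
}

# Hypothetical wrapper for a live check of a zone you operate (not run here).
check_zone() { dig axfr "$1" "@$2" | axfr_status; }

sample_refused | axfr_status
sample_allowed | axfr_status
```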



root@kali:~# dig google.com

; <<>> DiG 9.11.5-P4-5.1+b1-Debian <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 34527
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             60      IN      A       172.217.15.78

;; Query time: 2 msec
;; SERVER: 172.31.0.2#53(172.31.0.2)
;; WHEN: Mon Nov 11 09:25:09 UTC 2019
;; MSG SIZE  rcvd: 55


----------------------------------------------------------------------------------------------------------------------

dnsenum :- This is the same kind of tool as dig, but it gives more information.



root@kali:~# dnsenum google.com
Smartmatch is experimental at /usr/bin/dnsenum line 698.
Smartmatch is experimental at /usr/bin/dnsenum line 698.
dnsenum VERSION:1.2.4

-----   google.com   -----


Host's addresses:
__________________

google.com.                              60       IN    A        172.217.12.238


Name Servers:
______________

ns4.google.com.                          60       IN    A        216.239.38.10
ns1.google.com.                          60       IN    A        216.239.32.10
ns2.google.com.                          60       IN    A        216.239.34.10
ns3.google.com.                          60       IN    A        216.239.36.10


Mail (MX) Servers:
___________________

alt2.aspmx.l.google.com.                 60       IN    A        209.85.202.26
alt3.aspmx.l.google.com.                 45       IN    A        172.253.120.26
alt4.aspmx.l.google.com.                 60       IN    A        172.217.218.27
aspmx.l.google.com.                      60       IN    A        172.217.197.26
alt1.aspmx.l.google.com.                 60       IN    A        64.233.186.27


Trying Zone Transfers and getting Bind Versions:
_________________________________________________


Trying Zone Transfer for google.com on ns4.google.com ...
AXFR record query failed: corrupt packet

Trying Zone Transfer for google.com on ns1.google.com ...
AXFR record query failed: corrupt packet

Trying Zone Transfer for google.com on ns2.google.com ...
AXFR record query failed: corrupt packet

Trying Zone Transfer for google.com on ns3.google.com ...
AXFR record query failed: corrupt packet

brute force file not specified, bay.
root@kali:~#