Category Archives: Ethical Hacking

Nmap

Nmap is a network scanning tool. By sending packets to a target and analysing the responses, Nmap discovers hosts and the services they offer. When performing a remote attack, Nmap is useful for discovering the open ports on the target.

On the command line, typing nmap by itself lists the available options and what they do. The command we will execute is: nmap -sV <target>

The -sV option probes the open ports on the target to determine the service (and its version) running on each of them.

The screenshot below shows the result of nmap -sV 128.199.101.40

This Nmap scan was run against the IP address and, as seen in the screenshot, it resolved to the domain team5.pentest.id and reported the host as up. It reported the number of closed ports and filtered ports, and the details of the open ports, including the service on each open port.

Nikto

Nikto is a command-line vulnerability scanner that checks websites for outdated server software, dangerous files and directories, and similar issues. It performs a large number of tests against a website and reports back security weaknesses that could be exploited. Because it finds problems that are hard to detect by hand, it is popular among system administrators and security professionals.

To scan a target website, use the command: nikto -host <target>. The target can be either a domain or an IP address.

In the example below, we run a Nikto scan against a website with the IP address 128.199.101.40, so the command is: nikto -host 128.199.101.40

In this example the IP address is used because scanning the domain would scan Cloudflare's SSL endpoint instead of the origin server. As shown below, we find that the server is Apache/2.4.6 and the OS is CentOS. The scan also detected a robots.txt file listing directories such as /password.lst, and found that the PHP version is outdated.

The weakness of Nikto is that it is not stealthy. Nikto makes over 2000 HTTP GET requests to the web server, so a Nikto scan should be detectable. This volume of GET requests can also be used to test the system's Intrusion Detection System (IDS).

Finding the real IP behind Cloudflare

Cloudflare provides a Content Delivery Network and at the same time enhances the security of websites. It is easy to set up regardless of the platform a website runs on. Cloudflare stops malicious traffic from reaching the website's server: all traffic requesting the website is routed through Cloudflare's network. Cloudflare also provides its own DNS service, so a website that uses Cloudflare does not have its real IP address exposed publicly.

As shown below, running the command ping team5.pentest.id gives the IP address 104.28.30.3.

However, if we try to access the website through that IP address, we get the following Cloudflare error.

If we check the domain pentest.id with the command whois pentest.id, it shows that the name servers are Cloudflare's. This confirms that 104.28.30.3 is a Cloudflare IP and not the real IP.

There are various methods for finding the real IP of a website behind Cloudflare. The simplest, and probably the first that should be tried, is Censys.io. To use censys.io, input the domain you are targeting. As shown below, censys.io gives us an IP address along with the OS, open ports, etc.

The IP address detected by censys.io is 128.199.101.40. We need to make sure this is the correct IP for the domain. One check is to access the website directly through the IP address, as shown below. We see that the IP address detected by censys.io leads to team5.pentest.id.


Cloning a website with SET

Social engineering is the act of exploiting human vulnerabilities to obtain sensitive information. It relies on trust: in a trusting relationship, the target is more likely to share information.

Methods of social engineering include: impersonation, reciprocation, influential authority, scarcity, and social relationship.

SET is a Social Engineering Toolkit. We will use this tool to clone a popular website, applying the impersonation method.

To start SET, in Kali Linux navigate to "applications" > "social engineering tools" > "social engineering toolkit".

Once SET has started, it will give you a number of options.

First, choose 1: social engineering attacks

Choose 2: website attack vectors

Choose 3: credential harvester attack method

Choose 2: site cloner

Next, input the IP address of the attacking VM, which can be found with the ifconfig command, and the URL of the website you are cloning. In this example, https://www.twitter.com.

If you open a browser and type in the IP of the attacking VM, a clone of twitter.com is displayed. If a username and password are entered into the login box, they are displayed in the Kali Linux command line.

This is an example of the impersonation method, because we are impersonating the login page of a well known website. The victims who visit this cloned website will assume it is the real one and would input their username and password. They will not be aware that their username and password have been sent to the attacker.

Google Hacking

Google is not just a search engine for finding news, videos or images; it can also be a very useful hacking tool. Keep in mind that Google does not let you hack directly into websites, but because of its web-crawling abilities you can find sensitive information that was never meant for public consumption.

Using Google to find sensitive information is also called "Google Dorking" or "Google Hacking". A Google Dork is a query that surfaces information that was not meant to be found. Running Google Dork queries can turn up lists of files, usernames, passwords, emails, IDs, as well as web vulnerabilities.

The syntax is operator:<search string> (with no space after the colon).

You can also search “index of” followed by what you are looking for. For example, index of “/ktp” will display people’s IDs.

Other Google Dork operators include:

  1. cache = this will show the cached version of any website
  2. allintext = this will search for a specific text contained in a webpage
  3. allintitle = this will search for a specific title
  4. allinurl = this will search for URLs that have specific characters contained in them
  5. filetype = this will search for file extensions

There are many more operators that can be used in a Google Dork query. To learn more, visit the Google hacking database: https://www.exploit-db.com/google-hacking-database

Custom SSL Certificate

When you intercept network traffic with Burp Suite, you may get an SSL error saying that your connection is not secure. Websites may not load properly and the padlock next to the URL shows a warning. To prevent this, you can create a custom CA certificate and import it into Burp Suite and the browser.

In Kali Linux, open the browser, go to "preferences" and find "network proxy". Click on "settings" and select "manual proxy".

In Burp Suite, go to "proxy", then "options". You will see that the proxy listener is the one set previously in the browser.

To create the certificate, we will run three commands in the terminal, as shown below:

The first command is: openssl req -x509 -days 730 -nodes -newkey rsa:2048 -outform der -keyout server.key -out ca.der

After this command, OpenSSL asks for the details to put in the certificate: a two-letter country code, state or province, city, organisation, organisational unit, common name and an email address. The example above sets the organisation name to Verisign Corp.

The second command converts the private key from PEM to DER encoding: openssl rsa -in server.key -inform pem -out server.key.der -outform der

The third command wraps the DER key in an unencrypted PKCS#8 structure, which is the private key format Burp Suite imports: openssl pkcs8 -topk8 -in server.key.der -inform der -out server.key.pkcs8.der -outform der -nocrypt

Now when you open the file manager ("files"), you will see that three files have been created.


Return to the BurpSuite window and select “import/export CA certificate”. Then, select “certificate and private key in DER format”. The certificate file is ca.der and the private key file is server.key.pkcs8.der.

Return to the browser, open “preferences” and click on the padlock.

Scroll to the bottom of the page and click on “view certificates”.

Next, import the ca.der file into the browser and select "Trust this CA to identify websites".

Verisign Corp is now included in the certificates:

Websites that you open in the browser now present certificates issued by the custom CA named Verisign Corp.

Reference: https://portswigger.net/burp/documentation/desktop/tools/proxy/options

Burp Suite

In Kali Linux, you can use a tool called Burp Suite to intercept network traffic. You can find it under the "applications" dropdown. Once it opens, select "temporary project" and "use Burp defaults". Start Burp Suite and you will see the screen shown below:

Click "proxy" and "options". Highlight the current host and port and click "edit". Click "request handling" and tick "support invisible proxying". Click OK.


Open the browser (Mozilla Firefox) and go to preferences. Scroll to the bottom and click on "settings". Select "manual proxy configuration" and enter the proxy listener as the HTTP proxy: 127.0.0.1, port 8080. Tick "use this proxy server for all protocols". Click OK.


In the browser, open the URL of your target. Requests are now intercepted by Burp Suite. In Burp Suite, go to "proxy", then "intercept". Keep clicking "forward" and you will see the requests as shown below:

Brute force password using WPScan

Previously we discussed how to enumerate valid usernames and how to create a dictionary of common passwords. Using WPScan, we can run a brute force attack to find the password that matches a username.

In the command line, type:

wpscan --url <targeturl> -P <path to password list> -U <username>

You can brute force multiple usernames at once by separating them with commas:

wpscan --url <targeturl> -P <path to password list> -U <username,username,username>

WPScan then tries every password in the .txt file. This takes time, depending on how many passwords are in the list and where in the list the correct password sits.

Creating a password dictionary using CUPP

Before we can brute force the password of a particular user, we need a list of candidate passwords. CUPP (Common User Passwords Profiler) works by asking for basic information about the target such as first name, last name, birthday, spouse, children, pets, occupation, etc. It then uses that information to generate a list of possible passwords.

To start using CUPP, first clone the repository from GitHub. In the command line, type: git clone https://github.com/Mebus/cupp.git

Once it is cloned, cd into the directory. You can list the folders and files in the current directory by typing "ls". As shown below, there is a folder "cupp", so we type: cd cupp

To run the tool, type: python3 cupp.py -i

CUPP will then ask you to input information about the target. As seen in the screenshot below, it asks for first name, surname, nickname, birthdate, partner, children, pets, and company. If you are unsure, press "enter" to skip. Optionally, you can add a few keywords related to the target.

Once you have included such information, CUPP will generate a password dictionary.

The screenshot below shows the password dictionary generated by CUPP.

Now that we are aware of such a tool, it is important to always choose a strong password. Avoid passwords that include your name or birthday; they are easy to guess and offer no protection against a brute force attack.
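The advice above can be enforced at registration time: a password that is just a profile answer with digits, a year or leet-style substitutions added is exactly what a profiler-generated list would contain, so a form can refuse it. The following is an added example, not code from the original post or from CUPP; the sample profile values are constructed and the undo rules for leet characters and appended digits are assumptions about how such lists are typically built.

```python
import re

# Leet substitutions commonly applied to profile words, here used in reverse to undo them.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t"})

def profile_tokens(profile):
    """Normalise CUPP-style profile answers into lowercase tokens a password must not be built from."""
    tokens = set()
    for value in profile.values():
        for part in re.split(r"[\s\-/.]+", str(value).lower()):
            if len(part) >= 3:
                tokens.add(part)
    # Birthdates tend to appear as DDMMYYYY, as the bare year, or as the two-digit year.
    parts = re.findall(r"\d+", str(profile.get("birthdate", "")))
    tokens.update(parts)
    tokens.add("".join(parts))
    tokens.update(p[2:] for p in parts if len(p) == 4)
    tokens.discard("")
    return tokens

def profile_derived(password, profile):
    """Return the sorted profile tokens the password is built from (empty list if none)."""
    tokens = profile_tokens(profile)
    raw = password.lower()
    # Digits and specials are usually prepended/appended to a word: peel them off the core.
    head = re.match(r"[^a-z]*", raw).group()
    tail = re.search(r"[^a-z]*$", raw).group() if head != raw else ""
    core = raw[len(head):len(raw) - len(tail)]
    digits = re.sub(r"\D", "", head + tail)
    hits = set()
    for letters in {re.sub(r"[^a-z]", "", core), re.sub(r"[^a-z]", "", core.translate(LEET))}:
        for t in tokens:
            # a single token, or two tokens glued together (first+last name, partner+pet ...)
            if t.isalpha() and letters.startswith(t) and letters[len(t):] in tokens | {""}:
                hits.update({t, letters[len(t):]} - {""})
    if digits in tokens:
        hits.add(digits)
    return sorted(hits)
```

A registration handler would reject the password whenever profile_derived returns a non-empty list; passwords unrelated to the profile pass through untouched.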

User Enumeration using WPScan

One method of gaining access to an account is to brute force the username and password. However, this will not succeed without a valid username. To find valid usernames, we can use WPScan to enumerate users.

In the command line, type: wpscan --url <targeturl> --enumerate u

In the above example, the target URL is team5.pentest.id.

Give it a few moments and it lists the valid users; in this case, user5 and adminteam5.
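The Nikto and WPScan sections above describe traffic that stands out in ordinary web server access logs: Nikto's self-identifying User-Agent and its burst of requests for files that do not exist, WPScan's repeated POSTs to wp-login.php during a brute force, and the sequence of ?author=N requests used for user enumeration. This added example (not from the original posts) runs those three checks over constructed Apache combined-format log lines; the thresholds and the documentation-range IP addresses are assumptions.

```python
import re
from collections import Counter, defaultdict

# Apache/nginx "combined" access-log line; one regex yields every field the rules need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def detect(lines, scan_threshold=50, login_threshold=20):
    """Return {alert_name: set(source IPs)} for the scanner and WordPress attack patterns."""
    alerts = defaultdict(set)
    hits, not_found, logins, author_ids = Counter(), Counter(), Counter(), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:                                   # skip malformed lines rather than crash
            continue
        ip = m["ip"]
        hits[ip] += 1
        if "nikto" in m["ua"].lower():              # Nikto's default User-Agent names itself
            alerts["nikto_user_agent"].add(ip)
        if m["status"] == "404":
            not_found[ip] += 1
        if m["method"] == "POST" and m["path"].startswith("/wp-login.php"):
            logins[ip] += 1                         # one password guess per POST
        a = re.search(r"[?&]author=(\d+)", m["path"])
        if a:
            author_ids[ip].add(a.group(1))          # ?author=N redirects reveal usernames
    for ip, n in hits.items():
        # A Nikto run is thousands of probes for files that do not exist: volume plus 404 ratio.
        if n >= scan_threshold and not_found[ip] / n > 0.5:
            alerts["web_scanner_burst"].add(ip)
        if logins[ip] >= login_threshold:
            alerts["wp_login_bruteforce"].add(ip)
        if len(author_ids[ip]) >= 3:
            alerts["wp_author_enumeration"].add(ip)
    return dict(alerts)

def sample_log():
    """Constructed traffic: a Nikto run, a wp-login brute force, author enumeration, one normal visit."""
    fmt = '{ip} - - [10/Oct/2019:13:55:{s:02d} +0700] "{m} {p} HTTP/1.1" {c} 512 "-" "{ua}"'
    nikto_ua = "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
    lines = [fmt.format(ip="198.51.100.7", s=i % 60, m="GET", p=f"/probe{i}.php",
                        c=404 if i % 10 else 200, ua=nikto_ua) for i in range(60)]
    lines += [fmt.format(ip="203.0.113.9", s=i, m="POST", p="/wp-login.php", c=200, ua="Mozilla/5.0")
              for i in range(25)]
    lines += [fmt.format(ip="192.0.2.44", s=i, m="GET", p=f"/?author={i}", c=301, ua="Mozilla/5.0")
              for i in range(1, 6)]
    lines.append(fmt.format(ip="192.0.2.10", s=0, m="GET", p="/index.php", c=200, ua="Mozilla/5.0"))
    return lines
```

Calling detect(sample_log()) flags 198.51.100.7 for both the Nikto User-Agent and the 404-heavy burst, 203.0.113.9 for the login brute force and 192.0.2.44 for author enumeration, while the ordinary visitor produces no alert.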