Vulnerable Machines for your Lab:

  1. Metasploitable (login msfadmin / msfadmin)
  2. UltimateLAMP
  3. Web Security Dojo
  4. OWASP Hackademics
  5. DVWA Damn Vulnerable Web Application
  6. Mutillidae
  7. De-ICE
  8. OWASP Web Goat
  9. Google Gruyere
  10. old Ubuntu versions

Tools:


Commands:

  • use sudo netdiscover to list all the active hosts in your network (ARP based, so it only sees the local segment)
  • use netstat -nr (or ip route) to discover the router/gateway, i.e. the default route
  • use nmap 192.168.1.1/24 to scan the entire /24 network for open ports (by default the 1000 most common TCP ports on every host)
  • use sudo nmap -sS 192.168.1.2 for a TCP SYN scan: the Kali machine only sends the first packet of the 3-way handshake, reads the SYN/ACK (open) or RST (closed) and then resets the half-open connection instead of completing it; raw sockets are needed, hence sudo
  • use sudo nmap -sU 192.168.1.2 for a UDP scan (slow: closed ports answer with ICMP port unreachable, open ports often do not answer at all)
  • use sudo nmap -O 192.168.1.2 to fingerprint the operating system running on the target machine
  • use sudo nmap -sV --version-intensity 9 192.168.1.2 to discover the software version running on an open port with maximum probe intensity (0 to 9, default 7: higher sends more probes, is slower and noisier)
  • use sudo nmap -sV 192.168.222.127 -p- for a scan of all 65535 TCP ports (1-65535) on a target machine
  • use sudo nmap -A 192.168.1.2 (aggressive) to enable several advanced features of nmap at once: OS detection, version detection, the default NSE scripts and traceroute
  • use nmap -sn 192.168.1.1/24 for host discovery only (ping scan, no port scan) to check which hosts are UP
  • use nmap -p 80,22 192.168.1.1 to check specific ports on the target host, in this case port 22 and port 80
  • use nmap -p 1-65535 192.168.1.1 to check a range of ports (65535 is the highest valid port number)
  • use nmap -F 192.168.1.1 to scan the TOP 100 ports (the most commonly used ones, not 1 to 100)
  • use sudo nmap -f 192.168.1.1 to split the probes into tiny (8 byte) IP fragments to evade a firewall or IDS that does not reassemble fragments (a 24 byte TCP header becomes 3 fragments)
  • use sudo nmap -f -f 192.168.1.1 to use 16 bytes per fragment instead
  • use sudo nmap -D 192.168.1.2,192.168.1.3,192.168.1.5,ME 192.168.1.targetIP to scan the target from several decoy IP addresses as well as your own: the target sees the same probes from all of them and cannot tell which source is the real scanner. ME marks the position of your real address in the list. The decoys should be hosts that are actually up, otherwise you may SYN flood the target, and decoys do not help with -sV or -sT, which need real connections
  • use sudo nmap -sS 192.168.1.1 >> outputofscan.txt to append the output to a file (with no output to the terminal); nmap's own -oN outputofscan.txt does the same, and -oG / -oX give grepable / XML output that is easier to parse
  • use sudo nmap --script auth -sS 192.168.1.1 to run an entire category of NSE scripts against the target, here the auth scripts that test for default and weak credentials (on Metasploitable this found tomcat:tomcat on port 8180); the scripts themselves live in /usr/share/nmap/scripts/
  • use sudo nmap --script malware -sS 192.168.1.1 to check if the target machine is infected by known malware or backdoors
  • use sudo nmap --script banner -sS 192.168.1.1 to grab the banner each open port sends on connect (usually an information disclosure: the exact version of the software running on that port)
  • use sudo nmap --script exploit -sS 192.168.1.1 to run the scripts that actively try to exploit a vulnerability (port 21 ftp user: root pass: root)
  • use sudo nmap --script-help firewall-bypass.nse to get details about what a certain script is able to do and which --script-args it accepts
  • use sudo nmap --script firewall-bypass.nse 192.168.1.1 to execute the above mentioned script
  • use ftp 192.168.1.1 to connect to the target machine over FTP (login anonymous | password123; anonymous logins accept an arbitrary password, by convention an e-mail address) (help for help | exit to exit)
  • use sudo nmap -sV 192.168.1.2 to discover the software version running on an open port (default intensity is 7) and then simply google the software and the version + exploit (example: VSFTPD v2.3.4 Backdoor Command Execution – https://www.rapid7.com/db/modules/exploit/unix/ftp/vsftpd_234_backdoor/) or (apache httpd 2.2.8 exploit – https://charlesreid1.com/wiki/Metasploitable/Apache | https://www.cvedetails.com/vulnerability-list.php?vendor_id=45&product_id=66&version_id=416233)
  • use searchsploit UnrealIRCd to search the local copy of Exploit-DB that ships with Kali Linux for exploits that could be used against that software
  • use locate 49757.py (or searchsploit -p 49757) to find the location of the script identified by the searchsploit command above, so it can be read and used to exploit the vulnerability
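The commands above chain into one workflow: find the hosts that are up, SYN scan the open ports, then run version detection only on those ports instead of all 65535 again. The script below is an added example and not part of the original notes: it parses nmap's grepable output (-oG) for the first two steps and builds the -sV command for the third. The two nmap reports embedded in it are constructed sample data so it runs offline without nmap or root; the file names hosts.gnmap and ports.gnmap and the helper names live_hosts, open_ports and version_scan_cmd are my own.

```shell
#!/bin/sh
# Added example: parse nmap -oG output to drive the next scan step.
# Real data would come from:
#   sudo nmap -sn 192.168.1.0/24 -oG hosts.gnmap
#   sudo nmap -sS -p- 192.168.1.2 -oG ports.gnmap

# Constructed sample: grepable output of a ping scan (-sn). Fields are
# whitespace separated, so the IP is always the second field of a Host: line.
HOSTS_GNMAP='# Nmap 7.94 scan initiated as: nmap -sn -oG hosts.gnmap 192.168.1.0/24
Host: 192.168.1.1 ()  Status: Up
Host: 192.168.1.2 ()  Status: Up
Host: 192.168.1.5 ()  Status: Down
# Nmap done'

# Constructed sample: grepable output of a SYN scan of all ports on one host.
# Each entry in the Ports: list is port/state/proto/owner/service/rpc/version/
PORTS_GNMAP='# Nmap 7.94 scan initiated as: nmap -sS -p- -oG ports.gnmap 192.168.1.2
Host: 192.168.1.2 ()  Status: Up
Host: 192.168.1.2 ()  Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 8180/open/tcp//unknown///, 6000/closed/tcp//X11///  Ignored State: filtered (65530)
# Nmap done'

# live_hosts REPORT: print one IP per line for every host marked "Status: Up"
live_hosts() {
    printf '%s\n' "$1" | awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# open_ports REPORT: print the open TCP ports as a comma separated list,
# in the form nmap -p expects. Closed/filtered entries are dropped.
open_ports() {
    printf '%s\n' "$1" | awk -F'Ports: ' '/Ports:/ {
        n = split($2, entry, ", ")
        for (i = 1; i <= n; i++) {
            split(entry[i], f, "/")          # f[1]=port f[2]=state f[3]=proto
            if (f[2] == "open" && f[3] == "tcp") {
                if (ports != "") ports = ports ","
                ports = ports f[1]
            }
        }
        print ports
    }'
}

# version_scan_cmd HOST PORTS: the follow-up -sV command restricted to the
# ports already known to be open, at maximum version-probe intensity
version_scan_cmd() {
    printf 'sudo nmap -sV --version-intensity 9 -p %s %s\n' "$2" "$1"
}

# Walk the workflow on the sample data
for h in $(live_hosts "$HOSTS_GNMAP"); do
    echo "host up: $h"
done
version_scan_cmd 192.168.1.2 "$(open_ports "$PORTS_GNMAP")"
```

With real reports, replace the two variables with `$(cat hosts.gnmap)` and `$(cat ports.gnmap)`; the printed -sV command can be piped straight into sh once you have checked it.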

Notes:

  • use sudo nmap -sS 192.168.1.2 instead of nmap -sT 192.168.1.2: -sT completes the full TCP handshake, so every probe reaches the listening application and ends up in its logs, which makes more noise on the target machine; -sS never completes the handshake, so it leaves fewer traces on the system. Both are still visible to a network IDS, so the "stealth" only holds against host-side application logging.

Resources:

  • use cd /usr/share/nmap/scripts/ && ls for a full list of the nmap scripts that could help with target scanning (script.db in the same directory maps each script to its categories) | described here: https://nmap.org/book/nse-usage.html
