
Hacking with Security Tools Part - I

 Setting up your Virtual Environment

    Welcome to the first module of this workshop where we will present lots of hacking tricks and techniques you can achieve with Kali Linux. In fact, you can perform complete end-to-end hacking with Kali Linux. When thinking about hacking you might think that it’s a difficult job, but with Kali, this job will be much easier and all the instructions will be presented in this workshop.

Prerequisites 

Surprisingly, you don’t need any solid background in security or hacking; we will present all the skills that can make you a hacker!

     However, you need to have a solid playground where you can perform hacking on a trial basis and for this reason you need to have a solid machine on which you can build your hacking environment. In this module, we will be guiding you on how you can make your own lab to practice hacking. 

Building the Virtual Hacking Environment

 To achieve this goal, you need one platform on which you can run multiple operating systems, including the victim machines and Kali Linux as the master machine from which you will perform hacking attempts. To make it happen, let’s download VirtualBox!

Download Link: https://www.virtualbox.org/wiki/Downloads. 

Now select and download the binary for your operating system. In my case, I will be installing VirtualBox-4.3.12-93733-OSX from the above download link, as shown below.








Great, the VirtualBox installation is now complete. This will be the platform on which you build the virtual lab to learn hacking with Kali Linux.

 Now we will proceed with installing Kali Linux. First we need to get the latest copy of the Kali Linux Image from kali.org.

 Download link: http://www.kali.org/downloads/.


Download the Kali Linux image that matches your hardware; in our lab, we will be using the Kali Linux 64 bit ISO, version 1.0.0.

  Once the download finishes, follow the steps below to prepare the virtual machine on which Kali Linux will be installed.

 Set up the virtual machine and install Kali Linux (master operating system)

  Follow the instructions as shown for installing Kali Linux.

 Now set up a new machine as Linux type, as shown below, and continue the configuration of the new virtual machine as BSD type.








Your virtual machine with Kali Linux is now running, as shown above, and boots from the CD into the Kali Linux boot modes shown. We recommend keeping the Live CD option for use on the go. However, you can also choose the option to install Kali Linux as the operating system.

 Great, you managed to install Kali Linux, but this is just one side of the mirror: you also need victim machines that you can hack into by using Kali Linux. For this purpose we have the following options to build the next part of our virtual hacking lab.

1. Vulnerable Microsoft Operating System (Windows XP) 

2. Metasploitable (Linux as Vulnerable Operating System) 

3. Vulnerable Microsoft Operating System (Windows 8) 

We will set up the vulnerable operating systems listed above in our environment so that we can practice with real hack attempts.

  It is also beneficial to install two instances of each operating system; however, keep your hardware capacity in mind as well.

Victim Machine (Microsoft Windows) 

  Now set up a new machine as shown below to install Windows XP with the following naming and type info.














Without hiccups this would lead to a successful installation of Windows XP operating system. However, you need to ensure that your Network Card type is set as shown below in order to connect your Virtual Machine with your virtual lab.


Victim Machine (Metasploitable)

 Next, we will set up another virtual machine to install the Linux-based vulnerable operating system called Metasploitable. First, download the image from the link below.

Download Link: https://information.rapid7.com/metasploitable-download.html .

However, you need to complete a general form so that the community knows you. It’s easy and quick to download this vulnerable operating system.

 Metasploitable comes in a zip format, which you can unzip to get the files to be used as virtual machine. After unzipping, you should be able to see the following files. This was running on VMware, so you might see a couple more files.











Victim Machine (kioptrix) 

 This operating system is basically a hacking challenge, which is being developed by one of the well-known offensive-security members. We will download these challenges as well to make them part of our hacking with Kali Linux. Download the images from the links below, one by one, and add them to your virtual lab environment just as you did for Metasploitable. If you cannot achieve this task with VirtualBox, then it is recommended that you switch to VMware to build your lab.

Kioptrix Hacking Challenges 

• Level1 image http://www.kioptrix.com/blog/dlvm/Kioptrix_Level_1.rar 
• Level2 image http://www.kioptrix.com/blog/dlvm/Kioptrix_Level_2.rar 
• Level3 image http://www.kioptrix.com/blog/dlvm/KVM3.rar 
• Level4 image http://www.kioptrix.com/blog/dlvm/Kioptrix4_vmware.rar 
• Final Level http://www.kioptrix.com/blog/dlvm/kiop2014.tar.bz2 

   It is also recommended that you create more virtual machines, depending on how much space and memory you have in your system. Below are some of the vulnerable operating systems specifically developed for hacking purposes!

OS for Web for Pen testers 
  
  This operating system is dedicated to web-based vulnerabilities, and you can use it to practice hacking skills pertaining to web hacks. It can be downloaded from the link below.

 Link: http://files.pentesterlab.com/web_for_pentester_II/web_for_pentester_II.iso. 

 DVWA

  You can also download the Damn Vulnerable Web Application kit, which is likewise equipped with web application vulnerabilities, from the link below.

  Link: http://www.dvwa.co.uk/DVWA-1.0.7.iso. 

  By setting up your lab with these operating systems in the virtual environment, you will be able to practice hacking skills with Kali Linux. In the upcoming module we will focus on how you can achieve ethical hacking with Kali Linux.
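Every victim machine in this lab is deliberately vulnerable, so the network adapter setting mentioned above is worth checking for each VM before it is booted. The following script is an added example, not part of the original post: it reads `VBoxManage showvminfo --machinereadable` output and flags adapters that reach beyond the lab. Treating only internal-network and host-only adapters as isolated is an assumption of this example, and the network name `hacklab` and the sample VM data are constructed.

```shell
#!/bin/sh
# Added example: flag lab VMs whose adapters reach beyond the lab network.
# Input: text from `VBoxManage showvminfo <vm> --machinereadable` on stdin.
# Assumption: intnet, hostonly and none count as isolated; nat, bridged etc. do not.

check_vm_isolation() {
    # Prints one line per exposed adapter; exit status 1 if any was found.
    awk -F= '
        BEGIN { exposed = 0 }
        /^name=/ { gsub(/"/, "", $2); vm = $2 }
        /^nic[0-9]+=/ {
            mode = $2; gsub(/"/, "", mode)
            if (mode != "intnet" && mode != "hostonly" && mode != "none") {
                printf "%s: %s is \"%s\" (reaches outside the lab)\n", vm, $1, mode
                exposed = 1
            }
        }
        END { exit exposed }
    '
}

audit_all_vms() {
    # Real use: check every registered VM (needs VBoxManage on the host).
    VBoxManage list vms | sed 's/^"\(.*\)" {.*$/\1/' | while IFS= read -r vm; do
        VBoxManage showvminfo "$vm" --machinereadable | check_vm_isolation
    done
}

# Constructed sample: a victim VM left on a bridged adapter.
sample_exposed() {
    cat <<'EOF'
name="Metasploitable"
nic1="bridged"
bridgeadapter1="en0"
nictype1="Am79C973"
nic2="none"
EOF
}

# Constructed sample: Kali attached only to the internal lab network.
sample_isolated() {
    cat <<'EOF'
name="Kali"
nic1="intnet"
intnet1="hacklab"
nic2="none"
EOF
}

# Demo on the constructed samples. To move a flagged VM onto the lab network:
#   VBoxManage modifyvm "Metasploitable" --nic1 intnet --intnet1 hacklab
sample_exposed | check_vm_isolation || echo "move the adapters above to the lab network"
sample_isolated | check_vm_isolation && echo "Kali: all adapters isolated"
```

On a real host, call `audit_all_vms` instead of the sample functions.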
