Kali Linux Tutorials

Category: Scanning

How Port Scanning Works ? Port Scanning TCP & UDP Explained
Identifying open ports on a target system is extremely
important step to defining the attack surface of a target system. Open
ports correspond to the networked services that are running on a system.
Programming errors or implementation flaws can make these services susceptible to security and it also may cause compromise entire system. to work out the possible attack vectors, we must first enumerate the open ports on all of the remote systems.

These open ports correspond to services which will be addressed with either UDP or TCP traffic. Both TCP and UDP are transport protocols. Transmission Control Protocol (TCP) is that the more widely used of the 2 and provides connection-oriented communication. User Datagram Protocol (UDP) may be a non connection-oriented protocol that’s sometimes used with services that speed of transmission is more important than data integrity.

The penetration testing method used to determine these services is called port scanning. In our this article we are going to cover some basic theory about the port scanning then we can easily understand the work methodology of any port scanner tools.

UDP Port Scanning

Because TCP may be a more widely used transport layer protocol, services that operate over UDP are frequently forgotten. Despite the natural tendency to overlook UDP services, it’s absolutely critical that these services are enumerated to accumulate an entire understanding of the attack surface of any given target. UDP scanning can often be challenging, tedious, and time consuming. It’s important to know the 2 different approaches to UDP scanning which will be used.

In the first method, is to rely exclusively on ICMP port-unreachable responses. this sort of scanning relies on the idea that any UDP ports that aren’t related to a live service will return an ICMP port-unreachable response, and a scarcity of response is interpreted as a sign of a live service. While this approach are often effective in some circumstances, it also can return inaccurate leads to cases where the host isn’t generating port-unreachable responses, or the port-unreachable replies are rate limited or they’re filtered by a firewall.
In the second method, which is addressed within the second and third recipes, is to use service-specific probes to aim to solicit a response, which might indicate that the expected service is running on the targeted port. While this approach are often highly effective, it also can be very time consuming.

TCP Port Scanning

In this article, many different methods to TCP scanning will be covered. These methods include stealth scanning, connect scanning, and zombie scanning. To understand how these scanning techniques work, it is important to understand how TCP connections are established and worded. TCP is a connection-oriented protocol, and data is only transported over TCP after a connection has been established between two systems. The process associated with establishing a TCP connection is often referred to as the three-way handshake. This name alludes to the three steps involved in the connection process. The following diagram shows this process in a graphical form:

From the above picture we can see that a TCP SYN packet is sent from the device that wishes to establish a connection with a port of the device that it desires to connect with. If the service associated with the receiving port grants the connection, it will reply to the requesting system with a TCP packet that has both the SYN and ACK bits activated. The connection is established that time when the requesting system responds with a TCP ACK response. This three-step process (three-way handshake) establishes a TCP session between the two systems. All of the TCP port scanning techniques will perform some varieties of this process to identify live services on remote hosts.

Connect scanning and stealth scanning both are quite easy to know . Connect scanning wont to establish a full TCP connection for each port that’s scanned. that’s to mention , for each port that’s scanned, the complete three-way handshake is completed. If a connection is successfully established, the port is then seems to be open.
In the case of stealth scanning doesn’t establish a full connection. Stealth scanning is additionally referred as SYN scanning or half-open scanning. for every port that’s scanned, one SYN packet is shipped to the destination port, and every one ports that reply with a SYN+ACK packet are assumed to be running live services. Since no final ACK is shipped from the initiating system, the connection is left half-open. this is often mentioned as stealth scanning because logging solutions that only record established connections won’t record any evidence of the scan. the ultimate method of TCP scanning which will be discussed during this chapter may be a technique called zombie scanning. the aim of zombie scanning is to map open ports on a foreign system without producing any evidence that you simply have interacted thereupon system. The principles behind how zombie scanning works are somewhat complex. perform the method of zombie scanning with the subsequent steps:
- Identify a remote system for our zombie host. The system should have the some characteristics, they are following:
1. The system need to be idle and does not communicate actively with other systems over the network.
2. The system need to use an incremental IPID sequence.
- Send a SYN+ACK packet to this zombie host and record the initial IPID value.
- Send a SYN packet with a spoofed source IP address of the zombie system to the scan target system.
- Depending on the status of the port on the scan target, one of the following two things will happen:
1. If the port is open, the scan target will return a SYN+ACK packet to the zombie host, which it believes sent the original SYN request. In this case, the zombie host will respond to this unsolicited SYN+ACK packet with an RST packet and thereby increment its IPID value by one.
2. If the port is closed, the scan target will return an RST response to the zombie host, which it believes sent the original SYN request. This RST packet will solicit no response from the zombie, and the IPID will not be incremented.
- Send another SYN+ACK packet to the zombie host, and evaluate the final IPID value of the returned RST response. If this value has incremented by one, then the port on the scan target is closed, and if the value has incremented by two, then the port on the scan target is open.
The following image shows the interactions that take place when we use a zombie host to scan an open port:

To perform a zombie scan, an initial SYN+ACK request should be sent to the zombie system to work out the present IPID value within the returned RST packet. Then, a spoofed SYN packet is shipped to the scan target with a source IP address of the zombie system. If the port is open, the scan target will send a SYN+ACK response back to the zombie. Since the zombie didn’t actually send the initial SYN request, it’ll interpret the SYN+ACK response as unsolicited and send an RST packet back to the target, thereby incrementing its IPID by one.

Finally, another SYN+ACK packet should be sent to the zombie, which can return an RST packet and increment the IPID another time. An IPID that has incremented by two from the initial response is indicative of the very fact that each one of those events have transpired which the destination port on the scanned system is open. Alternatively, if the port on the scan target is closed, a special series of events will transpire, which can only cause the ultimate RST response IPID value to increment by one.
The following picture is an demo of the sequence of events comes with the zombie scan of a closed port:

If the destination port on the scan target is closed, an RST packet are going to be sent to the zombie system in response to the initially spoofed SYN packet. Since the RST packet solicits no response, the IPID value of the zombie system won’t be incremented. As a result, the ultimate RST packet returned to the scanning system in response to the SYN+ACK packet will have the IPID incremented by just one .

This process are often performed for every port that’s to be scanned, and it are often wont to map open ports on a remote system without leaving any evidence that a scan was performed by the scanning system.

This is how port scanning methods works. In this article we tried to do something different, this is not about any tool but if we are using Kali Linux or we are in cybersecurity field then we should have some technical knowledge. Hope this article also get love. This is all for today.

Love our articles? Make sure to follow us on Twitter and GitHub, we post article updates there. To join our KaliLinuxIn family, join our Telegram Group. We are trying to build a community for Linux and Cybersecurity. For anything we always happy to help everyone on the comment section. As we know our comment section is always open to everyone. We read each and every comment and we always reply.
June 7, 2022
Burp Suite — Web Application Security, Testing & Scanning
Burp or Burp Suite is a collection of multiple tools built in Java used for penetration testing of web applications. It is developed by Portswigger web security. Burp Suite is a graphical tool which aims to be an all in one set of tools and its capabilities can be enhanced by installing add-ons that are called BApps.
Burp Suite is the most popular tool among professional web app security researchers and bug bounty hunters. Kali Linux has a free community version of Burp Suite pre-installed.

Burp suite has various products, such as Spider, Proxy, Intruder, Repeater, Sequencer, Decoder, Extender, Scanner. Let we know about a little bit about the tools used in Burp, then we go for the practices.

Some tools in Burp Suite

Spider: Spider is a web spider/crawler that is used to make a map of the target website or web application. The mapping can give us a list of endpoints so that their functionality can be observed and potential vulnerabilities can be found. Spidering or crawling is done for a simple reason that the more endpoints we gather during our recon process, the more attack surfaces we possess during our actual testing.
Proxy: Burp suite has an intercepting proxy that lets the user see and modify the contents of requests and responses while they are in transit. It also help the user to end the request or response under monitoring to another tool in Burp suite, it removes the copy-paste process. The proxy server can be run on a specific loop-back IP and a port. The proxy in Burp suite also can be configured to filter out specific types of request-response pairs.
Intruder: Intruder is a tool that allow us to perform various types of attacks that can be used to find all types of vulnerabilities. Intruder used to run a set of values through an input point. Those values are run and the output is observed for success or failure and content length. Generally, an anomaly result in a change in response code or content length of the response. Some of the most common attacks that can be used with Intruder as follows:

Brutef-orcing

Fuzzing

Enumeration

Application layer DoS

Repeater: This is a very simple tool for manually manipulating and reissuing individual HTTP and WebSocket messages, and analyzing the web application’s responses. It is used for

Verify that the user supplied values are being verified.

If the values are verified then, how well is it being done?

What values in the server expecting in an input parameter or request header.

How the server handle with the unexpected values.
Sequencer: Burp Sequencer is a tool for analyzing the quality of randomness in an
application’s session tokens and other important data items that are
intended to be unpredictable. This is an entropy checker that checks for the randomness of tokens generated by the targeted web server. These tokens are generally used for authentication in sensitive operations like cookies and anti-CSRF tokens.
Admirably, these tokens must be generated in a fully random manner so that the probability of appearance of each possible character at a position is distributed uniformly. This should be achieved both bit-wise and character-wise. An entropy analyzer tests this hypothesis for being true. It works like this initially, it is assumed that the tokens are random. Then the tokens are tested on certain parameters for certain characteristics.

Using Burp Sequencer may result in unexpected effects in some applications. Until we are fully familiar with its functionality and settings, we should only use Burp Sequencer against non-production systems.

Decoder: Decoder lists the commonly used encoding methods like URL, HTML, Base64, Hex, etc. Decoder comes handy when looking for chunks of data in values of parameters. It is also used for payload construction for different vulnerability classes. It is used to uncover session hijacking.
Extender: Extender allows us to load various extensions that can be used to make penetration testing even more efficient. These extensions are called BApps. These work just like browser extensions. These can be viewed, modified, installed, uninstalled in the Extender tab.
Scanner: Scanner automatically scans for many common vulnerabilities in target web application. It updates frequently and add many lesser known vulnerabilities with the updates.

How to use the Burp Suite

Let we take a look how we can use the Burp suite effectively.

Kali already has a free community version of Burp suite, but we will need to buy a full version Burp to fully use its features. So we open Burp from the menu.

Burp Suite in Kali

After opening Burp we can see Burp’s window as following screenshot:

Then we click on Start Burp and we will see the Burp load up:

Before we start penetration testing or hunting for bugs, we first install some extensions that will may help us. So we go to the BApp Store from the Extender menu.

Here we will see a list of all available extensions. Some of the extensions we will have to install are as following:
1. J2EEScan
2. Wsdler
3. Java Deserialization Scanner
4. HeartBleed
We select these and click on Install to install extensions.

When the extensions are all set, we prepare for scanning. We fire up a browser (Firefox) and go to its preferences.
In the Network settings (last in the General Settings), we add our HTTP Proxy, IP and Port as showing in following screenshot.

Configuring Browser for Burp Suite

We can verify this with Burp’s Options tab under the proxy menu.

Click on the Intercept is on to start intercepting the requests.

Then we browse the website we need to scan.
Whenever all request are captured, we can just go to Target and select our domain.
To perform a scan, we can select individual requests and send them for an active scan.

Even, we also can select the entire domain to send for a scan.

After sending requests on Scanner, we go to the Scanner tab and choose the Options. Here we can basically tell the scanner what actually we want to scan in our target domain.

After started scan we can see the progress in the Scan queue tab.

We can see the Scan queue tab in the following screenshot.

Now the following screenshot shows much more details of the Scan queue tab.

For this example tutorial we use only a few extensions, but we also can use the whole extension list and choose our own extensions also. Extensions are very easy to set up. We can learn it by simply googling it.
This is how BurpSuite works on Kali Linux. This is an basic tutorial.

Liked our tutorials then
visit our website regularly and for the quick updates follow us on Twitter and GitHub. Join our community on Telegram to get in touch with us.

For anything please comment down in the comment section. We always reply.
April 30, 2021
Scan Web Applications Using Metasploit
In penetration testing and bug bounty fields, scanning a website for vulnerabilities is the most crucial part. In our previous articles we had talk about some website or web application scanner like SkipFish and Wapiti, but in our this article we are going to talk about scan website using Metasploit Framework.

Metasploit is very famous for searching and using exploits, but now we can scan for vulnerabilities using Metasploit. To do this we are going to use a plugin called WMAP.

WMAP is a feature-rich web-application scanner that integrated with metasploit and allow us web application scanning. We are going to use it on our Kali Linux system.

Setting Up Metasploit Database

At first we need to setup Metasploit database. WMAP requires database support to run. So we need to set up database. We initialize Metasploit database using following command:
```
sudo msfdb init
```
The above command will create a default database and user for Metasploit to interact with. The screenshot of the command is following:

Metasploit uses PostgreSQL database system, this database system is very useful to keep track of large amount data during penetration testing. So we start PostgreSQL by applying following command:
```
sudo service postgresql start
```
Database setup for Metasploit is complete now.

Running WMAP

Before opening WMAP module we need to start metasploit framework by using following command:;
```
msfconsole
```
The above command will start Metasploit framework as we can see in the following screenshot;

After opening Metasploit framework console we can check if it is connected with database or not by applying db_status command:
```
db_status
```
In the following screenshot we can see that our database is connected with Metasploit.

Now we can load WMAP plugin by using following command:
```
load wmap
```
Then the plugin will load as we can see in the following screenshot:

Now we can check WMAP help by using help or ? command:
```
?
```
In the following screenshot we can see WMAP’s help menu:

Scanning Website using WMAP Metasploit Module

After checking the help options we can add sites on WMAP plugin. We use wmap_sites here. To check wmap_sites help we can simply use following command:
```
wmap_sites
```
This will show us the help of wmap_sites, as we can see in the following screenshot:

To add a site we need to use -a flag following by the website URL.

Here for an example we are going to test our localhost web server for just an example. So the command will be following:
```
wmap_sites -a http://192.168.225.48
```
In the following screenshot we can see that the site is created.

We can see the listed website on our WMAP by using following command:
```
wmap_sites -l
```
We can see our added websites list here in the following screenshot:

Next, we need to set the specific target. Here we need to set the specify any part of website or the whole website (main URL). To set the target we need to use -t flag following wmap_targets, an example command to scan a specific part of a website is following:
```
wmap_targets -t http://192.168.225.48/dvwa
```
We an add more than one targets here by separating them with a comma (,). We can see the listed targeted website by using following command:
```
wmap_targets -l
```
In the following screenshot we can see our pointed part of web application for scanning.

Now we can start the scan. Before scanning we check the help of scanning by using following command:
```
wmap_run
```
We can see the options of this command in the following screenshot:

We can see the -t flag will show us all enabled modules in the scan.
```
wmap_run -t
```
The modules list shows in the following screenshot:

If we want to check more information of any module we can use info path/of/module command (optional).

Finally, to run the scan we can use -e flag.
```
wmap_run -e
```
This command will start all the loaded modules against the target, as we can see in the following screenshot:

After completing the scan we can check the result of the scan by using following command:
```
wmap_vulns -l
```
The above command will show us the result of the scan, as we can see it on the following screenshot:

We can see in the above screenshot that we got some potentially interesting things about the target. We can now use these results to gather further information on the reported vulnerabilities. As penetration testers, we would want to investigate each finding further and identify if there are potential methods for attacks.

Here one thing we need to clear that our target was intentionally vulnerable, in the real world scenario things might be different.

WMAP might not provide us so much detailed results like other vulnerability scanners. But the fact is this comes with the Metasploit Framework and we can easily use it without installing. That makes it very useful website or web-application scanner.

Love our articles 💖 ? Make sure to subscribe our e-mail notification for free, then our new articles directly reached in inbox. We also have a Telegram Group to discuss things related Kali Linux and cyber security. To get our article and other updates follow our Twitter and GitHub.

For anything comment down in the comment section. We read each comment and we always reply.

This tutorial is for
educational purpose only. Hacking website or web applications that we
don’t own is a serious crime. If anyone do any illegal activity then we
are not responsible for that. We should take legal permission to attack
before starting penetration testing..
February 18, 2021
Zenmap — Easy GUI version of Nmap [UPDATED 2022]
Zenmap is Official Graphical User Interface (GUI) version of Nmap. Zenmap is also very powerful tool like nmap. For it’s graphical interface and easy menus makes it very easy to use.

Previously Zenmap comes pre-installed on Kali Linux but newer version (from 2019.4) doesn’t comes with Zenmap. So in our this article we are going to learn how to install Zenmap on Kali Linux in 2022 and use it.

Installing Zenmap on Kali Linux 2022

Zenmap relies on deprecated Python 2 libraries that are not available in Kali Linux. So it is not available on Kali Linux repository. Also it’s official .deb file comes with some errors during installing. So we are going to install it using Kaboxer (Kali Applications Boxer).

To install it we need to have an updated system. We need to apply following command to install Zenmap on our Kali Linux system.
```
sudo apt install zenmap-kbx -y
```
After providing our root password the installation will be started, as we can see in the following screenshot:

After the installation is complete we just need to run following command to start Zenmap:
```
zenmap-kbx
```
Now we can see that the above command opens Zenmap on our Kali Linux system in the following screenshot:

This is how we can install and run Zenmap on Kali Linux using Kaboxer.

Using Zenmap on Kali Linux

After a successful installation we can use Zenmap. If we use Zenmap with root then we can use it’s all options. So we open it with root by using following command:
```
sudo zenmap
```
We can see that Zenmap is opened on the following screenshot:

Here everything is very easy. Here we need to put the IP address of our target network. For an example we are choosing our localhost system’s IP address (192.168.122.148), we also can choose the website’s address.

Then we need to choose the profile as “Quick Scan“. For an example we have chosen “Quick Scan” we can choose other profiles as per our requirements. Then we just need to click on “Scan”. Then the result will comes in front of us as the following screenshot:

In the above screenshot we can see the open ports on our target.

Once the scan has completed, we can click on each tab to get further details about our target. If we’re performing a scan on an entire network, the “Topology” tab will help us create a network diagram of the target network.

Zenmap is very easy to use and user-friendly. This is how we can install Zenmap on Kali Linux new versions and it’s uses.

Liked our article? Then make sure to follow our mail-subscription to get new articles directly on inbox. We also update articles on our Twitter and GitHub profiles. Make sure to follow us there. We also have Telegram group for chatting with everyone.

For any kind of problem and queries make sure to comment in the comment section. We always reply.
February 3, 2021
SkipFish — Web Application Scanner
SkipFish is an active web application security scanner developed by Google’s information security engineering team, Michal Zalewski, Niels Heinen and Sebastian Roschke.

SkipFish comes preinstalled with Kali Linux and it can identify various vulnerabilities inside a web application.

SkipFish Key Features

SkipFish have some advantages they are following:
1. High performance: 500+ requests per second against responsive Internet targets, 2000+ requests per second on LAN / MAN networks, and 7000+ requests against local instances have been observed, with a very modest CPU, network, and memory footprint.
2. Well-designed security checks: the tool is meant to provide accurate and meaningful results.
3. Automatic wordlist construction based on site content analysis.
4. Probabilistic scanning features to allow periodic, time-bound assessments of arbitrarily complex sites.
5. Handcrafted dictionaries offer excellent coverage and permit thorough $keyword.$extension testing in a reasonable timeframe.
6. Three-step differential probes are preferred to signature checks for detecting vulnerabilities.
7. Ratproxy-style logic is used to spot subtle security problems: cross-site request forgery, cross-site script inclusion, mixed content, issues MIME- and charset mismatches, incorrect caching directives, etc.
8. Bundled security checks are designed to handle tricky scenarios: stored XSS (path, parameters, headers), blind SQL or XML injection, or blind shell injection.
9. Snort style content signatures which will highlight server errors, information leaks or potentially dangerous web applications.
10. Report post-processing drastically reduces the noise caused by any remaining false positives or server gimmicks by identifying repetitive patterns.
How to use SkipFish on Kali Linux

As we previously said that SkipFish comes pre-installed with Kali Linux (Full version) so we don’t need to install it (if not we can use sudo apt install skipfish).

We can check it’s options by entering following command on our terminal:
```
sudo skipfish -h
```
The following screenshot shows the output of the preceding command and the help of SkipFish tool.

Now we can run this tool against our target. Here we have a demo localhost target, because using this tool without proper permission will be illegal. We can use this against our own site or have a permission to test.

So we run it against our localhost (http://192.168.225.37/bodgeit, we can use live websites URL when we want to run it against live website) using following command:
```
sudo skipfish -o SkipfishTEST http://192.168.225.37/bodgeit
```
In the above command we have used -o flag to specify our output directory and SkipFish will generate a folder called SkipfishTEST as per our used command.

After applying the above command we can see some welcome note on our terminal, as the following screenshot:

Here we can wait 60 seconds to start our scan or we can press any key to start the scan immediately.

After the scanning process is start we can see SkipFish is trying to find vulnerabilities on our target, as we can see in the following screenshot:

This will take some time to scan depending on the size of our target web application and internet speed (Here we are in localhost so internet speed is not an issue).

If we want to see the details of scanning we can press space bar, then we can see the live scanning:

After the scan complete we can see SkipFish generated a ton of output
files in the location specified.

Now we can go to the location where we have saved our reports. In our case it is in SkipfishTEST folder inside the /home/kali directory.

Inside the folder we got a file called index.html we need to open the html file on our browser to get the reports generated by SkipFish. As we did in the following screenshot:

We can see the issues here. To know on which URL we have issues we need to click the issue to expand it.

We can see on the above screenshot we have some serious issue to fix. Bad guys can use these loopholes for bad things. But a ethical guy or bounty hunter will report these issues to the admins. To know more specific scans of SkipFish click here.

This is how we can use SkipFish to find security problems on websites or web application using Kali Linux.

Disclaimer: Please do not be evil. Use SkipFish only against services we own, or have a permission to test. Using these against other property may considered as crime. We wrote this article for educational purpose only. If anyone do any disturbing activity then we are not responsible for that, only that person will responsible.

Liked our article? then make sure to follow our e-mail subscription to get our latest article directly on inbox. We also update our article on our GitHub and Twitter, make sure to follow us there. We also have stated a Telegram group for more discussion.

For any kind of problem or query kindly leave a comment on the comment section. We always reply.
January 30, 2021
SpiderFoot — Most Complete OSINT Reconnaissance Tool
During a penetration testing or bug bounty hunting, the most crucial aspects of engaging a target is information gathering. The more information we collected, the more likely the attack is to succeed. In this tutorial we look at SpiderFoot.

SpiderFoot is a reconnaissance tool that automatically queries over 100 public data sources to gather intelligence on IP address, domain names, email address, names and more.

We just simply specify the target we want to investigate and pick which modules to enable, then SpiderFoot will collect data to build up an understanding of all the entities and shows the relation between each.

SpiderFoot is an OSINT tool. Open-source intelligence (OSINT) is data that can be gathered from public sources. This isn’t just limited to the internet. This also can gather through print media, government records, academic publications and many more.

SpiderFoot is written in Python3 and it has an interactive web-based interface or a powerful command-line interface.

SpiderFoot is highly configurable and supports cross platform. It’s available for Windows, Linux and MacOS.

Kali Linux doesn’t comes with SpiderFoot installed by default yet, so it comes in custom tools category. First we open our Kali Linux terminal window and type following command to download SpiderFoot from its GitHub repository:
```
git clone https://github.com/smicallef/spiderfoot
```
The screenshot is following:

Then we need to go to the SpiderFoot directory by using cd command :
```
cd spiderfoot
```
Now we install all the requirements by using following command:
```
pip3 install -r requirements.txt
```
The screenshot of the command is following:

Then we can run this tool by applying following command:
```
python3 ./sf.py -l 127.0.0.1:5001
```
Then SpiderFoot will start it’s server for web-based interface as following screenshot:

Now we can use SpiderFoot by starting our web browser and navigate to 127.0.0.1:5001 . The screenshot is following:

Here we can see the web-based interface of SpiderFoot. To start a scan we simply click on “New Scan” and the screenshot as following:

We can enter name of the scan, we can put any name here. Then we can set our target. The target will be a domain name, IP address, host name/sub-domain, sub-net,even we can enter e-mail address or phone number or a name of someone.

Then we need to select the scanning method. We can use the scan as foot-printing or investigation or passive scan, even we can choose first option to choose all the options.

Here we can choose a scan by our required data from another menu.

We can choose modules to do a better scan. Some modules are locked, these modules will work if we add the API keys. To do that we need to go to the official website of modules and register to get API key. Then we paste the API key in the modules setting in the settings menu. Adding API keys will make our scan batter. Then we can scan a target. Here is a scan result of an IP address.

This is how we can install SpiderFoot on our Kali Linux system and use it.
Love our super easy articles ? Don’t wanna miss new articles? follow our Email Subscription for free to get updates on E-mail. We also post articles on GitHub and Twitter. Make sure to follow us there.

For
anything problem please let us know in the comment section. We always
be there to help everyone. We read each and every comment and we always
reply.
January 7, 2021
Install and Use Vega on Kali Linux 2020 — Web penetration Testing
Vega is an open source and cross platform web application penetration testing tool built in Java. Vega has a JavaScript based API which makes it even more powerful and flexible. In our today’s article we are going to install and use Vega on our Kali Linux 2020.4 system without getting any error and use it.

Using Vega is pretty easy by reading our detailed guide, everyone can install & use it to perform a scan also as a proxy. Vega did not comes with Kali Linux. Vega come pre-installed on some previous versions of Kali Linux, but now we need to install it manually, before that we need to do some configuration on our system.

Configuring Kali Linux 2020 for Vega

First we need to setup our java version to 8. To do it we need to run following command on our terminal:
```
sudo update-alternatives --config java
```
The screenshot of the command is following:

Here we can see that our default Java version is marked by * i.e. Java version 11. To select Java version 8 we need to find the row number of Java 8. In our case Java 8 is on number 2. We need to type 2 and hit enter.

Now we have selected Java version 8 on our system. To check it we can run the previous command again to see the *’s location. It should be on Java 8.

We need to add Debian Linux’s repository to install libwebkit on our Kali Linux system. This libwebkit is not available on Kali Linux repository. That’s why we need to add Debian’s repository by using following command:
```
echo "deb http://deb.debian.org/debian oldstable main non-free contrib" | sudo tee -a /etc/apt/sources.list
```
The above command will add Debian repository. We just need to update our cache by using update command:
```
sudo apt update
```
Now we are going to install libwebkit on our system, to do it we need to run following command:
```
sudo apt-get install libwebkitgtk-1.0-0 -y
```
This may took some time depending on our internet speed and system performance. After this we may need to restart our system to see effects. We rebooted our system.

If we wish we can remove the Debian repository now by using following command:
```
sudo nano /etc/apt/sources.list
```
Downloading and Installing Vega on Kali Linux

We can download Vega from the official website and Here we got the download option.

After click on the download button we got options for various systems like Mac, Linux and Windows. Here we are using Kali Linux and we have 64 bit system so we download the 64 bit version of Linux.

After downloading the zip file on our downloads folder we can use following command to unzip it
```
cd Downloads && unzip -q VegaBuild*.zip
```
It will be unzip in seconds then we need to navigate to vega unzipped directory by using cd command:
```
cd vega
```
We can see the files, we just need to run following command to start Vega on our Kali Linux system.
```
./Vega
```
After this we can see that Vega is opened in our front as we can see in the following screenshot:
Web Penetration Testing with Vega

There are two ways to start a scan in Vega. We can use the Scanner mode or We can choose the Proxy mode. First we talk about Scanner mode.

Scanner Mode:

In Scanner mode first we need to choose the “Start New Scan” option from the Scan menu.

In the window, we enter the target website URL and click on Finish.

Then Vega will start the scan. After ending the scan we got the result as we can see in the following screenshot:

Here we can see we got 51 High risk on our vulnerable localhost server.

To check more details about the scan results and know about the vulnerabilities we need to look up at Scan Alerts in the left-hand side panel. Clicking on an alert shows us the details as we can see in the following screenshot:

This is how we can scan a website or web application using Vega on our Kali Linux system in 2020.

Proxy Mode:

This is very similar to Burp Suite and WebScarab. Vega also has a proxy feature, where we can intercept and analyze the requests manually too!

We are also able to edit and replay the requests to perform a manual check.

This is how we can install & use Vega on Kali Linux 2020 versions and use it to do web penetration testing. Vega is still a good all-in one tool for bug bounty hunters and cybersecurity experts.

Liked our tutorials then please do subscribe our website using mail id for free, our new articles will be send in mail. We are also available on Twitter and GitHub. Also follow us there we post updates there.

For any problem please comment down below in the comment section, we will happy to help. We always reply.
November 28, 2020
Legion — Test Web Application Vulnerability Automatically
Legion is an Open-Source and easy to use python based GUI tool that can helps in network penetration testing. Legion is a upgraded version of Sparta. Previously Sparta comes pre-installed with Kali Linux, Now Kali removed Sparta because of it’s older Python version(Python2).

Legion is very similar to Sparta. This semi-automated network penetration testing framework comes installed with Kali Linux.
The main features of Legion:
- Automatic recon and scanning with NMAP, whataweb, nikto, Vulners, Hydra, SMBenum, dirbuster, sslyzer, webslayer
  and more (with almost 100 auto-scheduled scripts).
- Easy to use graphical interface with rich context menus and panels that allow pentesters to quickly find and
  exploit attack vectors on hosts.
- Modular functionality allows users to easily customize Legion and automatically call their own scripts/tools.
- Highly customizable stage scanning for ninja-like IPS evasion.
- Automatic detection of CPEs (Common Platform Enumeration) and CVEs (Common Vulnerabilities and Exposures).
- Ties CVEs to Exploits as detailed in Exploit-Database.
- Realtime autosaving of project results and tasks.
Let’s start with installing Legion in our Kali Linux system. Usually it comes pre installed with Kali’s new versions but, if we need to install it we can run following command:
```
sudo apt-get install legion -y
```
The following screenshot shows the installation process:

Now we can run Legion’s graphical interface by using following command:
```
legion
```
Legion will open, as we can see in the following screenshot:

Here in input section we have an option to add hosts (target IP or web address). When we click on it we got following window like the screenshot:

Here we can add single or multiple host(s) for scanning. We can add a single IP, range of IPs or host names in the section. To add multiple target we need to separate them with semicolon.

Then we need to choose the ‘Mode Selection’, Easy or Hard.
For this example we choose ‘Hard’, in the ‘Easy Mode’ we got the nmap scanning option. Here we turn on the nmap host discovery and staged scan.

In the ‘Timing and Performance Options’ if we choose a higher performance option takes more time in compared to lower performance options.

In ‘Hard Mode’ we get additional customizing options like custom port scanning, host discovery, and custom discovery options.

For this tutorial we have selected a IP with custom scanning & host discovery. In the additional arguments we are using -sV and -O options. -sV flag is used for service version and -O flag is for OS detection.

Then we just need to click on “Submit”. Legion will do the rest. First it will scan the IP or web address with nmap then it run Nikto on the targeted IP or web address. Legion will test with various tools automated like Shodan, whataweb, Vulners, Hydra, SMBenum, dirbuster, sslyzer, webslayer and more (with almost 100 auto-scheduled scripts).

We got a Tab on Legion for every tool used and it is also able to find CVE. It will show us the CVE if available. So this Legion is GUI based very easy tool for every penetration tester.

Legion scans using nikto after completing nmap scan

Legion is a good tool for penetration testing. Using this we can do some automatic scanning and find vulnerabilities on web applications.

For more tutorials like this follow our website to get e-mail notification of our recent updates. We also update our tutorials on our social media as Twitter & Medium.
September 2, 2020
Leviathan scans — Scan Using Leaviathan | Mass Auditing Toolkit
Leviathan scans is for project auditing scanning framework. It is a mass auditing toolkit and it has wide range service discovery, brute force, SQL injection detection and running custom exploit capabilities.

Leviathan consists open source tool such mass scan, ncrack, dsss and provide us the flexibility of using them with a combination. This requires Python2 for run.

Key features of Leviathan Scans

Discovery: Leviathan can discover FTP, SSH, Telnet, RDP, MYSQL services running under a specific country or in an IP range by Shodan, Censys. It is also possible to manually discover running services on an IP range by integrated “Leviathan scan”.

Brute-Force: We can bruteforce the discovered services with integrated “ncrack” tool. It has wordlists which includes most popular combinations and default password for specific services.

Remote Command Execution: We can run system commands remotely on compromised devices.

SQL injection Scanner: Discover SQL injection vulnerabilities on websites with specific country extension or with our custom Google Dork.

Exploit Specific Vulnerabilities: Leviathan can scan vulnerabilities targets with Shodan, Censys or masscan and mass exploit them by providing our own exploit or using pre-included exploits.
Integrated Tools
Masscan: It’s a very fast TCP port scanner by Robert David Graham. Leviathan uses masscan for detecting services on a huge IP range. https://github.com/robertdavidgraham/masscan
Ncrack: Ncrack is a high-speed network
authentication cracking tool. Leviathan uses ncrack to brute force
services such as FTP, SSH, RDP, Telnet, MYSQL etc. https://github.com/nmap/ncrack
DSSS (Damn Small SQLi Scanner): DSSS is a fully
functional and minimal SQL injection vulnerability scanner by Miroslav
Stampar. Leviathan uses DSSS to identify SQL Injection vulnerabilities
on specific URLs. https://github.com/stamparm/DSSS
Installing Leviathan Scans

Leviathan is written in Python2 and Python2 is officially dead (No more supports). But to use Leviathan in Kali Linux latest version we don’t need to manually install Python2 in Kali Linux because newer versions of Kali Linux also comes with Python2.

We can clone Leviathan from it’s Github repository by using following command:
```
git clone https://github.com/utkusen/leviathan
```
Then we can go to the folder by using cd command:
```
cd leviathan
```
Now we give the installer script executable permissions using following command:
```
chmod +x scripts/debian_install.sh
```
Then it will install it’s requirements to run.
Now we run the installer script by using following command:

bash scripts/debian_install.sh
Let we run leviathan scans by applying following command:
```
python leviathan.py
```
In the following screenshot we can see that we have successfully run the leviathan framework:

From the Discovery menu we can use the discover and scanning sites like Shodan, Censys, Masscan, Web Scanner.

Discovery module helps us to identify machines which runs a specific service. We can extract pre-discovered machines with Shodan’s or Censys’s API (option 1-2) or we can scan them our-self with masscan tool (option 3) or we can discover websites according to a dork from Google (option 4).

In Attack module there are four options listed for our usage.
    Following attacks will be done to the targets which are discovered
    in ‘Discovery’ section.

    In ‘Brute Force’ section we can make brute force attacks for following
    protocols: ftp, ssh, telnet, rdp, mysql

    In ‘Web(SQL Injection)’ section we can search for SQL Injection
    vulnerabilities on pre-discovered URLs

    In ‘Custom Exploit’ section we can run a custom exploit for
    pre-discovered targets.

    In ‘Run remote command’ section we can execute commands remotely
    on compromised machines.

In the assets module we can see the lists of discovered machines and compromised machines.

We can use option 1 for showing discovered machines and option 2 for compromised systems.

In the configuration module we can change or add API keys for Google, Shodan or Censys.
We can use option 1 to add or change Google API Key, option for add or change Google CSE ID, similarly we can use option 3 for Censys UID option 4 for Censys Secret and for Shodan API key we can choose option 5 .

To see all the the configured API keys we can choose option 6 (Show Config File)

We can use these functions we can with leviathan scans tool.

Leviathan is a mass audit toolkit which has wide range service
discovery, brute force, SQL injection detection and running custom
exploit capabilities. It consists open source tools such masscan,
ncrack, dsss and gives you the flexibility of using them with a
combination.
The main goal of this project is auditing as many system as possible in country-wide or in a wide IP range.

Legal Waning: While this may be helpful for some, there are significant risks.
You could go to jail on obstruction of justice charges just for running leviathan,
even though you are innocent. Your are on notice, that using this tool outside your
“own” environment is considered malicious and is against the law. Use with caution.

Follow our blog to learn penetration testing, cyber security, digital forensics. For more updates follow us on Twitter and Medium.
February 21, 2020
Recon-ng — Information Gathering with Open Source Intelligence
Today we are going to learn about recon-ng. Recon-ng is very good tool for web application analysis.

Recon-ng is a fully featured Web-Reconnaissance framework which written in Python3. It gives a powerful environment to it’s users.

Recon-ng have some modules and functions which gives many useful information about the target, like sub-domains, IP, Geo-locations, vulnerabilities etc.

Recon-ng’s look and feel is close to metasploit framework This tool comes pre-installed with Kali Linux.

Let we check how we can use this tool as a basic user. Let we fire up our Kali Linux’s terminal window and apply following command:
```
recon-ng
```
Our call will open this framework as shown in following screenshot:

Here we got recon-ng version 5.0.1. We can see in the above screenshot that in this version ‘no modules enabled/installed’.

Let we run help command to see the help options.
```
help
```
We can install modules from the market places. To see all the list of modules we can run following command:
```
marketplace search
```
Then we can see all the modules in recon-ng as we can now see in the following screenshot:

Now if we want to install “hackertarget”module then we can search for it’s path using following command:
```
marketplace search hackertarget
```
After applying this command we can see the path of hackertarget as shown following screenshot:

Now in the V5 of recon-ng no modules comes pre-installed so we need to install “hackertarget” module. We can easily do it by applying following command:
```
marketplace install recon/domains-hosts/hackertarget
```
So here we used marketplace install and the path of module, that’s it.
This will install “hackertarget” module.

This is how we can install modules in recon-ng V5. But some advanced modules requires api keys to run.

Now we load a module for scan. For an example we choose “hackertarget” and load it by using following command:
```
modules load recon/domains-hosts/hackertarget
```
Now we can set sources with target, by using following command:
```
options set SOURCE kali.org
```
Now we can run by using run command.
```
run
```
Then this module will run on kali.org domain, as we can see in the following screenshot:

We can see after process complete that we got total 49 hosts These hosts are added in the hosts table. We can check by using following command:
```
show hosts
```
The screenshot is following:

We can see hosts in hosts table this is how we can use Recon-ng V5 in Kali Linux.
Follow our blog to get latest tutorial as soon as possible. Follow us on Twitter and Medium.
February 20, 2020