Last week, Kali announced the release of Kali Linux 2017.2! The new version is a collection of all updates and fixes since the last release, but also includes several new tools. In this article we will see what new tools were installed and take a closer look at some of them.
Note: The tools are not installed automatically, but are available from the repositories. So, to use them, you will need to ‘apt-install’ the ones you want.
Let’s take a closer look at some of the tools.
APT2 – An Automated Penetration Testing Toolkit
APT2 performs an NMap scan (or import scans from Nexpose, Nessus, or NMap) and launches enumeration modules and exploits against the target. Options are set in the “default.cfg” file:
- Start Metasploit and run the following command:
load msgrpc User=msf Pass=msfpass ServerPort=55552
This is needed as when APT2 runs, it it is able to open any remote sessions they will show up in Metasploit.
Then launch APT2 against a target:
apt2 -v -s 1 -b –target 192.168.1.135
The program scans the target, and will automatically begin to attack the target based on the safety level (-s) that you choose.
Any vulnerabilities are listed, and reports are saved to the designated directory:
A html report file is saved in the “Reports” folder. The “proofs” folder contains a lot of information and results from the scan:
BruteSpray – Service Brute Force tool
BruteSpray takes nmap GNMAP/XML output and automatically brute-forces services with default credentials using Medusa.
Run nmap scan and save output, then start Brutespray in interactive mode:
brutespray –file nmap.xml -i
You can also run it in manual mode by supplying specific information using switches. See the help file or tool website for more information.
A brute forcing tool that supports OpenVPN, Remote Desktop Protocol, SSH Private Keys and VNC Keys.
RDP target with known user and password:
crowbar -b -rdp -s 192.168.1.204/32 -u test -c monkey
Crowbar can be run against a single target or range of targets. It can use individual passwords, password lists and SSH or VNC keys. See tool website for more examples.
Tool website: https://github.com/nccgroup/redsnarf
Redsnarf is a pen-testing / red-teaming tool by Ed Williams for retrieving hashes and credentials from Windows workstations, servers and domain controllers
Redsnarf looks like a very useful tool that has a ton of features. It targets Windows computers and can pull information from the system, recover passwords, enable remote access, run remote shells and much more.
I ran it against a local test Windows 7 desktop system, and it would only run when UAC was totally disabled on the system. So, this seems to be a great post-exploitation tool.
Information dump with a known admin user name and password:
redsnarf -H ip=192.168.1.93 -u dan -p password
Information including passwords and shares is displayed and saved to the log directory.
Remote Command shell
Redsnarf has the capability to create several different types of shells.
redsnarf -H ip=192.168.1.93 -u dan -p password -d WIN-42ORBM3SRVF -uD y
Running the command above will connect to the target system and list available shells, as seen below:
The Stealth Mimikatz option is pretty interesting. It creates a webserver on the target system, pulls the system creds and downloads them in plain text:
redsnarf -H ip=192.168.1.93 -u dan -p password -d WIN-42ORBM3SRVF -hR y
Whenever you run a command, the program provides you with a directory that contains the program logs. The logs contain a lot of important information gleaned from the system:
In this article we discussed a few of the new tools included with Kali Linux. Kali Linux is the most feature rich computer security testing platform available and it continues to grow as new tools and capabilities are constantly added.
If you are new to Kali or a seasoned user interested in learning more, check out my “Security Testing with Kali Linux” book series:
And keep an eye out for the upcoming, “Advanced Security Testing with Kali Linux”.