Kali Linux - An Ethical Hacker's Cookbook
Practical recipes that combine strategies, attacks, and tools for advanced penetration testing

Product type: Paperback
Published in: Mar 2019
Publisher: Packt
ISBN-13: 9781789952308
Length: 472 pages
Edition: 2nd Edition
Author: Himanshu Sharma

Table of Contents (15 chapters)

Preface
1. Kali - An Introduction
2. Gathering Intel and Planning Attack Strategies
3. Vulnerability Assessment - Poking for Holes
4. Web App Exploitation - Beyond OWASP Top 10
5. Network Exploitation
6. Wireless Attacks - Getting Past Aircrack-ng
7. Password Attacks - The Fault in Their Stars
8. Have Shell, Now What?
9. Buffer Overflows
10. Elementary, My Dear Watson - Digital Forensics
11. Playing with Software-Defined Radios
12. Kali in Your Pocket - NetHunters and Raspberries
13. Writing Reports
14. Other Books You May Enjoy

Prepping with custom tools

In this recipe, we will set up a few tools beforehand; not to worry, we will be covering their usage in detail in later chapters.

Getting ready

Here is a list of some tools that we will need before we dive deeper into penetration testing. Don't worry, we will learn about their usage with some real-life examples in the next few chapters. But those of us who are excited about them right now can run one of the following simple commands to view a tool's help section, where toolname is the name of the tool whose help we would like to view:

toolname -help
toolname -h

How to do it...

We will be looking at two tools in this section.

Aquatone

Aquatone is a tool for visually inspecting websites across a large number of hosts and is convenient for quickly gaining an overview of an HTTP-based attack surface. Aquatone has four major modules: discover, scanner, gather, and takeover. Each of these can be used to perform in-depth enumeration of a target:

  1. We will use a simple command to install aquatone:
gem install aquatone

The following screenshot shows the output of the preceding command:

  2. Next, we create a directory for aquatone under /root using the following command:
mkdir /root/aquatone/
  3. As aquatone uses different modules (online data sources) to hunt for subdomains, we have to configure aquatone's discovery module with the API keys for those sources before running it.
  4. For example, to configure the Shodan key, we can use the following command (XXXXXXXXXXX stands in for your own key):
aquatone-discover --set-key shodan XXXXXXXXXXX

The following screenshot shows the output of the preceding command:

  5. Similarly, we can set keys for other services too, such as Censys and PassiveTotal.
  6. Once everything is set, we can start our subdomain hunting using the following command:
aquatone-discover -d domain.com

The following screenshot shows the output of the preceding command:

  7. Aquatone also allows us to set a custom wordlist with the -w flag and the number of threads with the -t flag.
  8. By default, aquatone stores the output in both TXT and JSON format in the /root/aquatone/ directory.
  9. After we find the subdomains, we can use the aquatone scanner to scan for open ports on the discovered hosts. Let's look at an example:
aquatone-scan --ports 80 -d packtpub.com

The following screenshot shows the output of the preceding command:

  10. This will look for the domain's hosts.json file in the aquatone directory.
    Aquatone has four built-in port lists (small, medium, large, and huge). These decide how many ports are scanned on each host; alternatively, we can define custom ports with the --ports flag, as in the preceding example.
    • aquatone-gather: This module connects to the web services found by the discover and scanner modules and takes screenshots of the discovered web pages for later analysis.
    • aquatone-takeover: This module finds subdomains that are exposed to subdomain takeover (explained in the There's more... section).

Let's refer to the following screenshot:

Subfinder

Subfinder is considered a successor to sublist3r. It is amazingly fast and finds valid subdomains using passive online sources such as Ask, Archive.is, Baidu, Bing, Censys, CertDB, CertSpotter, Commoncrawl, CrtSH, DnsDB, and so on.

  1. Install subfinder. It needs Go to be installed, which we can do with the following command:
apt install golang

The following screenshot shows the output of the preceding command:

  2. Next, we clone subfinder using the following command:
git clone https://github.com/subfinder/subfinder.git

The following screenshot shows the output of the preceding command:

Alternatively, you can download and save it from https://github.com/subfinder/subfinder.

  3. To build subfinder, we change into the cloned directory and run the go build command.
  4. Once the build is complete, we will need a wordlist for it to run, so we can download dnspop's list from https://github.com/bitquark/dnspop/tree/master/results. This list can be used in the previous recipe too.
  5. Now that both are set up, we browse into subfinder's directory and view its options using the ./subfinder -h command.

The following screenshot shows the output of the preceding command:

  6. To run it against a domain with our wordlist, we use the following command:
./subfinder -w /path/to/wordlist -d hostname.com

If we do not specify a wordlist, the tool runs with its default wordlist, as shown in the following screenshot:

Once the enumeration is complete, the output is shown onscreen as follows:

  7. Subfinder is also designed to work with services such as Shodan, Censys, and VirusTotal, but they need to be configured in the config.json file shown here:

There's more...

A subdomain takeover vulnerability exists when a subdomain's CNAME record still points at an external service (a hosting provider, CDN, SaaS platform, and so on) from which the resource has been removed: the dangling record remains, so whoever registers that name on the service controls what the subdomain serves. More information can be read about it at the following GitHub link: https://github.com/EdOverflow/can-i-take-over-xyz/.

Aquatone-takeover is based on the same methodology described by EdOverflow at the preceding URL.
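The dangling-CNAME condition described above, as a small audit a zone owner can run over their own records (an added example, not code from the book or from aquatone-takeover). It checks only the simplest signal, a CNAME target that no longer resolves; matching provider error-page fingerprints, which the linked repository catalogues, is a separate step. The zone data and provider hostnames are constructed, and the DNS lookup is injected so the check runs offline.

```python
"""Dangling-CNAME audit for subdomain takeover exposure.

Added example, not code from the book or from aquatone-takeover. It checks
the simplest signal behind the linked methodology: a subdomain whose CNAME
points at an external name that no longer resolves is a takeover candidate.
DNS lookups are injected via a callback so the check runs offline on the
constructed data below; pass live_resolves to audit a real zone.
"""
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample zone: subdomain -> CNAME target (None = A record only).
# Provider hostnames are made up for the example.
SAMPLE_ZONE: Dict[str, Optional[str]] = {
    "www.example.com":  None,
    "shop.example.com": "shop-example.hosting-provider.example",
    "blog.example.com": "old-blog.hosting-provider.example",
    "cdn.example.com":  "static.example.com",  # in-zone CNAME
}
# Constructed answers for the offline resolver: names that still resolve.
RESOLVABLE = {"shop-example.hosting-provider.example"}

def fake_resolves(name: str) -> bool:
    """Offline stand-in for a DNS lookup: True if the name has an address."""
    return name in RESOLVABLE

def live_resolves(name: str) -> bool:
    """Real lookup for a live audit of your own zone (network required)."""
    try:
        socket.gethostbyname(name)
        return True
    except socket.gaierror:
        return False

def find_dangling(zone: Dict[str, Optional[str]], zone_suffix: str,
                  resolves: Callable[[str], bool] = fake_resolves) -> List[dict]:
    """Return CNAME records whose target no longer resolves: DANGLING if the
    target is external (a third party could claim it on the provider), STALE
    if it is in-zone (only the zone owner can create records there)."""
    findings = []
    for sub, target in sorted(zone.items()):
        if target is None or resolves(target):
            continue
        external = not target.endswith("." + zone_suffix)
        findings.append({"subdomain": sub, "cname": target,
                         "status": "DANGLING" if external else "STALE"})
    return findings
```

Run against the constructed zone, blog.example.com is reported as DANGLING (external target gone) and cdn.example.com only as STALE; fixing either means deleting or repointing the CNAME before decommissioning the service, not after.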
