How to use Undercover-mode in Kali Linux

Yesterday a new version of Kali Linux were released, Kali 2020.1. You can download it here. Make sure that you have read the release notes to make sure that you don’t break anything you don’t want.

Upgrade your existing machine:

  1. Run sudo apt full-upgrade -y
  2. Wait for the job to finish.
  3. Verify that you got the new version by running
    cat /etc/os-release
    Verify-installation

How to use undercover mode in Kali Linux 2020.1:
Undercover mode is a new feature for version 2020.1 that will help you hide that you are a super elite hacker when you are out in public by temporarily changing the desktop to look like a Windows 10 machine. I’m not sure I see the real use cases for this but it’s actually a funny feature. To use it you just need to run kali-undercover.

Kali undercover

After a few seconds you will see a Windows 10-like appearance, pretty cool.

Windows10-like-Kali-Linux

Httprobe

This post is about httprobe which is a tool for quickly probing for active http and https servers. If you have a list with subdomains you can quickly check which are active by using this tool. Httprobe is available on Github and the tool was created by Tom Hudson (@tomnomnom on Twitter).

Pre requisites:
1. You need to have Golang installed. If you haven’t used golang before and need help to get started, read my guide on how to install Golang on Kali Linux

2. Download ‘httprobe’ by running
go get -u github.com/tomnomnom/httprobe

3. If you used my guide to install Go you can now find ‘httprobe’ at:
/root/go-workspace/bin/assetfinder

Basic usage:
To use httprobe you need to print out your domains and pipe them to httprobe. In the example below we are are using cat to read the data from domains.txt and gives its content as output to httprobe.
cat domains.txt | httprobe

Adding extra ports:
By default httprobe is probing for http on port 80 and https on port 443. We can add other ports by using the ‘-p’ parameter.
cat domains.txt | httprobe -p http:8080 -p https:8443

Skip default ports and only probe for defined ports:
By adding ‘-s’ parameter the default ports will be ignored.
cat domains.txt | httprobe -s -p http:8080 -p https:8443

Specify a timeout:
If you know that the response time on the target server might be high you can specify a custom timeout by using the ‘-t’ parameter. The time is configured in milliseconds.
cat domains.txt | httprobe -t 10000

Combine with other tools:
You can combine ‘httprobe’ with other tools such as ‘assetfinder’. If you don’t know about assetfinder you can read my earlier post that helps you getting started with assetfinder.

One example on how you can chain assetfinder with httprobe.
assetfinder --subs-only yahoo.com | httprobe -s -p http:80
In the example we first searched for subdomains at yahoo.com and piped the result to httprobe to find out which of the subdomains that were listening on port 80.
assetfinder+httprobe

Assetfinder

reconnaissance

In this post I will write a bit about Assetfinder which is an quick and awesome tool for finding subdomains. The tool is available in Github and was created by Tom Hudson (@tomnomnom on Twitter).

According to the information on Github, Assetfinder uses the following resources to find subdomains

  • crt.sh
  • certspotter
  • hackertarget
  • threatcrowd
  • wayback machine
  • dns.bufferover.run
  • facebook
  • virustotal
  • findsubdomains

Pre requisites:
1. You need to have Golang installed. If you haven’t used golang before and need help to get started, read my guide on how to install Golang on Kali Linux

2. Download assetfinder by running the following command.
go get -u github.com/tomnomnom/assetfinder

3. If you used my guide to install Go you can now find assetfinder at:
/root/go-workspace/bin/assetfinder

How to use Assetfinder:
Navigate to assetfinder and run
./assetfinder exampledomain.com
If you only want the subdomains you can add –subs-only.
./assetfinder --subs-only exampledomain.com

assetfinder --subs-only
Save the output to a file:
You can also save the output to a file by adding “> filename”
./assetfinder --subs-only exampledomain.com > domains

Assetfinder - Save output

The tool is really quick so it is perfect to use it when you want a fast way to find subdomains for a target company. I really love this tool. <3

How to Install Golang in Kali Linux

golang

Golang (Go) is a programming language that are becoming more and more popular and I have seen many interesting tools that are written in Go. Since Go are not being installed by default in Kali Linux I thought that publishing a quick-start guide could be a good idea.

  1. Start by open your web browser and visit https://golang.org/dl/
  2. Download the latest version for Linux – “gox.xx.x.linux-amd64.tar.gz”
    Download page on golang.org
  3. Open your terminal and navigate to your downloads folder
    cd /root/Downloads
  4. Extract the files
    tar -C /usr/local/ -xzf go1.13.6.linux-amd64.tar.gz
  5. Add variables for GO by modifying “~/.bashrc”
    vim ~/.bashrc
    Add the following paths to the end of the file
    export GOPATH=/root/go-workspace
    export GOROOT=/usr/local/go
    PATH=$PATH:$GOROOT/bin/:$GOPATH/bin
  6. Now we need to refresh the bashrc to get the updated variables
    source ~/.bashrc
  7. Now we just need to verify that everything is correct configured and we can do that by creating a simple ‘hello world’ program in Go.
    vim helloworld.go
    Add the following code to the file:
    package main
    import "fmt"
    func main() {
    fmt.Printf("Hello world!\n")
    }
    Then save the file and try to run the program:
    go run helloworld.go
    If everything was configured correctly you should see something like this:
    golang.helloworld
    hackerman1
    You are now ready to use Golang on your Kali Linux machine!

How to connect to Azure with SSH Tunneling

Have you just created your first Azure VM and are looking for a good, secure way to connect to you new machine without exposing more than necessary to the internet? Maybe you just want to run a few machines and don’t want to spend money on firewalls to configure VPN to your Azure Virtual Network (VNET)?

Connect-to-Azure-SSH-tunneling

In this post I will explain a method that can be used to connect to your machine securely without any cost. After reading this post you will know how you can set up a SSH tunnel to your machine so you only need to expose TCP port 22 to the internet. I will also show you how you can limit the access to that port by configuring a Network Security Group (NSG) in Microsoft Azure to only allow your own IP to connect. You will connect to the VM using Putty and either Google Chrome or Mozilla Firefox. We start off by configuring the NSG in Azure.

Configuring NSG in Azure:
The first thing that we need to do is to allow you to SSH to your machine and we do that by configuring the NSG. You want to modify the inbound security rule named ‘default-allow-ssh’ and you do that by clicking on ‘Inbound security rules’ in the left menu.

nsg

You should now add your public IP to the rule to allow you to connect from your home network. You probably know how to get your public IP but if you don’t know, one simple way is by visiting https://ipinfo.io and copy the address from there.

publicip

When you have the IP ready, click on the ‘default-allow-ssh’-rule to expand it and then add your IP to ‘Source IP addresses/CIDR ranges’ and press ‘Save’.

nsg2

The Azure configuration is now done. Lets move on to the Putty configuration.

Configuring Putty:
If you don’t have Putty installed you can download it from the official website and then just install it. After you have installed the software the first step is to run Putty and add the public IP of your Azure VM and select SSH port 22.

putty

Then navigate to SSH and check ‘Don’t start a shell or command at all’.

putty2

Move on by expanding SSH (+) and go to Tunnels. Add a forwarded port by choosing ‘Source port’. In this example we use port 1080. Select ‘Dynamic’ for destination and then press ‘Add’. Now you should see ‘D1080’ added above.

putty3

If you don’t want to configure these settings every time you want to use the tunnel you can save the session. That is done by going back to ‘Session’ and enter a name and then press ‘Save’.

putty4

Now the tunnel is ready and we just need to start it. Click on ‘Open’, enter your SSH credentials and press enter and the tunnel should be up and running.

Verify that the tunnel works:
You will probably want to make sure that the tunnel works as expected and we can verify that by configuring a simple HTTP server on the VM. In this example CentOS7 was used but it can be done on most machines.

Step one is to open another putty window and connect to you VM via SSH. Navigate to your home folder (cd /home) and create a directory (mkdir testfolder). Cd into that folder and create a testfile (touch text.txt). Then run the following command to run a python based HTTP-server on port 80.

sudo python -m SimpleHTTPServer 80

Your server will now listen for incoming connections on port 80. But since you don’t allow any connections to port 80 in the NSG you won’t be able to go directly to port 80. We need to send our HTTP traffic in the SSH tunnel to be able to reach it and we do that by configuring proxy settings in our web browser. This can be done in most of the common browsers and I will show you how to do it in Firefox and Chrome.

Chrome:
To configure proxy for Chrome you just right click on Chrome in the task bar and select ‘Properties’. You then need to add some run parameters.

chrome

The parameters you should add are:

--user-data-dir="%USERPROFILE%\proxy-profile" 
--proxy-server="socks5://127.0.0.1:1080"

Firefox:
For Firefox you just open up the browser, open the menu (1) and click on ‘Options’ (2).

firefox

Then you search for proxy and click on ‘Settings’

proxyfirefox

Select ‘Manual proxy configuration'(3) and then add ‘Socks Host 127.0.0.1 Port 1080′(4) and ‘SOCKS v5’ like in the example below.

firefox-proxy

After configuring the proxy settings you can just browse to the internal IP of your Azure VM. You can find the internal IP in the overview of the VM.

az-vm-private-ip

Then just browse to the IP ‘http://10.0.0.4’

result

Voila, you should now see the test file (test.txt) that you created earlier.

I really hope you found this guide useful, if you have any questions or reflections please send me a message on twitter.

/Rickard

Crunch

Today I will continue to write about tools that you can use to generate wordlists. Today we will take a look at crunch.

crunch
Where you can find crunch in Kali Linux.

Background and the functionality:
Crunch is another great tool that can be used to create wordlists. The tool was initially released in 2004 and the author is bofh28 according to tools.kali.org.

You use the tool to generates wordlists based on the charset you specify.

How to get started with Crunch:
To make sure that you have crunch installed, which comes pre-installed with Kali, you just open up the terminal and write crunch.

installed

If you start off by running the tool with only the required parameters you will get all possible words using all characters. So if you for example run “crunch 8 8” you will get all words that are eight characters long.

You can also specify which characters you want to use for your wordlist.

t-768x390

In the example above you can see that we specified all worlds between 5-6 that uses the following charcters: abcd123.

3-2
Here you can see the start and end of the file we just created.

-o
With the -o variable you can chose where the output should be saved.
Example: crunch 8 8 -o wordlist.txt

-b
With the -b parameter you can specify how big wordlist-files you want. In the example below I first created a wordlist with the size of ~2kB. When I use the -b parameter to define that each file only can be 1kB big you see that three files was created instead and none of them were bigger than 1kB.

b
An example of how you can use the -b parameter.

-i
With the -i parameter you can invert the order of the words. If you use crunch 3 3 without using the -i parameter you will get a file that starts with

  • aaa
  • aab
  • aac

If you use -i you will instead get the following result:

i

-t
The -t parameter is one of my favorites to use. If you know that a password uses a special pattern you can use the -t parameter to specify that pattern and reduce the amount of words in your list significantly and make your wordlist more efficient.

A normal use case can be that you got information about that many users in your targets company creates passwords based on the current season, for example Summer2019! . You can then create a wordlist based on that structure.

t-768x390
An example on how you can use the -t parameter.

You can use the following characters to build your patterns:

  • @ will insert lower case characters
  • , will insert upper case characters
  • % will insert numbers
  • ^ will insert symbols

-z
You can also use the -z parameter to compress and create an archive-file. You can choose between gzip, bzip2, lzma and 7z. Gzip is fastest but compression is minimal while 7z is slowest with best compression.

z
An example on how you can use the -z parameter.

That was everything for this time. Please contact me if you feel like I missed something or if you want to share any special tips and tricks for Crunch.

Thanks
/R

Cewl

This is the first blog post in my series where I will go through all built-in Kali Linux tools. I will write information about how the tools work and give you examples on when to use them. This will be an excellent way for me to learn the tools in depth and hopefully it can come in handy for some of you.
I won’t get much enjoyment if I write about them in one by one from top to bottom since that will be boring. The first tool I will write about is from section 05- Password Attacks and the tool I have chosen to start with is CeWL.

Background and the functionality:
CeWL is a tool that was created by Robin Wood and it is used for creating custom word lists based on the text from a target website. It can come in handy to use this tool if you are doing a pen test and you haven’t been successful with your usual word lists and want to create one that is more customized for the target company.

cewl
CeWL from Kali Linux

CeWL are built in Ruby and the main idea is that the program spiders the specified URL according to the configuration and returns a list of words that was found on that site. These custom word lists can later be used when trying to crack passwords with the other available tools. In a later post I will show you how that is being done.

How to get started with CeWL:
So how do you use CeWL then? It’s pretty easy and straight forward and you can get out the most information from the manual which you get by running “man cewl”. I will go through some of the most common options that you can configure and these are:

  • -w
  • -d
  • -m
  • –with-numbers
  • -c
  • -e

-w
Define where the word list should be saved. example: customwordlist.txt
-d
Define the depth the scan should spider. Default value is 2 and that means that it will go to all links that are presented on the defined URL and collect words from them as well.
-m
Define the minimum length of a word. No words with less characters than this will be saved.

So let’s try it and see how it works in practice. For this example I will just use a website that I know include many words and which site are better than Wikipedia? I’ve set the parameters to depth = 1 and characters = 10.

An example on how to use CeWL to generate a custom word list based on a URL.

It can take some time if you want to spider through many sites but if you use a configuration like mine it will be very quick and in this example I got out 1895 useful words.

wordcount
An example on how you can count the number of files in the file.

–with-numbers
Accept words where numbers are included as well. Like for example the word below. “Riteshkumar1256”.

In the figure you can see the first ten entries in the list that was created.

-c – counts number of entries
If you add the -c parameter the tool will also count how many times each word was found on the site. You can use that for many purposes and one example is that you easy can find out which words the company likes to mention and that might be something users uses in their passwords.

An example on how you can use the -c parameter for CeWL.

-e – includes email addresses
You can also save all email addresses that can be found on the website to a file. Perfect for recon and helps you find mailboxes at the target company. If you also include –email file you can specify where you want to save the emails addresses.

An example on how you can use the -e parameter for CeWL.

That was everything for this time. Please contact me if you feel like I missed something or if you want to share any special tips and tricks for using CeWL?

Thanks
/Rickard

Copyright © 2019