Installing Kioptrix Level 1.
Hey guys.
Welcome to the scanning and enumeration section of this course flow.
To begin, we’re going to install a vulnerable virtual machine called Kioptrix. Load up your web browser on your host machine and search for kioptrix level 1. This is what you should look for:

Vulnhub is a great resource, with a bunch of vulnerable machines of different difficulty levels available for download.
We are going to run both Kali and Kioptrix together, so click on download; I picked the mirror download.
NB: Kioptrix was intended to be used with VMware, so I’ll be switching back to VMware. Please don’t mind my switching; I love to get a good grip on and try different software than what I’m comfortable with, and I’m very comfortable with VirtualBox.
Alright, go ahead and find your downloaded file; it should be a rar file. Use 7zip or WinRAR to extract it. Once extraction is complete, go to your VM software and select open a virtual machine, navigate to the folder where you extracted the Kioptrix file and click on the file.

If you insist on using VirtualBox, which is fine, head over here.
Now that we’ve created the machine, let’s edit the settings. In the network section, give it a NAT setting, increase the memory to about 256 MB (you don’t need a lot for this machine) and click OK.


One last thing before we boot our machine. Go over to your extracted Kioptrix folder; it should look like this:

Right-click on the virtual machine configuration file and open it with Notepad. Press Ctrl + F and search for bridged, like this:


Now change bridged to nat and save.

Now power on the Kioptrix machine and click “I copied it”. If your mouse disappears or the machine hangs when you click on the screen, just press Ctrl + Alt.

Minimize the Kioptrix machine; we are going to attack it from our Kali Linux machine. First, we are going to scan it and do a little enumeration before we attack.
Scanning With Nmap.
Before we get to attacking the Kioptrix machine (I’ll be calling it our target from here on out), we need to discover where it is on the network first.
Open up a terminal in your Kali machine. We’re going to use a tool called netdiscover, but before we do that, let’s get our own IP address. Enter the ifconfig command in your terminal and copy the first three (3) octets from the inet line.

Then we run netdiscover.

-r: range. We are using ARP to detect all the machines on the network. You should only have two (2) machines on the network, because we are running two. Ignore the .1, .2 and .254 IP addresses; the one left should be the IP of the Kioptrix machine, which should look similar to ours.
NB: If you have a problem running netdiscover, like I did, use this command instead: arp-scan -l
Remember the three (3) way handshake? We reach out to a port (SYN) to ask if it’s open, the port replies that it’s open (SYN/ACK) and we complete the connection (ACK).
We’re going to use a tool called nmap (Network Mapper). It scans for open ports and services and identifies open ports with something similar to the three (3) way handshake. The technique we’ll use is called a stealth scan: SYN, SYN/ACK and RST. RST, because after the machine replies that the port is open and we could connect, we don’t actually complete the connection; the whole point is to know whether the port is open or not, which is why it’s called stealth.
NB: Even though the scan is called stealth, it’s not so stealthy, especially if the client’s security is top notch.
Here is the nmap command we’re going to use, and don’t worry, I’ll explain what it means before we run the command.

-T4 is our choice of speed, which can be between 1 & 5, where 1 is really slow and 5 is really fast.
-p- stands for scanning all ports. Without -p, nmap scans the top 1000 ports (the most common ports, like 80, 443, 139, 445, etc). There are 65,535 ports and we want to scan every single one of them, because what if there’s a service running on port 43,200? It’s not common, and if we don’t broaden our search we’ll miss it. You can scan specific ports, and we’ll look at that later, but since we’re beginners here, we’ll scan everything.
-A stands for everything: scan and give me back the version, operating system, fingerprinting, everything.
After these options, put in the IP address of the target machine and hit enter.

This shouldn’t take long. I recommend running nmap --help and reading through the available options, so you get a broader understanding of the other commands that can be used with nmap.
From the result, the first thing we see are the open ports; we need to know what is running on them.

You can see that port 22 is open, and SSH is running on it, with a version.
So we just performed a stealth scan (SYN, SYN/ACK, RST) and found a few open ports. Now we have to look up the information we see on the open ports and try to find exploits for them.
I encourage you to go back and run this scan again in your free time, to get the syntax in your head and remember it. You’ll need this syntax a lot more than you think. Go read the nmap help page, try a few of the options to learn what they do and get an idea of their results. Play around with the syntax, and make sure you use the target machine (Kioptrix); it’s your personal lab target to practice anything and everything on.
Enumerating HTTP/HTTPS. (Part 1)
From our nmap scan we’ve got 22/SSH, 80 & 443 which are hosting websites, and 139 which has a Samba file share on it.
We need to think like an attacker would and figure out our point of attack. As a beginner, I don’t expect you to know that ports 80 & 443 and 139 are commonly found with exploits; it’ll take a series of hacks to know that off the top of your head. What I suggest is googling your ports to find out about their vulnerabilities.
Remember, Google is your best friend. I really think it’s the best way to get a grasp of the possible vulnerabilities and exploits: just google it, until you have a firm grip on some basic ports and their vulnerabilities.
We’re going to start with the enumeration of ports 80 & 443.
The first step should be to visit the website, so copy the target IP address and paste it into the URL bar. We get nothing from visiting the page, as seen below:

So let’s scan for vulnerabilities using a new tool called nikto. Nikto is a web vulnerability scanner, and it’s a great beginner tool for practicing with CTFs or boxes.
If you use this tool against a client website and the site has good security, it might auto-block your scan if it’s detected (not always, though). So if you get the sense that a client has a web application firewall (you’ll get a feel for this as you get more practice), don’t use it.

From the scan result you can see that it detects the server version running, gives us back some vulnerabilities and tells us what’s missing in terms of protection (which isn’t really important for an external pen test but matters more for a web application pen test). It shows the outdated software, and where we find these on a client’s site we put these findings in the report (I’ll show you how to go about making reports in a later section). It also tells us the types of attacks that can be carried out with the available vulnerabilities.
Save the scan: just copy it, save it into a directory and gedit a file for it. You are free to name your file whatever you like. This is part of being a good pen tester: saving your scans and having them available, in case you need to go back to them or reference them in your report.
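The two habits above, reading the open ports off the nmap result and keeping every scan on disk for the report, can be scripted. This is an added example, not code from the original post: it parses nmap’s normal output into one record per open port, writes the notes you would keep next to the raw scan, and stores both in a timestamped file. The sample output, host 192.0.2.10 and every banner are constructed placeholders, not Kioptrix’s real fingerprints.

```python
import re
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample in the layout of nmap's normal output for "nmap -T4 -p- -A <target>".
# Ports mirror the post; the host, banners and the filtered port are made-up placeholders.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.0.2.10
Not shown: 65530 closed ports
PORT     STATE    SERVICE     VERSION
22/tcp   open     ssh         ExampleSSH 1.0 (protocol 2.0)
80/tcp   open     http        ExampleHTTPd 1.0
139/tcp  open     netbios-ssn ExampleSMB (workgroup: EXAMPLE)
443/tcp  open     ssl/https   ExampleHTTPd 1.0
8080/tcp filtered http-proxy
"""

# One port line: <port>/<proto> <state> <service> [<version text>]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*\S))?\s*$")

def parse_nmap_ports(text, states=("open",)):
    """One dict per port line whose state is in `states`; version may be empty (-A cannot fingerprint everything)."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue  # report header, host line, OS guesses: not port lines
        port, proto, state, service, version = m.groups()
        if state in states:
            records.append({"port": int(port), "proto": proto, "state": state,
                            "service": service, "version": version or ""})
    return records

def scan_notes(records, target, command):
    """Text kept next to the raw scan: what is exposed, and what to research per port."""
    lines = [f"# Target: {target}", f"# Command: {command}", ""]
    for r in records:
        banner = f"{r['service']} {r['version']}".strip()
        lines.append(f"{r['port']}/{r['proto']} {r['state']}: {banner} "
                     "-> look up this exact version; note findings for the report")
    return "\n".join(lines) + "\n"

def save_scan(raw_text, target, command, out_dir):
    """Keep the raw output plus notes in out_dir, timestamped; returns the raw file's path."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    stem = f"nmap_{target}_{datetime.now(timezone.utc):%Y%m%dT%H%M%SZ}"
    (out / f"{stem}.txt").write_text(raw_text)
    (out / f"{stem}.notes.txt").write_text(scan_notes(parse_nmap_ports(raw_text), target, command))
    return out / f"{stem}.txt"
```

Pass states=("open", "filtered") to parse_nmap_ports if you also want the filtered ports in the notes, since a filtered port is worth recording for an external test even though nothing answered on it.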

That’s it for this post. In the next post, we’ll be trying a new tool called dirbuster, to go directory busting. Then we’ll move on to enumerating SMB, port 139, using Metasploit.
Until next time, Keep learning. Keep hacking. And don’t forget to breathe!