Kali Linux Penetration Testing Bible. Gus Khawaja

Чтение книги онлайн.

Figure 1.19 Testing Internet Connection

      Take note that we're using 10.0.0.0 network as our main VLAN (virtual network). In fact, we have multiple VLANs in our home network. For example, we have a VLAN for IoT devices, but why? It's because we want IoT devices to be on a separate network (10.0.50.0/24) without interfering with my main production hosts.

Another example is the Guests VLAN. This network is for people who connect to the wireless guest access point, and they will be assigned in the 10.0.20.0 address range.

      Companies implement the same concept. Ideally, they have a development environment that is different than the production environment network VLAN.

      DNS

      The Domain Name System (DNS) translates domain names into IP addresses. For example, instead of typing https://172.217.13.132 , you simply type https://google.com. The question is, how did I come up with the IP address? Use the host command on your terminal window:

      $host [domain name] root@kali:/# host google.com google.com has address 172.217.13.174 google.com has IPv6 address 2607:f8b0:4020:806::200e google.com mail is handled by 40 alt3.aspmx.l.google.com. google.com mail is handled by 30 alt2.aspmx.l.google.com. google.com mail is handled by 10 aspmx.l.google.com. google.com mail is handled by 50 alt4.aspmx.l.google.com. google.com mail is handled by 20 alt1.aspmx.l.google.com.

      The DNS is divided into two categories: public and private (like the IP addresses). The Google DNS address is public so that anyone connected to the internet can reach Google's website.

      On the other hand, we can have private DNS for our local intranet. This can be set up using a DNS server (e.g., Microsoft Windows Server) or your router if it has a built‐in DNS server. In my home network, I defined a domain called ksec.local . Each host on the network will have a domain name that corresponds to its IP address. For example, my file server domain name is ds‐server.ksec.local (because the server hostname is ds‐server ), and the router/DNS server will manage all the DNS A records (an A record is a mapping between IPv4 addresses and domain names):

      root@kali:~# host ds-server.ksec.local ds-server.ksec.local has address 10.0.0.177

      If you specify a nonexisting DNS record, you will get an error message (this is useful to brute‐force the DNS records):

root@kali:~# host hello.ksec.local Host hello.ksec.local not found: 3(NXDOMAIN)

      Take note that you can add your own static DNS records inside your Kali host. The file is located at /etc/hosts , and here you can redirect any domain name to any live IP address. (This is how DNS poisoning works; the hacker will manipulate the A records to point to his server IP address.)

      root@kali:~# cat /etc/hosts 127.0.0.1 localhost 127.0.1.1 kali # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters

      You'll learn more about this subject later in this book, and you will learn how DNS brute‐forcing and zone transfers work.

      Established Connections

      To display the active network connections on your Kali host, you must use the netstat command tool to get the job done. You'll use this command in your post‐exploitation phase to check how the Linux host is communicating with its network.

      On our Kali host, we have started the SSH (port 22) and the web (port 80) services; the netstat tool will allow us to see them listening for incoming connections:

      root@kali:~# netstat -antu Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN tcp6 0 0 :::80 :::* LISTEN tcp6 0 0 :::22 :::* LISTEN udp 0 0 10.0.0.185:68 10.0.0.1:67 ESTABLISHED

      It's essential to understand what each option means:

      File Transfers

      There are so many ways to transfer files in Kali Linux. First, to download files from the internet/intranet, you have two tools in your arsenal: wget and curl . In the following example, we use both of the tools to download a password text file from one of my local web servers:

      $wget [URL] root@kali:~# wget http://ubuntu.ksec.local/passwords.txt --2020-10-01 13:32:02-- http://ubuntu.ksec.local/passwords.txt Resolving ubuntu.ksec.local (ubuntu.ksec.local)… 10.0.0.186 Connecting to ubuntu.ksec.local (ubuntu.ksec.local)|10.0.0.186|:80… connected. HTTP request sent, awaiting response… 200 OK Length: 0 [text/plain] Saving to: 'passwords.txt.1' passwords.txt.1 [ <=> ] 0 --.-KB/s in 0s 2020-10-01 13:32:02 (0.00 B/s) - 'passwords.txt.1' saved [0/0] $curl -O [URL] root@kali:~# curl -O http://ubuntu.ksec.local/passwords.txt % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 32 100 32 0 0 16000 0 --:--:-- --:--:-- --:--:-- 16000

      TIP

      If you want to download files from GitHub, then you can use the git command:

      $git clone [git project URL]

      Another way to securely transfer files using the SSH protocol is the scp command tool. It's important to understand that you will need the SSH service to be started for this process to work properly. As usual, you see a practical example of how the workflow of copying works from source to destination.

First, we will start the SSH server on a remote Ubuntu Linux host, and this is where you're going to download my files. (By default SSH server is not installed on Ubuntu. To get the job done, execute the command $sudo apt install openssh‐server ‐y .) In this example, we are downloading a passwords.txt file from the remote Ubuntu server:

      gus@ubuntu:~$ ls Desktop Downloads passwords.txt Public Videos Documents Music Pictures Templates

      To get the job done of downloading the file, use the scp command with the following pattern (the dot at the end means that we are copying the file to our current directory in Kali):

      $scp [remote-username@remote-ip:/remote-path] СКАЧАТЬ