Kali Linux Information Gathering

Rosetta, 2021

Laboratory Setup
In this section, we will set up a second machine to test against, using the tools that ship with Kali Linux.

Step 1: Download Metasploitable, which is a Linux machine. It can be downloaded from the official webpage of Rapid7: https://information.rapid7.com/metasploitable-download.html?LS=1631875&CS=web

Step 2: Register by supplying your details. After filling in the form, we can download the software.

Rosetta Techonology | offensive security certified professional training 1


Step 3: Click VirtualBox -> New.

Step 4: Click “Use an existing virtual hard disk file”. Browse to the file where you downloaded Metasploitable and click Open.

Step 5: A screen to create a virtual machine pops up. Click “Create”.

The default username is msfadmin and the password is msfadmin.

NMAP and ZenMAP


Nmap (Network Mapper) is a free and open-source network scanner created by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich). Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses.
NMAP and ZenMAP are useful tools for the scanning phase of ethical hacking in Kali Linux. NMAP and ZenMAP are practically the same tool; however, NMAP is used from the command line while ZenMAP has a GUI.
Nmap provides a number of features for probing computer networks, including host discovery and service and operating system detection. These features are extensible by scripts that provide more advanced service detection, vulnerability detection and other features. Nmap can adapt to network conditions, including latency and congestion, during a scan.

Nmap features include:

- Host discovery – identifying hosts on a network, for example listing the hosts that respond to TCP and/or ICMP requests or have a particular port open.
- Port scanning – enumerating the open ports on target hosts.
- Version detection – interrogating network services on remote devices to determine application name and version number.
- OS detection – determining the operating system and hardware characteristics of network devices.
- Scriptable interaction with the target – using the Nmap Scripting Engine (NSE) and the Lua programming language.

Nmap can provide further information on targets, including reverse DNS names, device types, and MAC addresses.
Typical uses of Nmap:
- Auditing the security of a device or firewall by identifying the network connections which can be made to, or through, it.
- Identifying open ports on a target host in preparation for auditing.
- Network inventory, network mapping, maintenance and asset management.
- Auditing the security of a network by identifying new servers.
- Generating traffic to hosts on a network, response analysis and response time measurement.
- Finding and exploiting vulnerabilities in a network.
- DNS queries and subdomain search.

Output
Nmap provides four possible output formats. All but the interactive output are saved to a file. Nmap output can be manipulated by text-processing software, enabling the user to create customized reports.
- Interactive: presented and updated in real time when a user runs Nmap from the command line. Various options can be entered during the scan to facilitate monitoring.
- XML: a format that can be further processed by XML tools. It can be converted into an HTML report using XSLT.
- Grepable: output that is tailored to line-oriented processing tools such as grep, sed or awk.
- Normal: the output as seen while running Nmap from the command line, but saved to a file.
- Script kiddie: meant to be an amusing way to format the interactive output, replacing letters with visually similar numbers. For example, "Interesting ports" becomes "Int3rest1ng p0rtz".

Nmap command examples


Let’s get to know a few useful command-line scans that can be performed using Nmap.
1. Basic Nmap scan against an IP or host
# nmap 1.1.1.1
Now, if you want to scan a hostname, simply replace the IP with the hostname, as you see below:
# nmap cloudflare.com
These kinds of basic scans are perfect for your first steps when starting with Nmap.
2. Scan specific ports or entire port ranges on a local or remote server
# nmap -p 1-65535 localhost
In this example, we scanned all 65535 ports on our localhost computer.
Nmap is able to scan all possible ports, but you can also scan specific ports, which reports results faster. See below:
# nmap -p 80,443 8.8.8.8

3. Scan multiple IP addresses
Let’s try to scan multiple IP addresses. For this you need to use this syntax:
# nmap 1.1.1.1 8.8.8.8
You can also scan consecutive IP addresses:
# nmap 1.1.1.1,2,3,4
This will scan 1.1.1.1, 1.1.1.2, 1.1.1.3 and 1.1.1.4.
4. Scan IP ranges
You can also use Nmap to scan entire CIDR IP ranges, for example:
# nmap 8.8.8.0/28
This will scan 14 consecutive IP addresses, from 8.8.8.1 to 8.8.8.14.
An alternative is to simply use this kind of range:
# nmap 8.8.8.1-14
You can even use wildcards to scan an entire class C range, for example:
# nmap 8.8.8.*
This will scan 256 IP addresses from 8.8.8.1 to 8.8.8.256.
If you ever need to exclude certain IPs from the range scan, you can use the "--exclude" option, as you see below:
# nmap 8.8.8.* --exclude 8.8.8.1
5. Scan the most popular ports
Using the "--top-ports" parameter along with a number lets you scan the top X most common ports for that host, as we can see:
# nmap --top-ports 20 192.168.1.106
6. Scan hosts and IP addresses read from a text file
Nmap can also read hosts and IPs from a file.
Suppose you create a list.txt file containing these lines:
# vi list.txt
192.168.1.106
cloudflare.com
microsoft.com
securitytrails.com
Save and exit.
The "-iL" parameter lets you read from that file and scan all those hosts:
# nmap -iL list.txt
7. Save your Nmap scan results to a file
On the other hand, in the following example we will not be reading from a file, but exporting/saving our results
into a text file:
# nmap -oN output.txt securitytrails.com
Nmap has the ability to export files into XML format as well, see the next example:
# nmap -oX output.xml securitytrails.com
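As an added example that is not part of the original handout, the following Python script parses the XML that `nmap -oX` writes and lists the open ports with their detected service versions, the same kind of file that searchsploit's --nmap option reads later in this document. The XML sample is constructed in the shape of Nmap's output, not taken from a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape Nmap writes with -oX (not real scan output).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX output.xml 192.168.1.106">
  <host>
    <status state="up"/>
    <address addr="192.168.1.106" addrtype="ipv4"/>
    <hostnames><hostname name="metasploitable" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open" reason="syn-ack"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/>
      </port>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="4.7p1"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="reset"/>
        <service name="telnet"/>
      </port>
      <port protocol="udp" portid="53">
        <state state="open|filtered" reason="no-response"/>
        <service name="domain"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text):
    """Return one dict per confirmed-open port found in Nmap -oX output.

    Hosts reported as down are skipped, and so are ports whose state is
    anything other than "open" (closed, filtered, open|filtered).
    """
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            get = svc.get if svc is not None else (lambda k, d="": d)
            findings.append({
                "host": addr,
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": get("name", ""),
                "product": get("product", ""),
                "version": get("version", ""),
            })
    return findings


def grepable_line(f):
    """Render a finding as one line, convenient for grep/awk post-processing."""
    banner = " ".join(x for x in (f["product"], f["version"]) if x)
    return f'{f["host"]} {f["proto"]}/{f["port"]} {f["service"]} {banner}'.rstrip()


if __name__ == "__main__":
    for finding in parse_nmap_xml(SAMPLE_XML):
        print(grepable_line(finding))
```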
8. Disabling DNS name resolution
If you need to speed up your scans a little, you can disable reverse DNS resolution for all your scans by adding the "-n" parameter.
# nmap -p 80 -n 8.8.8.8
See the difference with a normal DNS-resolution enabled scan:
# nmap -p 80 8.8.8.8

9. Scan + OS and service detection with fast execution
Using the "-A" parameter enables OS and service detection; here we combine it with "-T4" for faster execution. See the example below:
# nmap -A -T4 cloudflare.com
10. Detect service/daemon versions
This can be done with the -sV parameter:
# nmap -sV localhost
11. Scan using TCP or UDP protocols
One of the things we love most about Nmap is that it works for both TCP and UDP. While most services run on TCP, you can also gain a great deal by scanning UDP-based services. Let’s see some examples.
# nmap -sT 192.168.1.1
UDP scanning using the "-sU" parameter:
# nmap -sU localhost
12. Vulnerability detection using Nmap
One of Nmap’s greatest features, which not all network and systems administrators know about, is the "Nmap Scripting Engine" (NSE). This scripting engine allows users to run a pre-defined set of scripts, or write their own in the Lua programming language.
Using NSE is crucial in order to automate system and vulnerability scans. For example, if you want to run a full vulnerability test against your target, you can use these parameters:
# nmap -Pn --script vuln 192.168.1.105
13. Install Nmap-Vulners (Advance)
# cd /usr/share/nmap/scripts/
# git clone https://github.com/vulnersCom/nmap-vulners.git
14. Install Vulscan
# git clone https://github.com/scipag/vulscan.git
# ls vulscan/*.csv
Vulscan supports a number of excellent exploit databases:
- scipvuldb.csv
- cve.csv
- osvdb.csv
- securityfocus.csv
- securitytracker.csv
- xforce.csv
- exploitdb.csv
- openvas.csv
To ensure that the databases are fully up to date, we can use the updateFiles.sh script found in the
vulscan/utilities/updater/ directory. Change into the updater directory by typing the below command into a
terminal.
# cd vulscan/utilities/updater/
Then, make sure the file has the proper permissions to execute on your computer with the below chmod
command.
# chmod +x updateFiles.sh
We can then execute and run the script by entering the below command into our terminal.
# ./updateFiles.sh
With that done, we're now ready to start using the NSE scripts.
15. Scan Using Nmap-Vulners
Using NSE scripts is simple. All we have to do is add the --script argument to our Nmap command and tell
Nmap which NSE script to use. To use the nmap-vulners script, we would use the below command.
# nmap --script nmap-vulners -sV -p80 192.168.1.1
16. Scan Using Vulscan
We can use the vulscan NSE script in the same exact way as nmap-vulners:

# nmap --script vulscan -sV -p80 192.168.1.1
I highly recommend querying just one database at a time. We can achieve this by adding the vulscandb
argument to our Nmap command and specifying a database as shown in the below examples.
# nmap --script vulscan --script-args vulscandb=database_name -sV -p80 192.168.1.1
# nmap --script vulscan --script-args vulscandb=scipvuldb.csv -sV -p80 192.168.1.1
# nmap --script vulscan --script-args vulscandb=exploitdb.csv -sV -p80 192.168.1.1
# nmap --script vulscan --script-args vulscandb=securitytracker.csv -sV -p80 192.168.1.1
17. Combine into One Command
NSE scripts significantly improve Nmap's versatility, range, and resourcefulness as a security scanner. To get the most out of Nmap's version scans, we can use both nmap-vulners and vulscan in one command. To do this, type the below command into your terminal.
# nmap --script nmap-vulners,vulscan --script-args vulscandb=scipvuldb.csv -sV -p80 192.168.1.1

Stealth Scan
A stealth scan, or SYN scan, is also known as a half-open scan, as it doesn’t complete the TCP three-way handshake. A hacker sends a SYN packet to the target; if a SYN/ACK is received back, it is assumed the target would complete the connection and the port is listening. If an RST is received back from the target, it is assumed the port isn’t active or is closed.

To see the SYN scan in practice, use the -sS parameter in NMAP. The full commands follow:

# nmap -PS -p22 192.168.1.101 --reason
# nmap -sT -p22 192.168.1.101 --packet-trace
# nmap -sS -T4 192.168.1.101

The following screenshot shows how to use this command:

Bypass Ping Sweep Filter using TCP SYN Ping

Now we will try to bypass the firewall rules by performing a ping scan with TCP SYN packets; for that we use the -PS option. -PS sends a TCP SYN packet to port 80 by default; we can change this by specifying the port, e.g. -PS443.
# nmap -sP -PS 192.168.1.101 --disable-arp-ping

The following table lists the flags, data length and TTL seen in the different scanning methods (→ is sent by the scanner, ← is the target's reply):

Scan name        Flags                                    Data length   TTL
-sT (TCP)        SYN → / ← SYN,ACK / ACK → / RST,ACK →    60            64
-sS (Stealth)    SYN → / ← SYN,ACK / RST →                44            <64 (less than 64)
-sF (Finish)     FIN →                                    40            <64 (less than 64)
-sN (Null)       NULL →                                   40            <64 (less than 64)
-sX (Xmas)       FIN,PSH,URG →                            40            <64 (less than 64)
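The table maps each scan type to the flags, length and TTL its probes carry. As an added example that is not from the handout, this Python script applies those rows as detection rules to a constructed, tcpdump-like log of unsolicited TCP segments and counts which scan type each source appears to be running; the log line format is an assumption made for the example.

```python
import re
from collections import Counter

# Constructed probe records (not a real capture), one TCP segment per line:
#   src > dst:port flags=<flag letters> len=<IP datagram length> ttl=<TTL>
SAMPLE_LOG = """\
10.0.0.5 > 192.168.1.101:22 flags=S len=44 ttl=52
10.0.0.5 > 192.168.1.101:80 flags=S len=44 ttl=41
10.0.0.5 > 192.168.1.101:443 flags=S len=44 ttl=58
10.0.0.7 > 192.168.1.101:22 flags=S len=60 ttl=64
10.0.0.9 > 192.168.1.101:22 flags=F len=40 ttl=45
10.0.0.9 > 192.168.1.101:80 flags=FPU len=40 ttl=39
10.0.0.9 > 192.168.1.101:443 flags= len=40 ttl=50
10.0.0.11 > 192.168.1.101:22 flags=A len=40 ttl=64
"""

LINE_RE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+):(?P<port>\d+) flags=(?P<flags>[SAFPUR]*) "
    r"len=(?P<len>\d+) ttl=(?P<ttl>\d+)$"
)


def classify_probe(flags, ip_len, ttl):
    """Map the flags, IP length and TTL of one unsolicited TCP segment to the
    scan type in the table above; returns None when no row matches."""
    f = set(flags)
    if f == {"S"}:
        # A SYN from the OS stack (-sT) is 60 bytes with TTL 64; Nmap's own
        # raw SYN (-sS) is 44 bytes with a TTL below 64.
        if ip_len == 60 and ttl == 64:
            return "-sT (TCP connect)"
        if ip_len == 44 and ttl < 64:
            return "-sS (SYN / stealth)"
        return "SYN (unclassified)"
    if f == {"F"}:
        return "-sF (FIN)"
    if f == set():
        return "-sN (Null)"
    if f == {"F", "P", "U"}:
        return "-sX (Xmas)"
    return None


def summarize_scans(log_text):
    """Count (source, scan type) pairs over the log; unparseable or
    unclassified lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        label = classify_probe(m["flags"], int(m["len"]), int(m["ttl"]))
        if label:
            counts[(m["src"], label)] += 1
    return counts


if __name__ == "__main__":
    for (src, label), n in sorted(summarize_scans(SAMPLE_LOG).items()):
        print(f"{src:<12} {label:<22} {n} probe(s)")
```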

Searchsploit
Searchsploit is a tool that lets Kali Linux users search the Exploit Database archive directly from the command line.

To open it, go to Applications -> 08-Exploitation Tools -> searchsploit, as shown in the following screenshot.

Introduction to SearchSploit
Included in the Exploit Database repository on GitHub is "searchsploit", a command-line search tool for Exploit-DB that also allows you to take a copy of the Exploit Database with you, everywhere you go. SearchSploit gives you the power to perform detailed offline searches through your locally checked-out copy of the repository. This capability is particularly useful for security assessments on segregated or air-gapped networks without Internet access.
Since we are using the GNOME build of Kali Linux, the "exploitdb" package is already included by default; all we need to do is open the terminal, type "searchsploit" and press Enter. You will be welcomed by its help screen.
Kali Linux
If you are using the standard GNOME build of Kali Linux, the exploitdb package is already included by default!
However, if you are using the Kali Light variant or your own custom-built ISO, you can install the package
manually as follows:
# apt update && apt -y install exploitdb
You may wish to install some other related packages: exploitdb-papers and exploitdb-bin-sploits.
# apt -y install exploitdb-bin-sploits exploitdb-papers
Updating SearchSploit
Regardless of how you installed SearchSploit, all you need to do in order to update it is run the following:
# searchsploit -u
If you are using the Kali Linux package and haven’t updated since before 20 September 2016 (shame on you),
you will first need to update the package in the traditional manner:
# apt update && apt -y full-upgrade
Help Screen
By using -h, you can see all the features and options that are available to you:
# searchsploit -h
Basic Search
Simply add any number of search terms you wish to look for:
# searchsploit afd windows local
Title Searching
By default, searchsploit will check BOTH the title of the exploit as well as the path. Depending on the search
criteria, this may bring up false positives (especially when searching for terms that match platforms and version
numbers). Searches can be restricted to the titles by using the -t option:
# searchsploit -t oracle
# searchsploit -t oracle windows
Removing Unwanted Results
We can remove unwanted results by using the --exclude option. We are also able to remove multiple terms by
separating the value with a | (pipe). This can be demonstrated by the following:
# searchsploit linux kernel 3.2 --exclude="(PoC)|/dos/"
Piping Output (Alternative Method of Removing Unwanted Results)
The output from searchsploit can be piped into any other program, which is especially useful when outputting
the results in JSON format (using the -j option). With this, it is possible to remove any unwanted exploits by
using grep. In the following example, we use grep to filter out any "Denial of Service (DoS)" results.
# searchsploit XnView | grep -v '/dos/'

Colour Output
By default, searchsploit highlights the search terms in the results when they are displayed to the user. This
works by inserting invisible characters into the output before and after the colour changes.
Now, if you were to pipe the output (for example, into grep) and try to match a phrase containing both highlighted and non-highlighted text, the match would fail. This can be solved by using the --colour option (--color works as well).
# searchsploit wordpress mail list
Copy To Clipboard
So now that we have found the exploit we are looking for, there are various ways to access it quickly.
By using -p, we are able to get some more information about the exploit, as well as copy the complete path to
the exploit onto the clipboard:
# searchsploit 39446
# searchsploit -p 39446
Copy To Folder
We recommend that you do not alter the exploits in your local copy of the database. Instead, make a copy of
ones that are of interest and use them from a working directory. By using the -m option, we are able to select as
many exploits we like to be copied into the same folder that we are currently in:
# searchsploit MS14-040
# searchsploit -m MS14-040
Examine an Exploit
Using the --examine option opens the exploit in $PAGER so you can read what it does.
# searchsploit 39166 --examine
Examining Nmap results
Using the -x option enables examine mode, and the --nmap option checks every result in an Nmap XML output file (with service versions) to find related exploits.
# searchsploit -x --nmap result.xml
Case Sensitive
Using the -c option enables a case-sensitive search, matching only the exact characters given on the command line; by default the search is case-insensitive. Consider the following example:
# searchsploit xss
# searchsploit -c XSS
Exploit-DB Online
The Exploit Database repository is the main core of Exploit-DB, making SearchSploit efficient and easy to use.
However, some of the exploit metadata (such as screenshots, setup files, tags, and vulnerability mappings) are
not included. To access them, you will need to check the website.
You can quickly generate the links to exploits of interest by using the -w option:
# searchsploit WarFTP 1.65 -w

DNS Tools
We will learn how to use some of the DNS tools that Kali includes. Basically, these tools help with zone transfers or domain-to-IP resolution.

dnsenum.pl
The first tool is dnsenum.pl, a Perl script that retrieves the MX, A and other records connected to a domain.
Open the terminal and type "dnsenum domain name" and all the records will be shown. In this case, it shows A records.
# dnsenum --enum google.com

Enumeration of Subdomains
When we run this command, it performs a brute-force search for subdomains using the custom wordlist passed as an argument.
# vi subdomain.txt
mail
www
webmail
service
web
Save and exit.
# dnsenum -f subdomain.txt -r google.com

DNSMAP
The second tool is DNSMAP, which helps find the phone numbers, contacts and other subdomains connected to the domain we are searching. Following is an example.
Open the terminal as in the section above, then type "dnsmap domain name":
# dnsmap google.com

To save the output for later use in the pentest, rather than just viewing the results on the Linux console, write it to a .txt file:
# dnsmap google.com -r /root/Desktop/dnsmapoutput.txt

Download a wordlist from the link below and use it with the -w option:
http://www.md5this.com/tools/wordlists.html
dnsmap command with a wordlist:
# dnsmap target-domain.foo -w yourwordlist.txt -r /tmp/domainbf_results.txt

dnstracer
The third tool is dnstracer, which determines where a given Domain Name Server (DNS) gets its information
from for a given hostname.
Open the terminal as in the section above, then type "dnstracer domain name".
# dnstracer google.com
Dnstracer is a DNS information-gathering tool that extracts unique DNS information about a domain. It extracts different types of DNS records, such as NS, MX, A, AAAA, SOA and NSEC.
DNS query for the A records:
# dnstracer -v -o google.com
- -v: verbose mode, showing the requests and answers going back and forth.
- -a: shows the summary of the domain scan.
- -o: enables an overview of the received answers.
- The above query shows the DNS headers and header fields.
DNS query for the SOA records:
# dnstracer -q soa -o -4 google.com
- -q: the DNS record type (here SOA).
- -o: print the summary on the console.
- -4: ignore IPv6.
DNS query for the NS (name server) records:
# dnstracer -q ns -o -4 google.com
DNS query for the MX (mail exchange) records:
# dnstracer -q mx -o -4 google.com

Changing the Initial DNS Server

# dnstracer -o -s . -4 google.com
- -o: print the summary on the console.
- -4: ignore IPv6.
- -s: specify the DNS server used for the query (here it is ".", which means using the system's default DNS server).

LBD Tools
lbd (load balancing detector) detects whether a given domain uses DNS and/or HTTP load balancing (via the Server: and Date: headers and diffs between server answers).
DNS load balancing
In DNS load balancing, a system has a list of IPs that can respond to requests. When you request a resource, you
hit on one of these IPs, and you need to test further to identify the exact target. If your target is example.com,
and 3 IPs are serving that, when you find a vulnerability, you still have to determine which of these addresses is
the vulnerable one (or if all are).
HTTP load balancing
One of the ways HTTP load balancing can be achieved is through cookies. This comes in handy in online stores
and other such web applications that need to identify a client and send it to the same specific resource.
DNS and HTTP load balancing
# lbd google.com
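As an added example that is not from the handout or the lbd project, this Python code reproduces lbd's two heuristics offline: more than one A record for the name, and Server: or Date: headers that differ between consecutive answers. The A records and response headers are constructed sample data, and the 5-second Date backstep threshold is an assumption.

```python
from email.utils import parsedate_to_datetime

# Constructed data, not real lookups: the A records answered for the domain
# and the headers of four consecutive HTTP responses from it.
DNS_ANSWERS = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]
RESPONSES = [
    {"Server": "nginx/1.18.0", "Date": "Tue, 09 Mar 2021 10:00:00 GMT"},
    {"Server": "nginx/1.18.0", "Date": "Tue, 09 Mar 2021 10:00:01 GMT"},
    {"Server": "nginx/1.20.1", "Date": "Tue, 09 Mar 2021 10:00:01 GMT"},
    {"Server": "nginx/1.18.0", "Date": "Tue, 09 Mar 2021 09:59:40 GMT"},
]


def dns_load_balanced(a_records):
    """DNS-level balancing: the name resolves to more than one address."""
    return len(set(a_records)) > 1


def http_load_balanced(responses, max_backstep=5):
    """HTTP-level balancing, using the two signals lbd describes: differing
    Server: headers between answers, or a Date: header that goes backwards by
    more than max_backstep seconds between consecutive answers (one host's
    clock does not run backwards; two hosts' clocks can differ)."""
    servers = {r.get("Server", "") for r in responses}
    if len(servers) > 1:
        return True, "Server header differs: " + ", ".join(sorted(servers))
    dates = [parsedate_to_datetime(r["Date"]) for r in responses if "Date" in r]
    for earlier, later in zip(dates, dates[1:]):
        backstep = (earlier - later).total_seconds()
        if backstep > max_backstep:
            return True, f"Date header went backwards by {backstep:.0f} s"
    return False, "no difference between answers"


def lbd_report(domain, a_records, responses):
    """Summarize both checks for a domain as a list of report lines."""
    lines = [f"Checking for DNS load balancing on {domain}:"]
    if dns_load_balanced(a_records):
        lines.append("  FOUND: " + ", ".join(a_records))
    else:
        lines.append("  NOT FOUND")
    found, why = http_load_balanced(responses)
    lines.append(f"Checking for HTTP load balancing on {domain}:")
    lines.append(f"  FOUND ({why})" if found else f"  NOT FOUND ({why})")
    return lines


if __name__ == "__main__":
    print("\n".join(lbd_report("example.com", DNS_ANSWERS, RESPONSES)))
```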

Hping3
Hping3 is widely used by ethical hackers. It is similar to the ping tool but more advanced, as it can bypass firewall filters and use the TCP, UDP, ICMP and RAW-IP protocols. It has a traceroute mode and the ability to send files over a covert channel.
While hping was mainly used as a security tool in the past, it can be used in many ways by people who don’t care about security to test networks and hosts. A subset of the things you can do using hping:
- Firewall testing
- Advanced port scanning
- Network testing, using different protocols, TOS, fragmentation
- Manual path MTU discovery
- Advanced traceroute, under all the supported protocols
- Remote OS fingerprinting
- Remote uptime guessing
- TCP/IP stack auditing
- hping can also be useful to students who are learning TCP/IP.
1. Testing ICMP: In this example hping3 behaves like a normal ping utility, sending ICMP echo requests and receiving ICMP echo replies.
# hping3 -1 google.com
2. Traceroute using ICMP: This example is similar to well-known utilities like tracert (Windows) or traceroute (Linux), which send ICMP packets whose TTL value is increased by 1 each time.
# hping3 --traceroute -V -1 google.com
3. Checking a port: Here hping3 sends a SYN packet to a specified port (80 in our example). We can also control the local source port from which the scan starts (5050).
# hping3 -V -S -p 80 -s 5050 google.com
4. Traceroute to a specific port: A nice feature of hping3 is that you can do a traceroute to a specified port and watch where your packet is blocked. It is done simply by adding --traceroute to the previous command.
# hping3 --traceroute -V -S -p 80 -s 5050 google.com
5. Other types of ICMP: This example sends an ICMP address mask request (type 17).
# hping3 -c 1 -V -1 -C 17 google.com

6. Other types of port scanning: The first type we will try is the FIN scan. In a TCP connection the FIN flag is used to start the connection-closing routine. If we do not receive a reply, that means the port is open. Normally firewalls send a RST+ACK packet back to signal that the port is closed.
# hping3 -c 1 -V -p 80 -s 5050 -F google.com
7. ACK scan: This scan can be used to see if a host is alive (when ping is blocked, for example). This should send a RST response back if the port is open.
# hping3 -c 1 -V -p 80 -s 5050 -A google.com
8. Xmas scan: This scan sets the sequence number to zero and sets the URG, PSH and FIN flags in the packet. If the target device's TCP port is closed, the target sends a TCP RST packet in reply. If the target device's TCP port is open, the target discards the TCP Xmas scan, sending no reply.
# hping3 -c 1 -V -p 80 -s 5050 -M 0 -UPF google.com
9. Null scan: This scan sets the sequence number to zero and has no flags set in the packet. If the target device's TCP port is closed, the target sends a TCP RST packet in reply. If the target device's TCP port is open, the target discards the TCP NULL scan, sending no reply.
# hping3 -c 1 -V -p 80 -s 5050 -M 0 google.com
10. Smurf attack: This is a type of denial-of-service attack that floods a target system via spoofed broadcast ping messages.
# hping3 -1 --flood -a VICTIM_IP BROADCAST_ADDRESS
11. DoS Land attack:
# hping3 -V -c 1000000 -d 120 -S -w 64 -p 445 -s 445 --flood --rand-source VICTIM_IP
- --flood: send packets as fast as possible. Don't show replies.
- --rand-dest: random destination address mode. See the man page.
- -V: verbose
- -c --count: packet count
- -d --data: data size
- -S --syn: set SYN flag
- -w --win: window size (default 64)
- -p --destport [+][+]<port>: destination port (default 0); ctrl+z inc/dec
- -s --baseport: base source port (default random)
