Nikto is a website scanner that checks websites for outdated server software, dangerous files and directories, and similar issues. It performs many tests against a website and reports back security vulnerabilities that could be exploited. It is a popular tool among system administrators and security professionals because it can detect problems that are hard to find by hand.
To scan a target website, run the following command in Kali Linux: nikto -host <target>. The target can be either a domain name or an IP address.
Example: nikto -host pentest.id
In this example, the scan reveals that the server is Cloudflare and returns multiple IP addresses.
A method to get access to someone's account is to brute force the username and password. However, we need a real and valid username first before brute forcing the password. Hence, we use WPScan's user enumeration.
The command in Kali Linux: wpscan --url target --enumerate u
We will test it on pentest.id.
In the above example, some usernames are found, such as admin-2.
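As an added example, not part of the original write-up: a small detector that flags the two scans described above in web server access logs, from the defender's side. It relies on Nikto's default User-Agent string, which names the tool, and on the request pattern that WordPress user enumeration leaves behind (a burst of /?author=N probes and reads of the REST user listing). The log lines are constructed and use RFC 5737 test addresses.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" access log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# WordPress author-id probing: /?author=1, /?author=2, ...
AUTHOR_RE = re.compile(r'^/\?author=(\d+)')

def parse(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(lines, author_threshold=3):
    """Return {source_ip: [finding, ...]} for scanner and enumeration behaviour."""
    findings = defaultdict(set)
    author_ids = defaultdict(set)
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        ip = r["ip"]
        # Nikto's default User-Agent names itself unless evasion options are used.
        if "nikto" in r["ua"].lower():
            findings[ip].add("nikto-user-agent")
        m = AUTHOR_RE.match(r["path"])
        if m:
            author_ids[ip].add(m.group(1))
        # The WP REST API user listing is another source user enumeration reads.
        if r["path"].startswith("/wp-json/wp/v2/users"):
            findings[ip].add("wp-rest-user-listing")
    # Several distinct author ids from one source is enumeration, not browsing.
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            findings[ip].add(f"wp-author-enumeration:{len(ids)}-ids")
    return {ip: sorted(f) for ip, f in findings.items()}

# Constructed sample log lines (not real traffic; RFC 5737 test addresses).
UA = "Mozilla/5.0 (Windows NT 10.0) Firefox/118.0"
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 162 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"',
    f'203.0.113.5 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "{UA}"',
    f'198.51.100.7 - - [10/Oct/2023:13:57:10 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "{UA}"',
    f'198.51.100.7 - - [10/Oct/2023:13:57:11 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "{UA}"',
    f'198.51.100.7 - - [10/Oct/2023:13:57:12 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "{UA}"',
    f'198.51.100.7 - - [10/Oct/2023:13:57:13 +0000] "GET /wp-json/wp/v2/users?per_page=100 HTTP/1.1" 200 812 "-" "{UA}"',
]
```

Running detect(SAMPLE_LOG) reports the Nikto source by its User-Agent and the second source by behaviour alone, which is what matters once a scanner is told to use a browser-like User-Agent.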
CUPP, or Common User Passwords Profiler, is a wordlist generator for all likely passwords. It works by asking for basic information about the target, such as first name, last name, birthday, spouse, children, pets, occupation, etc.
To use CUPP, run the command in Kali Linux: cupp -i
Enter the information about the target: full name, birthday, company name, etc. You can press Enter if you do not want to fill in a specific field.
After you fill in the information, CUPP generates a file, 'john.txt' in this example, that contains the wordlist of all possible passwords. This wordlist can be used for brute forcing the password.
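The defensive counterpart of a profiler like CUPP is a password policy that rejects anything built from the same profile data. The following is an added example, not part of the original page or of CUPP: it derives the fragments a CUPP-style list is built from (names, reversed names, birth year and day/month) and checks whether a candidate password contains any of them, after undoing the common leet substitutions. The profile is constructed and the LEET table is a subset I assume here.

```python
from datetime import date

# Subset of the leet substitutions such wordlists apply, reversed to
# normalize user input before matching (assumed table, not CUPP's own).
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t"})

def normalize(password):
    """Lower-case the password and undo common leet substitutions."""
    return password.lower().translate(LEET)

def profile_tokens(profile):
    """Derive the fragments a profile-based wordlist is built from.

    profile is a dict with optional string keys first_name, last_name,
    nickname, spouse, child, pet, company and a datetime.date 'birthdate'.
    """
    tokens = set()
    for key in ("first_name", "last_name", "nickname", "spouse", "child", "pet", "company"):
        value = profile.get(key, "").strip().lower()
        if len(value) >= 3:
            tokens.add(value)
            tokens.add(value[::-1])  # reversed words are emitted too
    d = profile.get("birthdate")
    if d:
        tokens.update({str(d.year), f"{d.day:02d}{d.month:02d}", f"{d.month:02d}{d.day:02d}"})
    return tokens

def profile_matches(password, profile):
    """Sorted profile tokens found in the password, raw or de-leeted.

    Date tokens are digits, so they are matched against the raw password;
    de-leeting would turn 0507 into osot and hide them.
    """
    raw, norm = password.lower(), normalize(password)
    return sorted(t for t in profile_tokens(profile) if t in raw or t in norm)

def acceptable(password, profile, min_len=12):
    """Policy: long enough and not built from anything in the user's profile."""
    return len(password) >= min_len and not profile_matches(password, profile)

# Constructed example profile (not a real person).
EXAMPLE_PROFILE = {"first_name": "John", "last_name": "Smith",
                   "pet": "Rex", "birthdate": date(1990, 7, 5)}
```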
Social engineering is the act of manipulating people so that they give up confidential information. This information could be bank account details, website passwords, or other sensitive data.
There are many methods of social engineering, and even a phone call can obtain sensitive information. In this example, we will use setoolkit in Kali Linux, which is the Social-Engineer Toolkit. We will clone a website that looks identical to the real one in an attempt to get the user to enter their account credentials.
To start, open a Kali Linux terminal, type 'setoolkit' and choose option number 1.
Then, choose option number 2.
Then, choose option number 3.
Then, choose option number 2.
Next, enter the IP address of the attacking virtual machine, which can be found with the ifconfig command. Then enter the website you want to clone, which in this example is https://facebook.com/
Next, a clone of facebook.com is served at that IP address. If you type the IP address into the browser of the virtual machine now, a cloned facebook.com page appears.
If you enter an email and password and submit, the credentials are shown in your Kali Linux terminal.
This is an example of the website attack vector, part of the social engineering attacks. Users who visit this cloned website will not notice, assume it is the real website, and enter their credentials, not knowing that they are sent to the attacker.
Google has become a popular search engine. However, not only can you search for photos, videos, websites, and other information in Google, but Google can also be used as a hacking tool.
The act of using Google as a hacking tool is called 'Google Dorking'. Google Dorking has many queries that you can type into the Google search engine to display sensitive information that a normal search query would not.
For example, typing 'index of /ktp' will show many websites containing people's ID cards.
When you are intercepting network traffic with Burp Suite, users may receive an error message stating that the connection is not secure. Websites may load only partially or not at all, and the padlock beside the URL may show a warning sign. To prevent this, you can create a self-made certificate that appears as a legitimate certificate.
To create a self-made certificate, there are three main commands to run in the Kali Linux terminal:
In this command, OpenSSL asks you to enter some information about the certificate, such as country name, state/province name, locality name, organization name (in this case Verisign Corp), organizational unit name, common name, and email address. After those fields have been filled in, there are two more commands to run:
The second command is:
openssl rsa -in server.key -inform pem -out server.key.der -outform der
The third command is:
openssl pkcs8 -topk8 -in server.key.der -inform der -out server.key.pkcs8.der -outform der -nocrypt
Now, in the file manager, these files should appear:
Now open Burp Suite and, under Proxy -> Intercept, click on Import/Export CA Certificate, then select Import certificate and private key in DER format.
Select ca.der as the CA certificate and server.key.pkcs8.der as the private key.
Now open your browser (preferably Mozilla Firefox), open Preferences, search for "cert" and select "View Certificates".
Next, import the CA certificate, choose the ca.der file from before, and tick "Trust this CA to identify websites".
Now you will see that Verisign Corp is among the trusted certificates:
Lastly, when you now open websites, the certificate will be Verisign Corp:
Maltego is an application built into Kali Linux. It focuses on providing a library of transforms for discovering data from open sources and visualizing that information in a graph format suitable for link analysis and data mining.
In this example, we will use Maltego to find information about the website pentest.id.
First, open Maltego and sign up if you have not made an account yet.
On the top left, click on the add (plus) button.
On the left side of the app, search for 'domain' in the entity palette, then click and drag it onto the empty white canvas in the middle.
A globe-shaped figure should appear on the canvas. Next, change the word 'paterva.com' to any website you want to find information about. In this example, we will change it to pentest.id.
Next, right-click on the figure and click on the double arrow next to the words All Transforms.
Next, it will show information about the website.
It shows the domain, subdomains, the same domain name with different extensions, the location of the server, the mail server, and the DNS security provider, which is Cloudflare.
Cloudflare is a website-security company that provides content-delivery-network services, DDoS mitigation, Internet security, and distributed DNS servers. It provides security for the website and also prevents users from accessing it directly through a known IP address.
For example, we will execute nmap findip.kurniawan.ceo
It reveals the IP address 104.18.44.14. However, when we type it into the browser, it displays a Cloudflare error.
There is a way, using censys.io, to search for the real IP address behind Cloudflare. Go to https://censys.io/ipv4 and search for findip.kurniawan.ceo.
The results show 35.193.199.39. To check the result, type the IP address into the web browser and compare the result with https://findip.kurniawan.ceo.
As shown above, the results are the same. Hence, 35.193.199.39 is the real IP address.
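An added defensive example, not part of the original write-up: the address from nmap shows a Cloudflare error page because it belongs to Cloudflare's edge, whereas the censys.io result does not, and the mitigation for an origin that is reachable this way is to have its firewall accept connections only from Cloudflare's published ranges. The code classifies both addresses from the text and audits a constructed list of origin connections. The IPv4 ranges are Cloudflare's published list as I know it at the time of writing, assumed current; the authoritative source is https://www.cloudflare.com/ips-v4.

```python
import ipaddress

# Cloudflare's published IPv4 edge ranges as known at the time of writing.
# Assumed current: the authoritative list is https://www.cloudflare.com/ips-v4
# and should be fetched on a schedule rather than hard-coded in production.
CLOUDFLARE_IPV4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

def is_cloudflare_edge(ip):
    """True if ip falls inside one of Cloudflare's published edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)

def classify(ip):
    """Label a resolved address: a Cloudflare edge proxy or something else.

    'not-cloudflare' for an address found by DNS or search means the origin
    itself is exposed and should be firewalled to the edge ranges.
    """
    return "cloudflare-edge" if is_cloudflare_edge(ip) else "not-cloudflare"

def direct_origin_hits(source_ips):
    """Origin-side audit: connecting addresses that did not come via Cloudflare.

    Any entry here is traffic the edge never saw (no WAF, no DDoS filtering),
    which is exactly what an allowlist of the edge ranges should block.
    """
    return [ip for ip in source_ips if not is_cloudflare_edge(ip)]

# Constructed sample of source addresses seen by an origin's firewall
# (RFC 5737 test addresses stand in for non-Cloudflare clients).
ORIGIN_CONNECTIONS = ["104.18.44.14", "172.68.10.5", "198.51.100.23", "203.0.113.9"]
```

For IPv6 the same check applies with Cloudflare's ips-v6 list, which this example leaves out.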