20 apr 2020

Thousand Ways To Backdoor A Windows Domain (Forest)

When the Kerberos elevation of privilege vulnerability (CVE-2014-6324 / MS14-068) was made public, the remediation paragraph of the following blog post made some waves:
http://blogs.technet.com/b/srd/archive/2014/11/18/additional-information-about-cve-2014-6324.aspx

"The only way a domain compromise can be remediated with a high level of certainty is a complete rebuild of the domain."

Personally, I agree with this, but whether it is the realistic solution, I'm not sure. The same applies to compromised computers. Once it has been established that malware was able to run on a computer (e.g. a scheduled scan found the malware), there is no easy way to determine with 100% certainty that there is no rootkit left on it. Thus rebuilding the computer is worth considering. For paranoids, use new hardware ;)

But rebuilding a single workstation and rebuilding a whole domain is not on the same complexity level. Rebuilding a domain can take weeks or months (or years, which will never happen, as the business will close before that).

There are countless documented methods to backdoor a computer, but I have never seen a post where someone collects all the methods to backdoor a domain. In the following, I will refer to domain admin, but in reality, I mean Domain Admins, Enterprise Admins, and Schema Admins.


Ways to backdoor a domain

So here you go, an incomplete list to backdoor a domain:

  • Create a new domain admin user. Easy to do, easy to detect, easy to remediate
  • Dump password hashes. The attacker can either crack those or just pass-the-hash. Since KB2871997, pass-the-hash might be trickier (https://technet.microsoft.com/library/security/2871997), but not impossible. Easy to do, hard to detect, hard to remediate - just think about service user passwords. And during remediation, consider all passwords compromised, even strong ones.
  • Logon scripts - modify the logon scripts and add something malicious in it. Almost anything detailed in this post can be added :D
  • Use an already available account, and add domain admin privileges to that. Reset its password. Mess with current group memberships - e.g. http://www.exploit-db.com/papers/17167/
  • Backdoor any workstation where domain admins log in. While remediating workstations, don't forget to clean the roaming profile. The backdoor can take different forms: malware, local admin, password (hidden admin with RID 500), sticky keys, etc.
  • Backdoor any domain controller server. For advanced attacks, see Skeleton keys 
  • Backdoor files on network shares which are commonly used by domain admins by adding malware to commonly used executables - Backdoor factory
  • Change ownership/permissions on AD partitions - if you have particular details on how to do this specifically, please comment
  • Create a new domain user. Hide admin privileges with SID history. Easy to do, hard to detect, easy to remediate - check Mimikatz experimental for addsid
  • Golden tickets - easy to do, hard to detect, medium remediation
  • Silver tickets - easy to do, hard to detect, medium/hard remediation
  • Backdoor workstations/servers via group policy
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce,
    • scheduled tasks (run task 2 years later),
    • sticky-keys with debug
  • Backdoor patch management tool, see slides here
[Update 2017.01.10]


Other tricks

The following list does not fit in the previous "instant admin" tips, but it can still make the attacker's life easier if their primary foothold has been disabled:

  • Backdoor recent backups - and when the backdoor is needed, destroy the files, so the files will be restored from the backdoored backup
  • Backdoor the Exchange server - get a copy of emails
  • Backdoor workstation/server golden image
  • Change permission of logon scripts to allow modification later
  • Place malicious symlinks to file shares, collect hashes via SMB auth tries on specified IP address, grab password hashes later
  • Backdoor remote admin management e.g. HP iLO - e.g. create new user or steal current password
  • Backdoor files e.g. on shares to use in SMB relay
  • Backdoor source code of in-house-developed software
  • Use any type of sniffed or reused passwords in new attacks, e.g. network admin, firewall admin, VPN admin, AV admin, etc.
  • Change the content of the proxy PAC file (change the browser configuration if necessary), including special exception(s) for chosen domain(s) so that they use a proxy on a malicious IP. Redirect the traffic, enforce authentication, grab password hashes, ???, profit.
  • Create high privileged users in applications running with high privileges, e.g. MSSQL, Tomcat, and own the machine, impersonate users, grab their credentials, etc. The typical pentest path made easy.
  • Remove patches from servers, change patch policy not to install those patches.
  • Steal Windows root/intermediate CA keys
  • Weaken AD security by changing group policy (e.g. re-enabling LM-hashes)
Update [2015-09-27]: I found this great presentation from Jakob Heidelberg. It mentions (at least) the following techniques, which are worth checking:
  • Microsoft Local Administrator Password Solution
  • Enroll virtual smart card certificates for domain admins

Forensics

If you have been chosen to remediate a network where attackers gained domain admin privileges, well, you have a lot of things to look for :)

I can recommend two tools which can help you during your investigation:

Lessons learned

But guess what: not all of these problems are solved by rebuilding the AD. One has to rebuild all the computers from scratch as well, which seems quite impossible. When someone creates a new AD, it is impossible not to migrate some configuration/data/files from the old domain, and whenever this happens, there is a risk that the new AD will be backdoored as well.

Ok, we are doomed, but what can we do? I recommend proper log analysis, analyze trends, and detect strange patterns in your network. Better spend money on these, than on the domain rebuild. And when you find something, do a proper incident response. And good luck!
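As an added example (not part of the original post), here is the kind of log review the paragraph above recommends, applied to a few of the list entries that are marked "easy to detect". It assumes the Security log has already been exported into a flat EventID|Time|SubjectUser|TargetUser|GroupName record format; that format, the account names and the records below are constructed for the example, while the event IDs are the standard Windows Security log IDs. A real export from wevtutil or a SIEM needs its own column mapping.

```shell
#!/bin/sh
# Added example, not from the original post: triage of exported Windows
# Security events for some of the "instant admin" backdoors listed above.
# Record format (constructed for this example): EventID|Time|Subject|Target|Group
# Event IDs are the standard Windows Security log IDs:
#   4720 user account created            4724 password reset attempted
#   4728/4732/4756 member added to a global/local/universal security group
#   4765 SID History added to an account

# Constructed sample export; names and times are made up.
SAMPLE_EVENTS='4720|2020-04-20T09:58:11|ADMIN-WS$|helpdesk2|-
4728|2020-04-20T09:58:40|jsmith|helpdesk2|Domain Admins
4732|2020-04-20T10:02:05|jsmith|svc_backup|Remote Desktop Users
4765|2020-04-20T10:05:17|jsmith|helpdesk2|-
4724|2020-04-20T10:07:30|jsmith|svc_sql|-
4756|2020-04-20T10:09:12|jsmith|contractor1|Enterprise Admins'

# Reads records on stdin and prints one ALERT/INFO line per record that
# matches a watch rule; everything else is silently dropped.
audit_privileged_changes() {
    awk -F'|' '
    BEGIN {
        # the groups the post lumps together as "domain admin"
        watched["Domain Admins"] = 1
        watched["Enterprise Admins"] = 1
        watched["Schema Admins"] = 1
    }
    $1 == 4720 { printf "INFO  %s new account %s created by %s\n", $2, $4, $3 }
    ($1 == 4728 || $1 == 4732 || $1 == 4756) && ($5 in watched) {
        printf "ALERT %s %s added %s to %s\n", $2, $3, $4, $5
    }
    $1 == 4765 { printf "ALERT %s SID History added to %s by %s\n", $2, $4, $3 }
    $1 == 4724 { printf "ALERT %s password of %s reset by %s - confirm it was expected\n", $2, $4, $3 }
    '
}

# Number of ALERT lines for a record set read from stdin.
count_alerts() {
    audit_privileged_changes | grep -c '^ALERT'
}

# Stand-alone run over the constructed records.
printf '%s\n' "$SAMPLE_EVENTS" | audit_privileged_changes
```

The watched-group rule covers the "create a new domain admin user" and "add domain admin privileges to an existing account" entries, 4765 covers the SID history trick, and 4724 is noisy on its own (helpdesk resets are normal), so the script only asks for each reset to be confirmed rather than treating it as a compromise. Golden and silver tickets leave no such obvious record, which is why the list marks them "hard to detect".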

Ps: Thanks to Andrew, EQ, and Tileo for adding new ideas to this post.

Check out the host backdooring post as well! :)

Linux Command Line Hackery Series - Part 5



Welcome back to the Linux Command Line Hackery series, this is Part-V of the series. Today we are going to learn how to monitor and control processes on our Linux box, so wrap your sleeves up and let's get started.

Command:    ps
Syntax:           ps [options]
Description:  ps displays information about the currently running processes. Some of the common flags of ps are described briefly below
Flags: 
  -A or -e -> select all processes
  -a -> select all processes except both session leaders and processes not associated with a terminal.
  T -> select all processes associated with current terminal
  -u <username or id> -> select all processes of a given user or userlist

Open up a terminal and type ps:

ps

What you'll see is a list of processes currently running in your terminal. One important thing to notice in the output is what's called the PID, which stands for process ID. It is the number that uniquely identifies a process. Just keep that PID concept in mind; we'll use it soon.

OK, I know that's not really what you want to see; rather, you want to see all the processes that are currently running on your box. Don't worry, we have flags to the rescue: in order to see all the processes you can use the -e flag like this:

ps -e

Boom! you get a long list of processes currently running on your machine (don't stare at me like that, you asked and I gave you that). If you want to see processes of a particular user you can type the following command in your terminal:

ps -u bob

here "bob" is a username. This command will list all processes of the user with effective user name of bob.

You can do a full-format listing of the processes using the -f flag like this:

ps -fu bob

But the output of the ps command is a snapshot, not really a live preview of what is going on in your box. I know your next question is going to be something like this: isn't there a command in Linux that gives me live, updating information about the processes? Yes, there is a command called top that we'll learn about next.

Command:    top
Syntax:           top [options]
Description:  top gives a dynamic real-time view of a running system. That is, it gives the up-to-date information about all the processes running on your Linux box (sounds fun!). Besides giving information about current processes and threads top also provides a brief system summary.

To start top just type this command:

top

and you'll get a nice and cute looking ugly display :). Well, what the heck is going on here, you might ask, right? What you get is information about what is going on with your computer. To see what more you can do with top, just type <h> within the program window and you'll be given a list of options that you can play with.

OK looking at what processes are going on in your box is cool but what if you want to terminate (or close) a process, is there a command line utility for that? Yes, there is and that's what we are going to look at next.

Command:   kill
Syntax:          kill [options] <pid> [...]
Description:  kill is used to send a signal to a process, which by default is the TERM signal, meaning kill by default sends a termination signal to the process (cruel guy). To list the available signals we can use the -l or -L flag of the kill command.


To simply terminate a process we provide kill command a PID (process ID) and it will send the TERM signal to the process. So to kill a process first we'll list the running processes and then we'll keep the PID of the process in mind that we want to terminate. After that we'll issue the kill command with the PID that we just found.

ps -ax
kill 1153

the above command will send a TERM signal to the process whose PID is 1153, as simple as that.

We can also use our already learned skills to refine the output of the ps command. Say we have an xterm terminal running on our box and we want to terminate it. By using the ps command all alone we'll get a long listing of all processes running on our box. But we can limit the output of the ps command to just those processes that we're interested in by piping the ps command into the grep command like this:

ps -ax | grep xterm

Wow! That's amazing: we're able to pull out only those results from the ps command that contained xterm in them. Isn't that a cool trick? But what is that vertical bar ( | ) doing in the middle, you may be thinking, right? Remember we learned about the input and output redirectors previously; the vertical bar (pipe in geeky terms) is another redirector whose task is to redirect the output of one command as input to another command. Here the pipe redirects the output of the ps -ax command as input to the grep command and, of course, from the previous article you know that grep is used to search for a PATTERN in the given input. That means the above command searches for the word xterm in the output of ps -ax and then displays just those lines of the ps -ax output which contain xterm. Now get that PID and kill that process.
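As an added example that is not part of the original article, the ps-plus-grep idea above wrapped into two small shell functions: one that looks a process up by its exact command name, and one that terminates it the way the kill section describes, with TERM first and KILL only as a last resort. The function names, the zombie check via /proc (Linux-specific) and the throwaway sleep process are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original article: the "ps | grep" idea from the
# text wrapped in small functions, plus the caveat the one-liner hides.

# Print the PIDs of every process whose command name is exactly $1.
# "ps -ax | grep xterm" also matches the grep process itself, because its own
# command line contains the word xterm; matching the comm column with awk
# avoids that, and also avoids accidental hits such as "xterm-helper".
pids_of() {
    ps -eo pid=,comm= | awk -v name="$1" '$2 == name { print $1 }'
}

# True while the process exists and is not a zombie.  A child that has exited
# but not yet been reaped still answers "kill -0", so read the state field of
# /proc/<pid>/stat instead (Linux-specific).  The comm field there may contain
# spaces, so strip everything up to the closing parenthesis first.
is_running() {
    [ -r "/proc/$1/stat" ] || return 1
    state=$(sed 's/^.*) //' "/proc/$1/stat" | cut -d' ' -f1)
    [ "$state" != "Z" ]
}

# Send TERM to one PID, give it a few seconds to exit cleanly, and escalate to
# KILL only if it is still there.  Returns 0 once the process is gone.
stop_process() {
    pid=$1
    is_running "$pid" || return 0          # nothing to do
    kill -TERM "$pid" 2>/dev/null
    i=0
    while is_running "$pid" && [ "$i" -lt 5 ]; do
        sleep 1
        i=$((i + 1))
    done
    if is_running "$pid"; then
        kill -KILL "$pid" 2>/dev/null
        sleep 1
    fi
    ! is_running "$pid"
}

# Stand-alone demonstration on a throwaway process of our own.
sleep 60 &
demo=$!
sleep 1
echo "sleep PIDs: $(pids_of sleep | tr '\n' ' ')"
stop_process "$demo" && echo "stopped $demo"
wait "$demo" 2>/dev/null || true
```

Note the self-match problem: with `ps -ax | grep xterm`, one of the lines you get back is the grep command itself, which is why people either match on the comm column as above or use the `grep "[x]term"` trick. Also, always check the PID before you kill it; a pattern like `sh` matches far more than you intend.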

That's it for today, try these commands up on your own box and remember practice is gonna make you master the Linux command line. :)


Parrot Security OS 4.7 Released With New Linux Kernel, Menu Structure, Tools Improvements And Many Changes


On Sep 18 2019, Parrot Security OS 4.7 was released with the following changes.

Latest Linux 5.2.x series
   The new ISO files of Parrot 4.7 are being released only now, but Parrot was the first Debian derivative distribution to introduce Linux 5.1 and 5.2 to all its users, and now the ParrotSec team is ready to offer it with the ISO files rebuild cycle as well, to support more devices and integrate all the latest Linux features from the beginning.

New sandbox behavior (opt-in rather than opt-out)
   Sandboxing is a great thing, and the ParrotSec team was at the front line when it introduced its custom Firejail and AppArmor solution for the first time many years ago. They still want to improve this feature and have a whole team dedicated to improving the sandboxing and hardening of the Parrot Security OS system, but they had to face the many users with issues caused by the restrictions of the sandbox.

   In Parrot Security OS 4.7 the sandbox is disabled by default, and users can decide whether to start an application sandboxed or not. You can easily start the sandboxed version of an installed program from the /sandbox/ folder or from a dedicated menu that the ParrotSec team plans to improve in the future (meanwhile the search feature of the bottom menu will fit all your needs), or you can re-enable it by default by using the firecfg tool.

New menu structure and tools improvements
   The pentesting menu structure was refactored and redesigned to make tools easier to access in a more logical hierarchical structure. New tools were also added to the project, and the ParrotSec team plans to add even more in the future. Not all of them are going to be pre-installed, but a good set of tools in the repository enables pentesters to build up the perfect pentest system for their specific needs, regardless of the default package selection picked by the ParrotSec team.

Domain changes
   To reflect the neutrality of a distro that started as a pentest-only system and later became more general purpose with Parrot Home, the community voted through a democratic process to switch to parrotlinux.org as the new default domain of the project.

   ParrotSec team will still use ParrotSec.org for other things (included the old email addresses), and they introduced other project domains to handle specific parts of the infrastructure.

Repository changes
   The ParrotSec team is preparing to integrate a future LTS branch, so they decided to rename the current repository from stable to rolling. Nothing changes for the end user, and the current Parrot Security OS branch will continue to behave the same as before, but now with a different name to better reflect the rolling release nature of the system, while waiting for the LTS edition to join the Parrot Security OS family alongside the rolling branch, in a similar way to what openSUSE does.

New MATE 1.22 release: Parrot Security OS 4.7 ships with the latest MATE 1.22 desktop environment.

Miscellaneous: New Firefox Browser 69, the latest Radare2 and cutter versions and many other important upgrades are all aboard as expected in a properly developed rolling release distro.

How to upgrade to the latest Parrot Security OS version
   You can update your existing Parrot Security OS system with this command:
sudo parrot-upgrade

   Or use the raw apt command
sudo apt update
sudo apt full-upgrade


   Don't forget to use this command regularly (at least once a week) to receive the latest security updates and bugfixes from the Parrot Security OS repository.

   Or you can download the latest release from the official download page.


AirPods Pro: Some Home Tests of Safety & Security (I of III)

At the beginning of the year I finally got hold of my AirPods Pro to use with my iPhone and my Apple equipment (you already know I have an old MacBook Pro and an iPad Pro, since I talk about them often). To be honest, they were hard to get, but they are a fantastically comfortable device, with a quality of Noise Cancellation that I love.

Figure 1: AirPods Pro: Some home tests of Safety & Security (I of III)

I am not going to talk much about how much I like them, but about other things: about how much they worry me, both because of losing them and because a child like Mi Hacker uses them. From the first moment it worried me to see that there is apparently no anti-theft protection system, and that if they are taken from you, anyone can use them.


Although what I have just said is apparently true, there are a lot of curious situations that I have been discovering and testing (thanks to the fact that sometimes I steal Mi Hacker's AirPods Pro and her old iPhone), in the purest Big Bang Theory style. OK, if you didn't catch the reference: in one of the episodes, Dr. Leonard Hofstadter, Dr. Sheldon Cooper and Howard Wolowitz (who at least has a "master's") decide to test the security of a retina recognition system, in Season 10, episode 2.

Figure 3: Big Bang Theory S10x02

Although my favourite part is where they try presenting the retinas upside down, I didn't go that far, but I did do double pairings, double sleeving (in the purest Altered Carbon style), replacement of earbuds and batteries, and an attempt to locate a lost earbud. And I am going to tell you what I have been discovering, which is curious.

1.- The case of the lost earbud and the midpoint

This first incident happened to me while doing my bike route through the Casa de Campo in Madrid: in a small jump over a stone while descending at about 40 kilometres per hour, the earbud in my left ear jumped out and fell onto the track, bouncing off the bike onto the ground and out of my sight.

Horror. Given what they cost I was not willing to lose it, so I braked the bike, unclipped from the pedals and stopped Endomondo. Beating a record was less important than finding half of my AirPods Pro. So I started looking for it, and nothing. Between the earbud falling and the braking in the middle of the descent there could easily have been about 20 metres, and the earbud could have bounced and ended up anywhere.

After a while searching without seeing it, I decided to do an experiment: I put the remaining earbud in my ear and hit Play on Spotify. And I started walking uphill. Until the music stopped. Why? Because it had detected the loss of the BLE connection with the other earbud. I went back a few steps and the music came back.

From that point I started walking downhill, counting the steps until the music stopped again. I had gone too far on the other side and had lost the connection with the earbud again. So I retraced half of the steps and focused my search on that area. As I had suspected, the earbud was in that zone.

There I learned three things:
a.- Tip test: Before using the AirPods you have to check the fitting tips properly. For that there is a small utility in the Bluetooth options of the AirPods.
Figure 4: Test that the earbud tip fits you perfectly

I had done it and was wearing the right one, but even so I checked it to understand whether the earbud falling out could have been due to that. I wanted to check whether there had been any change in the tip.

b.- Safety hook: I come from using PowerBeats, and those come with ear hooks. Well, they can also be bought for the AirPods Pro. So I got a pair of them for when I go out with them on the bike.
Figure 5: EarHooks for AirPods. Use them if you take them to do sport
d.- Event detection: The AirPods Pro pause the music on the device when they notice you have taken them out of your ear, but also when one of the two earbuds disconnects. In this case this feature helped me find the fallen earbud.
2.- Double connection of earbuds to two devices in parallel

During these lockdown days I am connected to the computer every day, and I also use my AirPods Pro on the iPhone to make some calls, so I spend the whole day connecting them manually to one or the other as I need. The thing is that they keep a history of the last connection, so they only connect automatically to the device they connected to last time. Otherwise, you have to do it manually.

This raised a question in my head: could I connect one earbud to the computer and the other to the iPhone at the same time and within the same BLE range? In the end, connecting the earbuds is something the device (whether the iPhone or the MacBook Pro) asks to initiate, and if the earbud is already paired, it works perfectly.

For that, first you have to answer the question of whether the earbuds work on their own. And the answer is yes. You just have to keep one earbud in the case-battery-charger and connect the other. You can listen to music and use it as a microphone. That is, if you use them for video conferences like I do and the battery doesn't last, you could use just one while the other is charging and use them alternately.

And now, the question: could I have the two earbuds connected separately, each to a device, each playing different music, and use them at the same time? Or have, for example, the left earbud with audio/mic for the iPhone and the right earbud with the speaker and mic of the MacBook Pro? The answer is yes, but to do the test I had to use one of the tricks I already know after having written the book Hacking iOS: iPhone & iPad (2nd Edition) and having made our beloved DirtyTooth. Playing with the iPhone: "I love it".
For the test I used two iPhones and one earbud for each of them. I played music on one in one room and went far away with the other earbud in the case to connect it to the other iPhone far away. I connected it and came back, but when I brought them together again, the first earbud was playing the music from the second. Why? Because when I took it out of my ear it disconnected from the first iPhone, and when the second earbud detected it, it forced the first one to connect to the first device.

To solve it, I needed another ear. So, with Mi Hacker on one iPhone and me on the other, out of BLE (Bluetooth Low Energy) range from each other, we each connected an AirPods Pro earbud and phoned each other. We moved closer until we were in the same room. Without taking them out of our ears, we played music and she passed her earbud to me. I hung up the call and the result was having each earbud connected to a device, listening to different music.

Of course, it doesn't seem like a great skill, but maybe one day you'll want to leave one earbud to a child and keep the other for yourself, or give them to two children so that each can listen to their own music. At that moment, this trick may be useful to you. With this test I learned:
e.- LIFO connection: That is, your AirPods Pro connect to the last paired device that used them, and one connects to the other when it appears within range.
f.- They can be used individually: If you lose an earbud, you can always use at least the remaining one as mic and audio for calls or video conferences. I don't think it is useful for music.
f.- Double connection: If you want (or need) to, you can make a double connection in parallel between devices.
In the next parts I'll tell you about more experiments, since reviewing the security of the device, and the personal safety of its owner, with different tests has given me a lot to play with. They have been very useful to me and above all they serve to finish with the Safety & Security recommendations I'll leave you in the last part.

Saludos Malignos!

*****************************************************************************************************
- AirPods Pro: Some home tests of Safety & Security (I of III)
- AirPods Pro: Some home tests of Safety & Security (II of III)
- AirPods Pro: Some home tests of Safety & Security (III of III)
*****************************************************************************************************

Author: Chema Alonso (Contact Chema Alonso)




TYPES OF HACKER

7 Types of hacker 

1-Script Kiddies-They just download overused software and watch YouTube videos on how to use it. Script kiddies don't care about hacking.

2-White Hat-They are the good guys of the hacker world. They are also known as Ethical Hackers.

3-Black Hat-They find banks or other companies with weak security and steal money or credit card information. They are also known as crackers. They are dangerous because they gain unauthorized access illegally.

4-Gray Hat-They don't steal money or information; sometimes they deface a website, but they don't help people for good either.

5-Green Hat-These are the hacker "noobz", but unlike Script Kiddies, they care about hacking and strive to become full-blown hackers.

6-Red Hat-These are the vigilantes of the hacker world. They are like White Hats in that they halt Black Hats, but these folks are downright SCARY to those who have ever tried so much as a pentest.

7-Blue Hat-If a Script Kiddy took revenge, he/she might become a Blue Hat. Most Blue Hats are noobz. They have no desire to learn.

Kali Linux VM Installation And Setup

Preface

From time to time I realize that certain tasks that are trivial for me are not necessarily easy for others, especially if they are just getting started with IT security stuff.

As I am going to be a Facilitator at SANS Munich 2015 on SEC 401, plus we have a few people at work who are just dipping their toe into the wonderful world of Kali Linux, it seemed like a good opportunity to make a short getting started / installation guide on the Kali VMWare VMs that you can download and quickly get started.

On top of that, when I check the statistics of the blog, I always see that the most popular posts are the detailed howtos and tutorials and I assume that it is because there is a need for this kind of posts too, so here it goes! :)


Step -1: Check in your BIOS/UEFI if virtualization is enabled

We are going to use virtualization, so it would be nice to enable it, right?

In BIOS/UEFI menus this is somewhere around "Security" and/or "Virtualization" and it is something like "Intel (R) Virtualization Technology" and "Intel (R) VT-d Feature" that needs to be set to "Enabled".


Step 0: Install VMWare Player or VMWare Workstation

The Kali Linux VMs are VMWare-based, so you need to install VMWare Player (free), VMWare Workstation (paid) or VMWare Fusion (paid, for OS-X).

The more desirable choice is to use VMWare Workstation or VMWare Fusion, as they have a Snapshot feature, while with VMWare Player, you are forced to take a full copy in order to have a sort of rollback feature.


Step 1: Download Kali VM

We need to download the Kali VMs from the "Custom Kali Images" download site, where you can find a 64 bit (amd64) and a 32 bit PAE (i686) too.

There are also Torrent files for the images and, based on experience, using Torrent is much faster and more reliable than the HTTP download, so if you can, use that!

Once you have downloaded the VMs, do not forget to check their SHA1 hash!!! On Linux, you can simply use the sha1sum command at a terminal. For Windows, you can use something like the MD5 & SHA Checksum Utility.
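As an added example that is not part of the original guide, a small shell helper for the checksum step above. It accepts the expected value either as a bare hex digest or as the path to a checksum file in the usual "digest  filename" form, and falls back from sha1sum to shasum on systems without coreutils. The function names and the constructed test file are this example's own; the only fixed value is the well-known SHA1 test vector for the string "abc".

```shell
#!/bin/sh
# Added example, not from the original guide: verify a downloaded image
# against its published SHA1 before the first boot.

# Compute the SHA1 of a file, using sha1sum (coreutils) or shasum as fallback.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{ print $1 }'
    else
        shasum -a 1 "$1" | awk '{ print $1 }'
    fi
}

# verify_sha1 FILE EXPECTED -> 0 if the digest matches, 1 otherwise.
# EXPECTED is either the hex digest itself or the path of a checksum file
# ("digest  filename" per line, "*filename" for binary-mode entries).
verify_sha1() {
    file=$1
    expected=$2
    if [ -f "$expected" ]; then
        # pick the digest that belongs to our file name out of the checksum file
        expected=$(awk -v name="$(basename "$file")" \
            '$2 == name || $2 == ("*" name) { print $1 }' "$expected")
    fi
    actual=$(sha1_of "$file")
    # published digests vary in letter case, so compare in lower case
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    if [ -n "$expected" ] && [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file (expected ${expected:-<none>}, got $actual)" >&2
    return 1
}

# Stand-alone demonstration with a constructed file.  SHA1("abc") is the
# standard test vector a9993e364706816aba3e25717850c26c9cd0d89d.
tmp=$(mktemp)
printf 'abc' > "$tmp"
verify_sha1 "$tmp" a9993e364706816aba3e25717850c26c9cd0d89d
verify_sha1 "$tmp" 0000000000000000000000000000000000000000 || echo "mismatch detected, as expected"
rm -f "$tmp"
```

Use it as `verify_sha1 kali-image.7z SHA1SUMS` right after the download finishes, and stop there if it prints FAIL; a mismatch means either a corrupted transfer or an image that is not the one the project published, and neither should be booted.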


Step 2: Change Kali VM default root password

The Kali VM comes with a preset root password, which is "toor" (without the quotes), therefore, it has to be changed.

Here is how you do it:
root@kali:~# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully


Step 3: Change Kali VM default SSH keys

The Kali VM also comes with SSH preinstalled, so we need to change the SSH keys to avoid SSH MiTM attacks.
Here is how you do it:
root@kali:~# cd /etc/ssh/
root@kali:/etc/ssh# mkdir default_kali_keys
root@kali:/etc/ssh# mv ssh_host_* default_kali_keys/
root@kali:/etc/ssh# dpkg-reconfigure openssh-server
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Creating SSH2 ECDSA key; this may take some time ...
insserv: warning: current start runlevel(s) (empty) of script `ssh' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (2 3 4 5) of script `ssh' overrides LSB defaults (empty).

Now we can check if the keys are really changed:

root@kali:/etc/ssh# md5sum /etc/ssh/*key*
md5sum: /etc/ssh/default_kali_keys: Is a directory
6abe210732068fa7ca95854c3078dba5 /etc/ssh/ssh_host_dsa_key
1b5f3c1a1b5c48cc3cce31b116e8b6f8 /etc/ssh/ssh_host_dsa_key.pub
8f0f60855e5ab8cac8103d64faab090f /etc/ssh/ssh_host_ecdsa_key
aace49ae9236815c9a1672f8ecb2b1e2 /etc/ssh/ssh_host_ecdsa_key.pub
cf861a9f743fb4584ab246024465ddf1 /etc/ssh/ssh_host_rsa_key
d5d65d8ad023a6cb1418ae05007bc6d3 /etc/ssh/ssh_host_rsa_key.pub
root@kali:/etc/ssh# md5sum /etc/ssh/default_kali_keys/*key*
c8d5b82320a4ddde59d0e2b6d9aad42a /etc/ssh/default_kali_keys/ssh_host_dsa_key
6b12ddecd463677cde8097e23d0f219a /etc/ssh/default_kali_keys/ssh_host_dsa_key.pub
fecf056571a3dfbf3635fc2c50bf23c5 /etc/ssh/default_kali_keys/ssh_host_ecdsa_key
e44b7c50635de42e89b3297414f5047d /etc/ssh/default_kali_keys/ssh_host_ecdsa_key.pub
e9e0267484e020878e00a9360b77d845 /etc/ssh/default_kali_keys/ssh_host_rsa_key
ceee93d7bbc9f9b9706e18f23d4e81f1 /etc/ssh/default_kali_keys/ssh_host_rsa_key.pub

Step 4: Update Kali VM

Next you need to update your Kali VM so that everything is patched.

Here is how you do it:

root@kali:~# apt-get update
Get 1 http://http.kali.org kali Release.gpg [836 B]
Get:2 http://security.kali.org kali/updates Release.gpg [836 B]
********************************* SNIP *********************************
Fetched 16.7 MB in 14s (1,190 kB/s)
Reading package lists... Done
root@kali:~# apt-get upgrade
eading package lists... Done
Building dependency tree
Reading state information... Done
The following packages have been kept back:
********************************* SNIP *********************************
The following packages will be upgraded:
********************************* SNIP *********************************
241 upgraded, 0 newly installed, 0 to remove and 16 not upgraded.
Need to get 740 MB of archives.
After this operation, 130 MB disk space will be freed.
Do you want to continue [Y/n]? Y
Get:1 http://security.kali.org/kali-security/ kali/updates/main libc6-i386 amd64 2.13-38+deb7u7 [4,044 kB]
Get:2 http://http.kali.org/kali/ kali/main base-files amd64 1:1.1.0 [77.5 kB]
********************************* SNIP *********************************
root@kali:~#


Step 5: Create a Snapshot/Copy the VM

Once you are done with all the above, you can make a Snapshot in case of VMWare Workstation or copy the files of the VM in case of VMWare Player, so that you can roll back to this clean state in case you misconfigure something.

Hope this was helpful. Happy hacking!

