Search icon CANCEL
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Kali Linux Intrusion and Exploitation Cookbook
Kali Linux Intrusion and Exploitation Cookbook

Kali Linux Intrusion and Exploitation Cookbook: Powerful recipes to detect vulnerabilities and perform security assessments

Arrow left icon
Profile Icon Ishan Girdhar Profile Icon Dhruv Shah
Arrow right icon
$19.99 per month
Full star icon Full star icon Full star icon Full star icon Half star icon 4.3 (6 Ratings)
Paperback Apr 2017 512 pages 1st Edition
eBook
$27.98 $39.99
Paperback
$48.99
Subscription
Free Trial
Renews at $19.99p/m
Arrow left icon
Profile Icon Ishan Girdhar Profile Icon Dhruv Shah
Arrow right icon
$19.99 per month
Full star icon Full star icon Full star icon Full star icon Half star icon 4.3 (6 Ratings)
Paperback Apr 2017 512 pages 1st Edition
eBook
$27.98 $39.99
Paperback
$48.99
Subscription
Free Trial
Renews at $19.99p/m
eBook
$27.98 $39.99
Paperback
$48.99
Subscription
Free Trial
Renews at $19.99p/m

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing
Table of content icon View table of contents Preview book icon Preview Book

Kali Linux Intrusion and Exploitation Cookbook

Chapter 2. Network Information Gathering

In this chapter, we will cover the following recipes:

  • Discovering live servers over the network
  • Bypassing IDS/IPS/firewall
  • Discovering ports over the network
  • Using unicornscan for faster port scanning
  • Service fingerprinting
  • Determining the OS using nmap and xprobe2
  • Service enumeration
  • Open-source information gathering

Introduction


In this chapter, we will look at how to detect live servers and network devices over the network, and perform service fingerprinting and enumeration for information gathering. Gathering information is of the utmost importance for a successful vulnerability assessment and penetration test. Moving forward, we will run scanners to find vulnerabilities in the detected services. Along with that, we will write bash scripts so that we can speed up the process of discovery-enumerate-scan.

Discovering live servers over the network


In this recipe, we learn how to perform the  of live network devices/machines over the network, using two methods: Passive information gathering and active information gathering.

We will examine the network traffic of our as a part of our passive information gathering, followed by information gathering, in which we will send packets over the network to detect active machines and services running on them.

Getting ready

In order to begin with this recipe, will be using a simple ARP sniffing/scanning tool called netdiscover. It is a net-discovery tool which can be used for active/passive ARP reconnaissance.

How to do it...

Let's start with passive reconnaissance:

  1. To start netdiscover, ensure that you are connected via Wi-Fi with a valid IP address. Open the terminal and enter the following command for passive reconnaissance:
netdiscover - p

The output will be as shown in the following screenshot:

  1. To perform an active scan over the network to discover...

Bypassing IDS/IPS/firewall


In this recipe, we will at a few the switches by nmap that can be used to bypass IDS/IPS/firewalls. Many a time, when we are performing a scan, we come across a firewall. In case the firewall is not configured correctly, we will be able to execute the following firewall-evasion commands of nmap.

Getting ready

We will nmap for this activity. Let's with the we have detected to run a few evasion switches.

How to do it...

For this recipe, we will perform the following steps:

  1. We will use the fragment packet switch to perform the discovery:

Fragment packet switch splits up the TCP header over several packets to make it harder for packet filters, intrusion detection systems, and other annoyances to detect an ongoing active scan. There could be occurrences where this could fail as some programs might not be able to handle tiny packets. For a more detailed understanding visit https://nmap.org/book/man-bypass-firewalls-ids.html.

We will enter the following command:

nmap...

Discovering ports over the network


In this recipe, we will use the list of active IPs we and saved in the file to perform information gathering, the purpose will be to scan them for open ports on those IPs. We will be using nmap and its features to discover open ports.

Getting ready

We will use the nmap tool to detect open ports on the IP. Let's start with the process of detecting the open ports over a specific IP.

How to do it...

For this recipe, you will to perform the steps:

  1. We will run nmap by typing the following command in terminal:
nmap <ip address>

The output will be as shown in the following screenshot:

  1. We can even check what the tool is doing by using the verbose switch, by entering the following command in Terminal:
nmap -v <IP address>

The will be as shown in the screenshot:

  1. By default, it scans only 1,000 well-known sets of ports. If we are interested in setting the scan preference to the top 100 ports, we can run the following command in terminal:
nmap --top...

Using unicornscan for faster port scanning


Unicornscan is another that works very fast, the core reason being the methodology the tool implements. It works with the technique of asynchronous stateless TCP scanning, wherein it makes all possible variations with the TCP flags and the UDP as well. In this recipe, we are going to look at how to make use of unicornscan and its advanced capabilities.

Getting ready

In order to get with unicornscan, we will take an IP from our range of IPs and dig deeper into the tool's capabilities.

How to do it...

Let's work through the following steps:

  1. Open terminal and type the following command for a simple unicornscan:
unicornscan <IP address>

The output will be as shown in the following screenshot:

  1. If you would like to see the details of what it is doing while we execute the command, we can make use of the verbose script by using the following command:
unicornscan -v <IP address>

The will be as shown in the following screenshot:

We can see that...

Service fingerprinting


In this recipe, we will look at how to analyze the open port to determine what kind of service(s) are running on the open port(s). This will help us understand if the target IP is running any vulnerable software. That is why fingerprinting is a necessary and a very important step.

Getting ready

We will use nmap to fingerprint the services of the target IP. Nmap is a multi-functional tool that performs jobs ranging from host discovery to vulnerability assessment; service fingerprinting is also a part of it.

How to do it...

The steps are as follows:

  1. Using nmap, run the following command in terminal to achieve the service enumeration result:
nmap -sV <IP address>

The will be as shown in the following screenshot:

  1. We can even enumerate the UDP services running on the target IP, by using the UDP scan switch along with the service-detection switch:
Nmap -sU -sV <IP address>

The output will be as shown in the following screenshot:

  1. We can speed up the scan using...

Determining the OS using nmap and xprobe2


In this recipe, we will be using tools to what kind of system the target IP is running on. Mapping a target IP with a operating system is necessary to help shortlist and verify vulnerabilities.

Getting ready

In this recipe, we will use the tool to determine the operating system. All we require is an IP address against which we will run the OS enumeration scan. Others tools that can be used are hping and xprobe2.

How to do it...

Let begin by the system:

  1. Open and type the following:
nmap -O <IP address>

The output will be as shown in the following screenshot:

We can use advanced operators to help us find out the operating system in a more aggressive manner. Type the following command in terminal:

nmap O --osscan-guess <IP address>

The will as in the screenshot:

This shows that using additional parameters of the operating system detection in nmap, we can get a probable idea of the best fit.

  1. Xprobe2 uses a different to nmap...

Service enumeration


Once the services have been fingerprinted, we can enumeration. There can be many different sources used to achieve the goal of this recipe. In this recipe, we will look at how to service-discovery scans using various tools, for the following:

  • SMB scan
  • SNMP scan
  • Using the NSE (nmap scripting engine) engine

Nbtscan is a in Kali that enumerates for the NetBIOS name of the target IP. It can be used as the early part of SMB enumeration. It basically requests a status query of the NetBIOS name in a human-readable format.

Getting ready

In this recipe, we will be using tools to enumerate all the mentioned above.

How to do it...

For this recipe, the steps are as follows:

  1. To enumerate the NetBIOS name, we will run the following command in terminal:
nbtscan <IP address>

The output will be as shown in the following screenshot:

  1. You can run the NetBIOS enumeration over a class range as well, using the following command in terminal:
nbtscan -r <IP address>/<class range...

Open-source information gathering


In this recipe, we will look at how to make of tools meant for online information gathering. We will cover tools that serve the purpose of gathering information with respect to Whois, domain tools, and MX mail servers. Shodan is a powerful search engine that locates drives for us over the Internet. With the help of various filters, we can find information about our targets. Among hackers, it is also called the world's most dangerous search engine.

Getting ready

We will make use of tools such as DNsenum for the purpose of Whois enumeration, find out all the IP addresses involved in a domain, and also how Shodan provides us with open-port information of the target searched.

How to do it...

The steps are as follows:

  1. For DNS scan, we will a tool called DNsenum. Let us start by typing the following in terminal:
dnsenum <domainname>

The output will be as shown in the following screenshot:

  1. We can also use the available to search for more subdomains via...
Left arrow icon Right arrow icon

Key benefits

  • Set up a penetration testing lab to conduct a preliminary assessment of attack surfaces and run exploits
  • Improve your testing efficiency with the use of automated vulnerability scanners
  • Work through step-by-step recipes to detect a wide array of vulnerabilities, exploit them to analyze their consequences, and identify security anomalies

Description

With the increasing threats of breaches and attacks on critical infrastructure, system administrators and architects can use Kali Linux 2.0 to ensure their infrastructure is secure by finding out known vulnerabilities and safeguarding their infrastructure against unknown vulnerabilities. This practical cookbook-style guide contains chapters carefully structured in three phases – information gathering, vulnerability assessment, and penetration testing for the web, and wired and wireless networks. It's an ideal reference guide if you’re looking for a solution to a specific problem or learning how to use a tool. We provide hands-on examples of powerful tools/scripts designed for exploitation. In the final section, we cover various tools you can use during testing, and we help you create in-depth reports to impress management. We provide system engineers with steps to reproduce issues and fix them.

Who is this book for?

This book is intended for those who want to know more about information security. In particular, it's ideal for system administrators and system architects who want to ensure that the infrastructure and systems they are creating and managing are secure. This book helps both beginners and intermediates by allowing them to use it as a reference book and to gain in-depth knowledge.

What you will learn

  • Understand the importance of security assessments over merely setting up and managing systems/processes
  • Familiarize yourself with tools such as OPENVAS to locate system and network vulnerabilities
  • Discover multiple solutions to escalate privileges on a compromised machine
  • Identify security anomalies in order to make your infrastructure secure and further strengthen it
  • Acquire the skills to prevent infrastructure and application vulnerabilities
  • Exploit vulnerabilities that require a complex setup with the help of Metasploit

Product Details

Country selected
Publication date, Length, Edition, Language, ISBN-13
Publication date : Apr 21, 2017
Length: 512 pages
Edition : 1st
Language : English
ISBN-13 : 9781783982165
Vendor :
Offensive Security
Category :
Tools :

What do you get with a Packt Subscription?

Free for first 7 days. $19.99 p/m after that. Cancel any time!
Product feature icon Unlimited ad-free access to the largest independent learning library in tech. Access this title and thousands more!
Product feature icon 50+ new titles added per month, including many first-to-market concepts and exclusive early access to books as they are being written.
Product feature icon Innovative learning tools, including AI book assistants, code context explainers, and text-to-speech.
Product feature icon Thousands of reference materials covering every tech concept you need to stay up to date.
Subscribe now
View plans & pricing

Product Details

Publication date : Apr 21, 2017
Length: 512 pages
Edition : 1st
Language : English
ISBN-13 : 9781783982165
Vendor :
Offensive Security
Category :
Tools :

Packt Subscriptions

See our plans and pricing
Modal Close icon
$19.99 billed monthly
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Simple pricing, no contract
$199.99 billed annually
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts
$279.99 billed in 18 months
Feature tick icon Unlimited access to Packt's library of 7,000+ practical books and videos
Feature tick icon Constantly refreshed with 50+ new titles a month
Feature tick icon Exclusive Early access to books as they're written
Feature tick icon Solve problems while you work with advanced search and reference features
Feature tick icon Offline reading on the mobile app
Feature tick icon Choose a DRM-free eBook or Video every month to keep
Feature tick icon PLUS own as many other DRM-free eBooks or Videos as you like for just $5 each
Feature tick icon Exclusive print discounts

Frequently bought together


Stars icon
Total $ 158.97
Kali Linux Intrusion and Exploitation Cookbook
$48.99
Kali Linux Network Scanning Cookbook
$54.99
Mastering Kali Linux for Advanced Penetration Testing, Second Edition
$54.99
Total $ 158.97 Stars icon

Table of Contents

10 Chapters
Getting Started - Setting Up an Environment Chevron down icon Chevron up icon
Network Information Gathering Chevron down icon Chevron up icon
Network Vulnerability Assessment Chevron down icon Chevron up icon
Network Exploitation Chevron down icon Chevron up icon
Web Application Information Gathering Chevron down icon Chevron up icon
Web Application Vulnerability Assessment Chevron down icon Chevron up icon
Web Application Exploitation Chevron down icon Chevron up icon
System and Password Exploitation Chevron down icon Chevron up icon
Privilege Escalation and Exploitation Chevron down icon Chevron up icon
Wireless Exploitation Chevron down icon Chevron up icon

Customer reviews

Top Reviews
Rating distribution
Full star icon Full star icon Full star icon Full star icon Half star icon 4.3
(6 Ratings)
5 star 66.7%
4 star 16.7%
3 star 0%
2 star 16.7%
1 star 0%
Filter icon Filter
Top Reviews

Filter reviews by




Amazon Customer May 04, 2018
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Well written Excellent!
Amazon Verified review Amazon
Charles W. Hayes Jun 01, 2017
Full star icon Full star icon Full star icon Full star icon Full star icon 5
A very useful tour of Kali's tools with lab based learning.The author took the time to upload everything you'll need to set up an internal lab, using tools such as Docker, etc to create an attack and vulnerable labs. Learning via reading is only 1/3 of the battle. Everything else, is real world experience, using those tools. You can read about climbing Everest, without stepping foot on any mountain. You can read about using Kali, without ever using it. Neither will give you real world experience until you start doing it.
Amazon Verified review Amazon
Andy Jan 22, 2018
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Brilliant
Amazon Verified review Amazon
Anthony Jan 02, 2019
Full star icon Full star icon Full star icon Full star icon Full star icon 5
Extremely informative
Amazon Verified review Amazon
Alex M. Aug 23, 2017
Full star icon Full star icon Full star icon Full star icon Empty star icon 4
I enjoyed the book. It is accurate and provides for interesting reading. It is detailed and self explanatory. The title explains itself "cookbook" - you will learn from the content and expand your knowledge. Money well spend.
Amazon Verified review Amazon
Get free access to Packt library with over 7500+ books and video courses for 7 days!
Start Free Trial

FAQs

What is included in a Packt subscription? Chevron down icon Chevron up icon

A subscription provides you with full access to view all Packt and licnesed content online, this includes exclusive access to Early Access titles. Depending on the tier chosen you can also earn credits and discounts to use for owning content

How can I cancel my subscription? Chevron down icon Chevron up icon

To cancel your subscription with us simply go to the account page - found in the top right of the page or at https://subscription.packtpub.com/my-account/subscription - From here you will see the ‘cancel subscription’ button in the grey box with your subscription information in.

What are credits? Chevron down icon Chevron up icon

Credits can be earned from reading 40 section of any title within the payment cycle - a month starting from the day of subscription payment. You also earn a Credit every month if you subscribe to our annual or 18 month plans. Credits can be used to buy books DRM free, the same way that you would pay for a book. Your credits can be found in the subscription homepage - subscription.packtpub.com - clicking on ‘the my’ library dropdown and selecting ‘credits’.

What happens if an Early Access Course is cancelled? Chevron down icon Chevron up icon

Projects are rarely cancelled, but sometimes it's unavoidable. If an Early Access course is cancelled or excessively delayed, you can exchange your purchase for another course. For further details, please contact us here.

Where can I send feedback about an Early Access title? Chevron down icon Chevron up icon

If you have any feedback about the product you're reading, or Early Access in general, then please fill out a contact form here and we'll make sure the feedback gets to the right team. 

Can I download the code files for Early Access titles? Chevron down icon Chevron up icon

We try to ensure that all books in Early Access have code available to use, download, and fork on GitHub. This helps us be more agile in the development of the book, and helps keep the often changing code base of new versions and new technologies as up to date as possible. Unfortunately, however, there will be rare cases when it is not possible for us to have downloadable code samples available until publication.

When we publish the book, the code files will also be available to download from the Packt website.

How accurate is the publication date? Chevron down icon Chevron up icon

The publication date is as accurate as we can be at any point in the project. Unfortunately, delays can happen. Often those delays are out of our control, such as changes to the technology code base or delays in the tech release. We do our best to give you an accurate estimate of the publication date at any given time, and as more chapters are delivered, the more accurate the delivery date will become.

How will I know when new chapters are ready? Chevron down icon Chevron up icon

We'll let you know every time there has been an update to a course that you've bought in Early Access. You'll get an email to let you know there has been a new chapter, or a change to a previous chapter. The new chapters are automatically added to your account, so you can also check back there any time you're ready and download or read them online.

I am a Packt subscriber, do I get Early Access? Chevron down icon Chevron up icon

Yes, all Early Access content is fully available through your subscription. You will need to have a paid for or active trial subscription in order to access all titles.

How is Early Access delivered? Chevron down icon Chevron up icon

Early Access is currently only available as a PDF or through our online reader. As we make changes or add new chapters, the files in your Packt account will be updated so you can download them again or view them online immediately.

How do I buy Early Access content? Chevron down icon Chevron up icon

Early Access is a way of us getting our content to you quicker, but the method of buying the Early Access course is still the same. Just find the course you want to buy, go through the check-out steps, and you’ll get a confirmation email from us with information and a link to the relevant Early Access courses.

What is Early Access? Chevron down icon Chevron up icon

Keeping up to date with the latest technology is difficult; new versions, new frameworks, new techniques. This feature gives you a head-start to our content, as it's being created. With Early Access you'll receive each chapter as it's written, and get regular updates throughout the product's development, as well as the final course as soon as it's ready.We created Early Access as a means of giving you the information you need, as soon as it's available. As we go through the process of developing a course, 99% of it can be ready but we can't publish until that last 1% falls in to place. Early Access helps to unlock the potential of our content early, to help you start your learning when you need it most. You not only get access to every chapter as it's delivered, edited, and updated, but you'll also get the finalized, DRM-free product to download in any format you want when it's published. As a member of Packt, you'll also be eligible for our exclusive offers, including a free course every day, and discounts on new and popular titles.