Kali Linux and Metasploit

Date: 2021-11-17

Difficulty: Beginner to Advanced

Delivered By: Bilaal Rashid

Overview

Kali Linux is a distribution of Linux configured for penetration testing, or pentesting. Kali has a wide variety of tools preinstalled for pentesting. This session's challenges will go through a selection of the tools available in Kali Linux and we will take a big look at one of its built in frameworks, Metasploit. The Metasploit Framework is a collection of tools for finding, configuring and executing exploits and payloads on a target and is hugely useful for attacking the services running on a target's machine.

Prerequisites

This sessions assumes that you are familiar with a Unix shell. If you are not but wish to take part, we highly recommend that you read the first three chapters of this crash course.

This session also requires the use of many tools that are built into Kali Linux. The easiest way to attempt it is to setup a Kali VM (described here). Alternatively, if you have a UNIX based environment, such as Linux, macOS, or Windows Subsystem for Linux, you may be able to download the required tools individually. Some of the tools required are metasploit, nmap, gpg, ssh, curl, mysql and hydra. A list of all tools pre-installed with Kali can be found on their website.

Challenges

This session will comprise of a virtual machine challenge, that has a particular focus on the Metasploit Framework, and a vulnerable network challenge, that will allow you to explore a wider range of tools available in Kali.

You can download the virtual machine image here. The credentials for the VM are user: sucss and password: sucss. You may only log in to run ifconfig to get the IP address of the machine to attack it. You may only use the Metasploit Framework and other tools built into Kali to attack it. Attacking this machine by modifying the start-up script using GRUB is not allowed.

Our network challenge can be accessed by SSHing into [email protected]. Anything on the network 172.19.0.0/24 is fair game to attack EXCEPT for items named sucss-kali - you must NOT attack these.

Useful Resources

Some useful resources for this week include:

• Metasploit Exploit Ranking

• InfosecMatter Metasploit Module Library

• Msfconsole Commands

• SQL Injection Tutorial

• Username List

• Password List

• Base64 Decoder

• Base32 Decoder

• CyberChef