Posted on

Beginners guide to dirb tool

Hello, aspiring ethical hackers. In one of our previous blogposts, you learnt in detail about website footprinting. In this blogpost, you will learn in detail about dirb tool, a tool often used in website footprinting. DIRB is an open-source web content or directory scanner. It is used to scan for web objects.

DIRB achieves this by using a pre-configured wordlist to perform a dictionary attack on the web server specified as target. The default usage of DIRB is given below.

Dirb 1

Here is its output.

Netdiscover 2
Dirb 3

Ignore the warnings (-w)

By default, while scanning, it avoids going into any directories that are listable. This makes common sense too. It displays the message saying “directories are testable”. If you want it to scan inside such directories, you can use this option (-w).

Dirb 4

Use case-insensitive search (-i)

Usually, DIRB scans uses case-sensitive searches. Setting this option allows to perform case-insensitive searches.

Dirb 5

Saving the output (-o)

You can save the output of this tool to a file using the “-o” option.

Dirb 6
Dirb 7

Scan using a proxy (-p)

For all its awesome features, it produces a lot of noise which can raise suspicions on the target side. To beat this a bit, DIRB provides a option to use a proxy to perform directory busting.

Dirb 8

Don’t perform recursive searches (-r)

Setting this option will stop dirb from performing recursive scan of the directories.

Dirb 9

Interactive recursion (-R)

Similarly, this option is used to set Interactive Recursion while scanning.

Dirb 10

Show pages that don’t exist (-v)

By default, DIRB scans the web server and shows only pages or directories that are found on it. Setting this option will make it show non-existent objects also.

Dirb 11
Dirb 12

Search for files with a specific extension (-X)

You can use this option if you want to search for files with a particular extension. For example, to search for text files (.txt) extension, we can use dirb as shown below.

Dirb 13

You can also search for multiple file extensions using dirb. Just add all the file extensions you want to search for in a text file and use the (-x) option as shown below. For example, to search for all file extensions specified in a file named “ext_text”.

Dirb 14
Posted on

Beginners guide to netdiscover

Hello, aspiring ethical hackers. In one of our previous blogposts, you learnt about network scanning. In this blogpost, you will learn about netdiscover tool. It is an active/passive network address discovering tool that was actually developed to discover wireless networks during wardriving but can also detect addresses on switched networks. It used ARP packets to detect network addresses.

It is mostly used to find the target IP address in hack the box challenges. But it can also be used to scan for network addresses of a network in real-world pen testing. It is installed by default in Kali Linux and we are going to use same for this tutorial.

Netdiscover 1

The simplest way of using netdiscover to find out network addresses is to simply type the command “netdiscover” in the terminal as shown below.

Netdiscover 2

Then it slowly scans for network addresses as shown below. This is how most people use it.

Netdiscover 3

Fast mode

However, you don’t have to wait for netdiscover to finish scanning as long as it takes. You can scan faster with netdiscover too using the “-f” option.

Netdiscover 4
Netdiscover 5

Interface mode

Netdiscover can be set to scan network addresses on a specific network interface you want. For example, on Kali Linux, let’s use the command “ip a” to view all the network interfaces connected to it.

Netdiscover 6

Interface mode can be set with the “-i” option. For example, let’s scan the interface “eth0” as shown below.

Netdiscover 7
Netdiscover 8

Scan a specific range

Similarly, netdiscover can be used to scan a specific range as shown below. For example, let’s scan the range 192.168.248.0/24.

Netdiscover 9
Netdiscover 10
Netdiscover 11

Printable form (-p)

Netdiscover can also display its output in a way easy for printing using the “-p” option.

Netdiscover 12

Posted on

Beginners guide to Zenmap

Hello, aspiring ethical hackers. In one of our previous blogposts, you learnt in detail about Nmap, the popular port scanner. If you are like me, you thought all those commands, types of scans and options are very difficult to grasp. Well, maybe even the makers of Nmap also thought the same. Hence, they release a GUI version of Nmap called Zenmap.

Zenmap is the official GUI version of Nmap security scanner. It works on almost all platforms (Linux, Windows, mac OSX, BSD etc.). Just like Nmap it is also open-source. In this blogpost you will learn in detail about Zenmap. It can be downloaded from here. Kali Linux has Zenmap in its repository as part of kaboxer. For this tutorial, we will be using this only.

In Kali Linux, open a terminal in kali and type the command “Zenmap-kbx”. If Zenmap is not already installed, the system will prompt you if you want to install it.

Zenmap 1
Zenmap 2

Type “y” to install it, Otherwise, it will open Zenmap GUI as shown below.

Zenmap 3

The interface of Zenmap can be divided in to five sections.

  1. Target section
  2. Profile section
  3. Output section
  4. Host / services section
  5. Command section

    The target section is where we specify a target. The target can be specified in all the variety of ways Nmap allows. The profile section allows you to choose a type of scan. There are various scan options available.
Zenmap 4

Let’s select Quick scan for now. The command section shows the command for each scan type you select. Yes, you can type the command also directly and run Zenmap here. But if you want to do it, you would have been content with Nmap only. For now, let’s click on ‘scan’. Very soon, the results will be out and can be seen in output section as shown below.

Zenmap 5
Zenmap 6 1

The output section has many other tabs that provide additional information about the target scanned. The ports/hosts tabs show the open ports, type of protocol it uses and the service running on it separately and clearly.

Zenmap 7

The “Topology” sub-section shows that our attacker machine and target machine in visual form.

Zenmap 8

You can even zoom on the visual representation for a better view.

Zenmap 9

The “Host details” tab shows details about the target host separately.

Zenmap 10

The “scans” section shows all the scans you have performed.

Zenmap 11

Let’s select a “Regular scan” now.

Zenmap 15
Zenmap 16

The “Hosts/services” section provides information about the target host and services running on it.

Zenmap 12
Zenmap 13

That was all about Zenmap. See how simple it is to use Zenmap for port scanning.

Posted on

Nikto vulnerability scanner: Complete guide

Hello, aspiring ethical Hackers. This blogpost is a complete guide to Nikto vulnerability scanner. Nikto is a free command line web vulnerability scanner that scans web servers and detects over 6700 potentially dangerous files/CGIs, outdated server software, other vulnerabilities and misconfigurations. Nikto can also detect the installed software on the target web server. We will be running Nikto on Kali Linux as it is installed by default in Kali Linux. So let’s start.

Let’s start with a version check (-Version)

The “version” option of Nikto checks for the version of the software, plugins and database versions.

Nikto Vulnerability Scanner 37

Checking Database (-dbcheck)

It’s always a good thing to check for any errors in the scan database before scanning. The “-dbcheck” option of Nikto checks the scan databases for any errors.

Nikto Vulnerability Scanner 35
Nikto Vulnerability Scanner 36

The Host option (–host) (-h)

To scan a target using Nikto, first we need to specify a target. To set the target, we need to use the “host” option. This is shown below.

Nikto Vulnerability Scanner 1
Nikto Vulnerability Scanner 23456ab 481x1024

The target can be IP address of the webserver or URL of the website. This scan took 45 seconds to finish.

The Host option (–ssl)

To scan a website with HTTPS enabled with nikto, we can use the “SSL” option.

Nikto Vulnerability Scanner 6

The Port option (–port)

By default, Nikto scans the default HTTP and HTTPS ports when specified. However, if the target web server is running on a custom port you can set Nikto to scan a different port by using the “port” option.

Nikto Vulnerability Scanner 7

Scanning for CGI directories (–Cgidirs)

To scan for the presence of all CGI directories on the target webserver, the “cgidirs” option can be used.

Nikto Vulnerability Scanner 8

You can specify a specific CGI directory to search or you can use “all” value to scan for all CGI directories on the target.

What output you want Nikto to show? (–Display)

To control the type and amount of output Nikto shows after finishing the scan, we can use the “Display” option. Here are the values that can be set for the Display option.

Nikto Vulnerability Scanner 9a
Nikto Vulnerability Scanner 9
Nikto Vulnerability Scanner 10

How much time you want Nikto to spend on a scan? (–maxtime)

Using the “maxtime” option, we can specify the maximum time to spend for scanning a target. This time can be specified in seconds.

Nikto Vulnerability Scanner 11
Nikto Vulnerability Scanner 12

As you can see, the scan ended in 2 seconds while earlier the same scan took 45 seconds.

Don’t look for names (-nolookup)

The “nolookup” option specifies Nikto to not query for names when an IP address is specified.

Nikto Vulnerability Scanner 13

Don’t look for pages that are not there (–no404)

The “no404” option specifies Nikto to disable “file not found” checking. This will reduce the total number of requests made to the target.

Nikto Vulnerability Scanner 14

Just discover the ports (–findonly)

If you want to just find the HTTP(S) ports of a target without performing any security scan, you can use the “–findonly” option. Specifying this option allows Nikto to connect to HTTPS or HTTP ports and report the server header.

Nikto Vulnerability Scanner 15
Nikto Vulnerability Scanner 16

The Timeout option (–timeout)

The “–timeout” option specifies time to wait before timing out a request. The default timeout of Nikto is 10 seconds.

Nikto Vulnerability Scanner 17

The Pause option (–Pause)

By using “–Pause” option of Nikto, we can specify delay between each test Nikto performs.

Nikto Vulnerability Scanner 18

What if we have to authenticate? (–id)

With the “-id” option you can use Nikto to perform basic authentication to the target.

Nikto Vulnerability Scanner 19

The tuning option (–tuning)

With the “-Tuning” option, we can control the test that Nikto will use against a target. It can take the following values.

Nikto Vulnerability Scanner 21 A

For example, this is how we test for misconfigured files on the target.

Nikto Vulnerability Scanner 24

See all Nikto plugins (–list-plugins)

Nikto has lot of plugins that can be used against various targets. To view all these plugins, we can use the “–list-plugins” option.

Nikto Vulnerability Scanner 25

Use a particular plugin (–Plugins)

To use a particular plugin, we can use the “Plugins” option. For example, let’s use the robots plugin as shown below.

Nikto Vulnerability Scanner 26 1

Can Nikto evade detection? (–evasion)

While scanning, Nikto can use various techniques to evade Intrusion Detection System (IDS). The evasion techniques of Nikto are given below.

NIkto Vulnerability Scanner 27a
Nikto Vulnerability Scanner 29
Nikto Vulnerability Scanner 30 3

Saving output (-o)

Nikto can save the output of the scan in a file with the “output(-o)” as shown below.

Nikto Vulnerability Scanner 31 3
Nikto Vulnerability Scanner 32

Formats in which you can save output (-Format)

You can save in different formats you like using the “-Format” option. Valid formats are csv, htm, txt and xml.

Nikto Vulnerability Scanner 33
Nikto Vulnerability Scanner 34

That is the complete guide for Nikto vulnerability scanner. If you have any questions bring them in the comments section.

Posted on

Nessus vulnerability scanner: Beginner’s guide

Hello aspiring ethical hackers. In this blogpost, you will learn about Nessus vulnerability scanner. Nessus is an open-source network vulnerability scanner that uses Common Vulnerabilities and Exposures (CVE) architecture. It is widely used for vulnerability assessment and penetration testing.

Nessus server can be installed on Unix, Linux and FreeBSD whereas Nessus client is available for Unix and Windows based operating systems. For this tutorial, we will be installing Nessus on Kali Linux. Nessus can be downloaded from here. It can also be downloaded using curl as shown below (version may change).

Nessus Vulnerability Scanner 1

Once the latest version of Nessus is downloaded, it can be installed as shown below.

Nessus Vulnerability Scanner 2

Once the installation is finished, enable nessus as shown below.

Nessus Vulnerability Scanner 3

Then start nessus as shown below.

Nessus Vulnerability Scanner 4

Nessus runs on port 8834 by default. It can be viewed in browser.

Nessus Vulnerability Scanner 5

Click on “Accept the risk and continue”.

Nessus Vulnerability Scanner 6

Click on “Continue”. Select the type of Nessus install you want. Since we are using a Free version of Nessus for this tutorial we select “Register for Nessus Essentials”. Click on “continue”.

Nessus Vulnerability Scanner 7

To run Nessus Essentials, you need an activation code. Get the activation code by entering the following details.

Nessus Vulnerability Scanner 8
Nessus Vulnerability Scanner 9

You need a user account to login into Nessus. Create an account and most importantly remember the user account information.

Nessus Vulnerability Scanner 10

Then, Nessus will download all the required plugins. This may take some time (a bit long time sometimes).

Nessus Vulnerability Scanner 11

Once all the plugins are finished downloading, you should see this.

Nessus Vulnerability Scanner 12

The installation is finished. Now, it’s time to start scanning with Nessus. Click on “New scan”. A new popup opens. Assign a target.

Nessus Vulnerability Scanner 13

Click on “Run scan”.

Nessus Vulnerability Scanner 14

The scan will start and take some time to finish. For this tutorial, we are using “Metasploitable 2” as target. See how to install Metasploitable 2 in VirtualBox.

Nessus Vulnerability Scanner 15 1024x618

The vulnerabilities are classified into five categories by Nessus. They are Critical, High, Medium, Low and Information. You can view detailed information about the detected vulnerabilities by clicking on them.

Nessus Vulnerability Scanner 16 1024x618

All the scans you perform are located in “My scans” section.

Nessus Vulnerability Scanner 17 1024x520

Nessus allows different types of scans. All the scans that can be performed using Nessus can be viewed from “All scans” section.

Nessus Vulnerability Scanner 18 1024x615
Nessus Vulnerability Scanner 1920 1024x893
Nessus Vulnerability Scanner 21 1024x349