In this tutorial, we will demonstrate how to connect to a Debian virtual machine (VM) from a Kali Linux VM using SSH. We will then use Netcat to establish a reverse TCP connection and extract sensitive information from the Debian VM.
1. Setting Up the Listener on Kali VM
First, we need to set up a listener on the Kali VM. To do so, we will listen on port 1234 using Netcat:
This command makes the Kali VM listen for incoming connections on port 1234.
2. Establishing a Reverse TCP Connection on Debian VM
Next, on the Debian VM (IP: 192.168.83.128), we will execute the following Netcat command to create a reverse TCP connection back to the Kali VM:
This command connects to the Kali VM (IP 192.168.83.129) on port 1234 and provides a remote shell.
3. Confirming the Connection
Once the reverse connection is established, you should see a new connection appear in the Netcat listener on Kali. To confirm that you are connected to the Debian host, run the following command on the Debian VM:
This will display the version of Debian running on the system.
4. Stealing Password Data
Now that we have a shell on the Debian VM, let’s gather some sensitive data. First, we’ll retrieve the contents of the /etc/passwd file, which contains user account information. We can save this data to a file called stolendata.txt:
To verify that the data has been saved, we can open the file with the following command:
In the file, we’ll see two user accounts with /bin/bash shell access: root and password.
5. Stealing the Syslog
Next, we’ll capture system log information. The syslog file can provide valuable insights into system activities and events. Let’s steal its contents and store them in a file called stolenlog.txt:
6. Analyzing the Stolen Log File
Once we have the log file, let’s check its contents. We can use the following commands to inspect the first few lines and the last few lines of the file.
To view the first 10 lines:
To view the last 10 lines:
7. Sorting the Data
The log file may contain some numeric data, potentially including IP addresses or other identifiers. To sort the file based on numeric values (such as IP addresses), use the following command:
This will help you organize the data for easier analysis.
8. Counting Lines in the File
If the log file is too large to sift through manually, you can check the number of lines in the file with the following command:
9. Extracting Specific IP Address
If you're specifically looking for an IP address or any other numeric data within the log file, you can use grep to filter the data. For instance:
This command will display any IP addresses found in the stolenlog.txt file.
Discussion Questions
1. What is an issue with this IP address search pattern?
The pattern used to search for IP addresses matched three-digit segments only, so it fails to capture addresses that contain two-digit or one-digit segments (such as 192.168.12.1). To account for those, modify the regular expression to use {1,3} for each segment, allowing 1 to 3 digits (e.g., ([0-9]{1,3}\.){3}[0-9]{1,3}). This works only for IPv4 addresses; matching IPv6 addresses would require a different pattern.
2. How would being able to search for IP addresses in logs be useful in security?
Logs are essential in tracking system activities. They provide valuable information on what services were running, what actions were executed, which ports were in use, and much more. Being able to search for IP addresses in logs is crucial in security for identifying suspicious activities or unauthorized access. For example, if an IP address appears repeatedly in error logs, or if a new IP is seen accessing sensitive files, security teams can investigate further to mitigate any potential threat.
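The steps above (sorting, counting and grepping IP addresses out of a log, and the {1,3} regex fix from question 1) carried out as one small log-analysis script. This is an added example, not code from the original article; the syslog lines are constructed here, and the octet-range check and word boundaries are extra caveats beyond the plain grep pattern.

```python
import re
from collections import Counter

# Constructed sample syslog lines (not taken from the page). The two
# 192.168.83.x addresses echo the lab hosts; everything else is made up.
SAMPLE_LOG = """\
Mar 10 09:12:01 debian sshd[812]: Accepted password for root from 192.168.83.129 port 51234 ssh2
Mar 10 09:12:05 debian sshd[815]: Failed password for invalid user admin from 10.0.0.7 port 40022 ssh2
Mar 10 09:12:09 debian sshd[815]: Failed password for invalid user admin from 10.0.0.7 port 40023 ssh2
Mar 10 09:13:00 debian kernel: [  120.5] eth0: link up, driver build 1.2.3.4567 loaded
Mar 10 09:14:41 debian sshd[820]: Accepted publickey for debian from 192.168.12.1 port 33000 ssh2
Mar 10 09:15:02 debian cron[900]: (root) CMD (run-parts /etc/cron.hourly) tag 999.999.999.999
"""

# The {1,3}-per-segment pattern recommended in the discussion answer, wrapped
# in word boundaries so a longer dotted number (1.2.3.4567) is not cut down
# to a bogus partial match.
IPV4_RE = re.compile(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b")


def is_valid_ipv4(candidate: str) -> bool:
    """The regex allows 000-999 per segment; a real octet must be 0-255."""
    return all(0 <= int(octet) <= 255 for octet in candidate.split("."))


def extract_ipv4(text: str) -> list[str]:
    """Every syntactically valid IPv4 address, in order of appearance."""
    return [m for m in IPV4_RE.findall(text) if is_valid_ipv4(m)]


def count_ipv4(text: str) -> Counter:
    """How often each address appears, e.g. to spot repeated failed logins."""
    return Counter(extract_ipv4(text))


def sort_ipv4(addresses) -> list[str]:
    """Sort numerically by octet (a plain text sort would put 10.x after 1.x)."""
    return sorted(set(addresses), key=lambda ip: tuple(int(o) for o in ip.split(".")))


if __name__ == "__main__":
    for ip, n in count_ipv4(SAMPLE_LOG).most_common():
        print(f"{ip:>16}  {n}")
    print("sorted:", sort_ipv4(extract_ipv4(SAMPLE_LOG)))
```

Running it shows 10.0.0.7 twice (the repeated failed logins), while 999.999.999.999 and 1.2.3.4567 are dropped by the octet check and the word boundaries respectively.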
3. What other numbers may be important to search for on a computer?
Besides IP addresses, other numbers that are important to search for include:
Port Numbers: Port numbers indicate which services or applications are running on specific ports. Monitoring port activity helps identify unauthorized or malicious services.
MAC Addresses: These are unique identifiers assigned to network interfaces, essential for identifying devices within a network. MAC addresses can be crucial in tracking the physical devices involved in network activities.
By searching for these and other key identifiers, security professionals can better understand what is happening on a system and take appropriate action when needed.
Conclusion
In this article, we demonstrated how to connect to a Debian VM from Kali Linux via SSH, set up a reverse TCP connection using Netcat, and extract sensitive data such as the system’s user information and logs. While this exercise showcases how attackers might operate, it’s important to always secure systems and networks to prevent unauthorized access and protect sensitive information.