Kali Tools: Vega
There seem to be a virtually limitless number of free, quality, and open source penetration tools that come with the Kali operating system. Once you’ve learned how to use a few of them, you’ll find working at the command line much less intimidating and start to get the hang of it.
But one of the problems newbies often have is understanding what each tool is used for. There are so many that it may seem like an insurmountable task to learn them all. However, note that many of them perform similar functions (if not the same), albeit with slight variations. For instance, Kali Linux comes packed with a full arsenal of different types of scanners.
And once you’ve learned how to use one scanner, it’s a pretty simple matter to pick up another and start using it in minutes. Today, however, we’re going to be taking a closer look at one such scanner called Vega.
How Is Vega Different from Other Scanners?
Some of the most popular scanners on Kali include NMAP, AngryIPScanner, OS Scanner, OpenVAS, and other similar tools. But each scanner is useful in its own right, though many of them have similar functions.
For instance, both OpenVAS and NMAP are going to be able to detect open ports on the target they scan. However, I’d say that NMAP is more useful when you have direct network access and need to feel around to find hosts, identify them, and start building a reconnaissance profile. Regardless, Vega isn’t quite the same as NMAP.
Vega is extremely useful for testing the security of web servers and web applications specifically. As such, it’s a great tool to use to identify weaknesses that can be exploited with common web attacks like SQLi (SQL Injection) attacks and XSS (Cross-Site Scripting). It can also be used to scan for and discover sensitive information that wasn’t intentionally disclosed on a web service, among other vulnerabilities.
But what’s unusual about Vega is that, like OpenVAS, it has a GUI. And that makes it infinitely easier for newbies to start using. If you’re new to Kali and feel intimidated by the command line, I’d recommend starting with a GUI tool. They may not always be as useful, and let’s face it – most of the meat & potatoes of Kali tools operate solely from the command line. Still, it’s more immediately gratifying for newbies, and will help them build confidence and put another tool in their penetration testing tool belt.
Though we focus on penetration tools, Linux, and Kali on this site, note that you do have the option of running Vega in other environments. Since the code was written in Java, it ports well to other operating systems. In fact, you can run it on OS X and even Windows. So if you haven’t built a Kali (or any other flavor of Linux) environment, you can get by on another system.
What Are Vega’s Features?
Not only can Vega perform routine scanning operations to identify holes and security flaws in web applications, but it also has an intercepting proxy tool that allows you to inspect traffic. In addition, it even has a website crawler, that will comb over the website piece by piece to identify flaws and build a profile of the site.
Interestingly enough, it can even be used to attack SSL connections. Though SSL tunnels are secure and adequately protect data if a secure connection is built, there are ways to attack the process and monitor data as the tunnel is negotiated. If it is done correctly, an attacker can perform an MITM attack and intercept data from an SSL connection. However, note that this attack doesn’t truly break SSL encryption. Rather, it takes advantage of a vulnerability during the negotiation process. So don’t worry, SSL isn’t broken like PPTP.
The following outlines Vega’s features and capabilities:
- Web vulnerability scanning
- XSS vulnerability identification
- SQLi vulnerability identification
- SSL MITM hacking
- Website crawling operations
- Alerts that can be customized to your choosing
- Stores information in a database
The Same Old Warning, Again!
If I’ve said it once, I’ve said it ten thousand times. I know you probably don’t want a lecture regarding the ethics of hacking. But nevertheless, it can’t be said enough: do not abuse these tools. It’s immoral, unethical, and flat out illegal to start trying to use Kali tools to obtain unauthorized access to computer systems that don’t belong to you.
So naturally, don’t go out into the real world and start scanning everything you can get your hands on. Also consider that doing so might merit unwanted attention, and attract some very uncomfortable allegations and questions.
Installation Process
One of the great things about Vega is that it’s simple to install. It can be downloaded from GitHub for free. The file is zipped, so you’ll want to unpack it in a directory from which you want to run the program. If you’re feeling lazy, you can unpack it in your home directory.
However, I would recommend that you unpack it in a directory where you commonly run other applications to keep things tidy. Barring dependency issues (it would be a good idea to run an update before proceeding), all you have to do to run Vega is change your current working directory to the folder where you unzipped the file, and then run “./vega”.
Remember that you can change your current working directory with the cd command, and you can use the pwd command to print your current working directory in the terminal.
Point and Shoot
It’s pretty simple to run a scan, too. All you have to do is launch the program and click on the “scan” menu in the top left of the window. Then, select “start new scan.” The first parameter you need to enter is the target’s URL. And since you aren’t abusing penetration testing tools, I’ll assume that you’re scanning a server that you own and control.
For instance, in the “base URL” field, you might enter “www.mydomain.com” and then click the “next” button. There are a myriad of modules to choose from that will help you choose what types of flaws the tool will scan for. For your first scan, you can either leave these settings at their default or add/subtract modules as you please.
On the following screen, just click the “next” button since you don’t already have any cookies. Finally, on the next screen, click the “finish” button. The scan will start to execute, so hang on and let Vega work its magic. The scan will continually update you with its progress.
You’ll also notice that threats will pop up in the main window. The threats are ranked as high, medium, low, and informational. The idea here is to find flaws in the site without leaving it to guesswork. So, for example, you could scan a domain and find out whether or not the database is vulnerable to SQLi attacks, and proceed from there.
Final Thoughts
Vega is a pretty darn simple tool. Not only is it simple to install and run, but it’s simple to use since it doesn’t rely on background knowledge of the Linux shell – and you can even run it on Mac and Windows systems.
Just remember that this is more of a reconnaissance tool that will help feel out a server’s weak points. In a penetration testing environment, the data can be used to plug up security holes and reduce the risk.
Kali is absolutely loaded with tools that each have their own function and role to fulfill. Asleap, however, is essentially specific cracking software that was designed with one sole purpose in mind: to take advantage of vulnerabilities found in LEAP. Furthermore, it can be used to break PPTP (Point-to-Point Tunneling Protocol).
Today, we’re going to be taking a closer look at this command, the vulnerability it was designed to break, its command syntax, and more. But before we begin, note that you are going to need a few things of your own in order to test this command out. First off, you’re going to need to download and run Kali, which is easy to come by since it’s completely free to use and run.
In addition, you’re going to need a wireless access point capable of running LEAP or a PPTP tunnel. Just remember that whatever device you’re trying to target has to be owned and operated by you. I have to warn you not to try using this tool out on a real-world target, because doing so would be immoral and illegal, and I don’t advocate breaking the law.
With that understanding, let’s take a closer look at the flaw that Asleap targets.
Vulnerabilities, MSCHAPv2, LEAP, and PPTP
LEAP stands for Lightweight Extensible Authentication Protocol, which is used to secure connections on wireless networks. Those of you who have passed the Security+ exam might even already know that LEAP uses a version of the MSCHAPv2 algorithm to authenticate the host at the other end of the connection.
Furthermore, you might have already heard that PPTP only offers weak encryption, and is one of the weakest VPN tunnel options available. You may have also heard that PPTP can be cracked using cheap software. Believe it or not, you can actually use Asleap to target PPTP, since it uses MSCHAPv2.
You see, PPTP was originally developed by a vendor consortium led by Microsoft. Though they didn’t make the protocol proprietary, they did include it on most of their operating systems for free with the release of Windows NT, and custom-tailored their own version of CHAP to be used with PPTP.
That’s why the first two letters in the acronym stand for Microsoft, and the full name is the Microsoft Challenge Handshake Authentication Protocol. In fact, Asleap can be used to crack any protocol that uses MSCHAPv2 for authentication, and the protocol has been known to suffer from a fatal vulnerability for quite some time now. The world has known about MSCHAPv2 flaws for about 17 years, since the vulnerability was first documented by Bruce Schneier in 1999.
Though the whole flaw, vulnerability details, and inner workings of the protocol are rather complicated, just know that MSCHAPv2 is vulnerable to password attacks such as dictionary-based attacks on the captured packets containing the challenge and response. Asleap (as well as other similar tools) works on that captured challenge-response exchange, checking candidate passwords against it offline rather than against the live authenticator.
Options, Flags, and Command Syntax
First off, we need to take a look at the command syntax and options that are available for Asleap, then we will look at another tool that needs to be used in conjunction with Asleap. The following lists its syntax and possible flags/options:
Usage: asleap [options]
-r Read from a libpcap file
-i Interface to capture on
-f Dictionary file with NT hashes
-n Index file for NT hashes
-s Skip the check to make sure authentication was successful
-h Output this help information and exit
-v Print verbose information (more -v for more verbosity)
-V Print program version and exit
-C Challenge value in colon-delimited bytes
-R Response value in colon-delimited bytes
-W ASCII dictionary file (special purpose)
The command syntax is relatively simple and straightforward. However, note that we will also need to use genkeys in our demonstration, though genkeys is included in the Asleap package. It’s a pretty simple tool, and only has four options as follows:
genkeys: Must supply -r -f and -n
Usage: genkeys [options]
-r Input dictionary file, one word per line
-f Output pass+hash filename
-n Output index filename
-h Last 2 hash bytes to filter with (optional)
Usage Examples
Furthermore, you’re going to need to be able to run libpcap. You need a libpcap dump file to use as a parameter in the command syntax, which makes sense because you need to have captured data for the software to crack anyway. However, the first thing we need to do is use the genkeys tool as follows:
- genkeys -r /usr/share/my-wordlist-file/nmap.lst -f output-file-name.dat -n output-index-name.idx
This command will simply precompute the NT hashes of every word in the dictionary (along with an index), so that the password attack doesn’t have to hash each candidate again for every capture, which makes the process exponentially faster. After using genkeys, the next thing to do (if you haven’t done it already) is to capture data from a protocol that uses MSCHAPv2, such as PPTP or LEAP.
Then, it’s finally time to plug the dump file and dictionary list into the command syntax for Asleap as follows:
- asleap -r dump-file.dump -f asleap.dat -n asleap.idx -s
Note that the .dat and .idx files were created and custom-named by you in the genkeys step. If you were successful in your cracking attempt, the command prompt will show the recovered LEAP or PPTP authentication details, such as the username, challenge, response data, hash bytes, NT hash, and password.
And believe it or not, with the exception of running the packet capture, there are only two steps to the cracking procedure. However, how long it takes depends a great deal on your dictionary, the complexity of the password, and your hardware. If you’re trying to run Kali on an ancient system that only meets the bare minimum system requirements, things might take longer.
Final Thoughts
Because MSCHAPv2 and LEAP are so insecure, you should avoid them at all costs. In addition, you should avoid using PPTP to secure your VPN connections unless your data is inconsequential, because it’s possible for hackers to break the key in as little as a day.
I would also mention that though Asleap can crack LEAP, there are many other wireless cracking tools on Kali such as Reaver (among several others). Feel free to leave a comment below and let me know if you have any questions.
There are a lot of different scanning tools on Kali Linux, though they each seem to provide a slightly different function. For instance, NMAP is a great tool for feeling out a local network to identify hosts, open ports, and a few other pieces of key information. On the other hand, Cisco-Torch was created with an emphasis on discovering Cisco devices and network devices, and then to run dictionary attacks on the identified targets.
Today, however, we’re going to be looking at a different scanning tool called Amap. Amap is a next-generation scanning tool that has a massive amount of flags and options in its command syntax, and it can even identify processes and applications when they are running on different ports. For example, if a company decided to host an internal web server that accepted connections on port 1253 instead of 80 (I’m just making that up as an example, no one would ever do that), Amap would be able to discover it.
Furthermore, Amap can find applications and services that aren’t based on ASCII. Amap has a lot of interesting tools, too, such as the ability to send specially crafted trigger packets to generate special responses from servers.
Amap’s Tools and Capabilities
Amap is more than a simple scanner designed to ping a local network to identify active hosts. More specifically, we need to identify two main components and features of the Amap program. First off, Amap comes with a module called amapcrap, which sends random and bogus data to a port.
The port can be TCP, UDP, or even SSL, but the idea is to generate a response from the target port.
The second component is the actual Amap core functionality, which is an Application MAPper.
A Tip for Those of You Who Are Curious
If you’re a Linux newbie, you probably don’t know what verbose mode is. If you’re a Linux veteran, feel free to skip this section to avoid any inherent eye-rolling. Nevertheless, verbose mode is a common option for the vast majority of command line programs and tools.
Verbose mode basically allows you to peek under the hood to understand the inner workings of a command. Typically, after entering a command, you’ll wait for a few moments while it ‘does its thing’ in the background, and it will either return a message indicating success or failure. But with verbose mode, the tool will tell you what it’s doing step-by-step.
I’d highly recommend using the -v option with scanners just so you can see how they operate. For instance, you’ll find that NMAP host discovery scans simply have a looping function, whereby they ping one address after the next and increment the host value by one with each iteration.
Amap Command Syntax and Options
Amap seems to be a rather complicated tool when you view its help screen for the first time, but it isn’t as intimidating as it looks. However, I will say that it has a lot more options and flags than most other commands, though you won’t necessarily use them all.
First off, let’s take a look at the amapcrap options and syntax as follows:
Syntax: amapcrap [-S] [-u] [-m 0ab] [-M min,max] [-n connects] [-N delay] [-w delay] [-e] [-v] TARGET PORT
Options:
-S use SSL after TCP connect (not usable with -u)
-u use UDP protocol (default: TCP) (not usable with -c)
-n connects maximum number of connects (default: unlimited)
-N delay delay between connects in ms (default: 0)
-w delay delay before closing the port (default: 250)
-e do NOT stop when a response was made by the server
-v verbose mode
-m 0ab send as random crap:0-nullbytes, a-letters+spaces, b-binary
-M min,max minimum and maximum length of random crap
TARGET PORT target (ip or dns) and port to send random crap
/*This tool sends random data to a silent port to illicit a response, which can
then be used within amap for future detection. It outputs proper amap
appdefs definitions. Note: by default all modes are activated (0:10%, a:40%,
b:50%). Mode ‘a’ always sends one line with letters and spaces which end with
\r\n. Visit our homepage at http://gwww.thc.or */
Next, let’s take a look at the options and flags for the actual Amap portion of the tool. Be forewarned, there are more options for this tool than most other applications:
Syntax: amap [-A|-B|-P|-W] [-1buSRHUdqv] [[-m] -o ] [-D ] [-t/-T sec] [-c cons] [-C retries] [-p proto] [-i ] [target port [port] …]
Modes:
-A Map applications: send triggers and analyse responses (default)
-B Just grab banners, do not send triggers
-P No banner or application stuff – be a (full connect) port scanner
Options:
-1 Only send triggers to a port until 1st identification. Speeeeed!
-6 Use IPv6 instead of IPv4
-b Print ascii banner of responses
-i FILE Nmap machine readable outputfile to read ports from
-u Ports specified on commandline are UDP (default is TCP)
-R Do NOT identify RPC service
-H Do NOT send application triggers marked as potentially harmful
-U Do NOT dump unrecognised responses (better for scripting)
-d Dump all responses
-v Verbose mode, use twice (or more!) for debug (not recommended :-)
-q Do not report closed ports, and do not print them as unidentified
-o FILE [-m] Write output to file FILE, -m creates machine readable output
-c CONS Amount of parallel connections to make (default 32, max 256)
-C RETRIES Number of reconnects on connect timeouts (see -T) (default 3)
-T SEC Connect timeout on connection attempts in seconds (default 5)
-t SEC Response wait timeout in seconds (default 5)
-p PROTO Only send triggers for this protocol (e.g. ftp)
TARGET PORT The target address and port(s) to scan (additional to -i)
amap is a tool to identify application protocols on target ports.
Note: this version was NOT compiled with SSL support!
Usage hint: Options “-bqv” are recommended, add “-1” for fast/rush checks.
Usage Example
The command syntax looks pretty hairy, but it isn’t after you’ve played around with the tool for only a couple hours. We’re going to go through a short demonstration to highlight applicable command syntax, but first please heed a warning. If you want to test out this tool, only do it on your home network or on devices that you own.
Don’t run around in public or connect to a Wi-Fi hotspot to start scanning other people’s computing devices. It’s illegal and immoral. That said, let’s take a look at an example that scans a single host that is presumed to be a web server:
- amap -bqv 10.1.1.54 80
This command will scan the 10.1.1.54 host on port 80 (HTTP), print the ASCII banner of any response (-b), omit closed ports (-q), and report its progress in verbose mode (-v).
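The -i option in the help above lets Amap take its targets from an Nmap machine-readable (grepable, -oG, formerly -oM) output file instead of the command line. The following added example (not part of Amap or Nmap) parses a constructed grepable file the way that option consumes it, keeps only the ports in the states you ask for, and turns them into the "amap [options] target port [port ...]" argument lists shown on this page, with UDP ports split out because they need -u:

```python
"""Parse Nmap grepable (-oG) output into open ports and build amap argument lists.
Added example, not part of the Amap project; the sample output below is constructed."""
from typing import Dict, List, Tuple

# Constructed sample of Nmap grepable output: two live hosts, mixed port states.
SAMPLE_GREPABLE = (
    "# Nmap 7.94 scan initiated Mon Jan  1 00:00:00 2024 as: nmap -oG out.gnmap 10.1.1.0/29\n"
    "Host: 10.1.1.54 ()\tStatus: Up\n"
    "Host: 10.1.1.54 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/closed/tcp//https///, 161/open|filtered/udp//snmp///\tIgnored State: closed (996)\n"
    "Host: 10.1.1.55 ()\tStatus: Up\n"
    "Host: 10.1.1.55 ()\tPorts: 23/filtered/tcp//telnet///\tIgnored State: closed (999)\n"
    "# Nmap done at Mon Jan  1 00:00:05 2024 -- 8 IP addresses (2 hosts up) scanned\n"
)

Finding = Tuple[str, int, str, str]  # (host, port, proto, service)


def parse_grepable(text: str, states: Tuple[str, ...] = ("open",)) -> List[Finding]:
    """Return (host, port, proto, service) for every port whose state is in `states`.

    Each port record in a 'Ports:' section has the layout
    port/state/protocol/owner/service/rpcinfo/version/ (fields may be empty).
    """
    findings: List[Finding] = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # '#' comment header/footer lines carry no port data
        host_part, _sep, rest = line[len("Host:"):].strip().partition("\t")
        host = host_part.split()[0]  # drop the "(hostname)" suffix
        for section in rest.split("\t"):
            if not section.startswith("Ports:"):
                continue  # e.g. "Status: Up" or "Ignored State: ..."
            for entry in section[len("Ports:"):].split(","):
                fields = entry.strip().split("/")
                if len(fields) < 5:
                    continue  # malformed record; skip rather than guess
                port, state, proto, service = fields[0], fields[1], fields[2], fields[4]
                if state in states and port.isdigit():
                    findings.append((host, int(port), proto, service))
    return findings


def amap_commands(findings: List[Finding], base_opts: Tuple[str, ...] = ("-bqv",)) -> List[List[str]]:
    """Group findings per (host, proto) into 'amap <opts> target port [port ...]' argv lists.

    amap treats command-line ports as TCP unless -u is given, so UDP ports get
    their own command with -u added.
    """
    grouped: Dict[Tuple[str, str], List[int]] = {}
    for host, port, proto, _service in findings:
        grouped.setdefault((host, proto), []).append(port)
    commands: List[List[str]] = []
    for (host, proto), ports in sorted(grouped.items()):
        argv = ["amap", *base_opts]
        if proto == "udp":
            argv.append("-u")
        argv.append(host)
        argv.extend(str(p) for p in sorted(set(ports)))
        commands.append(argv)
    return commands


if __name__ == "__main__":
    for argv in amap_commands(parse_grepable(SAMPLE_GREPABLE)):
        print(" ".join(argv))
```

Passing states=("open", "open|filtered") to parse_grepable also picks up the UDP SNMP port, which then lands in a separate command carrying -u.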
Final Thoughts
There are a myriad of other options that can be used with Amap, and I encourage you to test it out. However, for simple host discovery and scanning for open ports, I still prefer to use NMAP. It’s just easier to use in my opinion, or perhaps it’s simply because I feel more comfortable using it. At any rate, Amap is another great scanner that can be used to identify hosts and fingerprint systems.
Kali Linux comes preloaded and chock-full of a myriad of useful penetration testing and scanning tools. Some might even argue that it comes with too many, because it can be hard finding the right tool that you want to use – especially if you’ve never heard about it before. Nevertheless, today we’re going to be looking at a tool called Cisco-Torch, which has a variety of applications.
In addition to being an exploitation tool, it can also be used for fingerprinting and reconnaissance. And to be fair, a few of its functions overlap with the functions of other tools. That is, you’ll find that most reconnaissance tools are going to provide some similar mechanisms to scan the local network.
However, I don’t want you to think that this program is identical to another scanner, such as NMAP. In addition to having more features and exploitation tools, Cisco-Torch varies from other simple scanners in that it can launch multiple scanning functions simultaneously for greater speed and efficiency. It also works well in the Application layer of the OSI model for fingerprinting systems, which is something that NMAP lacks.
And while NMAP is well adept at scanning networks for individual ports and services, Cisco-Torch takes things one step further. Not only can it scan a network for devices accepting Telnet, HTTP, and SSH (these services would likely identify networking devices like routers, switches, firewalls, servers, etc.), but it can even run dictionary attacks against discovered hosts – depending on the device type, OS version, and so on.
What Are Cisco-Torch’s Capabilities?
Sometimes it’s hard to pin down exactly what a tool can be used for – as well as what it can’t be used for. However, Cisco-Torch is pretty straightforward because it has some specific applications. First off, note that Cisco-Torch can scan for the following types of services to better identify hosts that can be attacked:
- Telnet
- SSH
- SNMP
- NTP fingerprinting
- TFTP fingerprinting
- Cisco webservers
- Cisco IOS HTTP Authorization Vulnerability Scan
- Cisco Webserver with SSL support scan
The bottom line is that Cisco-Torch, as the name implies, is tooled to scan for and identify Cisco hosts, though it can also discover other vendors’ networking devices that are accepting certain connections.
And though host identification is a necessary first step in many attacks, it isn’t always the most important function of a tool. After a host has been identified, Cisco-Torch can then launch password attacks against that host.
Cisco-Torch Command Flags and Syntax
Like just about every other command on Linux systems, Cisco-Torch has a help screen. However, unless you have quite a bit of experience in the I.T. industry, some of the options’ functions may not be readily apparent, and bear further discussion. The following outlines the command syntax and available options:
usage: cisco-torch <options> <IP,hostname,network>
or: cisco-torch <options> -F <hostlist>
Available options:
-O <output file>
-t Cisco Telnetd scan
-s Cisco SSHd scan
-u Cisco SNMP scan
-g Cisco config or tftp file download
-n NTP fingerprinting scan
-j TFTP fingerprinting scan
-l <type> loglevel
-c critical (default)
-v verbose
-d debug
-w Cisco Webserver scan
-z Cisco IOS HTTP Authorization Vulnerability Scan
-c Cisco Webserver with SSL support scan
-b Password dictionary attack (use with -s, -u, -c, -w , -j or -t only)
-V Print tool version and exit
Usage Examples
First and foremost, I’d like to point out how powerful this tool is. When you use NMAP, you have to specify each and every type of scan you’d like to perform. For instance, you might specify the subnet, host, range of hosts, type of scan, port ranges, and other parameters before running a scan.
While you still need to specify the target(s) as a parameter with Cisco-Torch, there is one simple flag that will run all available scans against a host or range. For instance, the following command will run all fingerprint and scan types against the desired host:
- cisco-torch -A 10.1.1.54
The above command scans a single target host. Now let’s pretend that the host was accepting Telnet connections. If you wanted to run a dictionary attack against the host, you could issue the following command:
- cisco-torch -t -b 10.1.1.54
Now, however, let’s pretend that you were doing a real-world host discovery, and not testing tools on your local network (as you should be doing). If you wanted to scan an entire network or subnet, you would simply append the prefix length to the end of the network address, being sure to remember your binary math to appropriately label the subnet as follows:
- cisco-torch -A 10.1.1.0/24
This command will, of course, run all fingerprint and scan types combined against the 10.1.1.0/24 subnet, which is 256 addresses in total. Also note that the result won’t be instantaneous, so babysit your process patiently. Lastly, I’d like to point out that it isn’t possible to run this type of scan using other scanners, such as NMAP.
You’d have to run multiple scans independently, instead of all at once. Doing them individually could take hours, so there is a lot of power in the multi-threaded scan used in Cisco-Torch.
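The “binary math” behind labelling a subnet like 10.1.1.0/24, worked by hand as an added example (not part of Cisco-Torch): the prefix length sets the top bits of the mask, the network address is the host AND the mask, the broadcast is the network OR the inverted mask, and the address count is 2 raised to the number of host bits. The strict check also catches a common mistake, writing a host address such as 10.1.1.54 with a /24 instead of the network address:

```python
"""Hand-rolled IPv4 CIDR math (no ipaddress module, so every step is visible).
Added example; the helper names here are my own and not part of Cisco-Torch."""
from typing import Tuple

ALL_ONES = 0xFFFFFFFF  # 32-bit mask of all ones


def ip_to_int(ip: str) -> int:
    """Pack dotted-quad text into a 32-bit integer, rejecting malformed input."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip!r}")
    value = 0
    for octet in octets:
        value = (value << 8) | int(octet)
    return value


def int_to_ip(value: int) -> str:
    """Unpack a 32-bit integer back into dotted-quad text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def describe_cidr(cidr: str, strict: bool = True) -> Tuple[str, str, str, int]:
    """Return (network, broadcast, netmask, address_count) for 'a.b.c.d/prefix'.

    With strict=True an address that has host bits set under the given prefix
    (e.g. 10.1.1.54/24) is rejected and the correct network label is suggested;
    with strict=False it is silently normalised to its network.
    """
    addr, sep, prefix_text = cidr.partition("/")
    if not sep or not prefix_text.isdigit() or not 0 <= int(prefix_text) <= 32:
        raise ValueError(f"bad CIDR notation: {cidr!r}")
    prefix = int(prefix_text)
    host_bits = 32 - prefix
    # Top `prefix` bits set, remaining host bits clear; /0 yields an all-zero mask.
    mask = (ALL_ONES << host_bits) & ALL_ONES
    host = ip_to_int(addr)
    network = host & mask
    if strict and network != host:
        raise ValueError(
            f"{addr}/{prefix} has host bits set; the subnet is {int_to_ip(network)}/{prefix}"
        )
    broadcast = network | (~mask & ALL_ONES)
    return int_to_ip(network), int_to_ip(broadcast), int_to_ip(mask), 1 << host_bits


if __name__ == "__main__":
    print(describe_cidr("10.1.1.0/24"))  # the page's example range
```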
Final Thoughts
I think that NMAP is a more robust scanning tool with more general and flexible options. However, I think that Cisco-Torch is more sophisticated and specialized to identify Cisco hosts (though it can identify other vendors’ equipment) and run fingerprint scans and password attacks against them. And you might be thinking that this tool isn’t worth very much since it specializes in attacks against only one vendor.
But I digress. You see, Cisco Systems is the largest producer of telecommunications and Internet equipment in the Western world. You’re going to find Cisco products (routers, switches, ASAs, etc.) more often than you’re going to find their competitors’ equipment, such as Juniper, Dell, or other runners-up in the networking world.
And lastly, while I don’t recommend snooping around a corporate network or launching attacks against your ISP, I do highly encourage you to try this tool out on your home network. Remember to use Kali responsibly, because I don’t advocate breaking the law.