grep
command to select the line for the root account, and finally, we use the cut
command to extract the second colon-separated field, which holds the password hash (not the password itself; the hash still has to be cracked). Note that grep "root" also matches any other account whose name contains "root"; grep "^root:" is the tighter pattern:
root@kali:/# cat /etc/shadow | grep "root" | cut -d ":" -f 2
$6$uf2Jy/R8HS5Tx$Vw1wHuBV7unq1hImYGTJdNrRwMwRtf0yd/aSH0zOhhdzWofAT5WUSduQTjWj8AbdmT62rLbcs6kP3xwdiLk.
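The field that cut extracted is in modular-crypt format, $id$[params$]salt$hash, and the id prefix tells you which algorithm produced it and therefore which cracking mode to use. As an added example (not from the book), here is a POSIX shell helper that takes shadow entries and reports the account, the algorithm, its salt, and the corresponding hashcat mode where one exists. The root entry reuses the hash printed above; the kali and daemon entries are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the book: classify /etc/shadow entries.
# Modular-crypt format: $<id>$[<params>$]<salt>$<hash>. The id selects the
# algorithm; $6$/$5$ may carry an optional "rounds=N$" parameter and $y$
# (yescrypt) always carries a parameter field before the salt.

# crypt_algo HASH -> algorithm name, or locked/empty/unknown for fields
# that cannot be cracked at all.
crypt_algo() {
    case "$1" in
        '$6$'*) echo sha512crypt ;;   # hashcat -m 1800
        '$5$'*) echo sha256crypt ;;   # hashcat -m 7400
        '$1$'*) echo md5crypt ;;      # hashcat -m 500
        '$y$'*) echo yescrypt ;;      # default on current Debian-based systems; use john
        '!'*|'*'*) echo locked ;;     # password login disabled for this account
        '') echo empty ;;             # no password set at all
        *) echo unknown ;;
    esac
}

# crypt_salt HASH -> the salt field, or "-" when the field is not a hash.
crypt_salt() {
    case "$1" in
        '$'*) ;;
        *) printf '%s' '-'; return ;;
    esac
    f3=$(printf '%s' "$1" | cut -d '$' -f 3)
    case "$f3" in
        rounds=*) printf '%s' "$1" | cut -d '$' -f 4 ;;   # skip the rounds parameter
        *) case "$1" in
               '$y$'*) printf '%s' "$1" | cut -d '$' -f 4 ;;   # skip the yescrypt params
               *) printf '%s' "$f3" ;;
           esac ;;
    esac
}

# shadow_info SHADOW_LINE -> "user algorithm salt" for one shadow entry.
shadow_info() {
    user=$(printf '%s' "$1" | cut -d ':' -f 1)
    hash=$(printf '%s' "$1" | cut -d ':' -f 2)
    printf '%s %s %s\n' "$user" "$(crypt_algo "$hash")" "$(crypt_salt "$hash")"
}

# Constructed sample entries: root is the hash shown above, the rest are made up.
SAMPLE='root:$6$uf2Jy/R8HS5Tx$Vw1wHuBV7unq1hImYGTJdNrRwMwRtf0yd/aSH0zOhhdzWofAT5WUSduQTjWj8AbdmT62rLbcs6kP3xwdiLk.:18300:0:99999:7:::
kali:$y$j9T$abcdefghijklmnop$ZYXWVUTSRQPONMLKJIHGFEDCBA0123456789abcdefghij:18300:0:99999:7:::
daemon:*:18300:0:99999:7:::'

printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
    shadow_info "$line"
done
```

Run it against your own /etc/shadow with `shadow_info "$(grep '^root:' /etc/shadow)"`; the algorithm column is what decides the hashcat -m value you pass later.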
Remote Connections in Kali
There are two common ways to connect remotely to other operating systems. For Windows, it is the Remote Desktop Protocol (RDP), and for Linux, it's the Secure Shell (SSH). In the next sections, I will explain how to use each protocol to connect remotely to an OS (Windows or Linux).
Remote Desktop Protocol
RDP is used to connect remotely to a Windows OS. Let's suppose that during your engagement you encounter a Windows host with the Remote Desktop port, TCP 3389, open (e.g., during your port scanning phase). Then you will want to try to connect to it with some default or weak credentials (e.g., a username of Administrator and a password of password123). There are many times during your engagements when you want to connect remotely to a Windows system from Kali Linux to get the job done. In this case, you can use the rdesktop command:
$rdesktop [Windows host IP address] -u [username in windows] -p [password in windows]
You can also omit the password and enter it later. See the example in Figure 1.9. If rdesktop is not available on your Kali build, the FreeRDP client (xfreerdp) is the usual alternative.
Figure 1.9 “Windows Login”
Secure Shell
The SSH protocol is a secure, encrypted connection that allows you to execute commands remotely on a Linux host (in this case, Kali). SSH runs over TCP on port 22 by default. There are two ways to authenticate to a remote SSH server:
Using a username/password credentials
Using public/private keys (passwordless)
SSH with Credentials
Let's start first with the method that uses the password. By default, any user account except root can log in over SSH with a password (the OpenSSH default, PermitRootLogin prohibit-password, lets root in only with a key):
$ssh username@kaliIP
Figure 1.10 shows a root user who is not allowed to log in to Kali Linux remotely as well as a regular user (kali) who is able to log in remotely using SSH. In Figure 1.10, I'm using MobaXterm on Windows OS to connect remotely using SSH to the Kali VM.
Figure 1.10 SSH with MobaXterm on Windows
To allow the root user to log in remotely over SSH with a password, you will need to edit the configuration file of the SSH daemon:
/etc/ssh/sshd_config
Make sure the file contains the following line. If the keyword is already present (in the stock file it appears commented out as #PermitRootLogin prohibit-password), change that line instead of appending a new one, because sshd honors the first occurrence of a keyword and ignores later ones:
PermitRootLogin yes
Then restart the service (systemctl restart ssh) so the change takes effect. Keep in mind that this deliberately weakens the host: it exposes the most valuable account to password guessing, which is acceptable on an isolated lab network but not on anything reachable from outside it.
Now, after restarting the service, we can try to connect to our Kali host remotely using the root account (it should work this time after the latest changes):
Figure 1.11 SSH Root Connection
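Two sshd parsing rules cause most "I edited sshd_config and nothing changed" problems: keyword names are case-insensitive, and the first occurrence of a keyword is the effective one, so a line added at the bottom of the file does nothing if the keyword is already set above it. As an added example (not from the book), here is a POSIX shell helper that reads an sshd_config and reports whether PermitRootLogin and its companion setting PasswordAuthentication leave the host open to password guessing. The config fragments are constructed for the example. The helper does not follow Include directives (the stock Kali file has one at the top) and stops at the first Match block rather than interpreting it, so on a real host confirm the result with sshd -T, which prints the effective configuration.

```shell
#!/bin/sh
# Added example, not from the book: audit PermitRootLogin and
# PasswordAuthentication in an sshd_config file.
# sshd rules mirrored here: keyword names are case-insensitive and the FIRST
# occurrence of a keyword wins. Simplifications: Include directives are not
# followed and parsing stops at the first Match block.

# effective_value FILE KEYWORD -> first value set for KEYWORD (lowercased),
# or "unset" when the file leaves it at the sshd built-in default.
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/       { next }                       # comment line
        NF == 0                { next }                       # blank line
        tolower($1) == "match" { exit }                       # conditional block: stop
        tolower($1) == key     { print tolower($2); found = 1; exit }
        END                    { if (!found) print "unset" }
    ' "$1"
}

# audit_sshd_config FILE -> one finding per line; exit status 1 if any
# setting leaves online password guessing possible, 0 otherwise.
audit_sshd_config() {
    rc=0
    prl=$(effective_value "$1" PermitRootLogin)
    case "$prl" in
        yes)
            echo "WEAK  PermitRootLogin=$prl: root can log in with a password"
            rc=1 ;;
        unset|prohibit-password|without-password)
            echo "OK    PermitRootLogin=$prl: root only with a key (OpenSSH default)" ;;
        no)
            echo "OK    PermitRootLogin=no" ;;
        *)
            echo "CHECK PermitRootLogin=$prl: unexpected value" ;;
    esac
    pa=$(effective_value "$1" PasswordAuthentication)
    case "$pa" in
        no)
            echo "OK    PasswordAuthentication=no: keys only" ;;
        *)
            echo "WEAK  PasswordAuthentication=$pa: password guessing possible (sshd default is yes)"
            rc=1 ;;
    esac
    return $rc
}

# Constructed configs: the book's edit on top of a stock-like file, and a hardened one.
dir=$(mktemp -d)
cat > "$dir/sshd_config.weak" <<'EOF'
Include /etc/ssh/sshd_config.d/*.conf
#PermitRootLogin prohibit-password
PermitRootLogin Yes
EOF
cat > "$dir/sshd_config.hardened" <<'EOF'
PermitRootLogin prohibit-password
PasswordAuthentication no
Match User kali
    PasswordAuthentication yes
EOF

for f in "$dir"/sshd_config.*; do
    echo "== $f"
    audit_sshd_config "$f" || echo "   -> password guessing possible on this host"
done
rm -rf "$dir"
```

The hardened fragment shows the shape a practitioner usually wants: root restricted to keys, passwords off globally, and a Match block re-enabling them only for the one account that needs it.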
Before you can connect to your Kali host over SSH, the SSH service must be running, and Kali does not start it by default. To start it, execute the following command:
$service ssh start
If you want to stop it later, use the following command:
$service ssh stop
If you want the SSH server to persist (automatically start) even after you reboot your system, then you will need to execute the following command:
$systemctl enable ssh
If you are not sure whether the SSH server is started or stopped, execute the following command to get the results shown in Figure 1.12:
$service ssh status
Figure 1.12 SSH Service Status
By default, the port number of SSH is 22, and if the remote Linux server listens on another port, then you will need to specify it in your connection command:
$ssh username@kaliIP -p [port number]
Passwordless SSH
Using a public key and a private key, a remote user can log in using SSH. This method is more secure than passwords: a private key is far larger than anything a person would type, and once password authentication is disabled on the server (PasswordAuthentication no), nobody can brute-force their way into your server with guessed passwords.
There are a lot of misconceptions about how the public/private key mechanism works. In the next steps, I developed an example from scratch so you can visualize how things happen in reality:
Here's the client machine information:
OS: Ubuntu Desktop Linux V20
IP: 10.0.0.186
Here's the Kali Linux SSH Server host information:
OS: Kali Linux 2020.1
IP: 10.0.0.246
First, we will generate a public key and a private key on our client host (Ubuntu). Why? The goal is to perform the following steps:
1 Generate a private key ( /home/[username]/.ssh/id_rsa ) on the client machine. The private key never leaves the client: at login, the client proves it holds the private key by signing data tied to the current session, and the server checks that signature with the public key. If someone steals your public key, they still can't hack into the remote host, because only the private key can produce that signature.
2 Generate a public key ( /home/[username]/.ssh/id_rsa.pub ) on the client machine. We need to send a copy of the public key to the server. After that, the server stores the client's public key in a file called authorized_keys in that user's .ssh directory.
Let's start! On our client Ubuntu host, generate the public and private keys (Figure 1.13):
$ssh-keygen -t rsa -b 4096
The previous command used two arguments:
-t rsa : The t stands for the type of key to generate. RSA is the most common one, but you have other options as well (dsa, ecdsa, ecdsa-sk, ed25519, ed25519-sk, and rsa). dsa is deprecated and should not be used; ed25519 is the recommended modern choice, and it takes no -b option because its size is fixed.
-b 4096 : The b option specifies the number of bits in the key to create. In our case (RSA key), the minimum size is 1,024 bits, and the default is 3,072 bits.
Take note that while performing the earlier steps, we were asked to enter a passphrase. The passphrase encrypts the private key file on disk, so a copied id_rsa is useless without it; it is never sent to the server and is separate from your login password.