Kali Linux Penetration Testing Bible. Gus Khawaja
/etc/shadow file (you can print the whole thing first so you can visualize the difference of before and after):
root@kali:/# awk '/root/' /etc/shadow
root:$6$uf2Jy/R8HS5Tx$Vw1wHuBV7unq1hImYGTJdNrRwMwRtf0yd/aSH0zOhhdzWofAT5WUSduQTjWj8AbdmT62rLbcs6kP3xwdiLk.:18414:0:99999:7:::
root@kali:/# awk -F ':' '/root/{print $2}' /etc/shadow
$6$uf2Jy/R8HS5Tx$Vw1wHuBV7unq1hImYGTJdNrRwMwRtf0yd/aSH0zOhhdzWofAT5WUSduQTjWj8AbdmT62rLbcs6kP3xwdiLk.
We know that the shadow file uses the : delimiter to separate its fields, so we use -F ':' to split each line on it. Then, we tell the tool to print only the second field with {print $2}, which is the hashed password contents.
Another popular way to extract substrings is the cut command. In the following example, we use the cat command to open the shadow file; then we use the grep command to filter out the root account, and finally, we use the cut command to extract the password:
root@kali:/# cat /etc/shadow | grep "root" | cut -d ":" -f 2
$6$uf2Jy/R8HS5Tx$Vw1wHuBV7unq1hImYGTJdNrRwMwRtf0yd/aSH0zOhhdzWofAT5WUSduQTjWj8AbdmT62rLbcs6kP3xwdiLk.
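Both extractions above select lines with a substring match on root, which also selects any other line containing that text. As an added example (not from the book), these shell functions match the account name exactly in field 1 and name the hash scheme from the prefix of field 2, which is what you check when auditing for weak password hashing. The sample file, its placeholder hash strings and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: exact-match field extraction from a shadow-format file.
# SAMPLE_SHADOW holds constructed data, not a real /etc/shadow.
SAMPLE_SHADOW=$(mktemp)
trap 'rm -f "$SAMPLE_SHADOW"' EXIT
cat > "$SAMPLE_SHADOW" <<'EOF'
root:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASHROOT:18414:0:99999:7:::
daemon:*:18414:0:99999:7:::
rootbackup:$1$CONSTRUCTED$CONSTRUCTEDHASHOLD:18414:0:99999:7:::
kali:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASHKALI:18414:0:99999:7:::
EOF

# Print field 2 (the password hash) for exactly one account.
# $1 == u compares the whole first field, unlike /root/, which would
# also select "rootbackup" in the sample above.
shadow_hash() {
    awk -F ':' -v u="$1" '$1 == u { print $2 }' "$2"
}

# Name the crypt(3) scheme from the $id$ prefix of a hash field.
shadow_scheme() {
    case "$1" in
        '$1$'*)                  echo "md5crypt" ;;
        '$5$'*)                  echo "sha256crypt" ;;
        '$6$'*)                  echo "sha512crypt" ;;
        '$y$'*)                  echo "yescrypt" ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt" ;;
        '')                      echo "empty" ;;    # no password required
        '*'|'!'*)                echo "locked" ;;   # password login disabled
        *)                       echo "unknown" ;;
    esac
}

# Print "account scheme" for every entry in the file, one per line.
shadow_report() {
    awk -F ':' '{ print $1 }' "$1" | while read -r user; do
        printf '%s %s\n' "$user" "$(shadow_scheme "$(shadow_hash "$user" "$1")")"
    done
}

shadow_report "$SAMPLE_SHADOW"
```
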
Remote Connections in Kali
There are two common ways to connect remotely to other operating systems. For Windows, it is the Remote Desktop Protocol (RDP), and for Linux, it's the Secure Shell (SSH). In the next sections, I will explain how to use each protocol to connect remotely to an OS (Windows or Linux).
Remote Desktop Protocol
RDP is used to connect remotely to a Windows OS. Let's suppose that during your engagement you encountered a remote desktop port 3389 open on a Windows host (e.g., during your port scanning phase). Then, you will need to try to connect to it with some basic credentials (e.g., a username of Administrator and a password of password123). There are many times during your engagements where you want to connect remotely to a Windows system to get the job done (from Kali Linux). In this case, you will need to use the rdesktop command.
$ rdesktop [Windows host IP address] -u [username in windows] -p [password in windows]
You can also omit the password and enter it later. See the example in Figure 1.9.
Figure 1.9 “Windows Login”
Secure Shell
SSH is a secure protocol that allows you to execute commands remotely on a Linux host (in this case, Kali). SSH runs over TCP and uses port 22 by default. There are two ways to connect to a remote SSH server:
Using a username/password credentials
Using public/private keys (passwordless)
SSH with Credentials
Let's start first with the method that uses the password. By default, all the user accounts except the root account can log in remotely to SSH:
$ ssh username@kaliIP
Figure 1.10 shows a root user who is not allowed to log in to Kali Linux remotely as well as a regular user (kali) who is able to log in remotely using SSH. In Figure 1.10, I'm using MobaXterm on Windows OS to connect remotely using SSH to the Kali VM.
Figure 1.10 SSH with MobaXterm on Windows
To allow the root user to log in remotely to SSH, you will need to edit the SSH server configuration file at this path:
/etc/ssh/sshd_config
Make sure to add the following line to the SSH configuration file:
PermitRootLogin Yes
Now, we can try to connect to our Kali host remotely using the root account (it should work this time after the latest changes):
Figure 1.11 SSH Root Connection
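To see what the PermitRootLogin change exposes, the following added example (not from the book) reads the effective global value of a keyword from an sshd_config-style file and flags root password login. The sample configuration and the function names are constructed, and the fallback values are assumed to be the OpenSSH defaults; on a live host, sshd -T prints the authoritative effective configuration.

```shell
#!/bin/sh
# Added example: audit the global section of an sshd_config-style file.
# SAMPLE_SSHD_CONFIG holds constructed data, not a real sshd_config.
SAMPLE_SSHD_CONFIG=$(mktemp)
trap 'rm -f "$SAMPLE_SSHD_CONFIG"' EXIT
cat > "$SAMPLE_SSHD_CONFIG" <<'EOF'
# constructed sample
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
permitrootlogin no
Match User backup
    PermitRootLogin no
EOF

# sshd keeps the first value it reads for a keyword, keywords are
# case-insensitive, and lines starting with "#" are comments.
# Simplifications (assumptions of this example): only the global section
# before the first Match line is read, Include files are not followed,
# and keyword and value are separated by whitespace.
sshd_global_value() {
    awk -v want="$1" '
        NF == 0 || $1 ~ /^#/         { next }
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(want) { print tolower($2); exit }
    ' "$2"
}

# Print one finding line for the root-login settings of the file.
sshd_audit() {
    root=$(sshd_global_value PermitRootLogin "$1")
    pass=$(sshd_global_value PasswordAuthentication "$1")
    port=$(sshd_global_value Port "$1")
    # Fallbacks when a keyword is absent: assumed OpenSSH defaults.
    [ -n "$root" ] || root="prohibit-password"
    [ -n "$pass" ] || pass="yes"
    [ -n "$port" ] || port="22"
    if [ "$root" = "yes" ] && [ "$pass" = "yes" ]; then
        echo "FINDING: root can log in with a password on port $port"
    elif [ "$root" = "yes" ]; then
        echo "NOTE: root login allowed with keys only on port $port"
    else
        echo "OK: PermitRootLogin is $root"
    fi
}

sshd_audit "$SAMPLE_SSHD_CONFIG"
```

The later `permitrootlogin no` line in the sample has no effect because the first value read wins, which is why an audit has to follow the same rule instead of taking the last match.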
Before you can use SSH on your Kali Linux host, you need to start the SSH service. To do this, execute the following command:
$ service ssh start
If you want to stop it later, use the following command:
$ service ssh stop
If you want the SSH server to persist (automatically start) even after you reboot your system, then you will need to execute the following command:
$ systemctl enable ssh
If you forget the status (started or stopped) of your SSH server, then execute the following command to get the results shown in Figure 1.12:
$ service ssh status
Figure 1.12 SSH Service Status
By default, SSH listens on port 22. If the remote Linux server has been changed to another port, then you will need to specify it in your connection command:
$ ssh username@kaliIP -p [port number]
Passwordless SSH
Using a public key and a private key, a remote user can log in using SSH. This method is more secure than password authentication because key-based login is not exposed to password brute-force attempts against your server.
There are many misconceptions about the public/private key mechanism. In the next steps, I have developed an example from scratch so you can visualize how things happen in reality:
Here's the client machine information:
OS: Ubuntu Desktop Linux V20
IP: 10.0.0.186
Here's the Kali Linux SSH Server host information:
OS: Kali Linux 2020.1
IP: 10.0.0.246
First, we will generate a public key and a private key on our client host (Ubuntu).