Upgrade ESXi 6.0 to 6.5

METHOD1 via CLI Offline
-download VMware-ESXi-6.5.0-4564106-depot.zip from https://my.vmware.com/group/vmware/get-download?downloadGroup=ESXI650
-enable ssh on ESXi
-scp VMware-ESXi-6.5.0-4564106-depot.zip into ESXi /tmp
-Shutdown all VMs running on your ESXi host machine, put your host into maintenance mode and then connect to your ESXi server via SSH
# cd /tmp
# esxcli software profile update -p ESXi-6.5.0-4564106-standard -d /tmp/VMware-ESXi-6.5.0-4564106-depot.zip

# reboot

METHOD2 via CLI Online
-enable ssh on ESXi
-Shutdown all VMs running on your ESXi host machine, put your host into maintenance mode and then connect to your ESXi server via SSH
# cd /tmp
# esxcli network firewall ruleset set -e true -r httpClient
# esxcli software sources profile list -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep -i ESXi-6.5
# esxcli software profile update -p ESXi-6.5.0-4564106-no-tools -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
# reboot
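Before running `esxcli software profile update` (and the same for the patch bundle step further down), it is worth checking that the depot you copied to the host is the file VMware published, that the profile name you are about to pass actually exists in that depot, that the host is in maintenance mode, and that no VM is still powered on. The script below is an added example, not part of the original notes; it runs with the python interpreter on the ESXi shell and assumes the esxcli output formats described in the comments. The expected SHA-256 is taken from the download page and passed on the command line.

```python
"""Pre-flight checks before `esxcli software profile update` on an ESXi host.

Added example (not from the original notes). Assumes the esxcli text output
formats described in the comments and the python interpreter shipped on ESXi.
"""
import hashlib
import subprocess


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so a large depot zip is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def run_esxcli(args):
    """Run esxcli on the host and return its stdout as text (a fake replaces this in tests)."""
    return subprocess.check_output(["esxcli"] + list(args)).decode("utf-8")


def maintenance_mode_enabled(run=run_esxcli):
    # `esxcli system maintenanceMode get` prints a single word: Enabled or Disabled.
    return run(["system", "maintenanceMode", "get"]).strip() == "Enabled"


def running_vms(run=run_esxcli):
    # `esxcli vm process list` prints one block per powered-on VM: the block's first line
    # (unindented) is the VM name, the details below it are indented. No VMs: no output.
    return [line.strip() for line in run(["vm", "process", "list"]).splitlines()
            if line.strip() and not line.startswith(" ")]


def depot_profiles(depot, run=run_esxcli):
    # `esxcli software sources profile list -d <zip>` prints a table whose header row is
    # followed by a dashed separator line; the profile name is the first column.
    names, in_rows = [], False
    for line in run(["software", "sources", "profile", "list", "-d", depot]).splitlines():
        if line.startswith("-"):
            in_rows = True
        elif in_rows and line.strip():
            names.append(line.split()[0])
    return names


def preflight(depot, profile, expected_sha256, run=run_esxcli):
    """Return the list of reasons not to upgrade yet; an empty list means go ahead."""
    problems = []
    if sha256_of(depot) != expected_sha256.lower():
        # Do not hand an unverified file to esxcli at all, not even to list its profiles.
        problems.append("depot checksum does not match the value published for the download")
    elif profile not in depot_profiles(depot, run):
        problems.append("profile {} is not in the depot".format(profile))
    if not maintenance_mode_enabled(run):
        problems.append("host is not in maintenance mode")
    vms = running_vms(run)
    if vms:
        problems.append("VMs still powered on: {}".format(", ".join(vms)))
    return problems


if __name__ == "__main__":
    import sys
    # Usage on the host: python preflight.py /tmp/<depot>.zip <profile name> <expected sha256>
    issues = preflight(sys.argv[1], sys.argv[2], sys.argv[3])
    for issue in issues:
        print("BLOCKED: " + issue)
    sys.exit(1 if issues else 0)
```

A non-zero exit means at least one check failed; the checksum check is the one that matters most, because a depot fetched over a proxy or from a mirror is a supply-chain input to the hypervisor itself.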

METHOD3 via CD media
-download ESXi iso from https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_5
-burn iso into cd
-set BIOS to boot from CD
-reboot ESXi
-on boot select “Upgrade ESXi, preserve VMFS datastore”

METHOD4 via USB media
-download ESXi iso from https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/6_5
-download and install YUMI Installer
-run YUMI and burn iso into pen drive
-set BIOS to boot from USB
-reboot ESXi
-on boot select “Upgrade ESXi, preserve VMFS datastore”

METHOD5 via Update Manager


-update ESXi to latest patches
METHOD1: CLI Offline
download ESXi latest patches from
scp ESXi650-201704001.zip into ESXi /vmfs/volumes//
# esxcli software vib update -d /vmfs/volumes//ESXi650-201704001.zip

METHOD2: CLI Online
# esxcli network firewall ruleset set -e true -r httpClient
# esxcli software profile install -p ESXi-6.5.0-20170404001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
-enable nested hypervisor
# echo 'vhv.enable = "TRUE"' >> /etc/vmware/config

-enable copy/paste between guest vm
# vi /etc/vmware/config
add these
vmx.fullpath = "/bin/vmx"

-install VMware Host Client
go to https://labs.vmware.com/flings/esxi-embedded-host-client#instructions
download and scp into /tmp
# esxcli software vib install -v /tmp/esxui-signed-5214684.vib

-install VMware Remote Console
go to https://labs.vmware.com/flings/esxi-embedded-host-client#instructions
download the package for your platform (VMware Remote Console 9.0 for Linux, Mac or Windows) and scp it into /tmp

# esxcli software vib update -v /tmp/VMware-Remote-Console-9.0.0-Linux.vib
# esxcli software vib install -v /tmp/VMware-Remote-Console-9.0.0-MacOS.vib
# esxcli software vib update -v /tmp/VMware-Remote-Console-9.0.0-Windows.vib

Now you can access ESXi using browser at https://esxserverip/ui

Merge a split disk into a single disk

SOURCE: https://vmexpo.wordpress.com/2014/04/15/how-to-merge-multiple-vmdks-into-single-vmdk/comment-page-1/

Sometimes you get an OVA with a disk split into multiple files, but I still prefer one big disk because it is easier to back up.

Here is how to do that with VMware Workstation

-cd to your target vm disk location
c:\>cd C:\Users\user1\Documents\Virtual Machines\OWASP
07-Apr-17  11:28 AM    <DIR>          .
07-Apr-17  11:28 AM    <DIR>          ..
03-Aug-15  10:58 AM     1,774,780,416 OWASP Broken Web Apps-cl1-s001.vmdk
03-Aug-15  10:58 AM     1,603,600,384 OWASP Broken Web Apps-cl1-s002.vmdk
03-Aug-15  10:58 AM     1,806,696,448 OWASP Broken Web Apps-cl1-s003.vmdk
03-Aug-15  10:58 AM     1,135,149,056 OWASP Broken Web Apps-cl1-s004.vmdk
03-Aug-15  10:58 AM            65,536 OWASP Broken Web Apps-cl1-s005.vmdk
03-Aug-15  08:47 AM               780 OWASP Broken Web Apps-cl1.vmdk
03-Aug-15  10:54 AM             8,684 OWASP Broken Web Apps.nvram
31-Jul-15  10:25 AM                79 OWASP Broken Web Apps.vmsd
03-Aug-15  10:54 AM             1,582 OWASP Broken Web Apps.vmx
06-May-15  09:30 AM               276 OWASP Broken Web Apps.vmxf
03-Aug-15  10:44 AM             8,306 owaspbwa-release-notes.txt
              11 File(s)  6,320,311,547 bytes
               2 Dir(s)  385,078,714,368 bytes free

>"C:\Program Files (x86)\VMware\VMware Workstation\vmware-vdiskmanager.exe" -r "OWASP Broken Web Apps-cl1.vmdk" -t 0 OWASP.vmdk
Creating disk 'OWASP.vmdk'
-t 0 creates a single growable disk. The .vmx still points at the old -cl1.vmdk, so edit the disk entry in the .vmx (or change it in the VM settings) to OWASP.vmdk before booting.

Proxmox Import/Export OVA

Import from OVA
-the disk must be a single file, not split

-scp ova into /tmp. In my case I am using dsl-4-4-10.ova
# cd /tmp
# tar xf dsl-4-4-10.ova
# qemu-img convert -f vmdk DSL-4.4.10-disk1.vmdk -O qcow2 DSL-4.4.10.qcow2
-check dsl-4-4-10.ova configuration
# grep -e "Memory RAMSize" -e "CPU count" -e "Netw" -e "Disk" DSL-4.4.10.ovf
All I found were the disk size and the number of NICs; the rest should be the defaults
-create an empty VM (ID 100 here) with 1 NIC. The disk size can be the smallest available because I will overwrite it later. The disk type can be vmdk or qcow2
# cp DSL-4.4.10.qcow2 /var/lib/vz/images/100/vm-100-disk-1.qcow2
-start the vm in proxmox
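The grep above pulls a few values out of the OVF by hand. An OVA also normally contains a manifest (`<name>.mf`) with a digest of every file in the archive, and the OVF's VirtualHardwareSection declares CPU, memory, NICs and disks in a fixed format, so both the integrity check and the "what does this VM need" step can be done properly. The script below is an added example, not from the original notes or from Proxmox: it verifies the manifest digests against the unpacked files and reads the hardware items from the OVF. The sample OVF, disk and manifest it writes are constructed for the demonstration; the OVF namespaces and resource-type numbers (3 = CPU, 4 = memory, 10 = NIC) are the standard DMTF values.

```python
"""Verify an unpacked OVA's manifest and read the hardware it declares.

Added example, not from the original notes. The sample OVF/manifest written
by write_sample() is constructed; real OVAs are a tar of <name>.ovf, <name>.mf
(optionally <name>.cert) and the disk images.
"""
import hashlib
import os
import re
import xml.etree.ElementTree as ET

OVF_NS = "{http://schemas.dmtf.org/ovf/envelope/1}"
RASD_NS = "{http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData}"
RESOURCE_TYPES = {"3": "cpu", "4": "memory", "10": "nic"}  # CIM ResourceType codes
MANIFEST_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\((.+)\)\s*=\s*([0-9a-fA-F]+)\s*$")


def verify_manifest(mf_path):
    """Return {filename: bool} for every .mf entry; False means the file is altered or missing."""
    results, base = {}, os.path.dirname(mf_path)
    with open(mf_path) as f:
        for line in f:
            m = MANIFEST_LINE.match(line.strip())
            if not m:
                continue  # blank or unknown line
            algo, name, digest = m.group(1).lower(), m.group(2), m.group(3).lower()
            path = os.path.join(base, name)
            if not os.path.isfile(path):
                results[name] = False
                continue
            h = hashlib.new(algo)
            with open(path, "rb") as fh:
                for block in iter(lambda: fh.read(1 << 20), b""):
                    h.update(block)
            results[name] = h.hexdigest() == digest
    return results


def _unit_multiplier(units):
    """OVF units look like 'byte * 2^20' (MB) or 'byte * 2^30' (GB); plain 'byte' is 1."""
    m = re.match(r"byte\s*\*\s*2\^(\d+)$", (units or "byte").strip())
    return 2 ** int(m.group(1)) if m else 1


def hardware_summary(ovf_path):
    """vCPU count, memory in MB, NIC count and disk capacities declared by the OVF."""
    root = ET.parse(ovf_path).getroot()
    files = {f.get(OVF_NS + "id"): f.get(OVF_NS + "href") for f in root.iter(OVF_NS + "File")}
    disks = [{"file": files.get(d.get(OVF_NS + "fileRef")),
              "capacity_bytes": int(d.get(OVF_NS + "capacity"))
              * _unit_multiplier(d.get(OVF_NS + "capacityAllocationUnits"))}
             for d in root.iter(OVF_NS + "Disk")]
    summary = {"cpus": 0, "memory_mb": 0, "nics": 0, "disks": disks}
    for item in root.iter(OVF_NS + "Item"):
        kind = RESOURCE_TYPES.get(item.findtext(RASD_NS + "ResourceType"))
        qty = int(item.findtext(RASD_NS + "VirtualQuantity") or 1)
        if kind == "cpu":
            summary["cpus"] += qty
        elif kind == "memory":
            summary["memory_mb"] += qty * _unit_multiplier(item.findtext(RASD_NS + "AllocationUnits")) // (1 << 20)
        elif kind == "nic":
            summary["nics"] += 1
    return summary


SAMPLE_OVF = """<?xml version="1.0"?>
<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1" xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1"
  xmlns:rasd="http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_ResourceAllocationSettingData">
  <References><File ovf:id="file1" ovf:href="sample-disk1.vmdk"/></References>
  <DiskSection><Disk ovf:capacity="2" ovf:capacityAllocationUnits="byte * 2^30" ovf:fileRef="file1"/></DiskSection>
  <VirtualSystem ovf:id="sample"><VirtualHardwareSection>
    <Item><rasd:ResourceType>3</rasd:ResourceType><rasd:VirtualQuantity>1</rasd:VirtualQuantity></Item>
    <Item><rasd:ResourceType>4</rasd:ResourceType><rasd:AllocationUnits>byte * 2^20</rasd:AllocationUnits>
      <rasd:VirtualQuantity>256</rasd:VirtualQuantity></Item>
    <Item><rasd:ResourceType>10</rasd:ResourceType></Item>
    <Item><rasd:ResourceType>17</rasd:ResourceType><rasd:HostResource>ovf:/disk/vmdisk1</rasd:HostResource></Item>
  </VirtualHardwareSection></VirtualSystem>
</Envelope>
"""


def write_sample(directory):
    """Write a constructed OVF, a fake disk file and a matching manifest; returns (ovf, mf) paths."""
    ovf, disk = os.path.join(directory, "sample.ovf"), os.path.join(directory, "sample-disk1.vmdk")
    with open(ovf, "w") as f:
        f.write(SAMPLE_OVF)
    with open(disk, "wb") as f:
        f.write(b"constructed disk image bytes, not a real VMDK\n")
    lines = []
    for name in ("sample.ovf", "sample-disk1.vmdk"):
        with open(os.path.join(directory, name), "rb") as fh:
            lines.append("SHA256({})= {}".format(name, hashlib.sha256(fh.read()).hexdigest()))
    mf = os.path.join(directory, "sample.mf")
    with open(mf, "w") as f:
        f.write("\n".join(lines) + "\n")
    return ovf, mf


if __name__ == "__main__":
    import tempfile
    ovf_path, mf_path = write_sample(tempfile.mkdtemp())
    print("manifest:", verify_manifest(mf_path))
    print("hardware:", hardware_summary(ovf_path))
```

Run it against a real unpacked OVA by pointing `verify_manifest` at the `.mf` and `hardware_summary` at the `.ovf`. Note what the manifest does and does not give you: the digests detect a corrupted or truncated download, but anyone who can modify the disk image inside the archive can regenerate the `.mf` too, so for an OVA from an untrusted source only a verified `.cert` signature over the manifest, or a digest published out of band, tells you the image is the one the publisher built.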

Export to OVA
-let's say I already have a VM with a qcow2 disk
# cd /var/lib/vz/images/101
# qemu-img convert -f qcow2 vm-101-disk-1.qcow2 -O vmdk /tmp/DSL-4.4.10-disk1.vmdk
-create an empty VM in VMware with the same OS, RAM, disk size and NIC
-the disk must be a single file, not split
-scp DSL-4.4.10-disk1.vmdk into your VM directory in VMware and rename it to vmname.vmdk
-click VM Settings
-click Hard Disk, click Remove
-click Hard Disk, click Add
I must choose the same disk type as the source VM's disk, for example IDE or SCSI
Attach the vmname.vmdk we copied before
-click File/Export to OVF menu
name it vmname.ova and click Save

TeamViewer installation on Kali

-install sddm as the default display manager, because the default one in Kali did not allow a remote TeamViewer connection without logging in to the GUI first

# apt-get install sddm

# dpkg --add-architecture i386
# apt-get update
# dpkg -i --force-depends teamviewer_i386.deb
# apt-get install -f

# teamviewer --daemon start

-get current TeamViewer id either from GUI or CLI
# teamviewer --info (prints version, status, id)
 TeamViewer                           12.0.71510  (DEB)
 teamviewerd status                   ● teamviewerd.service - TeamViewer remote control daemon
   Loaded: loaded (/etc/systemd/system/teamviewerd.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2017-03-19 09:02:02 PDT; 9min ago
  Process: 1140 ExecStart=/opt/teamviewer/tv_bin/teamviewerd -d (code=exited, status=0/SUCCESS)
 Main PID: 1162 (teamviewerd)
    Tasks: 12 (limit: 4915)
   CGroup: /system.slice/teamviewerd.service
           └─1162 /opt/teamviewer/tv_bin/teamviewerd -d
Mar 19 09:02:00 kali2 systemd[1]: Starting TeamViewer remote control daemon...
Mar 19 09:02:02 kali2 systemd[1]: Started TeamViewer remote control daemon.

 TeamViewer ID:                        798024234

-run teamviewer gui
# teamviewer
click Connection/Setup Unattended Access
click Next

click Finish

Now you can remotely connect to your Linux TeamViewer
-every time you add a device or log in from a new device while logged in to your TeamViewer account, TeamViewer will ask for your permission by sending an email titled "Device authorization needed"
Just click the link in that email to add the device to your TV account

Installing Wifi Jammer on Kali

Continuously jam all wifi clients and access points within range.

-connect your Atheros or Ralink card
-check wlan0 is on
# ifconfig wlan0
# cd /root
# cd wifijammer/
# ./wifijammer.py
This will find the most powerful wireless interface and turn on monitor mode. If a monitor mode interface is already up it will use the first one it finds instead. It will then start sequentially hopping channels 1 per second from channel 1 to 11 identifying all access points and clients connected to those access points. On the first pass through all the wireless channels it is only identifying targets. After that the 1sec per channel time limit is eliminated and channels are hopped as soon as the deauth packets finish sending. Note that it will still add clients and APs as it finds them after the first pass through.
Upon hopping to a new channel it will identify targets that are on that channel and send 1 deauth packet to the client from the AP, 1 deauth to the AP from the client, and 1 deauth to the AP destined for the broadcast address to deauth all clients connected to the AP. Many APs ignore deauths to broadcast addresses.
# ./wifijammer.py -a 00:0E:DA:DE:24:8E -c 2
Deauthenticates all devices with which 00:0E:DA:DE:24:8E communicates and skips channel hopping by setting the channel to the target AP's channel (2 in this case)

# ./wifijammer.py -c 1 -p 5 -t .00001 -s DL:3D:8D:JJ:39:52 -d --world
-c, Set the monitor mode interface to only listen and deauth clients or APs on channel 1
-p, Send 5 packets to the client from the AP and 5 packets to the AP from the client along with 5 packets to the broadcast address of the AP
-t, Set a time interval of .00001 seconds between sending each deauth (try this if you get a scapy error like 'no buffer space')
-s, Do not deauth the MAC DL:3D:8D:JJ:39:52. Ignoring a certain MAC address is handy in case you want to tempt people to join your access point in cases of wanting to use LANs.py or a Pineapple on them.
-d, Do not send deauths to access points’ broadcast address; this will speed up the deauths to the clients that are found
--world, Set the max channel to 13. In N. America the max channel standard is 11, but the rest of the world uses 13 channels so use this option if you're not in N. America

# ./wifijammer.py -m 10
The -m option sets a max number of client/AP combos that the script will attempt to deauth. When the max number is reached, it clears and repopulates its list based on what traffic it sniffs in the area

Installing Websploit on Kali

WebSploit Advanced MITM Framework
[+]Autopwn – Used From Metasploit For Scan and Exploit Target Service
[+]wmap – Scan,Crawler Target Used From Metasploit wmap plugin
[+]format infector – inject reverse & bind payload into file format
[+]phpmyadmin Scanner
[+]CloudFlare resolver
[+]LFI Bypasser
[+]Apache Users Scanner
[+]Dir Bruter
[+]admin finder
[+]MLITM Attack – Man Left In The Middle, XSS Phishing Attacks
[+]MITM – Man In The Middle Attack
[+]Java Applet Attack
[+]MFOD Attack Vector
[+]ARP Dos Attack
[+]Web Killer Attack
[+]Fake Update Attack
[+]Fake Access point Attack
[+]Wifi Honeypot
[+]Wifi Jammer
[+]Wifi Dos
[+]Wifi Mass De-Authentication Attack
[+]Bluetooth POD Attack

# cd /root
# cd websploit
# ./wsf-update.py
# ./websploit
         (  (               )             (             )
         )\))(   '   (   ( /(             )\     (   ( /(
        ((_)()\ )   ))\  )\()) (   `  )  ((_) (  )\  )\())
        _(())\_)() /((_)((_)\  )\  /(/(   _   )\((_)(_))/
        \ \((_)/ /(_))  | |(_)((_)((_)_\ | | ((_)(_)| |_
         \ \/\/ / / -_) | '_ \(_-<| '_ \)| |/ _ \| ||  _|
          \_/\_/  \___| |_.__//__/| .__/ |_|\___/|_| \__|
                --=[WebSploit Advanced MITM Framework
        +---**---==[Version :3.0.0
        +---**---==[Codename :Katana
        +---**---==[Available Modules : 20
                --=[Update Date : [r3.0.0-000 20.9.2014]
wsf > help
Commands                Description
---------------         ----------------
set                     Set Value Of Options To Modules
scan                    Scan Wifi (Wireless Modules)
stop                    Stop Attack & Scan (Wireless Modules)
run                     Execute Module
use                     Select Module For Use
os                      Run Linux Commands(ex : os ifconfig)
back                    Exit Current Module
show modules            Show Modules of Current Database
show options            Show Current Options Of Selected Module
upgrade                 Get New Version
update                  Update Websploit Framework
about                   About US

wsf > upgrade
[*]Checking For New Version, Please Wait …
[*]New Version Not Available, This Is Latest Version Of The WebSploit Framework.

wsf > show modules
Web Modules                     Description
-------------------             ---------------------
web/apache_users                Scan Directory Of Apache Users
web/dir_scanner                 Directory Scanner
web/wmap                        Information Gathering From Victim Web Using (Metasploit Wmap)
web/pma                         PHPMyAdmin Login Page Scanner
web/cloudflare_resolver         CloudFlare Resolver

Network Modules                 Description
-------------------             ---------------------
network/arp_dos                 ARP Cache Denial Of Service Attack
network/mfod                    Middle Finger Of Doom Attack
network/mitm                    Man In The Middle Attack
network/mlitm                   Man Left In The Middle Attack
network/webkiller               TCP Kill Attack
network/fakeupdate              Fake Update Attack Using DNS Spoof
network/arp_poisoner            Arp Poisoner

Exploit Modules                 Description
-------------------             ---------------------
exploit/autopwn                 Metasploit Autopwn Service
exploit/browser_autopwn         Metasploit Browser Autopwn Service
exploit/java_applet             Java Applet Attack (Using HTML)

Wireless / Bluetooth Modules    Description
-------------------             ---------------------
wifi/wifi_jammer                Wifi Jammer
wifi/wifi_dos                   Wifi Dos Attack
wifi/wifi_honeypot              Wireless Honeypot(Fake AP)
wifi/mass_deauth                Mass Deauthentication Attack
bluetooth/bluetooth_pod         Bluetooth Ping Of Death Attack

Installing Discover on Kali Linux

SOURCE: http://www.thegeeky.space/2015/04/how-to-save-time-doing-passive-discovery-in-Kali-Linux-using-discover-or-backtrack-script-framework.html

Configuring recon-ng
-register bing_api*
go to https://azure.microsoft.com/en-us/services/cognitive-services/search/ and sign in using your Hotmail or Skype account or create new account
-register builtwith_api* https://api.builtwith.com
-register facebook_api https://developers.facebook.com
-register fullcontact_api* https://portal.fullcontact.com/signup
-register  github_api*
-register ipinfodb_api http://www.ipinfodb.com/register.php
-register linkedin_api https://developer.linkedin.com
-register shodan_api* https://www.shodan.io//
-register with twitter_api https://dev.twitter.com
-the APIs marked with * are required

# recon-ng
  keys add bing_api <value>
  keys add builtwith_api <value>
  keys add fullcontact_api <value>
  keys add github_api <value>
  keys add google_api <value>
  keys add google_cse <value>
  keys add hashes_api <value>
  keys add shodan_api <value>

> keys list
  |       Name       |                Value                 |
  | bing_api         |                                      |
  | builtwith_api    | d7cfa1da-8bc2-46df-816e-e1fbd8884… |
  | censysio_id      |                                      |
  | censysio_secret  |                                      |
  | flickr_api       |                                      |
  | fullcontact_api  | 574dcf32717c8…                     |
  | github_api       |                                      |
  | google_api       |                                      |
  | google_cse       | AIzaSyBDUbBRqbI3Oq3zVY34TiYBzzLGjPFs… |
  | hashes_api       | 0CImE8MxyVI6ZAoldvGdfNcaLds…       |
  | instagram_api    |                                      |
  | instagram_secret |                                      |
  | ipinfodb_api     |                                      |
  | jigsaw_api       |                                      |
  | jigsaw_password  |                                      |
  | jigsaw_username  |                                      |
  | linkedin_api     |                                      |
  | linkedin_secret  |                                      |
  | pwnedlist_api    |                                      |
  | pwnedlist_iv     |                                      |
  | pwnedlist_secret |                                      |
  | shodan_api       | 7Bl9THLHdEEFFyYJy0QOc69CtIEGK…     |
  | twitter_api      |                                      |
  | twitter_secret   |                                      |

Installing Discover
# cd /root
# cd  discover
# ./update.sh
# chmod +x /usr/share/theharvester/theHarvester.py

# ./discover.sh
______  ___ ______ ______  _____  _    _ ______  _____
|     \  |  |____  |      |     |  \  /  |_____ |____/
|_____/ _|_ _____| |_____ |_____|   \/   |_____ |    \_
By Lee Baird
1.  Domain
2.  Person
3.  Parse salesforce

4.  Generate target list
5.  CIDR
6.  List
7.  IP, range, or URL
8.  Rerun Nmap scripts and MSF aux.

9.  Insecure direct object reference
10. Open multiple tabs in Firefox
11. Nikto
12. SSL

13. Crack WiFi
14. Parse XML
15. Generate a malicious payload
16. Start a Metasploit listener
17. Update
18. Exit

1. Passive
2. Active
3. Previous menu
- Passive uses ARIN, dnsrecon, goofile, goog-mail, goohost, theHarvester, Metasploit, URLCrazy, Whois, multiple websites, and recon-ng.
- Active uses Nmap, dnsrecon, Fierce, lbd, WAF00W, traceroute, and Whatweb.
- Acquire API keys for Bing, Builtwith, Fullcontact, GitHub, Google, Hashes, and Shodan for maximum results with recon-ng.

First name:
Last name:
- Combines info from multiple websites.

Parse salesforce
Create a free account at salesforce (https://connect.data.com/login).
Perform a search on your target company > select the company name > see all.
Copy the results into a new file.
Enter the location of your list:
- Gather names and positions into a clean list.

Generate target list
1. Local area network
2. NetBIOS
3. netdiscover
4. Ping sweep
5. Previous menu
- Use different tools to create a target list including Angry IP Scanner, arp-scan, netdiscover and nmap pingsweep.

CIDR, List, IP, Range, or URL
Type of scan:
1. External
2. Internal
3. Previous menu
- External scan will set the nmap source port to 53 and the max-rrt-timeout to 1500ms.
- Internal scan will set the nmap source port to 88 and the max-rrt-timeout to 500ms.
- Nmap is used to perform host discovery, port scanning, service enumeration and OS identification.
- Matching nmap scripts are used for additional enumeration.
- Addition tools: enum4linux, smbclient, and ike-scan.
- Matching Metasploit auxiliary modules are also leveraged.

Insecure direct object reference
Using Burp, authenticate to a site, map & Spider, then log out.
Target > Site map > select the URL > right click > Copy URLs in this host.
Paste the results into a new file.
Enter the location of your file:

Open multiple tabs in Firefox
Open multiple tabs in Firefox with:
1. List
2. Directories from a domain's robot.txt.
3. Previous menu
- Use a list containing IPs and/or URLs.
- Use wget to pull a domain's robot.txt file, then open all of the directories.

Run multiple instances of Nikto in parallel.
1. List of IPs.
2. List of IP:port.
3. Previous menu

Check for SSL certificate issues.
Enter the location of your list:
- Use sslscan and sslyze to check for SSL/TLS certificate issues.

Crack WiFi
- Crack wireless networks.

Parse XML
Parse XML to CSV.
1. Burp (Base64)
2. Nessus
3. Nexpose
4. Nmap
5. Qualys
6. Previous menu

Generate a malicious payload
1. android/meterpreter/reverse_tcp
2. cmd/windows/reverse_powershell
3. linux/x64/shell_reverse_tcp
4. linux/x86/meterpreter/reverse_tcp
5. osx/x64/shell_reverse_tcp
6. php/meterpreter/reverse_tcp
7. windows/meterpreter/reverse_tcp
8. windows/x64/meterpreter/reverse_tcp
9. Previous menu

Start a Metasploit listener
Metasploit LISTENERS
1. android/meterpreter/reverse_tcp
2. cmd/windows/reverse_powershell
3. linux/x64/shell_reverse_tcp
4. linux/x86/meterpreter/reverse_tcp
5. osx/x64/shell_reverse_tcp
6. php/meterpreter/reverse_tcp
7. windows/meterpreter/reverse_tcp
8. windows/x64/meterpreter/reverse_tcp
9. Previous menu