
Learning Kali Linux



Learning Kali Linux
Security Testing, Penetration Testing, and Ethical Hacking
Ric Messier, GCIH, GSEC, CEH, CISSP

Learning Kali Linux
by Ric Messier

Copyright © 2018 O’Reilly Media. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.

O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions are also available for most titles (http://oreilly.com/safari). For more information, contact our corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.

Acquisition Editor: Courtney Allen
Editor: Virginia Wilson
Production Editor: Colleen Cole
Copyeditor: Sharon Wilkey
Proofreader: Christina Edwards
Indexer: Judy McConville
Interior Designer: David Futato
Cover Designer: Randy Comer
Illustrator: Melanie Yarbrough
Technical Reviewers: Megan Daudelin, Brandon Noble, and Kathleen Hyde

August 2018: First Edition

Revision History for the First Edition
2018-07-13: First Release

See http://oreilly.com/catalog/errata.csp?isbn=9781492028697 for release details.

The O’Reilly logo is a registered trademark of O’Reilly Media, Inc. Learning Kali Linux, the cover image, and related trade dress are trademarks of O’Reilly Media, Inc.

While the publisher and the author have used good faith efforts to ensure that the information and instructions contained in this work are accurate, the publisher and the author disclaim all responsibility for errors or omissions, including without limitation responsibility for damages resulting from the use of or reliance on this work. Use of the information and instructions contained in this work is at your own risk. If any code samples or other technology this work contains or describes is subject to open source licenses or the intellectual property rights of others, it is your responsibility to ensure that your use thereof complies with such licenses and/or rights.

978-1-492-02869-7
[LSI]

Preface

A novice was trying to fix a broken Lisp machine by turning the power off and on. Knight, seeing what the student was doing, spoke sternly: “You cannot fix a machine by just power-cycling it with no understanding of what is going wrong.” Knight turned the machine off and on. The machine worked.

AI Koan

One of the places over the last half century that had a deep hacker culture, in the sense of learning and creating, was the Massachusetts Institute of Technology (MIT) and, specifically, its Artificial Intelligence Lab. The hackers at MIT generated a language and culture that created words and a unique sense of humor. The preceding quote is an AI koan, modeled on the koans of Zen, which were intended to inspire enlightenment. Similarly, this koan is one of my favorites because of what it says: it’s important to know how things work. Knight, by the way, refers to Tom Knight, a highly respected programmer at the AI Lab at MIT.

The intention for this book is to teach readers about the capabilities of Kali Linux through the lens of security testing. The idea is to help you better understand how and why things work. Kali Linux is a security-oriented Linux distribution, so it ends up being popular with people who do security testing or penetration testing for either sport or vocation. While it does have its uses as a general-purpose Linux distribution and for use with forensics and other related tasks, it really was designed with security testing in mind. As such, most of the book’s content focuses on using tools that Kali provides. Many of these tools are not necessarily easily available with other Linux distributions. While the tools can be installed, sometimes built from source, installation is easier if the package is in the distribution’s repository.

What This Book Covers

Given that the intention is to introduce Kali through the perspective of doing security testing, the following subjects are covered:

Foundations of Kali Linux
Linux has a rich history, going back to the 1960s with Unix. This chapter covers a bit of the background of Unix so you can better understand why the tools in Linux work the way they do and how best to make efficient use of them. We’ll also look at the command line since we’ll be spending a lot of time there through the rest of the book, as well as the desktops that are available so you can have a comfortable working environment. If you are new to Linux, this chapter will prepare you to be successful with the remainder of the book so you aren’t overwhelmed when we start digging deep into the tools available.

Network Security Testing Basics
The services you are most familiar with listen on the network. Also, systems that are connected to the network may be vulnerable. To be in a better position to perform testing over the network, we’ll cover some basics of the way network protocols work. When you really get deep into security testing, you will find an understanding of the protocols you are working with to be an invaluable asset. We will also take a look at tools that can be used for stress testing of network stacks and applications.

Reconnaissance
When you are doing security testing or penetration testing, a common practice is to perform reconnaissance against your target. A lot of open sources are available that you can use to gather information about your target. This will not only help you with later stages of your testing, but also provide a lot of details you can share with the organization you are performing testing for. This can help them correctly determine the footprint of systems available to the outside world. Information about an organization and the people in it can provide stepping stones for attackers, after all.

Looking for Vulnerabilities
Attacks against organizations arise from vulnerabilities. We’ll look at vulnerability scanners that can provide insight into the technical (as opposed to human) vulnerabilities that exist at your target organization. This will lead to hints on where to go from here, since the objective of security testing is to provide insights to the organization you are testing for about potential vulnerabilities and exposures. Identifying vulnerabilities will help you there.

Automated Exploits
While Metasploit may be the foundation of performing security testing or penetration testing, other tools are available as well. We’ll cover the basics of using Metasploit but also cover some of the other tools available for exploiting the vulnerabilities found by the tools discussed in other parts of the book.

Owning Metasploit
Metasploit is a dense piece of software. Getting used to using it effectively can take a long time. Nearly 2,000 exploits are available in Metasploit, as well as over 500 payloads. When you mix and match those, you get thousands of possibilities for interacting with remote systems. Beyond that, you can create your own modules. We’ll cover Metasploit beyond just the basics of using it for rudimentary exploits.

Wireless Security Testing
Everyone has wireless networks these days. That’s how mobile devices like phones and tablets, not to mention a lot of laptops, connect to enterprise networks. However, not all wireless networks have been configured in the best manner possible. Kali Linux has tools available for performing wireless testing. This includes scanning for wireless networks, injecting frames, and cracking passwords.

Web Application Testing
A lot of commerce happens through web interfaces. Additionally, a lot of sensitive information is available through web interfaces. Businesses need to pay attention to how vulnerable their important web applications are. Kali is loaded with tools that will help you perform assessments on web applications. We’ll take a look at proxy-based testing as well as other tools that can be used for more automated testing. The goal is to help you provide a better understanding of the security posture of these applications to the organization you are doing testing for.

Cracking Passwords
This isn’t always a requirement, but you may be asked to test both remote systems and local password databases for password complexity and difficulty in getting in remotely. Kali has programs that will help with password cracking — both cracking password hashes, as in a password file, and brute forcing logins on remote services like SSH, VNC, and other remote access protocols.

Advanced Techniques and Concepts
You can use all the tools in Kali’s arsenal to do extensive testing. At some point, though, you need to move beyond the canned techniques and develop your own. This may include creating your own exploits or writing your own tools. Getting a better understanding of how exploits work and how you can develop some of your own tools will provide insight on directions you can go. We’ll cover extending some of the tools Kali has as well as the basics of popular scripting languages along the way.

Reporting
The most important thing you will do is generate a report when you are done testing. Kali has a lot of tools that can help you generate a report at the end of your testing. We’ll cover techniques for taking notes through the course of your testing as well as some strategies for generating the report.

Who This Book Is For

While I hope there is something in this book for readers with a wide variety of experiences, the primary audience for the book is people who may have a little Linux or Unix experience but want to see what Kali is all about. This book is also for people who want to get a better handle on security testing by using the tools that Kali Linux has to offer. If you are already experienced with Linux, you may skip Chapter 1, for instance. You may also be someone who has done web application testing by using some common tools but you want to expand your range to a broader set of skills.

The Value and Importance of Ethics

A word about ethics, though you will see this come up a lot because it’s so important that it’s worth repeating. A lot. Security testing requires that you have permission. What you are likely to be doing is illegal in most places. Probing remote systems without permission can get you into a lot of trouble. Mentioning the legality at the top tends to get people’s attention.

Beyond the legality is the ethics. Security professionals who acquire certifications have to take oaths related to their ethical practices. One of the most important precepts here is not misusing information resources. The CISSP certification has a code of ethics that goes along with it, requiring you to agree to not do anything illegal or unethical. Testing on any system you don’t have permission to test on is not only potentially illegal, but also certainly unethical by the standards of our industry.

It isn’t sufficient to know someone at the organization you want to target and obtain their permission. You must have permission from a business owner or someone at an appropriate level of responsibility to give you that permission. It’s also best to have the permission in writing. This ensures that both parties are on the same page.

It is also important to have the scope recognized up front. The organization you are testing for may have restrictions on what you can do, what systems and networks you can touch, and during what hours you can perform the testing. Get all of that in writing. Up front. This is your Get Out of Jail Free card. Write down the scope of testing and then live by it.

Also, communicate, communicate, communicate. Do yourself a favor. Don’t just get the permission in writing and then disappear without letting your client know what you are doing. Communication and collaboration will yield good results for you and the organization you are testing for. It’s also generally just the right thing to do.

Within ethical boundaries, have fun!
Index (excerpt)

WLANs (wireless local area networks), 802.11
word lists, Local Cracking
wordlist package, Local Cracking
working directory, File and Directory Management
WPA (Wireless Protected Access), 802.11, Automating Multiple Tests
WPS attacks, WPS Attacks

X
Xfce, About Linux, Xfce Desktop
Xmas scan, High-Speed Scanning
XML entity injection, XML Entity Injection
XSS (cross-site scripting), Cross-Site Scripting, Proxystrike
XXE (XML external entity), XML Entity Injection

Y
Yellowdog Updater Modified (yum), About Linux

Z
Z-Wave protocol, Zigbee
Zed Attack Proxy (ZAP), Zed Attack Proxy-Zed Attack Proxy, Web-Based Cracking
Zigbee protocol, Zigbee, Zigbee Testing
zone transfers, Automating DNS recon
zsh shell, User Management
zzuf program, Identifying New Vulnerabilities

About the Author

Ric Messier, GCIH, GSEC, CEH, CISSP, MS has entirely too many letters after his name, as though he spends time gathering up strays that follow him home at the end of the day. His interest in information security began in high school but was cemented as a freshman at the University of Maine, Orono by taking advantage of a vulnerability in a jailed environment to break out of the jail and gain elevated privileges on an IBM mainframe in the early 1980s. His first experience with Unix was in the mid-1980s and Linux in the mid-1990s. He is an author, trainer, educator, incorrigible collector of letters after his name, and security professional with multiple decades of experience.

Colophon

The animal on the cover of Learning Kali Linux is a bull terrier. This breed is a cross between bulldogs and various terriers. It was developed in 19th-century England in an effort to create the ultimate fighting pit dog. Thanks to the “Humane Act of 1835,” dog fighting was outlawed in England and bull terriers quickly adapted to a lifestyle of ratting and being companions. Later these dogs were bred with white terriers, Dalmatians, and border collies; making it a more sophisticated breed than its predecessor.

A bull terrier’s most recognizable feature is its head, described as “shark-head-shaped” when viewed from the front. Bull terriers are the only registered breed to have triangle-shaped eyes. The body is full and round, with strong, muscular shoulders. They are either white, red, fawn, black, brindle, or a combination of these. Their unusually low center of gravity makes it hard for opponents to knock it down.

Bull terriers can be both independent and stubborn and, for this reason, are not considered suitable for an inexperienced dog owner. Early socialization will ensure that the dog will get along with other dogs and animals. Its personality is described as courageous, full of spirit, with a fun-loving attitude, a children-loving dog, and a perfect family member.

Many of the animals on O’Reilly covers are endangered; all of them are important to the world. To learn more about how you can help, go to animals.oreilly.com.

The cover image is from British Dogs, 1879. The cover fonts are URW Typewriter and Guardian Sans. The text font is Adobe Minion Pro; the heading font is Adobe Myriad Condensed; and the code font is Dalton Maag’s Ubuntu Mono.

Table of Contents

Preface
  What This Book Covers
  Who This Book Is For
  The Value and Importance of Ethics
  Conventions Used in This Book
  Using Code Examples
  O’Reilly Safari
  How to Contact Us
  Acknowledgments

1. Foundations of Kali Linux
  Heritage of Linux
  About Linux
  Acquiring and Installing Kali Linux
  Desktops
  GNOME Desktop
  Logging In Through the Desktop Manager
  Xfce Desktop
  Cinnamon and MATE
  Using the Command Line
  File and Directory Management
  Process Management
  Other Utilities
  User Management
  Service Management
  Package Management
  Log Management
  Summary
  Useful Resources

2. Network Security Testing Basics
  Security Testing
  Network Security Testing
  Monitoring
  Layers
  Stress Testing
  Denial-of-Service Tools
  Encryption Testing
  Packet Captures
  Using tcpdump
  Berkeley Packet Filters
  Wireshark
  Poisoning Attacks
  ARP Spoofing
  DNS Spoofing
  Summary
  Useful Resources

3. Reconnaissance
  What Is Reconnaissance?
  Open Source Intelligence
  Google Hacking
  Automating Information Grabbing
  Recon-NG
  Maltego
  DNS Reconnaissance and whois
  DNS Reconnaissance
  Regional Internet Registries
  Passive Reconnaissance
  Port Scanning
  TCP Scanning
  UDP Scanning
  Port Scanning with Nmap
  High-Speed Scanning
  Service Scanning
  Manual Interaction
  Summary
  Useful Resources

4. Looking for Vulnerabilities
  Understanding Vulnerabilities
  Vulnerability Types
  Buffer Overflow
  Race Condition
  Input Validation
  Access Control
  Local Vulnerabilities
  Using lynis for Local Checks
  OpenVAS Local Scanning
  Root Kits
  Remote Vulnerabilities
  Quick Start with OpenVAS
  Creating a Scan
  OpenVAS Reports
  Network Device Vulnerabilities
  Auditing Devices
  Database Vulnerabilities
  Identifying New Vulnerabilities
  Summary
  Useful Resources

5. Automated Exploits
  What Is an Exploit?
  Cisco Attacks
  Management Protocols
  Other Devices
  Exploit Database
  Metasploit
  Starting with Metasploit
  Working with Metasploit Modules
  Importing Data
  Exploiting Systems
  Armitage
  Social Engineering
  Summary
  Useful Resources

6. Owning Metasploit
  Scanning for Targets
  Port Scanning
  SMB Scanning
  Vulnerability Scans
  Exploiting Your Target
  Using Meterpreter
  Meterpreter Basics
  User Information
  Process Manipulation
  Privilege Escalation
  Pivoting to Other Networks
  Maintaining Access
  Summary
  Useful Resources

7. Wireless Security Testing
  The Scope of Wireless
  802.11
  Bluetooth
  Zigbee
  WiFi Attacks and Testing Tools
  802.11 Terminology and Functioning
  Identifying Networks
  WPS Attacks
  Automating Multiple Tests
  Injection Attacks
  Password Cracking on WiFi
  besside-ng
  coWPAtty
  Aircrack-ng
  Fern
  Going Rogue
  Hosting an Access Point
  Phishing Users
  Wireless Honeypot
  Bluetooth Testing
  Scanning
  Service Identification
  Other Bluetooth Testing
  Zigbee Testing
  Summary
  Useful Resources

8. Web Application Testing
  Web Architecture
  Firewall
  Load Balancer
  Web Server
  Application Server
  Database Server
  Web-Based Attacks
  SQL Injection
  XML Entity Injection
  Command Injection
  Cross-Site Scripting
  Cross-Site Request Forgery
  Session Hijacking
  Using Proxies
  Burp Suite
  Zed Attack Proxy
  WebScarab
  Paros Proxy
  Proxystrike
  Automated Web Attacks
  Recon
  Vega
  nikto
  dirbuster and gobuster
  Java-Based Application Servers
  SQL-Based Attacks
  Assorted Tasks
  Summary
  Useful Resources

9. Cracking Passwords
  Password Storage
  Security Account Manager
  PAM and Crypt
  Acquiring Passwords
  Local Cracking
  John the Ripper
  Rainbow Tables
  HashCat
  Remote Cracking
  Hydra
  Patator
  Web-Based Cracking
  Summary
  Useful Resources

10. Advanced Techniques and Concepts
  Programming Basics
  Compiled Languages
  Interpreted Languages
  Intermediate Languages
  Compiling and Building
  Programming Errors
  Buffer Overflows
  Heap Overflows
  Return to libc
  Writing Nmap Modules
  Extending Metasploit
  Disassembling and Reverse Engineering
  Debugging
  Disassembling
  Tracing Programs
  Other File Types
  Maintaining Access and Cleanup
  Metasploit and Cleanup
  Maintaining Access
  Summary
  Useful Resources

11. Reporting
  Determining Threat Potential and Severity
  Writing Reports
  Audience
  Executive Summary
  Methodology
  Findings
  Taking Notes
  Text Editors
  GUI-Based Editors
  Notes
  Capturing Data
  Organizing Your Data
  Dradis Framework
  CaseFile
  Summary
  Useful Resources

Index

... who helped make the book better — Brandon Noble, Kathleen Hyde, and especially Megan Daudelin!

Chapter 1. Foundations of Kali Linux

Kali Linux is a specialized distribution of the Linux operating system. It is targeted at people who want to engage in security work ...

Posted: 25/02/2023, 18:07
