Defensive Security with Kali Purple combines red team tools from the Kali Linux OS and blue team tools commonly found within a security operations center (SOC) for an all-in-one approach to cybersecurity. This book takes you from an overview of today's cybersecurity services and their evolution to building a solid understanding of how Kali Purple can enhance training and support proof-of-concept scenarios for your technicians and analysts.
After getting to grips with the basics, you’ll learn how to develop a cyber defense system for Small Office Home Office (SOHO) services. This is demonstrated through the installation and configuration of supporting tools such as virtual machines, the Java SDK, Elastic, and related software. You’ll then explore Kali Purple’s compatibility with the Malcolm suite of tools, including Arkime, CyberChef, Suricata, and Zeek. As you progress, the book introduces advanced features, such as security incident response with StrangeBee’s Cortex and TheHive and threat and intelligence feeds. Finally, you’ll delve into digital forensics and explore tools for social engineering and exploit development.
By the end of this book, you’ll have a clear and practical understanding of how this powerful suite of tools can be implemented in real-world scenarios.
You can read this e-book in Legimi apps or in any app that supports the following format:
Page count: 595
Year of publication: 2024
Defensive Security with Kali Purple
Cybersecurity strategies using ELK Stack and Kali Linux
Karl Lane
Copyright © 2024 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.
Group Product Manager: Pavan Ramchandani
Publishing Product Manager: Neha Sharma
Book Project Manager: Ashwini Gowda
Senior Editor: Runcil Rebello
Technical Editor: Yash Bhanushali
Copy Editor: Safis Editing
Proofreader: Runcil Rebello
Indexer: Rekha Nair
Production Designer: Gokul Raj S.T.
DevRel Marketing Coordinator: Marylou De Mello
First published: July 2024
Production reference: 2061124
Published by Packt Publishing Ltd.
Grosvenor House
11 St Paul’s Square
Birmingham
B3 1RB, UK
ISBN 978-1-83508-898-2
www.packtpub.com
To my loving wife, Britni, who once again has sacrificed too much to make someone else’s dreams come true. You are my biggest dream!
To our son, Douglas, who is serving in the United States Air Force – may you continue to see your dreams of becoming a mechanic come true.
To our son, Dominyck, who continues to make us proud as he pursues a cybersecurity career of his own and dreams of being a professional chef.
To our daughter, Natalie AdahRose, whose dream is to be an actress.
To our daughter, Willow Anne, whose dream is to become a beautician and own her own beauty salon.
To our son, Lincoln Helo, whose dream is to be the first person to play the electric guitar… in space!
To our son, Oliver Emmett, whose dream is to work with sea animals.
To our son, Memphis Law, who is looking down from above and was cheated out of Earthly dreams. Not a day goes by that your mama and I don’t think about you.
To our son, Sullivan Elias, who is non-verbal and dreams of being a dancer.
To our son, Maxwell Severus, whose dream is to be a paleontologist.
To our son, Odin Black, whose dream appears to be a career as a chemist given the concoctions he’s always mixing together.
To our daughter, Mila Belle, whose dream is to be a medical doctor.
To our son, Maverick Brooks, whose dream is to be legally adopted by us.
To foster children everywhere – may all your dreams come true!
– Karl Lane
Karl Lane is a Security Operations Center (SOC) team lead for AT&T/LevelBlue through contractor Pinnacle Group in support of the state of Texas. He leads a team of mid-career cybersecurity analysts protecting many agencies across multiple cybersecurity environments. Karl holds the Certified Ethical Hacker (CEH) and Cybersecurity Analyst (CySA+) certifications covering both offensive and defensive security. He is a strong advocate for education and training through practical experience and personal mentorship.
Karl’s tech journey began when serving in the United States Army in the late 1990s and early 2000s. While stationed at the NATO HQ in Brussels, Belgium, one of his colleagues developed an appreciation for his writing style and asked him to help create the content for a text-based game. To do so, he needed to learn how to use the Linux OS and how to write code in the legacy C programming language. This influenced him to pursue an undergraduate degree in information technology upon completing his military service. In the course of his studies, he gained a supplementary technical aid position at the world HQ for 3M Corporation – a multinational innovation company in St. Paul, Minnesota. It was there that he learned to break things through software testing, which led to application penetration testing and, eventually, a cybersecurity career.
Today, Karl lives very close to Disney World in central Florida with his wife, Britni, and a dynamically changing number of kids because they are foster parents.
Repetition is the mother of all learning and practical application is the father. Reference materials are great learning support but not a substitute for the learning process. Drinking from the fire hose is not learning.
Joe Kramer has worked in cybersecurity since 2016 and is currently a Tier 3 security analyst with The Judge Group and LevelBlue, supporting over 200 state-level agencies’ cybersecurity requirements. He previously worked for 22nd Century Technologies as a weapons and tactics analyst and assistant program manager, where he learned about, operated, and taught tools such as BlueCoat, Palo Alto, Fidelis, TippingPoint, Niksun, Elastic, Splunk, ArcSight, Devo, McAfee, Remedy, ServiceNow, and various additional bespoke applications. Prior to civilian life, Joe served in the United States Navy as a cryptologic technician for nine years, operating global-scale sensor networks to provide fleet and national customers with relevant, time-sensitive reporting.
Deepanshu Khanna is a hacker appreciated by the Indian defense, Indian government, Ministry of Home Affairs, police departments, and many other institutes, universities, globally renowned IT firms, magazines, newspapers, and so on. He started his career by presenting a popular hack of GRUB at HATCon, and some of his popular research in the fields of IDS and AIDE, practical demonstrations of MD5 collisions, buffer overflows, and more was published in various magazines such as PenTest, Hakin9, eForensics, SD Journal, Hacker5, and so on. He has been invited to public conferences such as DEF CON, ToorCon, OWASP, HATCon, and H1hackz, as well as to many universities and institutes as a guest speaker.
In this part, you’ll gain an understanding of how we got to be where we are today in the realm of cybersecurity. You’ll get a very brief history of technology developing alongside threats as well as solutions to those threats, resulting in the need for the cybersecurity toolsets we have today.
You’ll learn how to isolate a portion of your device (on any operating system) by using virtualization, so that you can set up your own Kali Purple instance and then install and configure your very own miniature SIEM with the ELK stack.
This part has the following chapters:
Chapter 1, An Introduction to Cybersecurity
Chapter 2, Kali Linux and the ELK Stack
Chapter 3, Installing the Kali Purple Linux Environment
Chapter 4, Configuring the ELK Stack
Chapter 5, Sending Data to the ELK Stack
If you’re reading this book, there’s a great chance you’re already familiar with cybersecurity. You might even already have some experience with Linux or even the Kali variant of the Linux operating system (OS). It’s a popular tool used by offensive security people who are typically referred to as red teamers. Offensive security is when users simulate attacks to discover potential vulnerabilities within an organization’s technology. However, where there’s offense, there most assuredly is defense. In the world of computers and technology, people working on defensive security teams are typically referred to as blue teamers. If you’re familiar with the color wheel, then you know that when red is combined with blue, you get purple. Take the utilities of both offense and defense, bundle them as a software application suite added to a popular Linux OS, and there you have it. Welcome to Kali Purple!
In this chapter, we’re going to cover the following main topics:
How we got here
Offensive security
Defensive security
You will get a very brief history of cybersecurity as it relates to the need for such services and how those services relate to Kali Purple. Having this understanding will lay the groundwork for the tool structures and purposes of the utilities commonly found in the Purple distribution. Along the way, you will begin to recognize the revolutionary power of this suite of tools.
Those already familiar with the Kali Linux OS will have an idea of some offensive cybersecurity utilities that it contains. For those who don’t, that’s okay! While those with prior Linux experience will more easily recognize some of the concepts that will be talked about, those of us working professionally in the field can attest to several folks who’ve succeeded in the field of cybersecurity with only Windows experience. If that’s you, take comfort in knowing that we will provide a high-level overview in the Offensive security section, which should provide enough of a foundation for you to easily navigate the rest of this book. How to integrate some of these offensive tools will be discussed much later in this book.
Throughout the bulk of the introduction to Kali Purple, the emphasis will be on the blue team tools that have been added to this specific distribution of Linux. As we will with the red team utilities, we will provide a high-level overview up front in this first chapter. You will then see the uniqueness of Kali Purple and be able to visualize how this tool can be used to set up a fully functioning defensive security operations center (SOC).
By the end of this chapter, you’ll have a well-rounded perspective of how Kali Purple can be used to train analysts within your organization. You will also start to see how this tool can be used for small and at-home businesses or even personal setups to provide a layer of security that otherwise would only be available as a subscription from a professional managed security services provider (MSSP).
The need for a technologically advanced set of computer security tools in the world today is not something that just popped up overnight. There weren’t a couple of college students who decided to hone their coding skills out of boredom between classes. No – the idea of security for computing technology is a concept that evolved in parallel with the technologies themselves.
If you wanted to, you could probably find some historical parchment with ancient hieroglyphics or other language painted on it telling stories of the abacus. It might detail how someone, somewhere, managed to trick the ancient Mesopotamians by some art of visual misdirection toward the accountants and then move a bead or two on the abacus. We’ll let the historians determine and tell those stories. We are going to focus on the security of modern computing.
During the 1960s and 1970s, computer security was mostly security in the traditional sense of physical protection – that is, security mostly revolved around restricting physical access to mainframe computers. It included access controls such as keypads and locked rooms. Oftentimes, these systems were standalone. They weren’t networked with other systems. When the networking of computer systems began to unfold, it was usually part of a larger project to create the widespread interconnectivity we see in the world today, led by an American government agency known as the Defense Advanced Research Projects Agency (DARPA). Sometimes, the D is dropped, and you’ll see it informally referred to as ARPA. This organization is part of the Department of Defense (DOD) and has earned a reputation for working on super-secret and interesting projects often dramatized in pop culture. The organization has led research projects leading to cutting-edge advancements in technology. Linking computer systems together is included in those achievements, with what became known as the ARPANET. The primary purpose of this style of security was to prevent unauthorized individuals from accessing and stealing sensitive information.
This began to evolve in the 1980s with the advent and marketing of personal computers. Though founded in the 1970s, Apple Computer, the company of Steve Jobs, Steve Wozniak, and Ronald Wayne, rapidly rose to fame in the early 1980s with the commercial release of its legendary Macintosh personal computer. It was the first to feature a couple of pieces of technology that we now know as a graphical user interface (GUI) and a mouse. Also gaining popularity at the time was computer networking and the ability for machines to communicate with each other. During this era, the focus of computer security shifted from physical access restriction toward securing data transmission, establishing secure communication protocols, and data encryption. The first iteration of the Data Encryption Standard (DES) was introduced within this period to protect data from interception.
Apple Computer – now Apple Inc. – was one of the first companies to succeed at the widespread distribution of a personal computer product. However, it was Microsoft Windows’ rise to stardom in the 1990s that dominated the market and made personal computing a household activity. Windows was born in the 1980s, but it was the aptly named Windows 95, released in 1995, that brought forth many of the creature comforts of personal computing we still enjoy today. The exponentially increasing popularity of personal computing during this era gave birth to exponential new challenges and brought forth the roots of cybercrime as we know it today. The term hacker, once a positive term used to describe the process of making innovative changes to a product, became a negative term associated with miscreants wishing to use technology for their mischief. While there were isolated incidents of mischief and malware in the 1960s and 1970s, not to mention the infamous Morris Worm of 1988, it was during the 1990s that hackers began to seek out and exploit vulnerabilities within software applications and network architecture on a grander and more mainstream scale. Hackers with coding skills began to use their abilities to create software that caused harm, acted as a nuisance, or did some other dirty deed. The first antivirus software was created in 1986 by John McAfee, and the 1990s saw those earliest versions of antivirus software advance into widespread, commercially available products. Firewalls were developed to prevent unauthorized access to endpoints, and the earliest versions of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) were released.
As the world moved into the 21st century, rapidly advancing computer and network technology gave way to e-commerce. This beginning of online shopping and other business transactions created a need for secure payment systems. After all, if the bad actors could cause mischief in other areas, anything that might give them access to businesses’ or individuals’ finances would be ripe for the taking! As a result, the major credit card companies at the time worked to create what is known as the Payment Card Industry Data Security Standard (PCI-DSS). This standard was meant to create a framework that assisted credit and debit card stakeholders in protecting against fraud. The SSL and TLS from the 1990s became more robust with greater acceptance and more widespread use in the community. Those security principles were designed to encrypt data during communication while covering the confidentiality and integrity aspects of the Information Security Triad, sometimes called the confidentiality, integrity, and availability (CIA) triad. If you’re not familiar with this foundational framework of cybersecurity, we will talk about it later in this chapter in the Defensive security section.
By the mid-2000s, cyberattacks and data breaches became much more frequent. They were also much more sophisticated. This is where the fun begins. It is the actions of cybercriminals during this era that directly led to the advancement of some of the technologies you will experience in Kali Purple and learn about in this book. There became a greater need to respond to security incidents in real time. Though there were already technologies in place to address this, they were rudimentary at best. Gaining prominence in the information security community were concepts such as the intrusion detection system (IDS), intrusion prevention system (IPS), and security information and event management (SIEM) system, among other things. Each of these concepts is a part of Kali Purple and we will go over them in detail throughout this book.
The 2010s improved mobile device and cloud computing technologies by degrees of magnitude. Guess what else grew by degrees of magnitude? You guessed it: new security challenges. Hopefully, you’re beginning to see the trend by now if you haven’t already. There is a parallel between new and emerging technologies and new and emerging threats in the cyber landscape. The security of mobile devices was straightforward, centering around protecting user data, preventing unauthorized access, and securing mobile applications; pretty much the same as it is today. The security of cloud computing was more focused on access controls, data storage, and protecting virtual machines (VMs). As you navigate the world of Kali Purple, you will see how the tools you’ll learn about are valuable assets for those areas as well.
Let’s look at the transition from physical protection of mainframes to handheld devices:
Figure 1.1 – The evolution of modern cybersecurity
Up until this point, most of the security in the world of technology was an area of emphasis that generally fell under the greater information technology (IT) umbrella. Standalone security specialists existed but were much more of a rarity than we see today. It was a series of highly publicized cyberattacks post-2010 that caused the field of cybersecurity to be born as a mainstream career unto itself. Since the entirety of Kali Purple is a suite of tools based upon protecting against cyberattacks, we will briefly look at some of the more prominent attacks so that – as we learn these tools throughout this book – we can refer to this section and mentally paste together the value, need, and – above all – purpose of the utilities we are about to experience.
Before delving into the post-2010 blitz of cyberattacks, we will briefly discuss one of the most famous attacks of all time and one that is considered in some circles to be the catalyst for cybersecurity to evolve into a self-contained career field. This is an attack that involves an exterior device: a USB drive. While it might seem like this attack could not have been prevented by the tools we’ll be talking about in this book, remain vigilant and open-minded. Not only does Kali Purple have the tools to identify and help stop these types of attacks, but the Kali side of the family also has the tools to create them! The attack we’re talking about here is the famous Stuxnet worm that was discovered in 2010.
Stuxnet is also one of the first examples of governments utilizing cyber technology for offensive purposes. Some consider it The Original Sin of Cyberwarfare. While there is no definitive answer as to who was responsible for the attack, the consensus throughout the cybersecurity community is that it was a likely joint effort between the United States and Israel against Iran’s nuclear program.
The complex attack occurred in six stages:
1. Reconnaissance and intelligence gathering to discover the code and systems to be compromised.
2. Zero-day and custom exploits were used/created to compromise and manipulate the systems.
3. Code was created to cover all tracks and avoid detection.
4. USB drives were weaponized with a malicious payload and covert delivery/covering of tracks.
5. The payload was delivered via clandestine operators who dropped the weaponized USBs in a parking lot.
6. An unsuspecting employee found one of the USBs and plugged it into the target systems.
Siemens, a multinational conglomerate company of innovation and technology, produces what is known as a programmable logic controller (PLC) that is used to manage industrial control systems (ICSs). These are systems that are usually considered to be critical infrastructure. They can include energy, sewer, and water systems for cities, towns, and major metropolis populations. In this case, the target was Iran’s nuclear program, and the catalyst was to intentionally corrupt the Siemens PLC that was used to manage components of the program.
It’s important to note that this attack was highly sophisticated and likely involved a large degree of intelligence gathering by clandestine agents. It involved developing zero-day exploits for both Windows as well as the software used in Siemens PLCs. Then, these zero-day malicious exploits were placed onto several auto-run USB drives. The drives were accidentally dropped into the parking lot of Iran’s nuclear enrichment facilities – and by accidentally, we mean intentionally – with the hope that an unsuspecting employee might pick one up and insert it into their work computer to see what was on it – a classic case of curiosity killed the cat. It worked. The Stuxnet action involved exploits that were covertly modifying the highly specialized code within the Siemens PLCs that managed the centrifuges within Iran’s nuclear facilities. This code caused the centrifuges to run at improper levels, resulting in physical sabotage of the centrifuges and significant damage to Iran’s nuclear enrichment capabilities while also causing significant delays in Iran’s development of nuclear technology.
Part of Stuxnet’s success is the extreme lengths its architects went to so that the attack could remain stealthy and evade detection. So, while Iran’s nuclear capabilities were being sabotaged, the fact that any sabotage was occurring was itself concealed at first, and, once the sabotage was discovered, how it had occurred was concealed as well. Since Stuxnet was presented in the form of a worm on a USB drive, it meant the malicious code contained therein could self-replicate and independently spread itself across network devices. Some might consider this a bit of a backfire if the United States and/or Israel were responsible for the initial release of Stuxnet. The reason is that strongly allied nations such as India and Indonesia ended up with this worm in their environments.
Thus began the modern era of government weaponization of computing technology. Stuxnet caused a lot of reflection by security staff worldwide. However, it wasn’t quite personal enough yet for the everyday average Joe to take notice. To get there, we needed individual citizens to be affected. That happened just 3 years later.
Perhaps one of the most individually impactful cyberattacks of the 21st century is what is known as the Target Cyberattack of 2013. Target is a large and well-known retail chain based in Minneapolis, Minnesota, that operates primarily in the United States, though it does have some international endeavors. The store is famous for its mascot, Bullseye, an all-white bull terrier with a literal bullseye painted around one of its eyes. It is also famous for something else: top-notch security. The retail store, wanting to put an end to shoplifting, spent years and years developing state-of-the-art security systems so potent that they would sometimes lend their forensic experts and teams to local law enforcement to assist in solving complicated criminal cases as a measure of social responsibility. To crack Target’s security would be like a boxer defeating Muhammad Ali. So, when it happened, it was a huge deal.
In 2013, Target’s cyber defenses were successfully compromised in what became one of the largest data breaches in history. Cybercriminals were able to access tens of millions of customer records, including credit and debit card numbers! It is now well known that the success of this breach was ultimately attributed to lax security with third-party vendors. However, the full picture is often overlooked. There were a great number of errors in this scenario, and had any one of them been different, this attack probably wouldn’t have succeeded. Some of the elements of this cyberattack are directly addressed by the tools and training offered by Kali Purple.
We’re not going to address every issue associated with this cyberattack or every fix that might have prevented it, such as a lack of proper access controls and network segmentation allowing attackers to easily make lateral movements. While those items may be addressable using a Linux distribution that is used for network and/or user administration and analyzing them would be fun, they are outside the scope of Kali Purple. There are, however, several issues related to the Target attack that directly correlate with Purple’s toolset.
One of the most important is basic threat monitoring – what an intrusion detection or prevention system does. It is rumored that the attackers were able to successfully install trojans within the retail giant’s point of sale (POS) systems. These are the systems that collect and process debit or credit card information after the customer’s items for purchase have been scanned, taxed, and totaled in price. The trojans would periodically grab the sensitive financial data that had been scanned, even on systems with no internet access, and transfer it to other devices within the company’s network. This type of activity would surely be identified by today’s IDS and SIEM technologies. Of course, that’s only valuable if the analyst believes what they see and acts on it. This brings us to our next scenario.
Note
Before unpacking this story further, let’s get one very important fact straight. Target’s security was – and still very much is – industry leading. It’s the best any organization could have. The company is very much worthy of respect in the cybersecurity community. One of the unintended consequences of being among the best there is in any area of life means you have a literal target – no pun intended – painted across your back. It’s why Microsoft’s Windows is statistically more likely to fall victim to a virus or other malware and the Mac or Linux systems are sometimes erroneously referred to as being immune to such things. Anybody who is properly informed knows that Apple and Linux are indeed not immune to malicious activity, including viruses. Those systems simply don’t have the same public hype and market share that Windows does. While that is slowly changing over time, as you learn about the fantastic cybersecurity defenses offered by Kali Purple, it’s critical to understand that nothing is ever truly immune. Anything in life that can be engineered, tangible or virtual, can also be reverse-engineered… anything! Do keep that critical fact in mind throughout your security career.
That said, let’s continue to break down the theories of the Target attack – concerning the company’s superior security – and learn how Kali Purple can act as a useful suite of tools to protect against such attacks in the future. One unconfirmed rumor is that Target was in the process of installing a new IDS/IPS system alongside their existing one and until the new system was fully operational, the old system was allowed to remain active. If true, that’s fantastic! Another version of this story is that the highly reputable security firm FireEye had developed a malware detection tool, and it was that tool that was in place instead of a new IDS/IPS system. It’s unknown what happened. However, even when proposed answers are placed into a hypothetical situation, there are lessons to be learned here regarding Kali Purple.
In the first proposed scenario of a new IDS/IPS, it’s been said that the new system (or FireEye’s product) did indeed detect malicious activity and did indeed report on it – supposedly to an annoying level! However, the old system was still operational, and the old system wasn’t reporting on it. That caused the technicians to incorrectly assume the new system was malfunctioning, so they manually closed the alerting process, choosing instead to believe the old technology. Now, even if this isn’t true, anybody who’s ever worked in a SOC before knows that alert fatigue is a real thing and it’s very easy for a technician or analyst, especially at the end of their shift, to fall victim to taking unnecessary shortcuts. Anytime you or an organization you are working for is conducting an upgrade or improvement to the security defenses, keep in mind that there’s a reason you’re upgrading your technology. If the new technology sounds an alarm, believe it, folks! As we work through Kali Purple’s defensive tools, take note of whether something obnoxious alerts you. If it does, believe it! Even if it ends up being incorrect the first hundred times, it only takes the one time, right?
Another takeaway from the Target hack is the level of security training offered to the people working with the systems. It would be a fair assumption to think that proper training might have encouraged those dismissing the alarms to realize they could’ve been legitimate, and the older technology was simply not catching what the new stuff was. One of Kali Purple’s most spectacular benefits is its ability to create live scenarios for testing and proof-of-concept purposes that can then be used to train technicians and analysts firsthand! Training in any technology-based field is critical. When you can add the element of practical application and live examples, that helps the learners visualize and better understand the concepts that need to be conveyed.
A couple of additional features of the Target attack to keep in mind are insufficient data encryption and slow incident response. In the case of encryption, we will talk more about that later when we deal with some of the tools that are available alongside Kali Purple, such as CyberChef – a very robust encryption/decryption tool that is often considered to be a requirement to survive in the world of cybersecurity. In the case of incident response, there are a few tools we can consider, such as Synapse and TheHive. We will devote Chapter 8 to security incident response while looking at the utilities offered by Kali Purple.
The 21st century continued to bring an influx of widespread high-profile cyberattacks:
Figure 1.2 – Snapshot of major cyberattacks since 2010
Now that we’ve covered a very brief history and the evolution of events that created the state of cybersecurity as we know it today, let’s examine some of the tools that have been developed and honed because of that evolution. In the next section, you’re going to get a glimpse of some of the most powerful offensive security (red team) tools in use today. They are part of the Kali Linux OS, which means they’re part of Kali Purple.
The offensive security aspect hails from the red team side of the Purple family. Because it is the defensive toolset that sets Kali Purple apart from the rest, we will only highlight the offensive portion as it relates to use cases and testing the defensive setup of Purple. You will want to learn or at least have a basic understanding of offensive security to get the most robust rewards from Kali Purple. You will gain an understanding of enough offensive security and red team tools and techniques that you’ll be able to effectively test your defensive setup. That will also allow you to develop live presentations and proof-of-concept activities that you can use to train others or even play with yourself. This, by far, is not an exhaustive instruction or reference point for anyone who is exclusively or primarily interested in offensive security. It has only been included to make your Kali Purple journey proper and complete.
It’s expected that most who are reading this book already have a certain level of understanding or at least a foundation for the Kali Linux OS. However, not everyone interested in or working in cybersecurity has taken the time to work with and appreciate the full value of Linux. The Kali Purple hype has created a renewed interest in working with Linux for some who otherwise have limited exposure or experience with the OS. For that reason, we’re going to provide you with enough information throughout this book so that you can successfully understand and use Kali Purple, even if you have no Linux experience. However, let’s be honest – we techies do tend to be rather addicted to our craft, don’t we? You may be tempted to stray from Kali Purple if you have limited Linux experience. While that’s truly not necessary to appreciate Purple, Vijay Kumar Velu has produced a masterpiece that will satisfy your curiosities. You’ll find that golden nugget at the end of this chapter in the Further reading section; it will help pacify your thirst for those Kali Linux OS skills.
Note
As we look at some of the red team tools and methods found within the Kali Linux distribution, it is mission-critical that we understand that these tools and methods are very dangerous. They can do real and significant damage – criminal levels of damage. Therefore, you should never use any of these tools and/or methods without first making absolutely, indisputably, certain that you have permission to do so. Of course, if you’re attacking your own system and later argue that you didn’t give yourself permission, you likely have larger issues to deal with. Joking aside, there are a plethora of publicly available testing sites and applications that were specifically engineered for hands-on practice. However, those resources are not applicable here because we are using these tools to test our very own defenses.
Some tools that are available in the Kali Linux distribution that are used by offensive operators, both hackers and security teams alike, include the following:
Nmap
Metasploit Framework
Burp Suite
Wireshark
Aircrack-ng
John the Ripper
Hydra
SQLmap
Maltego
Social Engineering Toolkit (SET)

Let's look at these in detail.
Short for Network Mapper, Nmap is widely used by operators to discover the hosts and services on a network, which is enough to sketch a logical map of it. With that map, the operator can examine the network for potential vulnerabilities or points of exploitation. Nmap accomplishes this by sending crafted packets to targets and drawing inferences from whether a response arrives and, if so, what that response looks like. Here's an example Nmap scan:
Figure 1.3 – Example Nmap scan
Nmap can be used to scan an entire network or a range of IP addresses. When used in this manner, it is usually to identify which hosts are up. After sending probing packets, the operator can conclude that a host is online if there is a response of any kind; silence, by contrast, may mean the host is down or that a firewall is dropping the probes (Nmap reports such ports as filtered). That lets an attacker build a topology of the network and list potential targets for further probing and/or exploitation.
As individual hosts are selected for further penetration, Nmap can be used to run a port scan, which determines which ports accept connections. Not only does this help identify potential points of entry for an attacker, but it also gives insight into the role of the device, because well-known port numbers suggest specific services. Ports 80 and 443 being open, for example, suggest that HTTP and HTTPS services are listening on that device. The port number is only a convention, though; Nmap's service detection (-sV) probes the listener to confirm what is actually running.
By analyzing responses to probes, Nmap can also assist the offensive operator in determining which OS is running on a host. That significantly reduces the ambiguity of attack vectors and helps narrow the attack tools and methods most likely to succeed against that device. This process is known as OS fingerprinting (Nmap's -O option).
As it relates to Kali Purple, Nmap activity can be detected and analyzed by the Elasticsearch, Logstash, and Kibana (ELK) stack, which we will begin to discuss in Chapter 2. It can also be detected by traffic and log analysis tools such as Arkime and Malcolm as well as intrusion detection utilities such as Suricata and Zeek, provided those tools are configured to do so. All of those tools are part of the Kali Purple distribution.
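To make the detection side concrete, here is an added example (not from the book, and not Zeek's or Elastic's own code) that flags the pattern an Nmap sweep leaves in Zeek-style conn.log records: one source touching many distinct destination ports in a short window, most of them without a completed handshake. The log lines are constructed, the column subset and the conn_state values chosen for the sample are assumptions, and the thresholds are illustrative.

```python
"""Spot Nmap-style port sweeps in Zeek-style conn.log records.

Added example, not the book's or Zeek's code. Real conn.log files carry more columns;
the tab-separated subset below and the conn_state values used for the sample are assumptions.
"""
from collections import defaultdict

# Constructed sample: one noisy scanner (10.0.0.99) and one ordinary client (192.168.1.20).
# Ports 22 and 80 are marked RSTO as the assumed state for a probe that was answered, then reset.
SAMPLE_CONN_LOG = """\
#fields\tts\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1700000000.00\t10.0.0.99\t40001\t192.168.1.10\t21\ttcp\tREJ
1700000000.01\t10.0.0.99\t40002\t192.168.1.10\t22\ttcp\tRSTO
1700000000.02\t10.0.0.99\t40003\t192.168.1.10\t23\ttcp\tREJ
1700000000.03\t10.0.0.99\t40004\t192.168.1.10\t25\ttcp\tS0
1700000000.04\t10.0.0.99\t40005\t192.168.1.10\t53\ttcp\tS0
1700000000.05\t10.0.0.99\t40006\t192.168.1.10\t80\ttcp\tRSTO
1700000000.06\t10.0.0.99\t40007\t192.168.1.10\t110\ttcp\tREJ
1700000000.07\t10.0.0.99\t40008\t192.168.1.10\t135\ttcp\tS0
1700000000.08\t10.0.0.99\t40009\t192.168.1.10\t139\ttcp\tS0
1700000000.09\t10.0.0.99\t40010\t192.168.1.10\t143\ttcp\tREJ
1700000000.10\t10.0.0.99\t40011\t192.168.1.10\t443\ttcp\tREJ
1700000000.11\t10.0.0.99\t40012\t192.168.1.10\t445\ttcp\tS0
1700000005.00\t192.168.1.20\t50001\t192.168.1.10\t443\ttcp\tSF
1700000006.00\t192.168.1.20\t50002\t192.168.1.1\t53\tudp\tSF
1700000007.00\t192.168.1.20\t50003\t192.168.1.10\t443\ttcp\tSF
"""

# Zeek conn_state values that mean the three-way handshake never completed
NO_HANDSHAKE = {"S0", "REJ", "RSTOS0", "RSTRH", "SH", "SHR"}


def parse_conn_log(text: str) -> list:
    """Parse the tab-separated subset above into dicts, skipping comment/header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig_h, orig_p, resp_h, resp_p, proto, state = line.split("\t")
        records.append({"ts": float(ts), "orig_h": orig_h, "orig_p": int(orig_p),
                        "resp_h": resp_h, "resp_p": int(resp_p), "proto": proto, "state": state})
    return records


def find_port_scanners(records: list, window: float = 60.0, min_targets: int = 10) -> dict:
    """Sliding window per source: report any source that reaches >= min_targets distinct
    (host, port) pairs within `window` seconds, with the share of those attempts that never
    completed a handshake (high for a SYN scan, low for a busy but legitimate client)."""
    by_src = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_src[r["orig_h"]].append(r)
    hits = {}
    for src, recs in by_src.items():
        best = None
        start = 0
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            targets = {(r["resp_h"], r["resp_p"]) for r in win}
            if best is None or len(targets) > best[0]:
                failed = sum(1 for r in win if r["state"] in NO_HANDSHAKE)
                best = (len(targets), failed / len(win))
        if best is not None and best[0] >= min_targets:
            hits[src] = {"targets": best[0], "failed_ratio": best[1]}
    return hits


if __name__ == "__main__":
    for src, info in find_port_scanners(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"possible scan from {src}: {info['targets']} targets, "
              f"{info['failed_ratio']:.0%} without a completed handshake")
```

The same counting logic is what a Kibana threshold rule or a Zeek script does in production; the failed-handshake ratio is the piece that separates a scanner from a chatty but legitimate host, which is why the example reports both numbers rather than a bare port count.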
The Metasploit Framework is one of the most comprehensive open source exploit development platforms available. It is likely to be available by default with any Linux OS that focuses on penetration testing and that includes Kali Linux. Here’s the Metasploit console:
Figure 1.4 – Metasploit’s default console
Originally created by H. D. Moore, Metasploit is now owned and maintained by Rapid7. The framework includes an extensive supply of auxiliary modules, exploits, and payloads. In addition to the community framework, which is freely available, there is a paid Metasploit Pro edition that adds professional support along with advanced automation and reporting capabilities.
At a high level, exploits are simply pieces of code that are designed and written to take advantage of vulnerabilities in targeted information system endpoints. Metasploit includes exploits that are designed to gain unauthorized access, escalate privileges, and establish backdoors, as well as deliver and remotely execute malicious payloads.
Even better, the Metasploit Framework allows customized payloads to be created and provides access to a library of pre-built payloads. A payload is the code that is delivered to and run on a compromised system once an exploit succeeds. The framework also includes post-exploitation modules, which run on a host that has already been compromised rather than exploiting a fresh vulnerability. They help operators dig deeper into a system and network, escalate privileges, harvest credentials, and reach sensitive data for exfiltration or other malicious purposes.
Metasploit can also support social-engineering-based attacks and generate reports of actions taken. Just like Nmap, Metasploit activity can be detected by the tools included with the Kali Purple distribution, especially Suricata and Zeek. The ELK stack would require some customizations, but you'll understand why that's a good thing before all is said and done.
Developed by a company called PortSwigger, Burp Suite is the leading cybersecurity utility used for web application security (and attacks). It is highly unlikely you’ll find a professional penetration tester doing web application tests who isn’t using Burp Suite. There are several unique components – Burp Suite calls them modules – to a Burp Suite installation, each designed to work with the other components if the user wishes. Most of these modules can be found for free within the Community edition of this product. However, some features of Burp Suite are only available in the paid Pro version. Don’t discount this product, however! The free Community edition provides a substantial toolset that’s very useful! Here’s the Burp Suite lobby:
Figure 1.5 – Burp Suite’s default lobby
Burp Suite's Proxy module sits between the web browser and the target of operations as an intercepting proxy. The browser is configured to send its traffic through Burp, which puts the operator in a man-in-the-middle position: HTTP/S requests and responses can be held, inspected, and modified before they are forwarded. For HTTPS, the browser must trust Burp's own CA certificate so that Burp can decrypt and re-encrypt the traffic.
There is a scanner module in the paid Pro version that provides automation for identifying security vulnerabilities in the targeted web application. Like Nmap for web applications, this scanner operates by sending information to the target. The difference is whereas Nmap sends communication packets, Burp Suite sends attack payloads to target web applications and then analyzes the responses to those payloads to help identify potential vulnerabilities. Some of the vulnerabilities the scanner is looking for include opportunities for SQL injection, cross-site scripting (XSS), and server-side request forgery (SSRF). It then highlights these prospective points of attack for further analysis.
Ever wanted to run a web crawler or spider? Burp Suite can do exactly that. The crawler walks the target application, following links and submitting forms, and maps its functionality for further investigation. Its purpose is to identify areas of the application that might not be so easily discovered from manual browsing. Note that the stand-alone Spider tool of older Burp releases has been folded into the crawl phase of Burp Scanner, which is a Pro feature; in the Community edition you build the site map by browsing the application through the proxy.
Burp Suite also supports brute-force attacks, in which the operator tries many candidate usernames and passwords until one works. As you might imagine, doing this manually could take forever (literally!). Burp Suite automates the process in the Intruder module: the user marks the positions in a request to vary (the username and password fields, for instance), supplies the lists of candidate values, and chooses how those lists are combined. One caveat: the Community edition deliberately throttles Intruder, so large attacks run far faster in the Pro edition.
Intruder's candidate values come from wordlists, and it is worth understanding how those relate to password hashes. When a password is stored in a well-designed system, it is not stored as-is; it is run through a one-way hash function, which is designed so that the computation cannot practically be reversed. The output of that function is called a hash. Hashes cannot be decrypted, so attackers guess instead: hash a candidate password and compare it with the stolen hash.
Over time, hackers and offensive security personnel have precomputed the hashes of enormous numbers of common passwords and stored them alongside the plaintexts, so that a stolen hash can be answered with a lookup rather than fresh computation. These precomputed structures are called rainbow tables. Note the distinction: a rainbow table is used offline against hashes you already possess, whereas Intruder sends plaintext candidates to a live login form, so what you import into Intruder is a wordlist of passwords, not a table of hashes. A random per-user salt defeats rainbow tables entirely, because every user's hash then has to be attacked from scratch.
The Intruder module can also be used for fuzz testing, or fuzzing, a technique popular with software test engineers that is closely related to parameter manipulation. It involves feeding random or unexpected data into an application or system. It can be a form of blind shooting or taking a stab in the dark, or it can be organized around precomputed sets of inputs such as special characters, format strings, or excessively long values. You can use it to test how a web application handles inputs it was never written to expect. Intruder makes that easy by letting the user define custom lists, payloads, and other attack scenarios. The primary purpose of the module is to help the operator gain access by uncovering weak passwords or injection flaws, or by identifying responses that leak too much information, such as verbose error messages or stack traces.
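The preceding paragraphs describe hashes, precomputed lookups, and wordlist guessing. The following added example (mine, not the book's or Burp's code) shows both sides in working Python: a precomputed table that instantly answers an unsalted SHA-256 hash, and a per-user salted PBKDF2 hash that forces the attacker back to one expensive guess per candidate per user. The wordlist and the user records are constructed.

```python
"""Precomputed hash lookups versus salted, iterated password hashing.

Added example, not from the book. WORDLIST and the user records are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple

WORDLIST = ["password", "123456", "letmein", "qwerty", "Summer2024", "admin"]  # constructed
ITERATIONS = 100_000  # PBKDF2 work factor; higher makes every guess cost more


def unsalted_hash(password: str) -> str:
    """The weak scheme: one bare SHA-256 of the password, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute digest -> plaintext once and reuse it against every stolen unsalted hash.
    A real rainbow table stores hash chains to save space, but the principle is the same:
    do the hashing work in advance, then answer each hash with a lookup."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(digest: str, table: dict) -> Optional[str]:
    """Constant-time-ish answer: one dictionary lookup, no hashing at attack time."""
    return table.get(digest)


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The stronger scheme: PBKDF2-HMAC-SHA256 with a random per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_user_record(password: str) -> dict:
    """What a well-designed system stores: the salt in the clear next to the salted hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": salted_hash(password, salt)}


def crack_salted(record: dict, words) -> Tuple[Optional[str], int]:
    """No precomputation possible: the salt must be folded into every guess, for every user.
    Returns (password_or_None, number_of_PBKDF2_computations spent)."""
    guesses = 0
    for w in words:
        guesses += 1
        if hmac.compare_digest(salted_hash(w, record["salt"]), record["hash"]):
            return w, guesses
    return None, guesses


def same_password_same_hash(password: str) -> Tuple[bool, bool]:
    """Two users with the same password: identical under the unsalted scheme (one table entry
    cracks both), different under the salted scheme. Returns (unsalted_equal, salted_equal)."""
    a, b = new_user_record(password), new_user_record(password)
    return unsalted_hash(password) == unsalted_hash(password), a["hash"] == b["hash"]


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted:", crack_unsalted(unsalted_hash("letmein"), table))
    print("salted:  ", crack_salted(new_user_record("letmein"), WORDLIST))
    print("same password, same hash?", same_password_same_hash("qwerty"))
```

The guess counter is the point: against the salted store every user costs the attacker a fresh pass through the wordlist at ITERATIONS hashes per candidate, which is exactly the cost a precomputed table was built to avoid.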
Sometimes, attackers accomplish their objective by resending a request the application has already accepted, a method known as a replay attack. Burp Suite's Repeater module exists to make this sort of testing easy: the operator takes a captured request, edits it by hand, and sends it to the server again and again, observing how the response changes each time. Like all Burp Suite modules, it allows for customization and offers great flexibility. Repeatedly resending a request with small alterations is how an operator probes an application's thresholds, for example to see which characters a parameter tolerates or whether a one-time token is actually rejected on reuse.
The Sequencer module analyzes the randomness of session tokens, anti-CSRF tokens, and other values that are supposed to be unguessable. It collects a large sample of tokens and runs statistical tests on them to estimate how much real entropy they contain; it does not inspect the cryptographic algorithm itself, only the quality of its output. Gathering tokens looks like ordinary traffic, so this module does not necessarily produce activity that would be directly detected by any of Kali Purple's included utilities. However, the information an operator gleans from Sequencer can lead to attacks based on the weaknesses it discovers, and those attacks most assuredly can be detected by the ELK stack, Suricata, Zeek, and other tools.
What is modern technology without the ability to extend it? The final piece is Burp's extension API (the Extensions tab, known as Extender in older releases). It allows users to develop and integrate custom plugins so that the tool can be tailored to an organization's needs, including automation. While extensions do not interact directly with any Kali Purple distributions, the BApp Store carries a large repository of community-submitted plugins, and any of them has the potential to generate activity recognized by the Purple set of tools.
The vastness of Burp Suite cannot be overstated. Like all the tools mentioned in this section, it can be used to cause harm or for good by testing for vulnerabilities to rebuff. Burp Suite is based around web application hacking, and you can safely fly to Vegas and bet the ranch any such activity will be looked at with Kali Purple’s defensive toolset.
The Kali Purple distribution adds some tools for traffic and log analysis, and we will go over those in this book. However, we’d be remiss to ignore the grand-daddy of all protocol analyzers – Wireshark. It was part of the Kali Linux package even before the Purple variety was released. Wireshark is an open source application that’s widely used and often referred to as the gold standard for protocol analyzers. You’ll find it used for network troubleshooting, packet analysis, and security vulnerability testing. It operates by capturing network traffic packets for operators to review and analyze. Here’s an example of a Wireshark packet capture:
Figure 1.6 – Wireshark example packet capture
Wireshark works by grabbing network packets as they flow across a network interface. It is typically used to capture and monitor traffic from protocols such as Ethernet, TCP/IP, DNS, HTTP, and HTTPS, among many others. By grabbing these packets, analysts can look at the headers, payload, and other relevant data being transmitted to help determine whether unwanted activity is occurring. Keep in mind that encrypted traffic such as HTTPS shows up as TLS records; the application data inside is only readable if the session keys are available to Wireshark.
Wireshark identifies and examines the protocols being used and then provides a very detailed analysis for human eyes to help determine the intended behavior and structure of the various protocols. By examining the messages and interactions this tool identifies, analysts can help uncover anomalous behavior or even simple security misconfigurations.
Wireshark can also be used by bad actors for network reconnaissance in a fashion complementary to Nmap. Rather than sending probes and reading the replies, the operator maps the target network entirely passively, from the information contained in packets that are already flowing. Through packet evaluation, the analyst can identify hosts on the network, infer open ports from the conversations they take part in, and observe communications for odd or unusual patterns, which helps visualize the actual infrastructure of the target network. Because capture is passive, Wireshark only sees traffic that reaches the capture interface; on a switched network, seeing other hosts' conversations typically requires a mirror (SPAN) port or a network tap.
This style of analysis helps operators investigate sessions for anomalous behavior. It exposes authentication mechanisms, revealing, for instance, credentials sent in cleartext or session identifiers that follow a predictable pattern, and more generally any weaknesses in data exchange or session management. Wireshark itself only observes, but what it reveals points the operator toward manipulation with other tools, whether by injecting packets, modifying payloads, or abusing a protocol's behavior. Bad actors sometimes use such techniques to bypass network security measures, for example by flooding a protective device so that it fails open.
Unlike the previous tools, a Wireshark capture is purely passive and places nothing on the wire, so Suricata, Zeek, and the ELK stack cannot detect the capture itself. What they can see is the traffic Wireshark is reading, and the attacks that follow from what an operator learns. Due to its popularity with penetration testers, defenders, and attackers alike, we are going to include it in our process.
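Wireshark's value comes from protocol dissection: walking the byte layout of each layer and validating it. The following added example (mine, not the book's or Wireshark's code) builds a constructed Ethernet/IPv4/TCP frame carrying an HTTP request, then dissects it the way a minimal dissector chain would, verifying the IPv4 and TCP checksums so that a modified payload byte is caught. The MAC and IP addresses are made up.

```python
"""Minimal Ethernet/IPv4/TCP dissector in the style of Wireshark's dissector chain.

Added example, not the book's or Wireshark's code. build_frame() constructs a sample
frame with made-up addresses; dissect() decodes it layer by layer and validates checksums.
"""
import struct

TCP_FLAG_NAMES = [(0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                  (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG")]


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement checksum used by IPv4 and TCP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(payload: bytes = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n") -> bytes:
    """Construct a valid frame: Ethernet II + IPv4 (no options) + TCP (no options) + payload.
    Addresses are made up for the example."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", 0x0800)
    src_ip, dst_ip = bytes([192, 168, 1, 50]), bytes([10, 0, 0, 80])
    tcp_len = 20 + len(payload)
    # src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 51234, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, tcp_len)
    tcp = tcp[:16] + struct.pack("!H", inet_checksum(pseudo + tcp + payload)) + tcp[18:]
    # version/IHL, TOS, total length, ID, flags+fragment (DF set), TTL, proto TCP, checksum, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len, 0x1234, 0x4000, 64, 6, 0, src_ip, dst_ip)
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return eth + ip + tcp + payload


def dissect(frame: bytes) -> dict:
    """Decode Ethernet -> IPv4 -> TCP, returning a summary like Wireshark's detail pane."""
    out = {}
    dst, src, ethertype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    out["eth"] = {"src": src.hex(":"), "dst": dst.hex(":"), "ethertype": ethertype}
    if ethertype != 0x0800:
        return out  # only IPv4 is handled in this example
    ip = frame[14:]
    (ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum,
     s, d) = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    ihl = (ver_ihl & 0x0F) * 4
    out["ip"] = {
        "version": ver_ihl >> 4,
        "src": ".".join(map(str, s)), "dst": ".".join(map(str, d)),
        "ttl": ttl, "proto": proto, "df": bool(flags_frag & 0x4000),
        # a valid header sums to zero when its own checksum field is included
        "checksum_ok": inet_checksum(ip[:ihl]) == 0,
    }
    if proto != 6:
        return out  # only TCP is handled in this example
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_res, flags, win, _tcsum, _urg = struct.unpack("!HHIIBBHHH", tcp[:20])
    doff = (off_res >> 4) * 4
    pseudo = s + d + struct.pack("!BBH", 0, 6, len(tcp))
    out["tcp"] = {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
        "flags": [name for bit, name in TCP_FLAG_NAMES if flags & bit],
        # TCP's checksum covers pseudo-header, header and data, so one changed payload byte breaks it
        "checksum_ok": inet_checksum(pseudo + tcp) == 0,
        "payload": tcp[doff:],
    }
    return out


if __name__ == "__main__":
    info = dissect(build_frame())
    print(info["ip"]["src"], "->", info["ip"]["dst"], info["tcp"]["flags"], info["tcp"]["payload"][:16])
```

The checksum check is the detail that matters for the payload-modification discussion above: an on-path attacker who edits TCP data must also recompute the checksum, and a capture in which checksums fail is itself a clue that traffic was altered (or, more mundanely, that the capturing NIC is offloading checksum computation).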
Aircrack-ng is a suite of software tools typically used for network security testing. Unlike the other network testing tools we've covered, this suite specializes in wireless communications. It is most frequently used to test the strength of Wi-Fi security, in particular by recovering WEP keys and by attempting to crack WPA/WPA2 pre-shared keys from a captured handshake. The following screenshot shows some of Aircrack-ng's Wi-Fi options:
Figure 1.7 – Aircrack-ng Wi-Fi options
airodump-ng is one of the tools in this package; its purpose is to capture raw 802.11 frames and summarize them, much as Wireshark does for wired traffic. It focuses on collecting information about nearby Wi-Fi networks, the access points serving them, and the client devices associated with them at the time of the scan, along with the encryption protocol each network uses. It can also write the captured frames to a file for later analysis in Wireshark or for key cracking with aircrack-ng.