Mastering Kali Linux for Advanced Penetration Testing, Second Edition - Vijay Kumar Velu - E-Book

Description

This book will take you, as a tester or security practitioner, through the journey of reconnaissance, vulnerability assessment, exploitation, and post-exploitation activities used by penetration testers and hackers.
We will start off by using a laboratory environment to validate tools and techniques, and by using an application that supports a collaborative approach to penetration testing. Further, we will get acquainted with passive reconnaissance using open source intelligence and with active reconnaissance of external and internal networks. We will also focus on how to select, use, customize, and interpret the results from a variety of different vulnerability scanners. Specific routes to the target will also be examined, including bypassing physical security and exfiltrating data using different techniques. You will also get to grips with concepts such as social engineering, attacking wireless networks, and the exploitation of web applications and remote access connections. Later, you will learn the practical aspects of attacking user client systems by backdooring executable files. You will focus on the most vulnerable part of the network, the end user: attacking them directly, bypassing the controls, and maintaining persistent access through social media.
You will also explore approaches to carrying out advanced penetration testing in tightly secured environments, and the book's hands-on approach will help you understand everything you need to know during a red teaming exercise or penetration test.


Page count: 434

Year of publication: 2017




Mastering Kali Linux for Advanced Penetration Testing

Second Edition

Secure your network with Kali Linux – the ultimate white hat hackers' toolkit
Vijay Kumar Velu

BIRMINGHAM - MUMBAI

Mastering Kali Linux for Advanced Penetration Testing

Second Edition

Copyright © 2017 Packt Publishing

All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the author, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

First published: March 2016
Second edition: June 2017
Production reference: 2191118

Published by Packt Publishing Ltd.
Livery Place
35 Livery Street
Birmingham
B3 2PB, UK.

ISBN 978-1-78712-023-5

www.packtpub.com

Credits

Author

Vijay Kumar Velu

Copy Editor

Laxmi Subramanian

Reviewer

Amir Roknifard

Project Coordinator

Shweta H Birwatkar

Commissioning Editor

Kartikey Pandey

Proofreader

Safis Editing

Acquisition Editor

Chandan Kumar

Indexer

Pratik Shirodkar

Content Development Editor

Deepti Thore

Graphics

Tania Dutta

Technical Editor

Nilesh Sawakhande

Production Coordinator

Shantanu Zagade

About the Author

Vijay Kumar Velu is a passionate information security practitioner, author, speaker, and blogger. He is currently working as associate director in one of the Big 4 based in Malaysia. He has more than 11 years of IT industry experience, is a licensed penetration tester, and specialized in providing technical solutions for a variety of cyber problems, ranging from simple security configuration reviews to cyber threat intelligence and incident response. He also holds multiple security qualifications, including Certified Ethical Hacker, EC-Council Certified Security Analyst, and Computer Hacking Forensics Investigator.

Vijay has been invited to speak at the National Cyber Security Summit (NCSS), Indian Cyber Conference (InCyCon), Open Cloud Conference, and other ethical hacking conferences held in India, and he has also delivered multiple guest lectures and training on the importance of information security at various business schools in India.

He has authored a book entitled Mobile Application Penetration Testing, and has also reviewed Learning Android Forensics, Packt Publishing.

In the information security community, Vijay serves as a member of the board in Kuala Lumpur for Cloud Security Alliance (CSA) and is the chair member of the National Cyber Defense and Research Center (NCDRC) in India. Outside work, he enjoys playing music and doing charity work.

Vijay is an early adopter of technology and always listens to any crazy ideas – so, if you have an innovative idea, product, or service, do not hesitate to drop him a line.

I would like to dedicate this book to the open source community and all security enthusiasts. Special thanks to my mother, sister, brother, and father for believing in me and always encouraging me to do what I like with all my crazy ideas. Not to forget my gang of friends, Hackerz (Mega, Madhan, Sathish, Kumaresh, Parthi, and Vardha), and my colleagues, Rachel Martis and Reny Cheah, for their support.

Thanks to Packt Publishing for all the support that they provided throughout the journey of this book, especially Chandan and Deepti for their indubitable coordination!

About the Reviewer

Amir Roknifard is a self-educated cyber security solutions architect with a focus on web application, network, and mobile security. He leads research, development, and innovation at KPMG Malaysia, and is a hobby coder and programmer who enjoys spending his time educating people about privacy and security, so that even ordinary people have the knowledge to protect themselves. He likes automation and developed an integrated platform for cyber defence teams to take care of their day-to-day workflow, from request tickets to final reports.

He has accomplished many projects in governmental, military, and public sectors in different countries, has worked for banks and other financial institutions, and for oil, gas, and telecommunication companies. He also has hours of lecturing on IT and information security topics in his resume.

Amir also founded the Academician Journal, which aims to narrow the gap between academia and the information security industry. It tries to identify the reasons this gap occurs, and to analyze and address them. He picks up new ideas that are possibly able to solve the problems of tomorrow and develops them. That is why like-minded people are always welcome to suggest their ideas for the publication or coauthoring of a piece of research via his handle @roknifard.

www.PacktPub.com

For support files and downloads related to your book, please visit www.PacktPub.com.

Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at [email protected] for more details.

At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

https://www.packtpub.com/mapt

Get the most in-demand software skills with Mapt. Mapt gives you full access to all Packt books and video courses, as well as industry-leading tools to help you plan your personal development and advance your career.

Why subscribe?

Fully searchable across every book published by Packt

Copy and paste, print, and bookmark content

On demand and accessible via a web browser

Customer Feedback

Thanks for purchasing this Packt book. At Packt, quality is at the heart of our editorial process. To help us improve, please leave us an honest review on this book's Amazon page at https://www.amazon.com/dp/1787120236.

If you'd like to join our team of regular reviewers, you can email us at [email protected]. We award our regular reviewers with free eBooks and videos in exchange for their valuable feedback. Help us be relentless in improving our products!

Table of Contents

Title Page

Second Edition

Copyright

Mastering Kali Linux for Advanced Penetration Testing

Second Edition

Credits

About the Author

About the Reviewer

www.PacktPub.com

Why subscribe?

Customer Feedback

Preface

What this book covers

What you need for this book

Who this book is for

Conventions

Reader feedback

Customer support

Downloading the example code

Downloading the color images of this book

Errata

Piracy

Questions

Goal-Based Penetration Testing

Conceptual overview of security testing

Classical failures of vulnerability scanning, penetration testing, and red team exercises

The testing methodology

Introduction to Kali Linux – history and purpose

Installing and updating Kali

Using Kali from a portable device

Installing Kali into a virtual machine

VMware Workstation Player

VirtualBox

Installing to a Docker appliance

Installing Kali to the cloud – creating an AWS instance

Organizing Kali

Configuring and customizing Kali

Resetting the root password

Adding a non-root user

Speeding up Kali operations

Sharing folders with the host operating system

Using Bash scripts to customize Kali

Building a verification lab

Setting up a virtual network with Active Directory

Installing defined targets

Metasploitable3

Mutillidae

Managing collaborative penetration testing using Faraday

Summary

Open Source Intelligence and Passive Reconnaissance

Basic principles of reconnaissance

OSINT

Offensive OSINT

Maltego

CaseFile

Google caches

Scraping

Gathering usernames and email addresses

Obtaining user information

Shodan and censys.io

Google Hacking Database

Using dork script to query Google

DataDump sites

Using scripts to automatically gather OSINT data

Defensive OSINT

Dark Web

Security breaches

Threat intelligence

Profiling users for password lists

Creating custom word lists for cracking passwords

Using CeWL to map a website

Extracting words from Twitter using Twofi

Summary

Active Reconnaissance of External and Internal Networks

Stealth scanning strategies

Adjusting the source IP stack and tool identification settings

Modifying packet parameters

Using proxies with anonymity networks

DNS reconnaissance and route mapping

The whois command

Employing comprehensive reconnaissance applications

The recon-ng framework

IPv4

IPv6

Using IPv6-specific tools

Mapping the route to the target

Identifying the external network infrastructure

Mapping beyond the firewall

IDS/IPS identification

Enumerating hosts

Live host discovery

Port, operating system, and service discovery

Port scanning

Writing your own port scanner using netcat

Fingerprinting the operating system

Determining active services

Large-scale scanning

DHCP information

Identification and enumeration of internal network hosts

Native MS Windows commands

ARP broadcasting

Ping sweep

Using scripts to combine Masscan and nmap scans

Taking advantage of SNMP

Windows account information via Server Message Block (SMB) sessions

Locating network shares

Reconnaissance of active directory domain servers

Using comprehensive tools (SPARTA)

An example to configure SPARTA

Summary

Vulnerability Assessment

Vulnerability nomenclature

Local and online vulnerability databases

Vulnerability scanning with nmap

Introduction to LUA scripting

Customizing NSE scripts

Web application vulnerability scanners

Introduction to Nikto and Vega

Customizing Nikto and Vega

Vulnerability scanners for mobile applications

The OpenVAS network vulnerability scanner

Customizing OpenVAS

Specialized scanners

Threat modeling

Summary

Physical Security and Social Engineering

Methodology and attack methods

Computer-based attacks

Voice-based

Physical attacks

Physical attacks at the console

Samdump2 and chntpw

Sticky Keys

Attacking system memory with Inception

Creating a rogue physical device

Microcomputer-based attack agents

The Social Engineering Toolkit (SET)

Using a website attack vector – the credential harvester attack method

Using a website attack vector – the tabnabbing attack method

Using the PowerShell alphanumeric shellcode injection attack

HTA attack

Hiding executables and obfuscating the attacker's URL

Escalating an attack using DNS redirection

Spear phishing attack

Setting up a phishing campaign with Phishing Frenzy

Launching a phishing attack

Summary

Wireless Attacks

Configuring Kali for wireless attacks

Wireless reconnaissance

Kismet

Bypassing a hidden SSID

Bypassing MAC address authentication and open authentication

Attacking WPA and WPA2

Brute-force attacks

Attacking wireless routers with Reaver

DoS attacks against wireless communications

Compromising enterprise implementations of WPA/WPA2

Working with Ghost Phisher

Summary

Reconnaissance and Exploitation of Web-Based Applications

Methodology

Hacker's mindmap

Conducting reconnaissance of websites

Detection of web application firewall and load balancers

Fingerprinting a web application and CMS

Mirroring a website from the command line

Client-side proxies

Burp Proxy

Extending the functionality of web browsers

Web crawling and directory brute-force attacks

Web-service-specific vulnerability scanners

Application-specific attacks

Brute-forcing access credentials

OS command injection using commix

Injection attacks against databases

Maintaining access with web shells

Summary

Attacking Remote Access

Exploiting vulnerabilities in communication protocols

Compromising Remote Desktop Protocol (RDP)

Compromising secure shell

Compromising remote access protocols (VNC)

Attacking Secure Sockets Layer (SSL)

Weaknesses and vulnerabilities in the SSL protocol

Browser Exploit Against SSL and TLS (BEAST)

Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH)

Compression Ratio Info-leak Made Easy (CRIME)

Factoring Attack on RSA-EXPORT Keys (FREAK)

Heartbleed

Insecure TLS renegotiation

Logjam attack

Padding Oracle On Demanded Legacy Encryption (POODLE)

Introduction to Testssl

Reconnaissance of SSL connections

Using sslstrip to conduct a man-in-the-middle attack

Denial-of-service attacks against SSL

Attacking an IPSec virtual private network

Scanning for VPN gateways

Fingerprinting the VPN gateway

Capturing pre-shared keys

Performing offline PSK cracking

Identifying default user accounts

Summary

Client-Side Exploitation

Backdooring executable files

Attacking a system using hostile scripts

Conducting attacks using VBScript

Attacking systems using Windows PowerShell

The Cross-Site Scripting Framework (XSSF)

The Browser Exploitation Framework (BeEF)

Configuring BeEF

Understanding the BeEF browser

Integrating BeEF and Metasploit attacks

Using BeEF as a tunneling proxy

Summary

Bypassing Security Controls

Bypassing Network Access Control (NAC)

Pre-admission NAC

Adding new elements

Identifying the rules

Exceptions

Quarantine rules

Disabling endpoint security

Preventing remediation

Adding exceptions

Post-admission NAC

Bypassing isolation

Detecting HoneyPot

Bypassing antivirus using different frameworks

Using the Veil framework

Using Shellter

Bypassing application-level controls

Tunneling past client-side firewalls using SSH

Inbound to outbound

Bypassing URL filtering mechanisms

Outbound to inbound

Defeating application whitelisting

Bypassing Windows-specific operating system controls

Enhanced Migration Experience Toolkit (EMET)

User Account Control (UAC)

Other Windows-specific operating system controls

Access and authorization

Encryption

System security

Communications security

Auditing and logging

Summary

Exploitation

The Metasploit framework

Libraries

REX

Framework – core

Framework – base

Interfaces

Modules

Database setup and configuration

Exploiting targets using Metasploit Framework

Single targets using a simple reverse shell

Single targets using a reverse shell with a PowerShell attack vector

Exploiting multiple targets using Metasploit Framework resource files

Exploiting multiple targets with Armitage

Using public exploits

Locating and verifying publicly available exploits

Compiling and using exploits

Compiling C files

Adding the exploits that are written using Metasploit Framework as a base

Developing a Windows exploit

Identifying a vulnerability using fuzzing

Crafting a Windows-specific exploit

Summary

Action on the Objective

Activities on the compromised local system

Conducting a rapid reconnaissance of a compromised system

Finding and taking sensitive data – pillaging the target

Creating additional accounts

Post-exploitation tools (MSF, the Veil-Pillage framework, scripts)

Veil-Pillage

Horizontal escalation and lateral movement

Compromising domain trusts and shares

PsExec, WMIC, and other tools

WMIC

Lateral movement using services

Pivoting and port forwarding

Using Proxychains

Summary

Privilege Escalation

Overview of common escalation methodology

Local system escalation

Escalating from administrator to system

DLL injection

PowerShell's Empire tool

Credential harvesting and escalation attacks

Password sniffers

Responder

SMB relay attacks

Escalating access rights in Active Directory

Compromising Kerberos – the golden ticket attack

Summary

Command and Control

Using persistent agents

Employing Netcat as a persistent agent

Using schtasks to configure a persistent task

Maintaining persistence with the Metasploit framework

Using the persistence script

Creating a standalone persistent agent with Metasploit

Persistence using social media and Gmail

Exfiltration of data

Using existing system services (Telnet, RDP, and VNC)

Exfiltration of data using the DNS protocol

Exfiltration of data using ICMP

Using the Data Exfiltration Toolkit (DET)

Exfiltration from PowerShell

Hiding evidence of the attack

Summary

Preface

This book is dedicated to the use of Kali Linux to perform penetration tests on networks, systems, and applications. A penetration test simulates an attack against a network or a system by a malicious outsider or insider. Unlike a vulnerability assessment, penetration testing is designed to include the exploitation phase. Therefore, it proves that the vulnerability is exploitable, and that it carries the very real risk of compromise if not acted upon.

Throughout this book, we will refer to penetration testers, attackers, and hackers interchangeably, as they use the same techniques and tools to assess the security of networks and data systems. The only difference between them is their end objective–a secure data network, or a data breach.

In short, this book will take you through penetration testing with a number of proven techniques to defeat the latest defenses on a network using Kali Linux, from selecting the most effective tools, to rapidly compromising network security, to highlighting the techniques used to avoid detection.

What this book covers

Chapter 1, Goal-Based Penetration Testing with Kali Linux, introduces a functional outline based on the penetration testing methodology that will be used throughout the book. It ensures that a coherent and comprehensive approach to penetration testing will be followed.

Chapter 2, Open Source Intelligence and Passive Reconnaissance, provides a background on how to gather information about a target using publicly available sources and tools that can simplify reconnaissance and information management.

Chapter 3, Active Reconnaissance of External and Internal Networks, introduces the reader to stealthy approaches that can be used to gain information about a target, especially information that identifies vulnerabilities that could be exploited.

Chapter 4, Vulnerability Assessment, teaches you the semi-automated process of scanning a network and its devices to locate systems that are vulnerable to attack and compromise, and the process of taking all reconnaissance and vulnerability scan information, assessing it, and creating a map to guide the penetration testing process.

Chapter 5, Physical Security and Social Engineering, demonstrates why being able to physically access a system or interact with the people who manage it provides the most successful route to exploitation.

Chapter 6, Wireless Attacks, provides a brief explanation of wireless technologies, and focuses on common techniques used to compromise these networks by bypassing security.

Chapter 7, Reconnaissance and Exploitation of Web-Based Applications, provides a brief overview of one of the most complex delivery phases: securing web-based applications that are exposed to the public internet.

Chapter 8, Attacking Remote Access, introduces the most common remote access technologies from a security perspective, demonstrates where the exploitable weaknesses are, and explains how to validate the security of the systems during a penetration test.

Chapter 9, Client-Side Exploitation, focuses on attacks against applications on end users' systems, which are often not protected to the same degree as the organization's primary network.

Chapter 10, Bypassing Security Controls, demonstrates the most common security controls in place, identifies a systematic process for overcoming these controls, and demonstrates this using tools from the Kali toolset.

Chapter 11, Exploitation, demonstrates the methodologies that can be used to find and execute exploits that allow a system to be compromised by an attacker.

Chapter 12, Action on the Objective, focuses on immediate post-exploit activities and horizontal escalation—the process of using an exploited system as a starting point to "jump off" to other systems on the network.

Chapter 13, Privilege Escalation, demonstrates how a penetration tester can own all aspects of a system's operations; more importantly, obtaining some access privileges will allow the tester to control all of the systems across a network.

Chapter 14, Command and Control, focuses on what a modern attacker could do to enable data to be exfiltrated to the attacker's location and hide the evidence of the attack.

What you need for this book

In order to practice the material presented in this book, you will need a virtualization tool such as VMware or VirtualBox.

You will need to download and configure the Kali Linux operating system and its suite of tools. To ensure that it is up to date and that you have all of the tools, you will need access to an internet connection.

Sadly, not all of the tools on the Kali Linux system will be addressed, since there are too many of them. The focus of this book is not to overwhelm the reader with all of the tools and options, but to provide an approach to testing that will give them the opportunity to learn and incorporate new tools as their experiences and knowledge develop over time.

Although most of the examples in this book focus on Microsoft Windows, the methodology and most of the tools are transferable to other operating systems, such as Linux and the other flavors of Unix.

Finally, this book applies Kali to complete the attacker's kill chain against target systems. You will need a target operating system. Many of the examples in the book use Microsoft Windows 7 and Windows 2008 R2.

Who this book is for

If you are a penetration tester, IT professional, or a security consultant who wants to maximize the success of your network testing using some of the advanced features of Kali Linux, then this book is for you. Some prior exposure to the basics of penetration testing/ethical hacking would help you make the most out of this title.

Conventions

In this book, you will find a number of text styles that distinguish between different kinds of information. Here are some examples of these styles and an explanation of their meaning.

Code words in text, database table names, folder names, filenames, file extensions, pathnames, dummy URLs, user input, and Twitter handles are shown as follows:

"In this particular case, the VM has been assigned an IP address of 192.168.204.132."

A block of code is set as follows:

    # Python 2 syntax, as used throughout the book
    f = open('exfiltrated_hex.txt', 'r')   # file holding the hex-encoded exfiltrated data
    hex_data = f.read().strip()             # strip the trailing newline so decode('hex') sees only hex digits
    f.close()
    ascii_data = hex_data.decode('hex')     # turn the hex string back into the original bytes
    print ascii_data

Any command-line input or output is written as follows:

root@kali:~# update-rc.d networking defaults

New terms and important words are shown in bold. Words that you see on the screen, for example, in menus or dialog boxes, appear in the text like this: "Clicking on the Next button takes you to the next screen."

Warnings or important notes appear in a box like this.

Tips and tricks appear like this.

Reader feedback

Feedback from our readers is always welcome. Let us know what you think about this book—what you liked or disliked. Reader feedback is important for us as it helps us develop titles that you will really get the most out of.

To send us general feedback, simply email [email protected], and mention the book's title in the subject of your message.

If there is a topic that you have expertise in and you are interested in either writing or contributing to a book, see our author guide at www.packtpub.com/authors.

Customer support

Now that you are the proud owner of a Packt book, we have a number of things to help you to get the most from your purchase.

Downloading the example code

You can download the example code files for this book from your account at http://www.packtpub.com. If you purchased this book elsewhere, you can visit http://www.packtpub.com/support and register to have the files emailed directly to you.

You can download the code files by following these steps:

Log in or register to our website using your email address and password.

Hover the mouse pointer on the SUPPORT tab at the top.

Click on Code Downloads & Errata.

Enter the name of the book in the Search box.

Select the book for which you're looking to download the code files.

Choose from the drop-down menu where you purchased this book from.

Click on Code Download.

Once the file is downloaded, please make sure that you unzip or extract the folder using the latest version of:

WinRAR / 7-Zip for Windows

Zipeg / iZip / UnRarX for Mac

7-Zip / PeaZip for Linux

The code bundle for the book is also hosted on GitHub at the following link:

https://github.com/PacktPublishing/Mastering-Kali-Linux-for-Advanced-Penetration-Testing-Second-Edition

We also have other code bundles from our rich catalog of books and videos available at https://github.com/PacktPublishing/. Check them out!

Downloading the color images of this book

We also provide you with a PDF file that has color images of the screenshots/diagrams used in this book. The color images will help you better understand the changes in the output. You can download this file from http://www.packtpub.com/sites/default/files/downloads/MasteringKaliLinuxforAdvancedPenetrationTestingSecondEdition_ColorImages.pdf.

Errata

Although we have taken every care to ensure the accuracy of our content, mistakes do happen. If you find a mistake in one of our books—maybe a mistake in the text or the code—we would be grateful if you could report this to us. By doing so, you can save other readers from frustration and help us improve subsequent versions of this book. If you find any errata, please report them by visiting http://www.packtpub.com/submit-errata, selecting your book, clicking on the Errata Submission Form link, and entering the details of your errata. Once your errata are verified, your submission will be accepted and the errata will be uploaded to our website or added to any list of existing errata under the Errata section of that title.

To view the previously submitted errata, go to https://www.packtpub.com/books/content/support and enter the name of the book in the search field. The required information will appear under the Errata section.

Piracy

Piracy of copyrighted material on the Internet is an ongoing problem across all media. At Packt, we take the protection of our copyright and licenses very seriously. If you come across any illegal copies of our works in any form on the Internet, please provide us with the location address or website name immediately so that we can pursue a remedy.

Please contact us at [email protected] with a link to the suspected pirated material.

We appreciate your help in protecting our authors and our ability to bring you valuable content.

Questions

If you have a problem with any aspect of this book, you can contact us at [email protected], and we will do our best to address the problem.

Goal-Based Penetration Testing

Everything starts with a goal to achieve. Remember, there are only two types of people, those who get hacked and those who hack. Therefore, in this chapter, we will discuss the importance of goal-based penetration testing and also how vulnerability scans (Vscans), penetration tests (pentests), and Red Team Exercises (RTEs) typically fail in the absence of a goal. This chapter also provides an overview of security testing and setting up a verification lab, and focuses on customizing Kali to support some advanced aspects of penetration testing. By the end of this chapter, you will have learned about the following:

Security testing

Classical failures of vulnerability scanning, penetration testing, and red teaming exercises

Updating and organizing Kali

Using Bash scripts to customize Kali

Setting up defined targets

Building a verification lab

Conceptual overview of security testing

Every household, individual, and public or private business in the world has several things to worry about when it comes to cyberspace, such as data loss, malware, and cyber terrorism. Everything starts with the concept of protection. If you ask, "What is security testing?" to 100 different security consultants, it is very likely that you will receive varying responses. In the simplest form, security testing is a process for verifying whether an information asset or system is protected and whether its functionality is maintained as intended.

Classical failures of vulnerability scanning, penetration testing, and red team exercises

In this section, we will focus on the limitations of classical Vscanning, pentesting, and red teaming exercises. Let's now discuss the actual meaning of these three methodologies in simple terms and look at their limitations:

Vscanning: This is the process of identifying vulnerabilities or security loopholes in a system or network. The limitation of Vscanning is that its findings are only potential vulnerabilities, including false positives, which can be confusing to the business owner.

Pentesting: This is the process of safely exploiting vulnerabilities without much impact on the existing network or business. There are fewer false positives, since the testers will try to simulate the exploit faithfully. A key limitation of pentesting is that it can only detect exploits that are currently known and publicly available. Also, most pentests are project-focused tests. In pentesting, we often hear "Yay, got root!", but we never then hear "What's next?" This could be due to various reasons, such as the project limiting the pentester to reporting only the high-risk issues immediately to the client, or the client being interested in only one segment of the network and wanting the pentester to compromise only that segment.

RTEs

: This is the process of evaluating the effectiveness of an organization's defenses against cyber threats and improving them; during RTEs, we notice multiple ways of achieving project goals, such as the complete coverage of all activities under a defined project goal. The key limitations with RTEs are that they are limited in terms of time and can only simulate specific predefined scenarios, and they have an

assumed

rather than a

real

environment.

Often, all three of these testing methodologies refer to the terms hack or compromise. "We will hack your network and show you where its weaknesses are," but wait: does the client or business owner understand the terms hack or compromise? How do we measure a hack or compromise? What are the criteria? When do we know that a hack or compromise is complete? All these questions point to only one thing: needing to know the primary goal.

The primary goal of pentesting and RTEs is determining the risk, differentiating the risk rating from the scanner, and performing a business risk value assessment of each asset, as well as the brand/image of the organization. It's not about how many threats there are, but how much risk the organization is exposed to. A risk does not really constitute a threat and doesn't necessarily need to be demonstrated. For example, a Cross-Site Scripting (XSS) attack on a brochure website may not have significant impact on the business; however, a client might put in a mitigation plan for the risk using a Web Application Firewall (WAF) to prevent the XSS attacks.

The testing methodology

Methodologies rarely consider why a penetration test is being undertaken or what data is critical to the business and needs to be protected. In the absence of this vital first step, penetration tests lose focus.

Many penetration testers are reluctant to follow a defined methodology, fearing that it will hinder their creativity in exploiting a network. Pentesting fails to reflect the actual activities of a malicious attacker. Frequently, the client wants to see whether you can gain administrative access to a particular system (perhaps they want to see whether you can root the box, for instance). However, the attacker may be focused on copying critical data in a manner that does not require root access or cause a denial of service.

To address the limitations inherent in formal testing methodologies, they must be integrated in a framework that views the network from the perspective of an attacker, the kill chain.

In 2009, Mike Cloppert of Lockheed Martin CERT introduced the concept that is now known as the attacker kill chain. This concept includes the steps taken by an adversary when they attack a network. These attacks do not always proceed in a linear way; some steps may occur in parallel. Multiple attacks may be launched over time against the same target, and stages may overlap.

In this book, we have modified Cloppert's kill chain concept to more accurately reflect how attackers apply these steps when exploiting networks, applications, and data services.

The following diagram shows the typical kill chain of an attacker:

A typical kill chain of an attacker can be described as follows:

The reconnaissance phase: The adage "reconnaissance time is never wasted time," adopted by most military organizations, acknowledges that it is better to learn as much as possible about an enemy before engaging them. For the same reason, attackers will conduct extensive reconnaissance of a target before attacking. In fact, it is estimated that at least 70 percent of the work of a penetration test or attack is spent conducting reconnaissance! Generally, a penetration tester or attacker will employ two types of reconnaissance:

Passive reconnaissance: In this, the attacker does not directly interact with the target in a hostile manner. For example, the attacker will review the publicly available website(s), assess online media (especially social media sites), and attempt to determine the attack surface of the target. One particular task will be generating a list of names of past and current employees. These names will form the basis of attempts to brute-force or guess passwords. They will also be used in social engineering attacks. This type of reconnaissance is difficult, if not impossible, to distinguish from the behavior of regular users.

Active reconnaissance: This can be detected by the target, but not without some difficulty. Activities occurring during active reconnaissance include physical visits to target premises, port scanning, and remote vulnerability scanning.

The delivery phase

: Delivery entails the selection and development of the weapon that will be used to complete the exploit during the attack. The exact weapon chosen will depend on the attacker's intent as well as the route of delivery (for example, across the network, via wireless, or through a web-based service). The impact of the delivery phase will be examined in the second half of this book.

The exploit or compromise phase: This is the point where a particular exploit is successfully applied, allowing attackers to reach their objective. The compromise may have occurred in a single phase (for example, when a known operating system vulnerability was exploited using a buffer overflow), or it may have been a multiphase compromise. (For example, say an attacker physically accesses premises to steal a corporate phone book. The names could be used to create lists for brute-force attacks against a login portal. In addition, emails could be sent to all employees asking them to click on an embedded link to download a crafted PDF file that compromises their computers.) Multiphase attacks are the norm when a malicious attacker targets a specific enterprise.

Post-exploit (action on the objective): This is frequently and incorrectly referred to as the exfiltration phase, because there is a focus on perceiving attacks solely as a means to steal sensitive data (such as login information, personal information, and financial information); it is common for an attacker to have a different objective. For example, a business may wish to cause a denial of service in their competitor's network to drive customers to their own website. Therefore, this phase must focus on the many possible actions of an attacker. One of the most common exploit activities is when the attackers attempt to improve their access privileges to the highest possible level (vertical escalation) and to compromise as many accounts as possible (horizontal escalation).

Post-exploit (persistence)

: If there is any value in compromising a network or system, then that value can likely be increased if there is persistent access. This allows attackers to maintain communications with a compromised system. From a defender's point of view, this is the part of the kill chain that is usually the easiest to detect.

Kill chains are metamodels of an attacker's behavior when they attempt to compromise a network or a particular data system. As a metamodel, kill chains can incorporate any proprietary or commercial pentesting methodology. Unlike the aforementioned methodologies, however, it ensures a strategic focus on how an attacker approaches the network. This focus on the attacker's activities will guide the layout and content of this book.

Introduction to Kali Linux – history and purpose

Kali Linux (Kali) is the successor to the BackTrack pentesting platform, which is generally regarded as the de facto standard package of tools used to facilitate pentesting to secure data and voice networks. It was developed by Mati Aharoni and Devon Kearns of Offensive Security. The following details trace the history of Kali from BackTrack onward:

In March 2013, BackTrack was superseded by Kali, which uses a new platform architecture based on the Debian GNU/Linux operating system.

Kali 1.1.0 (February 9, 2015): This was the first dot release in two years, in which the kernel was changed to 3.18, had a patch for wireless injection attacks, and had support for wireless drivers; around 58 bugs were fixed. Other releases, such as Kali 1.1.0a, fixed the inconsistencies in the installers.

Kali 2.0 (August 11, 2015): This was a major release, now a rolling distribution, with major UI changes. Kali 2.0 can be updated from the older version to the new version.

Kali 2016.1 (January 21, 2016): The first rolling release of Kali. Kernel 4.3 and the latest Gnome 3.18 were updated.

Kali 2016.2 (August 31, 2016): The second Kali rolling release. Kernel 4.6 and Gnome 3.20.2 were updated, and there were also some bug fixes.

The other features of Kali 2.0 include the following:

Over 300 pentesting, data forensics, and defensive tools are included in it. The majority of the tools have now been replaced by similar tools that provide extensive wireless support, with multiple hardware and kernel patches to permit the packet injection required by some wireless attacks.

Support for multiple desktop environments, such as KDE, GNOME3, Xfce, MATE, e17, lxde, and i3wm, is available.

Debian-compliant tools are synchronized with Debian repositories at least four times a day, making it easier to update packages and apply security fixes.

There are Secure Development Environment- and GPG-signed packages and repositories.

Support for ISO customizations, allowing users to build their own versions of customized Kali, is available. The bootstrap function also performs enterprise-wide network installs that can be automated using preseed files.

Since ARM-based systems have become more prevalent and less expensive, support for ARMEL and ARMHF was introduced so that Kali can be installed on devices such as rk3306 mk/ss808, Raspberry Pi, ODROID U2/X2, Samsung Chromebook, EfikaMX, Beaglebone Black, CuBox, and Galaxy Note 10.1.

Kali continues to be an open source project that is free. Most importantly, it is well supported by an active online community.

The purpose of Kali is to secure things and bundle all the tools to provide a single platform for penetration testers.

Installing and updating Kali

In the previous edition of this book, we focused on the installation of Kali to VMware only. We will now take a deep dive into the different technologies involved in installing and updating Kali.

Using Kali from a portable device

Installing Kali to a portable device is fairly simple. In some situations, clients do not permit the use of external laptops inside a secure facility; in such cases, typically, a testing laptop is provided by the client to the pentester to perform scans. Running Kali from a portable device has more advantages during a pentest or RTE:

Most portable devices can be kept in the pocket, as in the case of a USB drive or a mobile phone

It can be run live without making any changes to the host operating system

You can customize the build of Kali and even make the storage persistent

There is a simple three-step process to making a USB into a portable Kali from a Windows PC:

1. Download the official Kali Linux image from the following URL: http://docs.kali.org/introduction/download-official-kali-linux-images.

2. Download Win32 Disk Imager from https://sourceforge.net/projects/win32diskimager/.

3. Open Win32 Disk Imager as an administrator. Plug the USB drive into the PC's available USB port. You will see something similar to the following screenshot; select the correct drive name and then click on Write:

Once complete, exit Win32 Disk Imager and safely remove the USB. Kali is now ready on the portable device and can be plugged into any laptop to be booted up live. If your host operating system is Linux, this can be achieved with two standard commands: sudo fdisk -l, which lists all the disks attached to the system, and dd if=kali-linux.iso of=/dev/nameofthedrive bs=512k. That's it. The dd command-line utility (convert and copy) takes if as the input file, of as the output file, and bs as the block size.
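The dd step above writes raw blocks to whatever device name you give it, so the two things worth checking before running it are that the ISO is the one Kali published and that the target really is the USB stick. The following script is an added example written for this page, not code from the book: it compares the ISO's SHA-256 against the SHA256SUMS file published next to the download, refuses a device that the kernel does not flag as removable in /sys/block, and only then runs the dd command from the text. The file and device names (kali-linux.iso, SHA256SUMS, /dev/sdz) are placeholders.

```shell
#!/bin/sh
# Added example, not from the book: wraps the dd command from the text with
# two checks. 1) The ISO's SHA-256 must match the entry in the SHA256SUMS file
# published alongside it, so a corrupted or swapped download is never written.
# 2) The target must be flagged removable in /sys/block, so a slip in the
# device name cannot overwrite the host's system disk.
# File and device names used here are placeholders.
export LC_ALL=C

# verify_iso_checksum ISO SUMS_FILE
# Returns 0 when sha256sum(ISO) equals the hash listed for its base name.
verify_iso_checksum() {
    iso="$1"; sums="$2"
    [ -f "$iso" ] && [ -f "$sums" ] || return 1
    name=$(basename "$iso")
    # sha256sum lines look like "<hash>  <name>" or "<hash> *<name>" (binary mode).
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    [ -n "$expected" ] || return 1
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# is_removable DEVICE [SYSFS_BLOCK_DIR]
# Returns 0 when the kernel reports the whole block device (e.g. /dev/sdz, not
# a partition) as removable. The optional second argument lets the check be
# exercised against a constructed sysfs-like tree instead of the real one.
is_removable() {
    dev=$(basename "$1"); sysblock="${2:-/sys/block}"
    [ -r "$sysblock/$dev/removable" ] || return 1
    [ "$(cat "$sysblock/$dev/removable")" = "1" ]
}

# write_kali_usb ISO SUMS_FILE DEVICE
# The dd from the text, gated on both checks; sync flushes the page cache so
# the stick can be unplugged as soon as the command returns.
write_kali_usb() {
    verify_iso_checksum "$1" "$2" || { echo "checksum mismatch for $1, not writing" >&2; return 1; }
    is_removable "$3" || { echo "$3 is not a removable device, refusing" >&2; return 1; }
    dd if="$1" of="$3" bs=512k && sync
}

# Usage (the device write needs root):
#   sudo sh write_kali_usb.sh kali-linux.iso SHA256SUMS /dev/sdz
if [ $# -eq 3 ]; then
    write_kali_usb "$@"
fi
```

The checksum file must come from the Kali download page itself, not from a mirror next to the ISO; a mirror that can replace the image can replace the sums file as well.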

Installing Kali into a virtual machine

In this section, we will take a deep dive into how to install Kali onto VMware Workstation Player and Oracle VirtualBox.

VMware Workstation Player

Formerly known as VMware Player, VMware Workstation Player is free for personal use and is available as a commercial product for business use from VMware. It is a desktop application that allows us to run a virtual machine inside our host operating system. This application can be downloaded from the following URL: http://www.vmware.com/products/player/playerpro-evaluation.html

Next, we will see the step-by-step installation of Kali onto VMware Workstation Player.

Once the file is downloaded to your host operating system, you just open the executable and you should be able to see the following:

The next step is to Accept the end user license agreement and click on Next until you get the following screen, which depicts the successful installation of VMware on your host operating system:

The next step to install Kali to VMware, now that we have downloaded the file from the official Kali downloads, is to click on Create a New Virtual machine and select Installer disc image file (iso). Browse to the ISO file that was downloaded and then click on Next; you can now enter the name of your choice (for example, HackBox) and select the custom location where you would like to store your VMware image. Click on Next and then specify the disk capacity at the minimum for running Kali (recommended is 10 GB) and click on Next until you finish. You should be able to see the following screen once all the settings are complete:

You can choose to install Kali to the host operating system or run it as a live image. Once all the steps of installation are complete, you are ready to launch Kali from VMware without any problem, as shown in the following screenshot:

The Sana repositories are removed from the new version, Kali 2016.2. Sana is the code name of the Kali release whose repository held that version's packages. So, the recommended first step after you install/boot Kali is to run apt-get update so that the package lists for the repositories in sources.list are refreshed.

VirtualBox

VirtualBox is similar to VMware Workstation Player: it is an open source and completely free desktop hypervisor from which you can run any virtual machine once it is installed on the host operating system. VirtualBox can be downloaded from this URL: https://www.virtualbox.org/wiki/Downloads

We will now go ahead and install Kali on VirtualBox. Similar to VMware, we will just execute the downloaded executable, which should lead us to the following screen:

Once we click on Next, VirtualBox should offer options to customize which components are installed and where; by default, we keep VirtualBox Application selected:

Click on Next; you will be able to see the progress, as shown in the following screenshot:

The following screenshot shows the confirmation message you get on the successful installation of Oracle VirtualBox:

So, the next step is to install Kali onto VirtualBox. Click on New from the menu, which should take us to the following screen, where we can type the name of our choice and select the right version of the platform: for example, 64-bit Debian or 32-bit Debian, as per the ISO image that we downloaded:

Click on Next and provide the amount of RAM required for Kali. We recommend at least 1 GB. By clicking on Next, we will be creating a virtual hard drive for Kali on the host operating system. Click on Next to choose the hard disk file type: mostly, we select VDI (VirtualBox Disk Image), as shown in the following screenshot:

By clicking on Next, we will be creating the size of the HDD, as shown in the following screenshot:

Finally, we have to go to Hackbox | Settings to load the ISO image as an external drive, as shown in the following screenshot:

That's it; we should now be able to see the following screen and install Kali to VirtualBox without any issues:

Installing to a Docker appliance

Docker is an open source project that is designed to automate the deployment of software containers and applications instantly. Docker also provides the additional abstraction and automation layers of operating system-level virtualization on Linux.

Docker is available for Windows, macOS, Linux, Amazon Web Services (AWS), and Azure. For Windows, Docker can be downloaded from this URL: https://download.docker.com/win/stable/InstallDocker.msi

The following steps show how to install Docker on a Windows 10 machine:

Docker for Windows utilizes the Hyper-V feature on Microsoft Windows. If Hyper-V is not enabled, it is very likely that we will be looking at the following screenshot:

Once you click on Ok, Hyper-V will be enabled by the Docker application; we can check that through our Command Prompt by simply typing docker as a command, as shown in the following screenshot:

Now, we have installed the Docker appliance to the Windows host operating system. We will now install Kali using the fairly simple docker pull kalilinux/kali-linux-docker command, as shown in the following screenshot:

Once Kali is downloaded to our Docker application, we should now be able to run Bash from the downloaded Kali Docker appliance instantly, without any hassle, by running docker run -t -i kalilinux/kali-linux-docker /bin/bash, as shown in the following screenshot:

We should be able to run Kali directly from Docker. Also, note that Docker utilizes the VirtualBox environment in the background. So, it is a virtual machine running on VirtualBox through the Docker appliance.

Installing Kali to the cloud – creating an AWS instance

AWS is a cloud-based platform from Amazon, primarily built to offer customers compute, storage, and content delivery anywhere and at any time. Since a penetration tester or hacker can utilize AWS to conduct pentesting, in this section we will go through the easiest way of installing Kali Linux into AWS, which comes in handy for external command and control.

First, you will need to have a valid AWS account. You can sign up by visiting the following URL: https://console.aws.amazon.com/console/home

When we log in to the AWS account, we will be able to see all the AWS services, as shown in the following screenshot:

The second step is to launch Kali on AWS as an instance. We will customize Kali by installing a Debian operating system. The open source community has made it very simple to directly launch with preconfigured Kali 2016.2 in the Amazon Marketplace. The following URL will enable us to directly launch Kali within a few minutes:

https://aws.amazon.com/marketplace/pp/B01M26MMTT

When you visit the link, you will be able to see something similar to the following:

Click on the Accept Software Terms & Launch with 1-Click button and go to your AWS console by visiting https://console.aws.amazon.com/ec2/v2/home?region=us-east-1. You should now be able to launch the instance by clicking on Launch Instance by selecting the Instance ID or the row, as shown in the following screenshot:

We will need to create a key pair in order to make sure that only you can access Kali. You will then be able to log in to your AWS cloud instance using the private key that you generated during the key pair creation, by entering the following command from your command shell:

ssh -i privatekey.pem ec2-user@amazon-dns-ip
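The ssh command above is the whole of the access control for the cloud instance, so it is worth wrapping it with the checks that usually trip people up on first use. The script below is an added example for this page, not code from the book or from Offensive Security: OpenSSH refuses to use a private key that other users can read, so it checks the key's permission bits before connecting, offers only that key with IdentitiesOnly, and keeps the instance's host key in a dedicated known_hosts file so that a changed host key on a later login is noticed. The key path, user name and host are the placeholders from the text; stat -c is the GNU coreutils form found on Kali and other Linux hosts.

```shell
#!/bin/sh
# Added example, not from the book: a wrapper around the ssh command from the
# text. Key path, user and host are placeholders. Assumes GNU stat (Linux).

# key_perms_ok KEYFILE
# Returns 0 when the file exists and only its owner can read it (mode 0400 or
# 0600), which is what ssh itself insists on before it will load the key.
key_perms_ok() {
    [ -f "$1" ] || return 1
    case "$(stat -c '%a' "$1")" in
        400|600) return 0 ;;
        *)       return 1 ;;
    esac
}

# kali_ssh KEYFILE USER@HOST [KNOWN_HOSTS_FILE]
kali_ssh() {
    key="$1"; target="$2"; hosts="${3:-$HOME/.ssh/known_hosts.kali-aws}"
    if ! key_perms_ok "$key"; then
        echo "refusing: $key must be readable by you only (chmod 400 '$key')" >&2
        return 1
    fi
    # IdentitiesOnly: offer only this key, not every key loaded in the agent.
    # UserKnownHostsFile: pin the instance's host key separately from other hosts.
    # StrictHostKeyChecking=ask: prompt on first contact, refuse on a later change.
    ssh -i "$key" \
        -o IdentitiesOnly=yes \
        -o UserKnownHostsFile="$hosts" \
        -o StrictHostKeyChecking=ask \
        "$target"
}

# Usage: sh kali_ssh.sh privatekey.pem ec2-user@amazon-dns-ip
if [ $# -ge 2 ]; then
    kali_ssh "$@"
fi
```

On the first connection the wrapper prompts to confirm the host key fingerprint; if the image runs cloud-init, the same fingerprints are printed to the instance's console output, which is the place to compare them against.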

The following screenshot depicts the successful installation of Kali on AWS:

All the terms and conditions must be met in order to utilize AWS to perform pentesting. Legal terms and conditions must be met before launching any attacks from the cloud host.

Organizing Kali

Installation is just the beginning of the setup; organizing Kali is very important. In this section, we will deep dive into the different ways of organizing HackBox through customization.

Configuring and customizing Kali

Kali is a framework that is used to complete a penetration test. However, the tester should never feel tied to the tools that have been installed by default or by the look and feel of the Kali desktop. By customizing Kali, a tester can increase the security of client data that is being collected, and make it easier to do a penetration test.

Common customizations made to Kali include the following:

Resetting the root password

Adding a non-root user

Speeding up Kali operations

Sharing folders with Microsoft Windows

Creating encrypted folders

Resetting the root password

To change a user password, use the following command:

passwd root

You will then be prompted to enter a new password, as shown in the following screenshot:

Adding a non-root user

Many of the applications provided in Kali must run with root-level privileges in order to function. Root-level privileges do possess a certain amount of risk; for example, miskeying a command or using the wrong command can cause applications to fail or even damage the system being tested. In some cases, it is preferable to test with user-level privileges. In fact, some applications force the use of lower-privilege accounts.

To create a non-root user, you can simply use the adduser command from the Terminal and follow the instructions that appear, as shown in the following screenshot:
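Running adduser interactively works for one machine; for a Kali build that is rebuilt often, the same account is easier to script. The following is an added example for this page, not code from the book: it validates the user name against the pattern the Debian adduser defaults accept (a lowercase letter first, then lowercase letters, digits, underscore or hyphen, at most 32 characters), creates the account without the interactive prompts, sets the password through passwd so it never appears on a command line, and puts the user in the sudo group instead of working as root. The user name tester is a placeholder; the script must be run as root on a Debian-based system such as Kali.

```shell
#!/bin/sh
# Added example, not from the book: non-interactive version of the adduser
# step in the text. Assumes Debian/Kali (adduser, usermod) and root privileges.
# The account name is a placeholder.
export LC_ALL=C

# valid_username NAME
# Returns 0 when NAME matches the default adduser pattern: first character a
# lowercase letter, the rest lowercase letters, digits, '_' or '-', and the
# whole name at most 32 characters (the useradd limit).
valid_username() {
    name="$1"
    [ ${#name} -ge 1 ] && [ ${#name} -le 32 ] || return 1
    case "$name" in
        [a-z]*) ;;
        *) return 1 ;;
    esac
    case "$name" in
        *[!a-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# create_tester_account NAME
# Creates a non-root user with sudo membership. The password is set via
# passwd's prompt rather than passed as an argument, so it is not written to
# shell history or visible in the process list.
create_tester_account() {
    name="$1"
    valid_username "$name" || { echo "invalid user name: $name" >&2; return 1; }
    if getent passwd "$name" >/dev/null; then
        echo "$name already exists" >&2
        return 1
    fi
    # --gecos "" skips the full-name prompts; --disabled-password skips the
    # password prompt so the account cannot be used until passwd runs.
    adduser --gecos "" --disabled-password "$name" || return 1
    printf 'Set the password for %s\n' "$name"
    passwd "$name" || return 1
    # Kali ships the sudo group; membership lets the user elevate only when needed.
    usermod -aG sudo "$name"
}

# Usage (as root): sh add_tester.sh tester
if [ $# -eq 1 ]; then
    create_tester_account "$1"
fi
```

Tools that insist on root (raw sockets for port scanners, wireless injection) can still be run from this account with sudo, while a mistyped command in the tester's own shell cannot damage the system.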

Speeding up Kali operations

Several tools can be used to optimize and speed up Kali operations:

When using a virtual machine, install the VM's driver package: Guest Additions (VirtualBox) or VMware Tools (VMware). We need to ensure that we run apt-get update before the installation.

When creating a virtual machine, select a fixed disk size instead of the one that is dynamically allocated. It is faster to add files to a fixed disk, and there is less file fragmentation.

The preload application (apt-get install preload) identifies a user's most commonly used programs and preloads binaries and dependencies into memory to provide faster access. It works automatically after the first restart following installation.

BleachBit (apt-get install bleachbit) frees disk space and improves privacy by freeing the cache, deleting cookies, clearing internet history, shredding temporary files, deleting logs, and discarding other unnecessary files. The advanced features include shredding files to prevent recovery and wiping free disk space to hide traces of files that have not been fully deleted.

By default, Kali does not show all applications that are present in the start-up menu. Each application that is started during the boot-up process slows the system down and may impact memory use and system performance. Install Boot Up Manager (BUM) to disable unnecessary services and applications that are enabled during the boot-up process (apt-get install bum), as shown in the following screenshot:

Add gnome-do (apt-get install gnome-do) to launch applications directly from the keyboard. To configure gnome-do, select it from Applications | Accessories. Once launched, select the Preferences menu, activate the Quiet Launch function, and select a launch command (for example, Ctrl + Shift). Clear any existing commands and then enter the command line to be executed when the launch keys are selected.
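BUM gives a clickable view of the boot-time services, but the review it supports can also be done from a script, which makes it repeatable across builds. The following is an added example for this page, not code from the book or from BUM: it takes the output of systemctl list-unit-files --type=service --state=enabled --no-legend, flags every enabled service that is not on a short keep-list, and prints the systemctl disable command for each one instead of running it, so the list can be read before anything is changed. The unit listing and the keep-list in the script are constructed samples, not the services of a real Kali install.

```shell
#!/bin/sh
# Added example, not from the book: audits systemd's enabled services against
# a keep-list, the same review BUM is used for in the text. SAMPLE_UNITS and
# KEEP_SERVICES are constructed placeholders; on a live Kali system replace
# the sample with the real listing:
#   systemctl list-unit-files --type=service --state=enabled --no-legend
export LC_ALL=C

# Constructed sample in the command's output format: UNIT STATE PRESET.
SAMPLE_UNITS='apache2.service enabled enabled
cron.service enabled enabled
postgresql.service enabled enabled
ssh.service enabled enabled
NetworkManager.service enabled enabled
bluetooth.service enabled enabled'

# Services a tester usually wants at boot (placeholder list); anything else
# that is enabled is a candidate for "systemctl disable" or a BUM checkbox.
KEEP_SERVICES='cron.service
NetworkManager.service
ssh.service'

# flag_services UNIT_LISTING KEEP_LIST
# Prints the enabled units that are not on KEEP_LIST, one per line, sorted.
# grep -x -F -f matches whole lines literally, so "ssh.service" on the
# keep-list does not also excuse "sshguard.service".
flag_services() {
    keepfile=$(mktemp)
    printf '%s\n' "$2" > "$keepfile"
    printf '%s\n' "$1" |
        awk '$2 == "enabled" { print $1 }' |
        sort |
        grep -vxF -f "$keepfile"
    rm -f "$keepfile"
}

# disable_commands UNIT_LISTING KEEP_LIST
# Prints one "systemctl disable <unit>" line per flagged unit without running
# anything; review the list, then run the lines as root.
disable_commands() {
    flag_services "$1" "$2" | while IFS= read -r unit; do
        printf 'systemctl disable %s\n' "$unit"
    done
}

if [ $# -eq 0 ]; then
    disable_commands "$SAMPLE_UNITS" "$KEEP_SERVICES"
fi
```

Disabling a unit only stops it from starting at boot; a service that is still running stays up until the next reboot or an explicit stop, so a listing taken after the change should be checked with systemctl list-units as well.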

Rather than launching directly from the keyboard, it is possible to write specific scripts that launch complex operations.