Table of Contents for
Kali Linux 2 – Assuring Security by Penetration Testing - Third Edition

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition Kali Linux 2 – Assuring Security by Penetration Testing - Third Edition by Gerard Johansen Published by Packt Publishing, 2016
  1. Cover
  2. Table of Contents
  3. Kali Linux 2 – Assuring Security by Penetration Testing Third Edition
  4. Kali Linux 2 – Assuring Security by Penetration Testing Third Edition
  5. Credits
  6. Disclaimer
  7. About the Authors
  8. About the Reviewer
  9. www.PacktPub.com
  10. Preface
  11. What you need for this book
  12. Who this book is for
  13. Conventions
  14. Reader feedback
  15. Customer support
  16. 1. Beginning with Kali Linux
  17. Kali Linux tool categories
  18. Downloading Kali Linux
  19. Using Kali Linux
  20. Configuring the virtual machine
  21. Updating Kali Linux
  22. Network services in Kali Linux
  23. Installing a vulnerable server
  24. Installing additional weapons
  25. Summary
  26. 2. Penetration Testing Methodology
  27. Vulnerability assessment versus penetration testing
  28. Security testing methodologies
  29. General penetration testing framework
  30. Information gathering
  31. The ethics
  32. Summary
  33. 3. Target Scoping
  34. Preparing the test plan
  35. Profiling test boundaries
  36. Defining business objectives
  37. Project management and scheduling
  38. Summary
  39. 4. Information Gathering
  40. Using public resources
  41. Querying the domain registration information
  42. Analyzing the DNS records
  43. Getting network routing information
  44. Utilizing the search engine
  45. Metagoofil
  46. Accessing leaked information
  47. Summary
  48. 5. Target Discovery
  49. Identifying the target machine
  50. OS fingerprinting
  51. Summary
  52. 6. Enumerating Target
  53. Understanding the TCP/IP protocol
  54. Understanding the TCP and UDP message format
  55. The network scanner
  56. Unicornscan
  57. Zenmap
  58. Amap
  59. SMB enumeration
  60. SNMP enumeration
  61. VPN enumeration
  62. Summary
  63. 7. Vulnerability Mapping
  64. Vulnerability taxonomy
  65. Automated vulnerability scanning
  66. Network vulnerability scanning
  67. Web application analysis
  68. Fuzz analysis
  69. Database assessment tools
  70. Summary
  71. 8. Social Engineering
  72. Attack process
  73. Attack methods
  74. Social Engineering Toolkit
  75. Summary
  76. 9. Target Exploitation
  77. Vulnerability and exploit repositories
  78. Advanced exploitation toolkit
  79. MSFConsole
  80. MSFCLI
  81. Ninja 101 drills
  82. Writing exploit modules
  83. Summary
  84. 10. Privilege Escalation
  85. Password attack tools
  86. Network spoofing tools
  87. Network sniffers
  88. Summary
  89. 11. Maintaining Access
  90. Working with tunneling tools
  91. Creating web backdoors
  92. Summary
  93. 12. Wireless Penetration Testing
  94. Wireless network recon
  95. Wireless testing tools
  96. Post cracking
  97. Sniffing wireless traffic
  98. Summary
  99. 13. Kali Nethunter
  100. Installing Kali Nethunter
  101. Nethunter icons
  102. Nethunter tools
  103. Third-party applications
  104. Wireless attacks
  105. HID attacks
  106. Summary
  107. 14. Documentation and Reporting
  108. Types of reports
  109. The executive report
  110. The management report
  111. The technical report
  112. Network penetration testing report (sample contents)
  113. Preparing your presentation
  114. Post-testing procedures
  115. Summary
  116. A. Supplementary Tools
  117. Web application tools
  118. Network tool
  119. Summary
  120. B. Key Resources
  121. Paid incentive programs
  122. Reverse engineering resources
  123. Penetration testing learning resources
  124. Exploit development learning resources
  125. Penetration testing on a vulnerable environment
  126. Online web application challenges
  127. Virtual machines and ISO images
  128. Network ports
  129. Index

Appendix A. Supplementary Tools

This chapter will briefly describe several additional tools that can be used as extra weapons while conducting the penetration testing process. For each tool, we will describe the following aspects:

  • The tool's function
  • The tool's installation process if the tool is not included in Kali Linux
  • Some examples of how to use the tool

The tools described in this chapter may not be included by default in a Kali Linux rolling distribution. You need to download them from the Kali Linux repository as defined in the /etc/apt/sources.lst file, using the apt-get command, or you can download them from each tool's website.

We will loosely divide the tools into the following categories:

  • The reconnaissance tool
  • The vulnerability scanner
  • Web application tools
  • The network tool

Let's look at several additional tools that we can use during our penetration testing process.

Reconnaissance tool

One of the tools that can be used to help us with reconnaissance is recon-ng. It is a framework to automate reconnaissance and discovery processes. If you are familiar with the Metasploit interface, you should feel at home when using recon-ng—the interface is modeled after the Metasploit interface.

Kali Linux has already included recon-ng version 4.7.2. If you want a newer version, you can download it from https://bitbucket.org/LaNMaSteR53/recon-ng/overview.

The recon-ng tool comes with modules for the reconnaissance and discovery processes. The following are the module categories are included in recon-ng version 4.7.2:

  • Reconnaissance modules
  • Seven Reporting modules
  • Two Import modules
  • Two Exploitation modules
  • Two Discovery modules

To use the recon-ng tool, you can type the following command:

# recon-ng

After running this command, you will see the recon-ng prompt. It is very similar to the Metasploit prompt:

Reconnaissance tool

To find out the commands supported by recon-ng, you can type help at the prompt; the following screenshot will be displayed:

Reconnaissance tool

The following are several commands that you will use often:

  • use or load: This loads the selected modules
  • reload: This reloads all the modules
  • info: This displays module information
  • run: This runs the selected module
  • show: This shows the various framework items
  • back: This exits the current prompt level

To list the available modules, you can type show modules, as shown in the following screenshot:

Reconnaissance tool

To gather information about the available hosts in a target domain, you can use the Bing search engine. First, we need to load the specific module. In this case, we are going to utilize the bing_domain_web module. Type the following:

> load recon/domains-hosts/bing_domain_web

Next we set the domain. In this case, we are going to use the domain www.hackthissite.org as our target. Type the following:

> set SOURCE hackthissite.org

Then, type this:

>run

The output shows a number of different hosts associated with the domain www.hackthissite.org:

Reconnaissance tool

This is just one example of recon-ng's capabilities; you can consult the recon-ng website (https://bitbucket.org/LaNMaSteR53/recon-ng/wiki/Home) to get more information about other features.

Vulnerability scanner

Kali Linux does not come with a vulnerability scanner by default. In the previous chapter, we discussed the installation and usage of the vulnerability scanner Nessus. Although it is a very powerful tool, as a penetration tester we can't rely only on one tool; we have to use several tools to give us a more thorough and complete picture of the target environment.

As an additional vulnerability scanner, we will briefly describe the NeXpose Vulnerability Scanner Community Edition from Rapid7.

NeXpose Community Edition

NeXpose Vulnerability Scanner Community Edition (NeXpose CE) is a free vulnerability scanner from Rapid7 that scans devices for vulnerabilities. It can also be integrated with the Metasploit exploit framework.

Following are several NeXpose Community Edition features:

  • Vulnerability scanning for up to 32 IP addresses
  • Regular vulnerability database updates
  • Ability to prioritize risk assessment
  • Guide to the remediation process
  • Integration with Metasploit
  • Community support at http://community.rapid7.com
  • Simple deployment
  • No-cost start-up security solution

The commercial edition of NeXpose includes additional features, such as no limitation of the IP addresses that can be scanned, distributed scanning, more flexible reporting, web and database server scanning, and technical support.

NeXpose consists of the following two main parts:

  • NeXpose scan engine: This performs asset discovery and vulnerability detection operations. In the community edition, there is only one local scan engine.
  • NeXpose security console: This console will communicate with NeXpose scan engines to start scans and retrieve scan information. The console also includes a web-based interface to configure and operate the NeXpose scan engine.

Now that we have looked at the features of NeXpose Community Edition, let's install it.

Installing NeXpose

Following are the steps that can be used to install NeXpose Community Edition in Kali Linux:

  1. Complete the download form at http://www.rapid7.com/products/nexpose/nexpose-community.jsp. You need to provide your official e-mail address to register. After that, you will be sent an e-mail containing the license key and download instructions to get NeXpose CE.
  2. Download the NeXpose CE installer from the location mentioned in the e-mail. As an example, I am downloading the NeXposeSetup-Linux64.bin file for the 64-bit Linux operating system.
  3. Open a terminal, then go to the directory that contains the downloaded NeXpose installer.
  4. Once in the folder, set permissions for the installer by typing the following:
    # chmod u+x ./NexposeSetup-Linux64.bin
  5. The current version of Kali Linux 2016.1 has issues with the NeXpose Installer. As a workaround, type the following:
    ./NeXposeSetup-Linux64.bin -q -overwrite -Vfirstname='Nexpose' -Vlastname='VA' -Vcompany='Rapid7' -Vusername='nxadmin' -Vpassword1='nxpassword' -Vpassword2='nxpassword' -Vsys.component.typical\$Boolean=true -Vsys.component.engine\$Boolean=false -VinitService\$Boolean=false

In the command, make sure you change the first name, last name, and company, and set a proper username and password. Then hit the Enter key. The installer will take some time to run through a number of tasks.

Starting the NeXpose community

After the installation process is complete, you can start NeXpose by going to the directory containing the script that starts NeXpose. The default installation directory is /opt/rapid7/nexpose. The command for starting the NeXpose community is as follows:

# cd /opt/rapid7/nexpose/nsc

Run the following script to start NeXpose:

# ./nsc.sh

The startup process will take several minutes because NeXpose is initializing its vulnerabilities database. After this process is finished, you can log on to the NeXpose security console web interface.

If you want to install NeXpose as a daemon, you can start it automatically when the machine starts; it will continue running even if the current process user logs off. You can do this with the following steps:

  1. Go to the directory containing the nexposeconsole.rc file using the following command:
    # cd [installation_directory]/nsc
  2. Open that file and make sure that the line containing NXP_ROOT is set to the NeXpose installation directory.
  3. Copy that file to the /etc/init.d directory and give it the desired script name, such as nexpose, using the following command:
    # cp [installation_directory]/nsc/nexposeconsole.rc /etc/init.d/nexpose
  4. Set the executable permission for the startup script file using the following command:
    # chmod +x /etc/init.d/nexpose
  5. Make NeXpose start when the operating system starts by using the following command:
    # update-rc.d nexpose defaults
# /etc/init.d/nexpose <start|stop|restart>

You can manage NeXpose to start, stop, or restart the daemon using the following command:

Logging in to the NeXpose community

Following are the steps must be performed to log in to the NeXpose community console's web interface:

  1. Open your web browser. Then, go to this URL: https://127.0.0.1:3780. If there are no errors, you will be greeted with the login screen. You will see the Untrusted Connection message. After verifying the certificate, you can confirm whether or not to store the exception permanently, so you will not see the error message in future.
  2. After the first login, the security console will initialize; it will also download updates from the Rapid7 server. This process will take some time.
  3. After the initialization has finished, you can log in, using the username and password that you specified during the installation process, then click on the LOG ON button, as shown in the following screenshot:
    Logging in to the NeXpose community
  4. The console will display the Activate License dialog box. Enter the product key in the textbox and then click on ACTIVATE WITH KEY to complete this step, as shown in the following screenshot:
    Logging in to the NeXpose community

The first time you log in to the console, you will see the NeXpose news page, which lists all of the updates and improvements in the installed NeXpose system. If you can see this page, it means that you have successfully installed NeXpose Community Edition to your Kali Linux system.

Note

I found out that you may need to use the Firefox web browser instead of the Iceweasel web browser to successfully log in to the NeXpose security console. You can find references on how to install Firefox in Kali at:

http://kali4hackers.blogspot.com/2013/05/install-firefox-on-kali-linux.html

Using the NeXpose community

In our exercise, we will do a simple scan against our local network:

  1. On the NeXpose dashboard, click on Home; to scan a site, click on Create Site:
    Using the NeXpose community
  2. We will then be brought to the General information screen where we put the particulars for our site. First, we will give our site name. In this case, our target is the Metasploitable2 system we have used in the past. We enter the name and a description, if needed:
    Using the NeXpose community
  3. Click the Assets tab and under the Assets area type in the IP address of the Metasploitable2 installation. Bear in mind that, in the NeXpose Community Edition, you are limited to scanning only 32 IP addresses. In this case, we use the IP address of 172.16.122.193:
    Using the NeXpose community
  4. There are a number of options to tune the scan, including using credentials (which is usually reserved for vulnerability scanning as part of normal operations,) as well as the different templates for scanning. In this case, we will stick with a simple scan and simply save our configuration by hitting the Save button.
  5. Now we can see the Metasploitable2 target under the sites section of the home page. To the right, we start our scan by clicking on the Scan icon:
    Using the NeXpose community
  6. The scan will run and you can monitor the progress on the same screen:
    Using the NeXpose community

Depending on the number of hosts that are being scanned, as well as their location on the network, the scan may take several minutes. On completion of the scan, NeXpose provides some scan information. The following screenshot shows the vulnerabilities report for the target machine:

Using the NeXpose community

To see a detailed audit report, you need to run the Report Generator option, made accessible by clicking on Reports, on the top menu. In that screen, you are able to access the reports. The output will be a PDF, which can be included as part of the overall penetration testing report:

Using the NeXpose community

That's all for a very brief overview of NeXpose Community Edition. Having an additional vulnerability scanner is a good way to validate whether a finding is possibly a false positive. In the next section, we will describe two web application tools.