Table of Contents for
Kali Linux 2 – Assuring Security by Penetration Testing - Third Edition

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition Kali Linux 2 – Assuring Security by Penetration Testing - Third Edition by Gerard Johansen Published by Packt Publishing, 2016
  1. Cover
  2. Table of Contents
  3. Kali Linux 2 – Assuring Security by Penetration Testing Third Edition
  4. Kali Linux 2 – Assuring Security by Penetration Testing Third Edition
  5. Credits
  6. Disclaimer
  7. About the Authors
  8. About the Reviewer
  9. www.PacktPub.com
  10. Preface
  11. What you need for this book
  12. Who this book is for
  13. Conventions
  14. Reader feedback
  15. Customer support
  16. 1. Beginning with Kali Linux
  17. Kali Linux tool categories
  18. Downloading Kali Linux
  19. Using Kali Linux
  20. Configuring the virtual machine
  21. Updating Kali Linux
  22. Network services in Kali Linux
  23. Installing a vulnerable server
  24. Installing additional weapons
  25. Summary
  26. 2. Penetration Testing Methodology
  27. Vulnerability assessment versus penetration testing
  28. Security testing methodologies
  29. General penetration testing framework
  30. Information gathering
  31. The ethics
  32. Summary
  33. 3. Target Scoping
  34. Preparing the test plan
  35. Profiling test boundaries
  36. Defining business objectives
  37. Project management and scheduling
  38. Summary
  39. 4. Information Gathering
  40. Using public resources
  41. Querying the domain registration information
  42. Analyzing the DNS records
  43. Getting network routing information
  44. Utilizing the search engine
  45. Metagoofil
  46. Accessing leaked information
  47. Summary
  48. 5. Target Discovery
  49. Identifying the target machine
  50. OS fingerprinting
  51. Summary
  52. 6. Enumerating Target
  53. Understanding the TCP/IP protocol
  54. Understanding the TCP and UDP message format
  55. The network scanner
  56. Unicornscan
  57. Zenmap
  58. Amap
  59. SMB enumeration
  60. SNMP enumeration
  61. VPN enumeration
  62. Summary
  63. 7. Vulnerability Mapping
  64. Vulnerability taxonomy
  65. Automated vulnerability scanning
  66. Network vulnerability scanning
  67. Web application analysis
  68. Fuzz analysis
  69. Database assessment tools
  70. Summary
  71. 8. Social Engineering
  72. Attack process
  73. Attack methods
  74. Social Engineering Toolkit
  75. Summary
  76. 9. Target Exploitation
  77. Vulnerability and exploit repositories
  78. Advanced exploitation toolkit
  79. MSFConsole
  80. MSFCLI
  81. Ninja 101 drills
  82. Writing exploit modules
  83. Summary
  84. 10. Privilege Escalation
  85. Password attack tools
  86. Network spoofing tools
  87. Network sniffers
  88. Summary
  89. 11. Maintaining Access
  90. Working with tunneling tools
  91. Creating web backdoors
  92. Summary
  93. 12. Wireless Penetration Testing
  94. Wireless network recon
  95. Wireless testing tools
  96. Post cracking
  97. Sniffing wireless traffic
  98. Summary
  99. 13. Kali Nethunter
  100. Installing Kali Nethunter
  101. Nethunter icons
  102. Nethunter tools
  103. Third-party applications
  104. Wireless attacks
  105. HID attacks
  106. Summary
  107. 14. Documentation and Reporting
  108. Types of reports
  109. The executive report
  110. The management report
  111. The technical report
  112. Network penetration testing report (sample contents)
  113. Preparing your presentation
  114. Post-testing procedures
  115. Summary
  116. A. Supplementary Tools
  117. Web application tools
  118. Network tool
  119. Summary
  120. B. Key Resources
  121. Paid incentive programs
  122. Reverse engineering resources
  123. Penetration testing learning resources
  124. Exploit development learning resources
  125. Penetration testing on a vulnerable environment
  126. Online web application challenges
  127. Virtual machines and ISO images
  128. Network ports
  129. Index

Getting network routing information

Network routing information is useful for penetration testers in a number of ways. First, they can identify different devices in between the penetration tester's machine and the target. The penetration tester could also glean information about how the network operates and how traffic is routed between the target and the tester's machine. Finally, the penetration tester would also be able to determine if there was an intermediate barrier such as a firewall or proxy server between the tester and the target.

Kali Linux has a number of tools that provides network routing information.

tcptraceroute

A supplement to the traceroute command found in Linux distributions is the tcptraceroute tool. The normal traceroute command sends either a UDP or ICMP echo request packet to the target house with a Time to Leave (TTL) set to one. This TTL is increased by one for each host it reaches until the packet reaches the target host. The major difference between traceroute and the tcptraceroute tool is that the tcptraceroute tools use a TCP SYN packet to the target host.

The main advantage with using tcptraceroute is when you have the possibility of encountering a firewall between the testing machine and the target. Firewalls are often configured to filter out ICMP and UDP traffic associated with the traceroute command. As a result, the traceroute information will not be useful to you. Using tcptraceroute allows us to use the TCP connection on a specific port, which the firewall will allow you to pass through, thereby allowing you to enumerate the network routing path through the firewall.

The tcptraceroute command makes use of the TCP three-way handshake to determine if the patch through the firewall is allowed. If the port is open, you will receive a SYN/ACK packet. If the port is closed, you will receive a RST packet. To start tcptraceroute, type the following into the command line:

# tcptraceroute

This command will show the different functions related to the command.

The simplest usage is running the command against a domain. For this demonstration, we will run the traceroute command to trace the network route to the domain the example.com:

# traceroute www.example.com

The redacted output for traceroute is as follows:

traceroute to www.example.com (192.168.10.100), 30 hops max, 40 byte packets
 1  192.168.1.1 (192.168.1.1)  8.382 ms  12.681 ms  24.169 ms
 2  1.static.192.168.xx.xx.isp (192.168.2.1)  47.276 ms  61.215 ms  61.057 ms
 3  * * *
 4  74.subnet192.168.xx.xx.isp (192.168.4.1)  68.794 ms  76.895 ms  94.154 ms
 5  isp2 (192.168.5.1)  122.919 ms  124.968 ms  132.380 ms
...
15  * * *
...
30  * * *

As you can see, there are several steps that are indicated and others that appear as ***. If we look at the output, by hop 15, we see that there is no information available. This is indicative of a filtering device between the tester machine and the host, example.com.

To counter this filtering, we will try to determine the route using the tcptraceroute command. As we know that example.com has a web server, we will set the command to try the TCP port 80, which is the HTTP port. Here is the command:

# tcptraceroute www.example.com

The output is as follows:

Selected device eth0, address 192.168.1.107, port 41884 for outgoing packets
Tracing the path to www.example.com (192.168.10.100) on TCP port 80 (www),                 30 hops max
 1  192.168.1.1  55.332 ms  6.087 ms  3.256 ms
 2  1.static.192.168.xx.xx.isp (192.168.2.1)    66.497 ms  50.436                 ms  85.326 ms
 3  * * *
 4  74.subnet192.168.xx.xx.isp (192.168.4.1)  56.252 ms  28.041 ms  34.607 ms
 5  isp2 (192.168.5.1)  51.160 ms  54.382 ms  150.168 ms
 6  192.168.6.1  106.216 ms  105.319 ms  130.462 ms
 7  192.168.7.1  140.752 ms  254.555 ms  106.610 ms
...
14  192.168.14.1  453.829 ms  404.907 ms  420.745 ms
15  192.168.15.1 615.886 ms  474.649 ms  432.609 ms
16  192.168.16.1 [open]  521.673 ms  474.778 ms  820.607 ms

As we can see from the tcptraceroute output, the request has reached our target system and has given us the hops that the request took to get to the target.

tctrace

Another tool that makes use of the same use of the TCP hand-shake is tctrace. Much like tcptraceroute, tctrace sends a SYN packet to a specific host and if the reply is a SYN/ACK, the port is open. A RST packet indicates a closed port.

To start tctrace, enter the following command:

# tctrace -i<device> -d<targethost>

The –i <device> is the network interface on the target and -d <taget host> is the target.

For this example, we are going to run tctrace against the www.example.com domain:

# tctrace -i eth0 -d www.example.com

The following output is obtained:

 1(1)   [172.16.43.1]
 2(1)   [172.16.44.1]
 3(all)  Timeout
 4(3)   [172.16.46.1]
 5(1)   [172.16.47.1]
 6(1)   [172.16.48.1]
 7(1)   []
...
14(1)   [172.16.56.1]
15(1)   [172.16.57.1]
16(1)   [198.148.81.137] (reached; open)