Aside from routing and domain information, Kali Linux has other tools that can provide a great deal of OSINT to penetration testers. These tools act as meta search engines: they query a variety of resources such as Google or social networking sites for e-mail addresses, documents, and domain information. One advantage of these tools is that they do not query the target's websites directly, but rather rely on third-party search engines to provide the OSINT. This leaves fewer traces of the penetration tester on the target's own systems.
Some of these tools are built in to Kali Linux and others have to be installed. The following present a good subset of the tools that will aid you in the vast majority of information collection cases.
theharvester is an information gathering tool that can search the Internet for e-mail addresses, domains, and hostnames. As of version 2.6, theharvester is able to gather open source information from the following sites:
theharvester is accessed through the Kali Linux command line by entering the following command:
# theharvester
Let's say, for example, I want to find all the available e-mail addresses for the example.com domain. In addition, I want all the host names that are associated with that domain. We can enter the following on the command line:
# theharvester -d example.com -l 100 -b google
-d specifies the domain we are searching, -l limits the search to 100 results (very helpful if you are only doing a limited-scope demonstration of how much OSINT an organization has out on the Internet), and -b selects the data source to query. In this example, we limited our search to Google. If you want to use every available source, pass -b all instead.
theharvester produces the following output:
* TheHarvester Ver. 2.6 *
* Coded by Christian Martorella *
* Edge-Security Research *
* cmartorella@edge-security.com *

[-] Searching in Google:
    Searching 0 results...
    Searching 100 results...

[+] Emails found:
------------------
@example.com
john@example.com
july@example.com
user@example.com
you@example.com
account@example.com
recipient@example.com
example@example.com
admin@example.com
shimul_you@example.com
fail2ban@example.com
postmaster@example.com
someone@example.com
alguien@example.com
0199@example.com
address@example.com
sample@example.com
name@example.com
bar@example.com
mozilla@example.com
virusalert@example.com
nobody@example.com
invalid@example.com
noreply@phabricator.example.com
bob@test.example.com
webmaster@example.com
Abc.@example.com
Abc..123@example.com
mark@example.com
hollie@example.com
reply@example.com
Marianne@example.com
friend@example.com
baz@example.com
alice@example.com
mylist@example.com

[+] Hosts found in search engines:
------------------------------------
[-] Resolving hostnames IPs...
93.184.216.34:www.example.com
93.184.216.34:Www.example.com
From the preceding result, we notice that we are able to get several e-mail addresses and hostnames from the Google search engine.
If we want to gather more information, say the names of users belonging to the target organization, we can use linkedin.com as the data source. The following is the command for that:
# theharvester -d example.com -l 100 -b linkedin
The following is the result:
[-] Searching in Linkedin..
    Searching 100 results..

Users from Linkedin:
====================
John Example
David Example
Judy Example
Michael Example
Forrest Example
Luke Example
The preceding list of user names collected from LinkedIn will be useful in a later phase of the penetration test, for example if the engagement includes a social engineering attack.
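Raw theharvester output mixes genuine findings with placeholder addresses (the bare @example.com, Abc.@example.com and Abc..123@example.com above) and case-variant duplicates (www.example.com and Www.example.com). The following Python script is an added example, not part of the book or of theharvester itself: it parses the e-mail, host and LinkedIn sections of the tool's text output into structured data, drops addresses whose local part is empty or malformed, de-duplicates case-insensitively (an assumption: local parts are treated as case-insensitive, which is how almost every mail system behaves in practice), and lists the e-mail domains found, since subdomains such as phabricator.example.com in the results are hosts the organization may not realise it exposes. SAMPLE_OUTPUT is constructed from the values shown above.

```python
"""Parse theharvester text output into de-duplicated, sanity-checked data.

Added example; SAMPLE_OUTPUT is constructed from the values shown on the page.
"""
import re

SAMPLE_OUTPUT = """\
* TheHarvester Ver. 2.6 *
* Coded by Christian Martorella *

[-] Searching in Google:
\tSearching 0 results...
\tSearching 100 results...

[+] Emails found:
------------------
@example.com
john@example.com
Abc.@example.com
Abc..123@example.com
JOHN@example.com
noreply@phabricator.example.com
bob@test.example.com

[+] Hosts found in search engines:
------------------------------------
[-] Resolving hostnames IPs...
93.184.216.34:www.example.com
93.184.216.34:Www.example.com

[-] Searching in Linkedin..
\tSearching 100 results..
Users from Linkedin:
====================
John Example
David Example
"""

LOCAL_PART_RE = re.compile(r"[A-Za-z0-9._%+-]+")
DOMAIN_RE = re.compile(r"(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")
HOST_LINE_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\S+)")


def is_plausible_email(addr):
    """Reject placeholder/garbage addresses that search engines return:
    empty local part, a local part starting or ending with a dot, or
    consecutive dots (invalid in an unquoted local part under RFC 5322)."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return False
    if local.startswith(".") or local.endswith(".") or ".." in local:
        return False
    return bool(LOCAL_PART_RE.fullmatch(local) and DOMAIN_RE.fullmatch(domain))


def parse_theharvester(text):
    """Return {'emails', 'rejected_emails', 'hosts', 'users'} from tool output."""
    result = {"emails": [], "rejected_emails": [], "hosts": {}, "users": []}
    seen = set()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blank lines and the -/=/* rules under each heading.
        if not line or set(line) <= set("-=*"):
            continue
        if line.startswith("[+] Emails found"):
            section = "emails"
            continue
        if line.startswith("[+] Hosts found"):
            section = "hosts"
            continue
        if line.startswith("Users from Linkedin"):
            section = "users"
            continue
        if line.startswith("[-] Searching in"):
            section = None          # a new data source begins
            continue
        if line.startswith(("[-]", "[+]", "Searching", "*")):
            continue                # progress and banner lines
        if section == "emails":
            if not is_plausible_email(line):
                result["rejected_emails"].append(line)
            elif line.lower() not in seen:  # assumption: case-insensitive dedupe
                seen.add(line.lower())
                result["emails"].append(line)
        elif section == "hosts":
            m = HOST_LINE_RE.fullmatch(line)
            if m:
                ip, host = m.group(1), m.group(2).lower().rstrip(".")
                result["hosts"].setdefault(host, ip)
        elif section == "users":
            result["users"].append(line)
    return result


def email_domains(parsed):
    """Sorted domains seen in accepted addresses; subdomains here are often
    internal systems (ticketing, CI, test hosts) the organization leaks."""
    return sorted({a.rsplit("@", 1)[1].lower() for a in parsed["emails"]})


if __name__ == "__main__":
    data = parse_theharvester(SAMPLE_OUTPUT)
    print(f"{len(data['emails'])} usable e-mails, "
          f"{len(data['rejected_emails'])} rejected, "
          f"{len(data['hosts'])} hosts, {len(data['users'])} users")
    print("e-mail domains:", ", ".join(email_domains(data)))
```

Feeding the script real theharvester output (redirect the tool's stdout to a file and pass the file's contents to parse_theharvester) gives a list that can go straight into the engagement report, with the rejected placeholders kept separately so the client can see what the search engines returned verbatim.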
theharvester is a handy tool for aggregating e-mail addresses and other information that a target may leak. Another tool, SimplyEmail, not only collects e-mail addresses and similar information but also scrapes domains for documents such as text files, Word documents, and Excel spreadsheets. In addition, it can draw on a wide range of websites and search engines, including Reddit, Pastebin, and CanaryBin. One of its best features is that it produces an HTML report, which comes in handy when you are preparing your own report.
SimplyEmail is a Python script that has a number of modules. Installing it is fairly easy.
Go through the following steps to install SimplyEmail:
SimplyEmail. For ease of use, you can put this file on the desktop.
# sh Setup.sh
The help menu can be accessed by typing the following command:
# ./SimplyEmail.py -h
Curent Version: v1.0 | Website: CyberSyndicates.com
============================================================
Twitter: @real_slacker007 | Twitter: @Killswitch_gui
============================================================
[-s] [-v]

E-mail enumeration is an important phase of so many operations that a penetration tester or Red Teamer goes through. There are tons of applications that do this, but I wanted a simple yet effective way to get what Recon-Ng gets and theharvester gets (you may want to run -h):

optional arguments:
  -all                        Use all non API methods to obtain Emails
  -e company.com              Set required email addr user, ex ale@email.com
  -l                          List the current Modules Loaded
  -t html / flickr / google   Test individual module (For Linting)
  -s                          Set this to enable 'No-Scope' of the email parsing
  -v                          Set this switch for verbose output of modules
To start a search, type in the following command:
# ./SimplyEmail.py -all -e example.com
The script then runs. Be aware that if a module finds no information, its output will contain errors. This does not mean you have made a mistake; it simply means there were no results for that search. While the tool runs, you will see output like the following on your screen:
[*] Starting: PasteBin Search for Emails
[*] Starting: Google PDF Search for Emails
[*] Starting: Exalead DOCX Search for Emails
[*] Starting: Exalead XLSX Search for Emails
[*] Starting: HTML Scrape of Taget Website
[*] Starting: Exalead Search for Emails
[*] Starting: Searching PGP
[*] Starting: OnionStagram Search For Instagram Users
[*] HTML Scrape of Taget Website has completed with no Email(s)
[*] Starting: RedditPost Search for Emails
[*] OnionStagram Search For Instagram Users: Gathered 23 Email(s)!
[*] Starting: Ask Search for Emails
After the searches have been conducted, you will receive a request to verify e-mail addresses. This verification process can take some time, but in a targeted attack where you want to socially engineer or phish specific individuals, it may be prudent. A simple Y/N will suffice:
[*] Email reconnaissance has been completed:
    Email verification will allow you to use common methods to attempt
    to enumerate if the email is valid. This grabs the MX records, sorts
    and attempts to check if the SMTP server sends a code other than 250
    for known bad addresses
[>] Would you like to verify email(s)?:
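The verification step described in that prompt is a classic RCPT TO probe: connect to the domain's MX, issue MAIL FROM, then RCPT TO for each candidate address and see whether the server answers 250 or rejects it. The same probe is the check a mail administrator runs against their own MX to find out whether it confirms which mailboxes exist. The Python script below is an added example, not SimplyEmail's own code: it runs the probe against an in-process fake MX (constructed for the example; mx.example.test, probe.invalid and the 127.0.0.1 port are assumptions, not real infrastructure) and includes the "known bad address" control SimplyEmail's prompt mentions, so that a catch-all domain, which accepts every recipient, is recognised as yielding no information rather than reported as a list of "valid" users.

```python
"""RCPT TO-based address verification against an in-process fake MX.

Added example, not part of SimplyEmail. The fake MX, its hostname
mx.example.test and the probe identity probe.invalid are constructed.
"""
import smtplib
import socketserver
import threading
import uuid


class FakeMX(socketserver.StreamRequestHandler):
    """Minimal SMTP responder. Accepts RCPT TO for addresses in
    server.valid; with server.catch_all set it accepts every recipient,
    which is what a catch-all domain does."""

    def handle(self):
        self.wfile.write(b"220 mx.example.test ESMTP fake\r\n")
        for raw in self.rfile:
            line = raw.decode("latin-1").strip()
            verb = line.split(" ", 1)[0].upper()
            if verb in ("HELO", "EHLO"):
                self.wfile.write(b"250 mx.example.test\r\n")
            elif verb in ("MAIL", "RSET", "NOOP"):
                self.wfile.write(b"250 OK\r\n")
            elif verb == "RCPT":
                addr = line.split(":", 1)[1].strip().strip("<>").lower()
                if self.server.catch_all or addr in self.server.valid:
                    self.wfile.write(b"250 OK\r\n")
                else:
                    self.wfile.write(b"550 5.1.1 No such user\r\n")
            elif verb == "QUIT":
                self.wfile.write(b"221 Bye\r\n")
                return
            else:
                self.wfile.write(b"502 Command not implemented\r\n")


def start_fake_mx(valid_addresses, catch_all=False):
    """Start the fake MX on an ephemeral loopback port; return (server, port)."""
    server = socketserver.ThreadingTCPServer(("127.0.0.1", 0), FakeMX)
    server.daemon_threads = True
    server.valid = {a.lower() for a in valid_addresses}
    server.catch_all = catch_all
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def verify_addresses(addresses, mx_host, mx_port, sender="probe@probe.invalid"):
    """Return {address: 'accepted' | 'rejected' | 'catch-all'}.

    A random, certainly non-existent control address is tried first; if the
    server accepts it, every later 250 is meaningless and all addresses are
    reported as 'catch-all' instead of 'accepted'."""
    domain = addresses[0].rsplit("@", 1)[1]
    control = f"nonexistent-{uuid.uuid4().hex[:12]}@{domain}"
    results = {}
    with smtplib.SMTP(mx_host, mx_port, local_hostname="probe.invalid",
                      timeout=5) as smtp:
        smtp.helo("probe.invalid")
        code, _ = smtp.mail(sender)
        if code != 250:
            raise RuntimeError(f"MAIL FROM refused with {code}")
        control_code, _ = smtp.rcpt(control)
        if control_code == 250:
            return {addr: "catch-all" for addr in addresses}
        for addr in addresses:
            code, _ = smtp.rcpt(addr)
            results[addr] = "accepted" if code == 250 else "rejected"
    return results


if __name__ == "__main__":
    candidates = ["alice@example.com", "bob@example.com"]
    for catch_all in (False, True):
        server, port = start_fake_mx(["alice@example.com"], catch_all=catch_all)
        try:
            print(f"catch_all={catch_all}:",
                  verify_addresses(candidates, "127.0.0.1", port))
        finally:
            server.shutdown()
            server.server_close()
```

Run against the strict fake MX the probe separates alice (accepted) from bob (rejected); run against the catch-all fake MX it reports both as "catch-all". That second result is the point for defenders: an MX that accepts RCPT TO for every local part (or defers rejection until after DATA) gives an enumeration tool nothing to sort on, at the cost of handling more undeliverable mail internally.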
After the verification question, the final question is the report generation phase:
[*] Email reconnaissance has been completed:
    File Location:       /root/Desktop/SimplyEmail
    Unique Emails Found: 246
    Raw Email File:      Email_List.txt
    HTML Email File:     Email_List.html
    Domain Performed:    example.com
[>] Would you like to launch the HTML report?:
The report is an HTML file listing the types of search that were conducted and the data that was found. If you are comfortable with HTML, you can even brand this report with your own logo and include it in the final penetration test report.