Table of Contents for
Kali Linux 2 – Assuring Security by Penetration Testing - Third Edition

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition Kali Linux 2 – Assuring Security by Penetration Testing - Third Edition by Gerard Johansen Published by Packt Publishing, 2016
  1. Cover
  2. Table of Contents
  3. Kali Linux 2 – Assuring Security by Penetration Testing Third Edition
  4. Kali Linux 2 – Assuring Security by Penetration Testing Third Edition
  5. Credits
  6. Disclaimer
  7. About the Authors
  8. About the Reviewer
  9. www.PacktPub.com
  10. Preface
  11. What you need for this book
  12. Who this book is for
  13. Conventions
  14. Reader feedback
  15. Customer support
  16. 1. Beginning with Kali Linux
  17. Kali Linux tool categories
  18. Downloading Kali Linux
  19. Using Kali Linux
  20. Configuring the virtual machine
  21. Updating Kali Linux
  22. Network services in Kali Linux
  23. Installing a vulnerable server
  24. Installing additional weapons
  25. Summary
  26. 2. Penetration Testing Methodology
  27. Vulnerability assessment versus penetration testing
  28. Security testing methodologies
  29. General penetration testing framework
  30. Information gathering
  31. The ethics
  32. Summary
  33. 3. Target Scoping
  34. Preparing the test plan
  35. Profiling test boundaries
  36. Defining business objectives
  37. Project management and scheduling
  38. Summary
  39. 4. Information Gathering
  40. Using public resources
  41. Querying the domain registration information
  42. Analyzing the DNS records
  43. Getting network routing information
  44. Utilizing the search engine
  45. Metagoofil
  46. Accessing leaked information
  47. Summary
  48. 5. Target Discovery
  49. Identifying the target machine
  50. OS fingerprinting
  51. Summary
  52. 6. Enumerating Target
  53. Understanding the TCP/IP protocol
  54. Understanding the TCP and UDP message format
  55. The network scanner
  56. Unicornscan
  57. Zenmap
  58. Amap
  59. SMB enumeration
  60. SNMP enumeration
  61. VPN enumeration
  62. Summary
  63. 7. Vulnerability Mapping
  64. Vulnerability taxonomy
  65. Automated vulnerability scanning
  66. Network vulnerability scanning
  67. Web application analysis
  68. Fuzz analysis
  69. Database assessment tools
  70. Summary
  71. 8. Social Engineering
  72. Attack process
  73. Attack methods
  74. Social Engineering Toolkit
  75. Summary
  76. 9. Target Exploitation
  77. Vulnerability and exploit repositories
  78. Advanced exploitation toolkit
  79. MSFConsole
  80. MSFCLI
  81. Ninja 101 drills
  82. Writing exploit modules
  83. Summary
  84. 10. Privilege Escalation
  85. Password attack tools
  86. Network spoofing tools
  87. Network sniffers
  88. Summary
  89. 11. Maintaining Access
  90. Working with tunneling tools
  91. Creating web backdoors
  92. Summary
  93. 12. Wireless Penetration Testing
  94. Wireless network recon
  95. Wireless testing tools
  96. Post cracking
  97. Sniffing wireless traffic
  98. Summary
  99. 13. Kali Nethunter
  100. Installing Kali Nethunter
  101. Nethunter icons
  102. Nethunter tools
  103. Third-party applications
  104. Wireless attacks
  105. HID attacks
  106. Summary
  107. 14. Documentation and Reporting
  108. Types of reports
  109. The executive report
  110. The management report
  111. The technical report
  112. Network penetration testing report (sample contents)
  113. Preparing your presentation
  114. Post-testing procedures
  115. Summary
  116. A. Supplementary Tools
  117. Web application tools
  118. Network tool
  119. Summary
  120. B. Key Resources
  121. Paid incentive programs
  122. Reverse engineering resources
  123. Penetration testing learning resources
  124. Exploit development learning resources
  125. Penetration testing on a vulnerable environment
  126. Online web application challenges
  127. Virtual machines and ISO images
  128. Network ports
  129. Index

OS fingerprinting

After we know that the target machine is alive, we can then find out the operating system used by the target machine. This method is commonly known as Operating System (OS) fingerprinting. There are two methods of doing OS fingerprinting: active and passive.

In the active method, the tool sends network packets to the target machine and then determines the OS of the target machine based on the analysis done on the response it has received. The advantage of this method is that the fingerprinting process is fast. However, the disadvantage is that the target machine may notice our attempt to get its operating system's information.

To overcome the active method's disadvantage, there is a passive method of OS fingerprinting. This method was pioneered by Michal Zalewsky when he released a tool called p0f. The major advantage of passive OS fingerprinting is that it does the work while reducing the interaction between the testing machine and the target, greatly increasing the stealth of the fingerprinting. The most significant disadvantage of the passive method is that the process will be slower than the active method.

In this section, we will describe a couple of tools that can be used for OS fingerprinting.

p0f

The p0f tool is used to fingerprint an operating system passively. It can be used to identify an operating system on the following machines:

  • Machines that connect to your box (SYN mode; this is the default mode)
  • Machines you connect to (SYN+ACK mode)
  • Machines you cannot connect to (RST+ mode)
  • Machines whose communications you can observe

The p0f tool works by analyzing the TCP packets sent during the network activities.Then, it gathers the statistics of special packets that are not standardized by default by any corporations. An example is that the Linux kernel uses a 64-byte ping datagram, whereas the Windows operating system uses a 32-byte ping datagram, or the Time to Leave (TTL) value. For Windows, the TTL value is 128, while for Linux this TTL value varies between the Linux distributions. This information is then used by p0f to determine the remote machine's operating system.

Note

When using the p0f tool included with Kali Linux, we were not able to fingerprint the operating system on a remote machine. We figured out that the p0f tool has not updated its fingerprint database. Unfortunately, we couldn't find the latest version of the fingerprint database. So, we used p0f v3 (Version 3.06b) instead. To use this version of p0f, just download the TARBALL file from http://lcamtuf.coredump.cx/p0f3/releases/p0f-3.06b.tgz and compile the code by running the build.sh script. By default, the fingerprint database file (p0f.fp) location is in the current directory. If you want to change the location, for example, if you want to change the location to /etc/p0f/p0f.fp, you need to change this in the config.h file and recompile p0f. If you don't change the location, you may need to use the -f option to define the fingerprint database file location.

In the following example, we will use p0f to fingerprint a Linux machine:

  1. To access p0f, open a console and type p0f -h. This will display its usage and options' description. Let's use p0f to identify the operating system used in a remote machine we are connecting to. Just type the following command in your console:
    p0f –f /usr/share/p0f/p0f.fp -o p0f.log
  2. This will read the fingerprint database from the usr/share/p0f/p0f.fp file and save the log information to the p0f.log file. It will then display the following information:
    # p0f -f /usr/share/p0f/p0f.fp -o p0f.log
--- p0f 3.07b by Michal Zalewski <lcamtuf@coredump.cx> ---

[+] Closed 1 file descriptor.
[+] Loaded 320 signatures from '/usr/share/p0f/p0f.fp'.
[+] Intercepting traffic on default interface 'eth0'.
[+] Default packet filtering configured [+VLAN].
[+] Log file 'p0f.log' opened for writing.
[+] Entered main event loop.
  3. Next, you need to generate network activities involving a TCP connection, such as browsing to the remote machine or letting the remote machine connect to your machine. For the purposes of this demonstration, a connection to the HTTP site on the Metasploitable 2 machine was established.

Note

If p0f has successfully fingerprinted the operating system, you will see information of the remote machine's operating system in the console and in the log file (p0f.log).

This is the abridged information displayed to the console:

.-[ 172.16.43.150/41522 -> 172.16.43.156/80 (syn+ack) ]-
|
| server   = 172.16.43.156/80
| os       = Linux 2.6.x
| dist     = 0
| params   = none
| raw_sig  = 4:64+0:0:1460:mss*4,5:mss,sok,ts,nop,ws:df:0

The following screenshot shows the content of the log file:

p0f

Based on the preceding result, we know that the target is a Linux 2.6 machine.

The following screenshot shows the information from the target machine:

p0f

By comparing this information, we know that p0f got the OS information correctly. The remote machine is using Linux version 2.6.

You can stop p0f by pressing Ctrl + C.

Nmap

Nmap is a very popular and capable port scanner. Besides this, it can also be used to fingerprint a remote machine's operating system. It is an active fingerprinting tool. To use this feature, you can use the -O option to the nmap command.

For example, if we want to fingerprint the operating system used on the 192.168.56.102 machine, we use the following command:

nmap –O 172.16.43.156

The following screenshot shows the result of this command:

Nmap

Nmap was able to get the correct operating system information after fingerprinting the operating system of a remote machine.

We will talk more about Nmap in a later chapter.