Table of Contents for
Kali Linux 2 – Assuring Security by Penetration Testing - Third Edition

Version ebook / Retour

Cover image for bash Cookbook, 2nd Edition Kali Linux 2 – Assuring Security by Penetration Testing - Third Edition by Gerard Johansen Published by Packt Publishing, 2016
  1. Cover
  2. Table of Contents
  3. Kali Linux 2 – Assuring Security by Penetration Testing Third Edition
  4. Kali Linux 2 – Assuring Security by Penetration Testing Third Edition
  5. Credits
  6. Disclaimer
  7. About the Authors
  8. About the Reviewer
  9. www.PacktPub.com
  10. Preface
  11. What you need for this book
  12. Who this book is for
  13. Conventions
  14. Reader feedback
  15. Customer support
  16. 1. Beginning with Kali Linux
  17. Kali Linux tool categories
  18. Downloading Kali Linux
  19. Using Kali Linux
  20. Configuring the virtual machine
  21. Updating Kali Linux
  22. Network services in Kali Linux
  23. Installing a vulnerable server
  24. Installing additional weapons
  25. Summary
  26. 2. Penetration Testing Methodology
  27. Vulnerability assessment versus penetration testing
  28. Security testing methodologies
  29. General penetration testing framework
  30. Information gathering
  31. The ethics
  32. Summary
  33. 3. Target Scoping
  34. Preparing the test plan
  35. Profiling test boundaries
  36. Defining business objectives
  37. Project management and scheduling
  38. Summary
  39. 4. Information Gathering
  40. Using public resources
  41. Querying the domain registration information
  42. Analyzing the DNS records
  43. Getting network routing information
  44. Utilizing the search engine
  45. Metagoofil
  46. Accessing leaked information
  47. Summary
  48. 5. Target Discovery
  49. Identifying the target machine
  50. OS fingerprinting
  51. Summary
  52. 6. Enumerating Target
  53. Understanding the TCP/IP protocol
  54. Understanding the TCP and UDP message format
  55. The network scanner
  56. Unicornscan
  57. Zenmap
  58. Amap
  59. SMB enumeration
  60. SNMP enumeration
  61. VPN enumeration
  62. Summary
  63. 7. Vulnerability Mapping
  64. Vulnerability taxonomy
  65. Automated vulnerability scanning
  66. Network vulnerability scanning
  67. Web application analysis
  68. Fuzz analysis
  69. Database assessment tools
  70. Summary
  71. 8. Social Engineering
  72. Attack process
  73. Attack methods
  74. Social Engineering Toolkit
  75. Summary
  76. 9. Target Exploitation
  77. Vulnerability and exploit repositories
  78. Advanced exploitation toolkit
  79. MSFConsole
  80. MSFCLI
  81. Ninja 101 drills
  82. Writing exploit modules
  83. Summary
  84. 10. Privilege Escalation
  85. Password attack tools
  86. Network spoofing tools
  87. Network sniffers
  88. Summary
  89. 11. Maintaining Access
  90. Working with tunneling tools
  91. Creating web backdoors
  92. Summary
  93. 12. Wireless Penetration Testing
  94. Wireless network recon
  95. Wireless testing tools
  96. Post cracking
  97. Sniffing wireless traffic
  98. Summary
  99. 13. Kali Nethunter
  100. Installing Kali Nethunter
  101. Nethunter icons
  102. Nethunter tools
  103. Third-party applications
  104. Wireless attacks
  105. HID attacks
  106. Summary
  107. 14. Documentation and Reporting
  108. Types of reports
  109. The executive report
  110. The management report
  111. The technical report
  112. Network penetration testing report (sample contents)
  113. Preparing your presentation
  114. Post-testing procedures
  115. Summary
  116. A. Supplementary Tools
  117. Web application tools
  118. Network tool
  119. Summary
  120. B. Key Resources
  121. Paid incentive programs
  122. Reverse engineering resources
  123. Penetration testing learning resources
  124. Exploit development learning resources
  125. Penetration testing on a vulnerable environment
  126. Online web application challenges
  127. Virtual machines and ISO images
  128. Network ports
  129. Index

Sniffing wireless traffic

When examining techniques for sniffing wireless traffic, there are two types of techniques available. The first is sniffing WLAN traffic while authenticated and connected to the target WLAN. In this instance, there is the ability to utilize a Man in the Middle attack in conjunction with tools such as Ettercap, which forces network traffic through our testing machine.

A second technique is sniffing all the wireless traffic that we can get from a specific wireless network and decrypting it with the WPA or WEP passcode. This may become necessary if we are attempting to limit our footprint by not connecting to the WLAN. By passively sniffing traffic and decrypting it later, we lessen the chance that we will be detected.

Sniffing WLAN traffic

Just as in a wired LAN, on WLAN, we have the ability to sniff network traffic. The following sniffing technique requires that you have been properly authenticated to the wireless network you are testing and have received a valid IP address from the router. This type of sniffing will make use of the tool Ettercap to conduct an ARP poisoning attack and sniff out credentials.

  1. Start EtterCap by going to Applications | Sniffing and Spoofing | Ettercap-gui or by entering ettercap-gui into a command prompt. Navigate to Sniff and click on Unified Sniffing. Once there, you will be given a drop-down list of network interfaces. Choose your wireless interface, in our case, WLAN0:
    Sniffing WLAN traffic
  2. Next, click on Hosts and click Scan for Hosts. After the scanning is complete, hit Hosts List. If it is an active wireless network, you should see a few hosts on there.
  3. Next, click on MiTM and then ARP Poisoning. On the next screen, choose one IP address and click on Target 1, and then a second IP address and click on Target 2:
    Sniffing WLAN traffic
  4. Then click on the Sniff Remote Connections radio button and click OK:
    Sniffing WLAN traffic

    This will start the ARP Poisoning attack whereby we will be able to see all the traffic between the two hosts that we have chosen.

  5. Next, start a Wireshark capture. When you are brought to the first screen, make sure you choose the wireless interface, in this case, WLAN0:
    Sniffing WLAN traffic
  6. When you examine the traffic, we can see a number of types of traffic being captured. Most notable is a Telnet session that has been opened between our two hosts:
    Sniffing WLAN traffic

    If we right-click on the Telnet session and choose Follow TCP Stream, we are able to see the credentials for a Metasploitable instance with the Telnet credentials past in cleartext:

    Sniffing WLAN traffic

Passive sniffing

In passive sniffing, we are not authenticated to the network. If we suspect that there is the possibility of alerting such intrusion prevention controls as rogue host detection, this is a good way to avoid those controls while still gaining potentially confidential information:

  1. The first stage is to passively scan for wireless traffic on a target network. We first start by ensuring we have our wireless card in monitor mode:
    # airmon-ng start wlan0
  2. We then use the Airodump-ng tool to sniff the network traffic, the same way that we did during the WPA cracking section:
    # airodump-ng wlan0mon -c 6 --bssid 44:94:FC:37:10:6E -w wificrack
  3. Run the tool as long as you want. To ensure that we can decrypt the traffic, we will need to ensure we capture the full four-way handshake, if it is a WPA network. Once we have captured enough traffic, hit Ctrl - C.
  4. Navigate to the folder with the capture file and double-click. This should automatically open the capture in Wireshark:
    Passive sniffing

    The capture is encrypted and all that is visible are a number of 802.11 packets.

  5. In Wireshark, navigate to Edit and then to Preferences. A new bow will open up; click on the triangle next to Protocols and then click on 802.11. The following should open, as shown in this screenshot:
    Passive sniffing
  6. Click on Edit. This sill brings you to a screen to enter WEP or WPA decryption keys. Click on New. Under Key Type, enter WPA and then the passcode and SSID. In this case, it will be Induction:Coherer. Click on Apply and OK:
    Passive sniffing
  7. To apply this decryption key to our capture, navigate to View and then down to Wireless Toolbar. Enable the wireless tool bar. In the main screen, you will see the following:
    Passive sniffing
  8. On the wireless toolbar, click on Decryption Keys. A box will appear. In the drop-down menu in the upper left, chose Wireshark for the decryption mode. Make sure the applicable key is selected. Click on Apply and OK:
    Passive sniffing
  9. Wireshark then applies the decryption key to the capture and, where applicable, is able to decrypt the traffic:
    Passive sniffing

As the preceding screenshot demonstrates, it is possible to decrypt traffic that we have captured without having to join the network. It is important to reiterate that this technique requires a full four-way handshake for each session captured.