as appearing in Hackin9 IT Security Magazine Vol. 9 No. 1 and PenTest Magazine Vol. 2 No. 3
Kali Linux is the latest version of the BackTrack Linux penetration testing, security auditing, and forensics distribution. It is based on Debian and comes ready to go with all the tools you need to begin an information security engagement.
The amount of tools available in the distribution prevents us from going into depth on each tool, but this tutorial is designed to get you started with some of the most common tools you will use to perform a typical security audit.
For the purposes of this tutorial we will be running a known vulnerable OS called Metasploitable, which is available at http://www.offensivesecurity.com/metasploitunleashed/Metasploitable, and we are focusing on network penetration testing. Kali however has much more to offer, including application testing via tools such as Burp Suite, and SQL injection tools such as sqlmap. For social engineering engagements it is complete with tools such as Maltego for doing some excellent reconnaissance, BeEF for attacking browsers (think XSS), and it includes the Social Engineering Toolkit.
Many of the tools are command line based, and clicking a tool in the menu will open a terminal window and show you the help for using the tool.
Figure 1. Terminal Window
Let’s begin by using netdiscover to see what is on the network without being intrusive. We can run it in passive mode so it only sniffs the traffic it sees and doesn’t send anything out. Depending on the rules of engagement, you may want to try to stay hidden during your test, and this will get you started identifying machines on the network.
Figure 2. Using as Unknown Vendor
The second entry is our Metasploitable instance. This doesn’t give us much to go on, but you can see a couple of devices on the network and their manufacturer if it’s known. So let’s take a look at the traffic and see what we find.
Watching the Traffic
Wireshark is a fantastic tool for watching, capturing, and analyzing network traffic. I’ve personally used it on very large incident responses to data breaches and used it to track down conversations between exploited systems and the external attackers. It quickly lets you identify the protocol being used and the IP addresses of the machines communicating. Once you’ve identified something worth investigating you can right click on the capture and set up filters to watch specific conversations, IP addresses, protocols, etc.
Figure 3. Investigating
Wireshark not only shows you the basic information about the traffic; it has two additional panes below that let you analyze each packet and see exactly what is being transmitted. When performing a penetration test it is useful to let it run for a long time and then go back through the data examining protocols used, active IP addresses, etc. Any protocol that can transmit credentials in clear text, such as telnet and HTTP, is a great score. For example, if you find a network router that has the web interface enabled, it’s certainly worth a look to see if you can catch someone logging in. Depending on your rules of engagement it may be a little dirty pool, but you could set Wireshark capturing traffic while you call the help desk and report some connectivity issues to try to get them to log into the router. Remember that any traffic is worth examining regardless of how mundane it may appear. During an incident response with a live APT in the network I noticed some peculiar DNS traffic and discovered the attackers had been using DNS to exfiltrate data by having the compromised machines look up names such as sensitivecustomerdata.evilattackershost.cc. It wasn’t quite that simple, but that gives you an idea.
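As an added example (not from the original article), here is a small Python detector for the DNS exfiltration pattern described above: data encoded into long or high-entropy leftmost labels under one attacker-controlled domain. The log lines, client IPs, hostnames and thresholds are all constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log, "<client ip> <queried name>" per line (not real traffic).
# The evilattackershost.cc lookups mimic the kind of hostnames described in the article.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com
10.0.0.5 mail.example.com
10.0.0.7 update.example.com
10.0.0.9 sensitivecustomerdata.evilattackershost.cc
10.0.0.9 6a6f686e2e646f652c34313131.evilattackershost.cc
10.0.0.9 31323334353637383930.evilattackershost.cc
10.0.0.9 6d6f72652d646174612d68657265.evilattackershost.cc
10.0.0.5 cdn.example.com
"""

def shannon_entropy(label):
    """Bits per character of a label; hex or base32 encoded data scores high."""
    if not label:
        return 0.0
    n = len(label)
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(name):
    """Crude: the last two labels. Good enough for .com/.cc here, not for co.uk etc."""
    return ".".join(name.rstrip(".").split(".")[-2:])

def flag_dns_exfil(log_text, max_label_len=20, min_entropy=3.0, min_names=3, min_hits=2):
    """Return {registered domain: (suspicious lookups, unique names)} for domains whose
    leftmost labels are repeatedly long or high-entropy, the signature of data being
    smuggled out in subdomain lookups."""
    unique_names = defaultdict(set)
    hits = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _client, name = line.split()
        domain = registered_domain(name)
        leftmost = name.split(".")[0]
        unique_names[domain].add(name)
        if len(leftmost) > max_label_len or shannon_entropy(leftmost) > min_entropy:
            hits[domain] += 1
    return {d: (hits[d], len(names)) for d, names in unique_names.items()
            if len(names) >= min_names and hits[d] >= min_hits}

if __name__ == "__main__":
    for domain, (n_hits, n_names) in flag_dns_exfil(SAMPLE_DNS_LOG).items():
        print(f"{domain}: {n_hits} suspicious lookups across {n_names} unique names")
```

Feeding it a real resolver or Wireshark DNS export (one query per line) is only a matter of adapting the line parsing; the thresholds will need tuning against your own baseline, since CDNs also produce long random-looking labels.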
Before we start making noise on the network, let’s talk about a tool that can fingerprint passively, p0f. It’s a great tool in general to run to watch your network just to monitor health. It will tell you what devices are live, their OS, what type of connection they have, distance, and uptime. I like to run it in promiscuous mode, so executing p0f -p gets us identifying systems without making a sound. In our test environment I have found the Metasploitable system in the results.
Figure 4. Fingerprinting
We now know a little bit more about this particular server, for example it’s running Linux 2.6.x. We can start identifying machines in this way to help us zero in on our target. For example, if your client is running some old outdated OS (like Windows 2000) this may help you find a vulnerable system without ever having made a noise on the network. So far, we have only been operating in promiscuous mode and not sending any packets out on the network that might trip an IDS. As with all the tools mentioned in this article and all the other tools available on Kali Linux, you can do a little research to find lots of additional features that will help you do your job.
Let’s take a moment and start making a little noise. Of course it is possible to zero in on a target without making a wave, but for the most part (unless you are intentionally evading the IDS as part of the test) your client is more interested in learning what you can discover in the shortest amount of time to get the biggest bang for their buck. It’s time we break out nmap. Nmap is a network mapping tool that is going to cut right through all the mess and tell us just what is running on our network, what OS, what ports are open, what services and versions are running, etc. It is feature rich and I encourage you to visit nmap.org and learn everything there is about this amazing contribution to the security world. There is a wealth of options for running nmap, including slowing the scan down to a crawl to help evade detection. Doing so will take a very long time. You can also increase the speed to get the task done as fast as possible. Depending on your engagement, check the options available and run what works best for you. You may find yourself running several scans with various options to help speed along your productivity.
Taking nmap a step further and giving us the benefit of a GUI, there is zenmap. Zenmap lets us quickly use nmap and shows us the results in an easier to digest format. Here we have a sample of the available ports on our Metasploitable instance.
Figure 5. Available ports
In addition, the Topology feature of Zenmap gives us a quick glance at some insightful data. The legend is available at http://nmap.org/book/zenmaptopology.html, but generally speaking it uses a green, yellow, red color scheme to indicate the number of open ports, red being the most. If a host is identified as a router or switch it is drawn as a square, otherwise as a circle. We can see our Metasploitable system as a red circle. On a large network this can help you quickly identify a system that may be misconfigured with everything open, or at least we can assume it is something with a lot of roles to fill and we may find some good services ripe for exploiting. Of course, in the case of our example this is obviously true.
Figure 6. Example of network
Nmap/Zenmap gives us a good view of our target, and we could do some online research on our service version information to find what vulnerabilities exist and whether there are exploits available. Kali Linux even helps us out here by providing a tool to search for exploits, searchsploit.
Using the port information for our Metasploitable instance, we can run through each service and see if we find anything. For example, running searchsploit bind 9.4.2 gives us a hit.
Figure 7. Running searchsploit bind 9.4.2.
If our engagement involves a vulnerability assessment, Kali Linux provides us with a great tool for conducting assessments, OpenVAS. OpenVAS allows you to set up target lists, create schedules, define what sort of tests are to be run, and of course execute the test. I’ve run OpenVAS against our Metasploitable instance to see what it finds. To do so, we first set up our target in the Targets tab at the bottom right of the GUI. Next we switch to the Tasks tab and set a task of running the scan against the target. For the purposes of the demo, I set the target to the Metasploitable target and set the Scan Config option to “Full and very deep ultimate.” Depending on your engagement you can adjust the Scan Config. You can even switch to the Scan Configs tab and define your own scan configs to do things like only run certain types of checks. This may be helpful for doing scans based on compliance guidelines. While we’re exploring some of the options, it’s worth mentioning there is a tab to supply credentials to the scan, which will enhance your results. If your client wants a deeper, more accurate report they may supply you with domain/root credentials so the scanner can get onto the system and get better results. It may also be the case that while you were watching traffic in Wireshark you managed to get some credentials, which you can now enter into the scanner to get more info on that device and, quite possibly, if the credentials are used elsewhere, you can get into those systems too. Once our scan is complete, OpenVAS presents us with a nice dashboard showing some highlights of the scan results.
Figure 8. OpenVAS dashboard
We can quickly see there are 47 High Risk vulnerabilities found during our scan. Clicking on the Reports tab in the bottom right of the screen and then the magnifying glass button, we can see our results open in a new tab. From here, we can view the results or we can choose various export formats and save the report.
In general, I usually export as PDF to include in my findings document I turn into the client. The reports are not flashy, but they get the data you need.
Figure 9. OpenVAS Results
The layout is pretty self explanatory, and the Index included in the PDF can help you navigate right to the vulnerability you want to investigate further. The screenshot shows the first one in the list. In this case we have a backdoor vulnerability in vsftpd. Included in all results is a summary of the issue, a solution to resolve it (if available), and some reference links to learn more about the vulnerability, which can be used to find an actual exploit for the vulnerability. Now that we have a vulnerability, let’s go ahead and take a look at an exploit.
Previously, we found a bunch of vulnerabilities on our Metasploitable instance. No surprise considering it’s designed that way. Let’s take a look at the above mentioned issue and see how we can exploit it. In this case, we can do it without any additional tools. There is a simple backdoor that is ready to exploit. Simply putting an emoticon smiley face at the end of the user name opens a listening shell on port 6200. Let’s try.
Figure 10. Port 6200
We open a terminal and telnet to port 21. Once connected we simply enter user oops:) followed by pass with anything you choose, as it doesn’t matter. Escape the session, telnet to port 6200, and we are in.
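From the defender’s side, the sequence just described is very easy to spot on the wire: a USER command on port 21 whose argument contains the smiley, followed shortly by a connection from the same client to port 6200. As an added example (not from the original article), here is a Python detector that runs over constructed connection records; the Event format, addresses and timestamps are assumptions made up for illustration.

```python
from dataclasses import dataclass

@dataclass
class Event:
    ts: float      # seconds since capture start
    src: str       # client IP
    dst: str       # server IP
    dport: int     # server port
    payload: str   # first line the client sent, "" if none

# Constructed sample events (not a real capture): a normal FTP login, then the
# smiley login from the article, then the same client connecting to port 6200.
SAMPLE_EVENTS = [
    Event(100.0, "10.0.0.9", "10.0.0.20", 21, "USER alice"),
    Event(101.0, "10.0.0.9", "10.0.0.20", 21, "PASS secret"),
    Event(200.0, "10.0.0.9", "10.0.0.20", 21, "USER oops:)"),
    Event(201.0, "10.0.0.9", "10.0.0.20", 21, "PASS whatever"),
    Event(205.0, "10.0.0.9", "10.0.0.20", 6200, "id"),
    Event(900.0, "10.0.0.5", "10.0.0.20", 6200, ""),  # no preceding trigger: not correlated
]

BACKDOOR_PORT = 6200   # port the vsftpd backdoor listens on, per the article
WINDOW_SECONDS = 60.0  # how long after a trigger a 6200 connection is tied to it

def detect_vsftpd_backdoor(events):
    """Return (kind, src, dst, ts) alerts in time order.
    'trigger': FTP USER argument contains ':)'
    'shell':   connection to BACKDOOR_PORT from a client that sent a trigger
               to the same server within WINDOW_SECONDS."""
    alerts = []
    last_trigger = {}  # (src, dst) -> timestamp of most recent trigger
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.dport == 21 and ev.payload.upper().startswith("USER "):
            if ":)" in ev.payload[5:]:
                last_trigger[(ev.src, ev.dst)] = ev.ts
                alerts.append(("trigger", ev.src, ev.dst, ev.ts))
        elif ev.dport == BACKDOOR_PORT:
            t = last_trigger.get((ev.src, ev.dst))
            if t is not None and 0 <= ev.ts - t <= WINDOW_SECONDS:
                alerts.append(("shell", ev.src, ev.dst, ev.ts))
    return alerts

if __name__ == "__main__":
    for alert in detect_vsftpd_backdoor(SAMPLE_EVENTS):
        print(alert)
```

The trigger alone is enough to raise an alarm; correlating it with the follow-up connection is what tells you the server actually has the backdoored build and the shell was reached.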
That wasn’t too terribly exciting, but mission accomplished, and had we been operating with an effort to remain stealthy we could have discovered that and exploited it all with limited ability for anyone to detect our attack. Let’s take a look at an exploit tool, Metasploit. Metasploit is an exploit framework designed for penetration testing. It has several interfaces that use the command line, and the latest version has a web interface. There is also a commercial version, but that is obviously not going to come ready to go with Kali Linux. Armitage is included in Kali Linux and gives us a nice interface for an attack platform.
It uses nmap and other tools to help us find targets. Start Armitage and it will connect to Metasploit if you have it running, otherwise it will start the service for you. Additionally, it will provide you with some help when starting, such as telling you how to start the database if that is not already running. Once we get it open, we’re ready to begin. Since we are focusing on this single server let’s go ahead and add the host to Armitage. Under the Hosts menu we can click Add Host and enter the IP address of our target.
Once our host is added to Armitage it is represented by a monitor in the main workspace. We can right click on it and select Scan to get some more data about it. Doing this opens a new tab at the bottom and we can watch the scan in action. Once complete, we can see what the OS is and the services running on it, similar to our findings using nmap. Right clicking the server and choosing Services opens a new tab and lists the available services. You can see the services below, and it has given us a visual reference in the workspace identifying the OS of the host. This can help you when looking at a large range of hosts to identify the various operating systems you may want to dive into.
Figure 11. Hosts
From here, we can search the upper left area for an exploit to use against the services. For example, going back to the previous exploit which is highlighted in the above screenshot, I have searched for vsftp and found our exploit is available in Metasploit.
Figure 12. Exploits
Double clicking our exploit brings up the ability to launch the exploit. Note that launching an exploit this way does not fill in all the data needed to execute. In this case, we need to supply the IP of our target in RHOST. Once we do that and click the launch button a new tab is opened at the bottom and it shows us our exploit in action. We can see the exploit was successful and notice the icon in the workspace has changed to represent an exploited system.
Figure 13. Icon in the workspace
Right clicking the host in the workspace shows us a new option in the menu. This is called Shell 1, and going to that we can select Interact, which gives us a new tab at the bottom showing our shell. I have run ifconfig to verify the IP is our target system.
Figure 14. Selecting Interact
We can take advantage of another feature of Armitage to help us find exploits. Under the Attacks menu there is the option to Find Attacks. Doing this will automate the process of finding an attack suitable for our target and give us a new Attack option in the pop up menu when right clicking our target in the workspace. Using this Attack menu, we can launch an attack directly with the attack data prefilled and ready to go.
While we are looking at the main Attacks menu, you may have noticed the option called Hail Mary located under the Find Attacks option. This option will launch a flood of attacks trying everything it can to infiltrate the selected targets. Using this option will light up an IDS, so if you haven’t already, make sure you are whitelisted on the client’s IDS so you don’t overwhelm the system. After launching the Hail Mary option it will open a new tab below and show all the attacks being launched. When it’s complete it will list the shells it opened, and right clicking our target in the workspace shows us a list of shells we can then select to interact with.
Figure 15. List of shells
From this point, we can use the compromised machine to pivot and launch attacks against other systems on the network through this compromised host, all while remaining inside our Armitage work environment.
Kali Linux is a versatile tool and should be a part of every penetration tester’s arsenal. It is a complete attack tool and can be run as a Live CD (which is excellent if you are working on a forensics project), or be installed directly to a machine or virtual machine. Of course, you can always add any other tools you come across that are not part of Kali. I have been in this business for years, and BackTrack/Kali is my OS of choice on all my penetration testing engagements. We’ve only scratched the surface of what it has to offer. I hope you’ve enjoyed this introduction, and I encourage you to dive in and learn every tool it has to offer.