{ kali linux pen testing to ensure your security
TRANSCRIPT
{Kali Linux
Pen testing to ensure your security
Penetration Testing Execution Standard (PTES)There are 7 stages of pen testing using the PTES. I
Pre-engagement Intelligence gathering Threat Modeling Vulnerability analysis Exploitation Post-Exploitation Reporting
Penetration Testing: The art of ethical hacking to find and fix vulnerabilities. http://www.pentest-standard.org/index.php/Main_Page
The pre-engagement phase is a very important part of the Penetration test.
Neglecting to properly complete pre-engagement activities could potentially open the penetration tester to a number of issues including legal issues.
The objective of pre-engagement phase is to hash out the details of the testing, such as scope, priorities, how, what and when will the agreed upon systems be tested.
Pre-engagment phase
Intelligence gathering is performing reconnaissance against a target.
There are different levels of information gathering
Level 1: compliance driven. Level 2: Best practice – using automated
tools to find physical location Level 3: Think state sponsored ;) More
advanced pen testing.
Information gathering
Threat modeling is when you gather relevant documentation
Identify primary and secondary assets. Identify threats and categorize threats
and threat communities. Map the threats
Threat Modeling
Vulnerability testing is the process of discovering flaws in systems and applications which can be leveraged by an attacker.
Flaws can range from host and service misconfiguration to insecure design.
Vulnerability Analysis
The exploitation phase of penetration focuses solely on establishing access to a system or resource by bypassing security restrictions.
This should be completed successfully if the vulnerability analysis was properly completed.
Exploitation
The purpose of post exploitation is to determine the value of the asset compromised and maintain control for later use.
Post Exploitation
Reporting is typically broken down into two major sections in order to communicate the objectives, methods, and results of the testing conducted to various audiences.
Various reporting templates can be used. One of the most important parts of the
report is risk and ranking of vulnerabilities.
Reporting
Kali Linux is a Debian-dervived Linux distribution specifically designed for penetration testing and digital forensics, it is a complete rebuild of backtrack.
Kali Linux comprises of more than 300 penetration tools that can be used advanced professionals for corporate security needs, it can also be used by new users individuals for personal network/computer security.
What is Kali
It is maintained and financed by Offensive Security.
Offensive security offers certifications in Kali Linux which are held in high regard within the security community.
Kali Linux is developed in a secure environment, who use secure protocols.
Pen testers often need to do wireless assessments, Kali has the latest injection patches installed.
ALL Kali Linux packages are GPG signed by each individual developer who built and committed packages to the repositories.
Who made Kali? Can it be trusted?
Kali Linux is FREE it will always be free!! Kali Linux has more than 300 penetration
testing tools; it is not a one trick pony. Kali Linux is customizable! Right down to
the kernel Kali Linux has a robust ARM support, this
makes it flexible in being able to install and run on devices such as raspberry pi, Galaxy note, and odroid u2/x2
Last and most certainly not least! It’s pretty awesome!
Why use Kali Linux
In today’s ever connected world security breaches cost companies millions, and consumers their privacy through Identity theft.
It is everyone’s responsibility to be vigilant about security not just security professionals.
Kali Linux is a suite of security tools that can be utilized by professionals in corporate environments, as well as personal use for those proactive in cyber security.
So What?
{
I’ve used Kali to exploit a faux corporations. I use a fully exploitable image containing SQL-Injection vulnerabilities, Web Application Vulnerabilities CGI-BIN File traversal and UNIX Buffer overflow vulnerability. I apply the 7 stages of penetration testing to find, exploit, fix and report using Kali Linux. The image was provided in a Deterlab environment.
Denise’s research
When using Kali make sure to demonstrate and document.
My tool for finding, exploiting and documenting as if I were in a real corporate environment is Kali Linux.
The main vulnerabilities I will focus on are Buffer overflow – Kali offers reverse engineering
suite which I will use for this vulnerability. File traversal – I use different tools withhin Kali
Linux for the file traversal; finding, exploiting, documenting.
SQL Injection – finding the sql injection, I will also demonstrate transferring money to a moc account.
What I focused on in my Paper, and why Pen testing is so important
Ali, S. Kali Linux: Assuring Security by Penetration Testing. S.l.: Packt Limited, 2014. Print.
Beggs, R. Mastering Kali Linux for Advanced Penetration Testing. S.I: Packt Limited, 2014.
"Kali Linux | Rebirth of BackTrack, the Penetration Testing Distribution." Kali Linux. N.p., n.d. Web. 11 Dec. 2014.
"Kali Linux." BlackMORE Ops. N.p., n.d. Web. 12 Dec. 2014.
"Behind the App: The Story of Kali Linux." Lifehacker. N.p., n.d. Web. 12 Dec. 2014.
References