{Kali Linux

Pen testing to ensure your security

Penetration Testing Execution Standard (PTES)There are 7 stages of pen testing using the PTES. I

Pre-engagement Intelligence gathering Threat Modeling Vulnerability analysis Exploitation Post-Exploitation Reporting

Penetration Testing: The art of ethical hacking to find and fix vulnerabilities. http://www.pentest-standard.org/index.php/Main_Page

The pre-engagement phase is a very important part of the Penetration test.

Neglecting to properly complete pre-engagement activities could potentially open the penetration tester to a number of issues including legal issues.

The objective of pre-engagement phase is to hash out the details of the testing, such as scope, priorities, how, what and when will the agreed upon systems be tested.

Pre-engagment phase

Intelligence gathering is performing reconnaissance against a target.

There are different levels of information gathering

Level 1: compliance driven. Level 2: Best practice – using automated

tools to find physical location Level 3: Think state sponsored ;) More

advanced pen testing.

Information gathering

Threat modeling is when you gather relevant documentation

Identify primary and secondary assets. Identify threats and categorize threats

and threat communities. Map the threats

Threat Modeling

Vulnerability testing is the process of discovering flaws in systems and applications which can be leveraged by an attacker.

Flaws can range from host and service misconfiguration to insecure design.

Vulnerability Analysis

The exploitation phase of penetration focuses solely on establishing access to a system or resource by bypassing security restrictions.

This should be completed successfully if the vulnerability analysis was properly completed.

Exploitation

The purpose of post exploitation is to determine the value of the asset compromised and maintain control for later use.

Post Exploitation

Reporting is typically broken down into two major sections in order to communicate the objectives, methods, and results of the testing conducted to various audiences.

Various reporting templates can be used. One of the most important parts of the

report is risk and ranking of vulnerabilities.

Reporting

Kali Linux is a Debian-dervived Linux distribution specifically designed for penetration testing and digital forensics, it is a complete rebuild of backtrack.

Kali Linux comprises of more than 300 penetration tools that can be used advanced professionals for corporate security needs, it can also be used by new users individuals for personal network/computer security.

What is Kali

It is maintained and financed by Offensive Security.

Offensive security offers certifications in Kali Linux which are held in high regard within the security community.

Kali Linux is developed in a secure environment, who use secure protocols.

Pen testers often need to do wireless assessments, Kali has the latest injection patches installed.

ALL Kali Linux packages are GPG signed by each individual developer who built and committed packages to the repositories.

Who made Kali? Can it be trusted?

Kali Linux is FREE it will always be free!! Kali Linux has more than 300 penetration

testing tools; it is not a one trick pony. Kali Linux is customizable! Right down to

the kernel Kali Linux has a robust ARM support, this

makes it flexible in being able to install and run on devices such as raspberry pi, Galaxy note, and odroid u2/x2

Last and most certainly not least! It’s pretty awesome!

Why use Kali Linux

In today’s ever connected world security breaches cost companies millions, and consumers their privacy through Identity theft.

It is everyone’s responsibility to be vigilant about security not just security professionals.

Kali Linux is a suite of security tools that can be utilized by professionals in corporate environments, as well as personal use for those proactive in cyber security.

So What?

{

I’ve used Kali to exploit a faux corporations. I use a fully exploitable image containing SQL-Injection vulnerabilities, Web Application Vulnerabilities CGI-BIN File traversal and UNIX Buffer overflow vulnerability. I apply the 7 stages of penetration testing to find, exploit, fix and report using Kali Linux. The image was provided in a Deterlab environment.

Denise’s research

When using Kali make sure to demonstrate and document.

My tool for finding, exploiting and documenting as if I were in a real corporate environment is Kali Linux.

The main vulnerabilities I will focus on are Buffer overflow – Kali offers reverse engineering

suite which I will use for this vulnerability. File traversal – I use different tools withhin Kali

Linux for the file traversal; finding, exploiting, documenting.

SQL Injection – finding the sql injection, I will also demonstrate transferring money to a moc account.

What I focused on in my Paper, and why Pen testing is so important

Ali, S. Kali Linux: Assuring Security by Penetration Testing. S.l.: Packt Limited, 2014. Print.

Beggs, R. Mastering Kali Linux for Advanced Penetration Testing. S.I: Packt Limited, 2014.

"Kali Linux | Rebirth of BackTrack, the Penetration Testing Distribution." Kali Linux. N.p., n.d. Web. 11 Dec. 2014.

"Kali Linux." BlackMORE Ops. N.p., n.d. Web. 12 Dec. 2014.

"Behind the App: The Story of Kali Linux." Lifehacker. N.p., n.d. Web. 12 Dec. 2014.

References