Learning Kali Linux
Security Testing, Penetration Testing, and Ethical Hacking
Ric Messier
GCIH, GSEC, CEH, CISSP
Learning Kali Linux
by Ric Messier
Copyright © 2018 O’Reilly Media. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North,
Sebastopol, CA 95472.
O’Reilly books may be purchased for educational, business, or sales
promotional use. Online editions are also available for most titles
(http://oreilly.com/safari). For more information, contact our
corporate/institutional sales department: 800-998-9938 or corporate@oreilly.com.
Acquisition Editor: Courtney Allen
Editor: Virginia Wilson
Production Editor: Colleen Cole
Copyeditor: Sharon Wilkey
Proofreader: Christina Edwards
Indexer: Judy McConville
Interior Designer: David Futato
Cover Designer: Randy Comer
Illustrator: Melanie Yarbrough
Technical Reviewers: Megan Daudelin, Brandon Noble, and Kathleen Hyde
August 2018: First Edition
Revision History for the First Edition
2018-07-13: First Release
See http://oreilly.com/catalog/errata.csp?isbn=9781492028697 for release
details.
The O’Reilly logo is a registered trademark of O’Reilly Media, Inc.
Learning Kali Linux, the cover image, and related trade dress are
trademarks of O’Reilly Media, Inc.
While the publisher and the author have used good faith efforts to ensure
that the information and instructions contained in this work are accurate,
the publisher and the author disclaim all responsibility for errors or
omissions, including without limitation responsibility for damages
resulting from the use of or reliance on this work. Use of the information
and instructions contained in this work is at your own risk. If any code
samples or other technology this work contains or describes is subject to
open source licenses or the intellectual property rights of others, it is
your responsibility to ensure that your use thereof complies with such
licenses and/or rights.
978-1-492-02869-7
[LSI]
Preface
A novice was trying to fix a broken Lisp machine by turning the power
off and on.
Knight, seeing what the student was doing, spoke sternly: “You cannot
fix a machine by just power-cycling it with no understanding of what is
going wrong.”
Knight turned the machine off and on.
The machine worked.
AI Koan
One of the places over the last half century that had a deep hacker
culture, in the sense of learning and creating, was the Massachusetts
Institute of Technology (MIT) and, specifically, its Artificial
Intelligence Lab. The hackers at MIT generated a language and culture that
created words and a unique sense of humor. The preceding quote is an AI
koan, modeled on the koans of Zen, which were intended to inspire
enlightenment. Similarly, this koan is one of my favorites because of what
it says: it’s important to know how things work. Knight, by the way,
refers to Tom Knight, a highly respected programmer at the AI Lab at MIT.
The intention for this book is to teach readers about the capabilities of
Kali Linux through the lens of security testing. The idea is to help you
better understand how and why things work. Kali Linux is a
security-oriented Linux distribution, so it ends up being popular with people who
do security testing or penetration testing for either sport or vocation.
While it does have its uses as a general-purpose Linux distribution and
for use with forensics and other related tasks, it really was designed
with security testing in mind. As such, most of the book’s content
focuses on using tools that Kali provides. Many of these tools are not
necessarily easily available with other Linux distributions. While the
tools can be installed, sometimes built from source, installation is
easier if the package is in the distribution’s repository.
What This Book Covers
Given that the intention is to introduce Kali through the perspective of
doing security testing, the following subjects are covered:
Foundations of Kali Linux
Linux has a rich history, going back to the 1960s with Unix. This
chapter covers a bit of the background of Unix so you can better
understand why the tools in Linux work the way they do and how best
to make efficient use of them. We’ll also look at the command line
since we’ll be spending a lot of time there through the rest of the
book, as well as the desktops that are available so you can have a
comfortable working environment. If you are new to Linux, this
chapter will prepare you to be successful with the remainder of the
book so you aren’t overwhelmed when we start digging deep into the
tools available.
Network Security Testing Basics
The services you are most familiar with listen on the network. Also,
systems that are connected to the network may be vulnerable. To be in
a better position to perform testing over the network, we’ll cover
some basics of the way network protocols work. When you really get
deep into security testing, you will find an understanding of the
protocols you are working with to be an invaluable asset. We will
also take a look at tools that can be used for stress testing of
network stacks and applications.
Reconnaissance
When you are doing security testing or penetration testing, a common
practice is to perform reconnaissance against your target. A lot of
open sources are available that you can use to gather information
about your target. This will not only help you with later stages of
your testing, but also provide a lot of details you can share with
the organization you are performing testing for. This can help them
correctly determine the footprint of systems available to the outside
world. Information about an organization and the people in it can
provide stepping stones for attackers, after all.
Looking for Vulnerabilities
Attacks against organizations arise from vulnerabilities. We’ll look
at vulnerability scanners that can provide insight into the technical
(as opposed to human) vulnerabilities that exist at your target
organization. This will lead to hints on where to go from here, since
the objective of security testing is to provide insights to the
organization you are testing for about potential vulnerabilities and
exposures. Identifying vulnerabilities will help you there.
Automated Exploits
While Metasploit may be the foundation of performing security testing
or penetration testing, other tools are available as well. We’ll
cover the basics of using Metasploit but also cover some of the other
tools available for exploiting the vulnerabilities found by the tools
discussed in other parts of the book.
Owning Metasploit
Metasploit is a dense piece of software. Getting used to using it
effectively can take a long time. Nearly 2,000 exploits are available
in Metasploit, as well as over 500 payloads. When you mix and match
those, you get thousands of possibilities for interacting with remote
systems. Beyond that, you can create your own modules. We’ll cover
Metasploit beyond just the basics of using it for rudimentary
exploits.
Wireless Security Testing
Everyone has wireless networks these days. That’s how mobile devices
like phones and tablets, not to mention a lot of laptops, connect to
enterprise networks. However, not all wireless networks have been
configured in the best manner possible. Kali Linux has tools
available for performing wireless testing. This includes scanning for
wireless networks, injecting frames, and cracking passwords.
Web Application Testing
A lot of commerce happens through web interfaces. Additionally, a lot
of sensitive information is available through web interfaces.
Businesses need to pay attention to how vulnerable their important
web applications are. Kali is loaded with tools that will help you
perform assessments on web applications. We’ll take a look at
proxy-based testing as well as other tools that can be used for more
automated testing. The goal is to help you provide a better
understanding of the security posture of these applications to the
organization you are doing testing for.
Cracking Passwords
This isn’t always a requirement, but you may be asked to test both
remote systems and local password databases for password complexity
and difficulty in getting in remotely. Kali has programs that will
help with password cracking — both cracking password hashes, as in a
password file, and brute forcing logins on remote services like SSH,
VNC, and other remote access protocols.
Advanced Techniques and Concepts
You can use all the tools in Kali’s arsenal to do extensive testing.
At some point, though, you need to move beyond the canned techniques
and develop your own. This may include creating your own exploits or
writing your own tools. Getting a better understanding of how
exploits work and how you can develop some of your own tools will
provide insight on directions you can go. We’ll cover extending some
of the tools Kali has as well as the basics of popular scripting
languages along the way.
Reporting
The most important thing you will do is generate a report when you
are done testing. Kali has a lot of tools that can help you generate
a report at the end of your testing. We’ll cover techniques for
taking notes through the course of your testing as well as some
strategies for generating the report.