Introduction to Kali Linux Part-1

History of Kali Linux

Offensive Security is the company behind this wonderful distribution. Kali
Linux is the company’s latest release. Kali is a live disk security
distribution having over 300 penetration testing and security tools. If you
have prior experience with the operating system, you may have noticed
that the tools have been categorized into groups that are commonly
utilized by penetration testers and any other entities doing the assessment
of information systems. Kali Linux utilizes Debian 7.0
distribution as its base, unlike the earlier distributions that were released
by Offensive Security. The operating system is of the same lineage as its
predecessor, Backtrack Linux. It is worth noting that it is also supported
by the same team.
The name change to Kali Linux, according to Offensive Security, implies
that this operating system is a total rebuild of the Backtrack distribution.
The major improvements that were made meant that it was not just a new
version of Backtrack but a new operating system altogether. Going down
memory lane, you will remember that Backtrack itself, just like Kali, was
an upgrade that was derived from White Hat and SLAX, abbreviated as
WHAX alongside Auditor. Technically speaking, Kali is the most recent
incarnation of the information security industry penetration and auditing
assessment tools.

Tool categories in Kali Linux

Kali Linux comes prepackaged with plenty of tools we can use for
carrying out penetration testing. As we have said previously, the tools in
Kali Linux are categorized in a fashion that helps with the penetration
testing exercise. Below are the broad categories:

1) Information gathering tools: 
In this category, we have numerous
tools that are used in the information gathering process. Normally, a
penetration tester would be interested in information about DNS,
operating systems, IDS/IPS, SSL, network scanning, routing, voice
over IP, SMB, e-mail addresses, VPN, and SNMP.

2) Vulnerability assessment tools: 

Here, tools that are used in the
scanning of vulnerabilities, in general, are located. We have tools
that are utilized for the vulnerability assessment of the Cisco
network and database servers. We also have several fuzzing tools in
this category.

3) Web applications: 
Just like the name, tools in this category relate
to web applications. They include database exploitation, content
management system scanner, web vulnerability scanners, web
crawlers, and web application proxies.

4) Tools for password attacks:

 Tools that you can use to carry out
both online and offline password attacks are found under this
category.

5) Exploitation tools : 
You will find tools for the exploitation of the
vulnerabilities unearthed from a selected target environment. Here,
you will get exploitation tools you can use for databases, the Web,
and the network. Also, under this category, you will find tools for
carrying out social engineering attacks. The tools will give the user
information about the exploits carried out too.

6) Tools for sniffing and spoofing: 

The tools here are used for
sniffing web traffic and the network traffic. We also have network
spoofing tools, for example, Yersinia and Ettercap.

7) Tools for maintaining access:
 A penetration tester will use the
tools found here to maintain their access to a target machine.
Obviously, you require the highest level of privilege to install tools
located in this category. We have tools that can be used for
backdooring web applications and the operating system. Tools used
for tunneling are also found in this category.

8) Tools for reporting: Tools that are used for documentation of the
penetration testing methodology and the obtained results and
recommendations are found in this category.

9) System services:
 We have numerous services which are necessary
during the penetration testing exercise in this category. Examples
include: the Metasploit service, Apache service, SSH service, and
MySQL service.

10) Wireless attacks: Here, we have tools for carrying out
attacks on wireless devices, RFID/NFC and Bluetooth devices.

11) Reverse engineering: Tools in this category are normally
used for debugging programs or carrying out disassembly of
executable files.

12) Stress testing : If you want to carry out stress testing of
your network, VOIP environment, wireless and Web, you will find
all the tools relevant in this category.

13) Hardware hacking: If you are interested in working with
Arduino and Android applications, all the tools you need are found
here.

14) Forensics: The forensics category contains numerous tools
normally utilized in digital forensics. Examples of forensics include
the acquisition of hard disk images, carving of files and, more
importantly, analyzing the image retrieved from the hard disk. To do
these tasks properly, a user is required to go to the Kali Linux
Forensics menu then select the No Drives or Swap Mount from the
booting menu. This way, the operating system will not automatically
mount the drives. This implies that the integrity of the drives will be
maintained.
Hold onto this information for now as we will look at some of it in chapter
5.

The Lifecycle for Penetration Testing
Today, we have various lifecycle models of penetration testing that are
being used. So far, the lifecycle and the methodology defined and used by
the EC-Council Certified Ethical Hacker program is the one that is widely
used. This penetration testing life cycle is made up of five phases,
including Reconnaissance, Scanning, Gaining Access, Maintaining Access
and finally Covering Tracks in that order. Later in the book, we will look
at each of the stages above in detail.

General Penetration Testing Framework

We have said before that Kali Linux provides us with the versatility we
need in the process of penetration testing and security assessment from the
numerous tools it possesses. A penetration tester who does not follow a
proper framework is likely to get unsatisfactory results emanating from
unsuccessful testing. This means that it is therefore essential for managers
and technical administrators to ensure that the security testing is in
harmony with a structured framework: the goal of the test is to provide
useful findings.

What you are going to learn here is a general testing framework that is
normally used by both the white box and black box approaches. From it,
you will get an elementary understanding of the typical phases that a
penetration tester or a security auditor should progress. The frameworks,
however, need to be adjusted appropriately basing on the target being
assessed. The following are steps that need to be followed so that the
assessment procedure is successful.

1) Scoping of the target
2) Gathering Information
3) Discovery of the Target
4) Target Enumeration
5) Mapping out Vulnerabilities
6) Social engineering
7)The exploitation of the Target
8)Escalation of Privilege
9)Maintenance of access
10)Reporting and Documentation

1. Scoping of the Target
This is usually the first step prior to beginning the technical assessment of
the security. It is essential that observations are carried out on the target
network environment so that the scope is well understood. It is also
possible to define the scope for a given set of entities or a single entity
that is given to the auditor. Examples of typical decisions normally made
in this step include;
What element requires testing?
How will it be tested?
What are the parameters that will be applied when conducting
the test?
What are the limiting factors of the test process?
How long will the test take?
What objectives are intended to be achieved?
For any penetration testing exercise to be successful, the tester must have
a good understanding of the technology being assessed, its basic
operations together with the way it interacts with the network
environment. What this means is that an auditor’s knowledge is what
determines the success of the penetration testing procedure.

2. Information gathering
After scoping has been done, the next phase is the reconnaissance phase.
Here, the penetration tester will make use of resources that are available
publicly to get a better understanding of their target. One can get valuable
information from sources on the Internet, which include:

Social networks

Articles

Forums

Blogs

Bulletin boards

Commercial or non-commercial websites

Newsgroups

Search engines, for example, MSN Bing, Google, among others.
Additionally, Kali Linux has several tools that you can use to get a target’s
network information. The tools use crucial data mining techniques for
gathering information from DNS servers, e-mail addresses, traceroutes,
phone numbers, Whois database, personal information, and user accounts.
Chances of having a successful penetration test increase with the amount
of information that is gathered.

3. Target discovery
Here, key activities are the identification of the network status of selected
targets, its OS and, if possible, the target’s network architecture. Such
information gives a penetration tester a comprehensive outlook of the
interconnected devices or current technologies in the network. That means
that they will be able to enumerate the numerous services running within
the network. It is possible to do all this (determination of hosts on the
network that are live, the running OS on the hosts and the characterization
of each of them based on their roles in the network system) using the Kali
Linux advanced network tools. The detection techniques employed by
these tools can either be active or passive. This is done on top of network
protocols and can be manipulated in a fashion that will yield useful
information. An example of this information is the OS fingerprinting.

4. Target Enumeration
This phase advances the previous efforts by finding open ports on the
systems being targeted. After the identification of open ports, enumeration
of the ports will be done for the running services. Employing port
scanning techniques like stealth, full-open, and half-open scan can assist a
hacker, or a penetration tester checks the visibility of ports. This is
possible for hosts that are behind an Intrusion Detection System or a
firewall. To help penetration testers or hackers discover existing
vulnerabilities in a target network's infrastructure, an investigation of the
services which are mapped to the open ports can be done. This means that
we can use target enumeration as a platform for unearthing vulnerabilities
present in the various devices on the network. Through the vulnerabilities,
one can penetrate the network. A security auditor can utilize Kali Linux’s
automated tools to do target enumeration.

5. Vulnerability mapping
By now, we will be having enough information about the target network.
We will now need to analyze the identified vulnerabilities basing on the
services and ports we have discovered. We have automated vulnerability
assessment tools for applications and the network in Kali Linux that can
help us achieve the objectives of this phase. It is also possible to do
vulnerability mapping manually. The only downside is that it requires
expert knowledge and consumes plenty of time. The best approach to this
is to combine the two so that a security auditor can have a clear vision that
will enable them to investigate vulnerabilities that are either known or
unknown in the network systems.

6. Social engineering
Social engineering is a type of attack which uses human beings as attack
vectors. In most information security configurations, human beings are
regarded as the weak link through which an attacker can gain access to a
system. An attacker can penetrate a target network and execute a
malicious code that will do some damage and, in some cases, create a
backdoor for future use. All this will have been made possible through
deceiving the people in charge of or those using a given network. Social
engineering can be of different forms. For instance, an attacker using a
phone can pretend to be a network administrator prompting a user to
disclose their account information. Another form of social engineering is
an e-mail phishing scam, which is used by malicious users to steal the
account details of your bank. Physically, a person can imitate a legitimate
user to gain access to a physical location. This is also social engineering.
From these examples, we can see that the possibilities for achieving a
required goal are immense. To make any penetration testing exercise
successful, it is important that the tester or attacker takes time to
understand human psychology as it is a skill that will help them improvise
accordingly in their targeting. Note that most countries have laws
regulating this, and as such, it is good to know the laws before attempting
anything lest you end up in jail.

7. Target exploitation
After we have studied the vulnerabilities we have uncovered, we can go
ahead and penetrate our target based on the available types of exploits.
Most of the time, modifications or additional research on existing exploits
are needed to ensure the exploits work as intended. The task is, of course,
daunting. However, Kali Linux comes prepackaged with advanced
exploitation tools that can help in the simplification of the exercise.
Further, a tester is at liberty to employ client-side exploitation tactics in
addition to some little social engineering to enable them assume control of
a target system. A keen reader should, by now, see that this phase
concentrates more on the process of target acquisition. Target exploitation
encompasses three key areas. These are pre-exploitation, exploitation, and
post-exploitation activities.

8. Privilege escalation
After target acquisition, the penetration exercise will be deemed
successful. The penetration tester or auditor will now be able to roam in
the system freely based on their access privileges. Using local exploits
matching the environment of the system, a tester can escalate these
privileges. Once these exploits are executed, a hacker or a penetration
tester will now be able to get system-level or super-user privileges. From
here onwards, a tester can carry out additional attacks on the local network
systems. Based on a target's scope, this process can either be nonrestricted or restricted. It is also possible to get more information
regarding a compromised target through cracking passwords to various
services, network traffic sniffing, and employing spoofing tactics on local
networks. This implies that the main objective of privilege escalation is to
enable one to acquire the highest-level access to the targeted system.

9. Maintaining access
A penetration tester, in some instances, can be requested by a client to
maintain their access in the system for a specified period. This can be used
as a demonstration to the network managers to show how illegal access to
the system can be done without the need for a penetration process again.
Also, it serves to save resources, time and cost that is spent in gaining
access to the system for purposes of assessing its security. One can choose
to use secret tunneling methods that utilize proxy, protocols, or end-to-end
connection strategies. This way, a tester can create backdoor access, which
will assist them in maintaining their presence in a target system for as
long as they are required to. This technique of accessing the system gives
us an indication of how an attacker can keep their presence in a targeted
system without raising suspicion.

10. 
Reporting and Documentation
A penetration testing exercise will not be complete if a presentation of
disclosed vulnerabilities is not done. Verified and exploited vulnerabilities
should be well documented, reported and presented. Ethically speaking,
this is crucial as it will help the network and system administrators and
managers to direct their resources towards sealing any security loopholes
present in their infrastructure. The reports will have different outlooks
based on the needs of the different contracting organizations. The
customizations of the report will help technical staff and businesses get to
know and analyze points of weaknesses existing in their IT infrastructure.
In addition to that, the reports can be used in the comparison of the
integrity of a target system after and before the penetration process.
Let us look at the Ethics
To ensure that everything remains legal, we have rules of engagement.
These must be adhered to by the auditors and other information security
professionals.
These rules describe the way the penetration testing should be given, the
way testing is to be performed, the determination of legal negotiations and
contracts, definition of the testing scope, test plan preparation, the process
the test should follow, and the management of a reporting structure that is
consistent. A keen examination is required to address each of these areas.
The making of formal procedures and practices need to be adhered to
throughout the engagement period. These rules include but are not limited
to, the following:

1. The test schedule should be chosen in a way that does not affect
or interrupt the normal operation of a business. It is prudent to
create a schedule that does not cover the typical working hours.

2. The rules governing the test process clearly outline a set of
steps to be followed during the testing exercise. The
organization’s managers and technicians participate in the
formulation of these rules for purposes of restricting the testing
process with its environment and people.

3. It is forbidden to provide testing services to a client after
hacking their systems prior to coming up with any formal
agreement. This is akin to unethical marketing, and in some
cases, it may lead to failure of the normal business operations
and can cause one to face excruciating legal repercussions
based on the country’s rules and laws.

4. It is strictly prohibited to conduct a penetration test past the
scope of testing or breaching the set limits without a clients’
express permissions.

5. A legally binding contract should be agreed upon by parties
involved so that it limits the liability of a job unless there is
evidence of illegal activity. It must clearly state the conditions
and terms of the test procedure, the emergency contact
information, the description of work, and any conflicts of
interest if present.

6. The scope of the penetration test should be clearly defined,
indicating the contractual entities and any restrictions that have
been imposed on them during the procedure.

7. On completion of the testing, reports and results must be
presented in a consistent and clear fashion. It should include all
the vulnerabilities that are known and unknown. Furthermore, it
needs to be confidentially delivered to authorized personnel
only.

Terminologies
In this book, we are going to encounter commonly used terms in the field
of penetration testing. The terms are normally understood differently by
members, technicians and professionals in the same field, and that is the
reason we need a working definition to avoid any misunderstanding.
Below are the terms and associated definitions we shall be using.

Penetration Testing
We define it as the process, methodology and procedures that are used in
the attempt to bypass the safeguard mechanisms of the information
systems, including overcoming the integrated security set up of that
system. Normally, the entire process follows approved and specific
guidelines. Penetration Testing is concerned with examining the
administrative, technical, and operational controls and settings of a
system. The testing assesses the security of a particular information
system exactly as it is configured. The system administrators and staff of
the targeted network may or may not know that such an exercise is
happening.

Ethical Hacking
This is a professional penetration tester whose main job is to carry out an
attack on the computer or network systems for an organization or a
particular owner of the information system. In this book, you will note that
Ethical Hacking and Penetration Testing are used interchangeably.

White Hat
This terminology is synonymous with computer security professional or
an Ethical Hacker who is specialized in the security testing of information
systems so as to provide security where it is lacking or improve it where it
is possible.

Black Hat
This is a terminology used to describe a person who uses his IT skills for
bypassing the security of information systems without permission. The
intention of black hats is normally to commit computer crimes. Red Team
members, together with Penetration Testers, normally employ techniques
used by Black Hats in their work. This is to simulate the malicious fellows
in security testing while they are carrying out legitimate tests or exercises.

Grey Hat
In life, we have the good guys, the bad guys and those who lie in between.
In hacking, grey hats are those in the middle. Normally, they will try to
circumvent the security features of an information system in most cases
without prior permission. They do this normally to bring to light the
discovered weaknesses to the system administrators. In most cases, they
are not after profit. What makes them illegitimate is the fact that they do
not seek prior permission from the owners before carrying out their
activities.

Vulnerability Assessment/Analysis
This is an exercise done to evaluate the security configurations of a
system. The forms of the assessments that can be carried out comprise the
evaluation of security patches that have been applied to a system and those
that are missing. The team that carries out Vulnerability Assessment can
either be external or it can be part of an organization’s IT team.

Malicious User Testing
In this scenario, the assessor will act as if they were an insider acting
maliciously. Of course, being an insider makes them a trusted entity. What
happens is that the assessor will be given legitimate login credentials
belonging to an authorized user; this will be a test account. They will then
go ahead and use the credentials to try and circumvent laid down security
measures. They can do this by modifying settings that are not supposed to
be changed, viewing settings and documents that the account is not
authorized to and escalating their permissions and privileges beyond the
level the test account should have. In summary, a malicious user test
attempts to simulates actions that a rogue insider can carry out using their
trusted credentials.

Phishing
In this type of attack, attempts will be made to get the targeted entities to
reveal personal information such as passwords, account numbers, and user
names. Normally, this is done by the use of authentic-looking emails that
are fake. The emails can be from customer support staff, banks and
corporations. A different type of phishing attack is where users are
prodded to click on phony hyperlinks. This will make it possible for
malicious codes to be installed on the target system without the owner’s
knowledge. Once this has been done, the malware can be used to attack
other computers or for obtaining data stored on the computer. Phishing
attacks are by nature, not directed to a specific target. Targets can be all
the people in a mailing list or those whose email addresses have a specific
extension, such as those with a “@kali.com” extension.

Spear Phishing
This is a type of phishing attack whereby the targets are specific. For
instance,
An attacker can perform reconnaissance to discover email addresses of
top-level management of an organization. They can go ahead then to carry
out the phishing attack on only these individuals.
Dumpster Diving
In this technique, the penetration tester will make attempts to filter
through a systems’ discarded trash. This trash might be from any of the
users and the system administrators. Any information obtained here will
be of great help in understanding a particular target. A penetration tester
might recover information detailing network diagrams, system settings
and configurations, the hardware components and the software versions
that are being used. On a good day, one might even get user credentials
such as passwords and user names. Dumpster Diving is a term used to
explain the process of entering a large trash container. Also, garbage cans
from small offices normally have some lucrative information.
LiveOS, Live Disk, Live CD
The terms above are used to refer to an optical disk containing a complete
operating system. Live disks are a crucial asset to penetration testers and
assessors since it is possible to modify them to suit the needs at hand. One
can customize them to have specific settings, tools and software
components. Many of the live disks in distributions are normally Linux
based, although, over the years, we have had numerous Microsoft
Windows versions being released. In most assessments, it is sufficient for
an assessor to only bring with them a live disk. The systems under
assessment can be directly booted to the live disk, effectively turning the
information systems assets against the system itself.