Kali Linux Tips
Regular penetration testing can significantly improve a company's security. Before conducting any audit, the auditor must obtain all necessary rights and permissions from the owner of the target network or target system.
All the content and resources are provided in the hope that they will be useful. The author does not take responsibility for any misapplication of them. The document is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY.
The security assessment can be performed using the open-source Kali Linux distribution and the various tools included in it. This document presents selected steps and approaches that can be used to perform a security assessment effectively within the limited time allocated.
The document is intended for security professionals and the security community who want to assess the security of their corporate or home network, or to perform security assessments only against infrastructure for which they have all the required permissions and authorisation.
Overall IT security can be improved by educating users and security professionals in how to use the available open-source tools effectively.
The Nmap scanner is one of the most powerful tools for initial reconnaissance and attack surface discovery. Initial probing makes it possible to quickly detect the live hosts in a given network segment.
During the initial reconnaissance, evaluate how large the target network segment is in order to choose the optimal method, and whether the target hosts are likely to answer ping requests in the target environment (e.g. in some networks ICMP ping is allowed globally through the firewalls, while in others it is filtered).
The following nmap command examples can be used to perform host detection.
// Example of hosts / subnets syntax
<hosts> 127.0.0.1 192.168.10.0/24 127.0.0.1-12 127.0.0.1,127.0.0.2
// TCP syn scan, including ping scan and reverse DNS resolution
nmap -sS <hosts>
// TCP syn scan but without ping and DNS resolution
nmap -sS -n -Pn <hosts>
// TCP syn scan fast, but without ping and DNS resolution to quickly detect live systems, list only opened ports
nmap -sS -F -n -Pn --open <hosts>
// even faster live systems detection, just selected ports and list only opened ports
nmap -sS -p21,22,23,80,443 -n -Pn --open <hosts>
Scanning here means the detailed probing of the services running on the target system, together with vulnerability scanning. The goal is to detect the services, their software versions and, where possible, the vulnerabilities on the target system.
The following nmap command examples can be used to perform the scanning. The method should be chosen based on performance, the target network conditions and the time available for the scan.
// TCP syn scan of nmap top 10000 ports
nmap -n -sS --top-ports 10000 -Pn <hosts>
// TCP syn scan, run safe scripts, version detection for all ports and write output in all nmap formats
nmap -Pn -sS --open -p- -sV -sC -n -oA <output> <hosts>
Example of output:
Host is up (0.34s latency).
Not shown: 65523 filtered ports, 3 closed ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 6.6.1 (protocol 2.0)
| ssh-hostkey:
|   1024 25:8f:94:0e:30:d1:eb:c7:dc:12:f1:71:eb:ba:88:86 (DSA)
|_  1024 99:ae:8d:a3:3d:87:51:11:2f:93:94:a8:9a:13:6c:1e (RSA)
111/tcp   open  rpcbind    2-4 (RPC #100000)
| rpcinfo:
|   program version port/proto service
|   100000 2,3,4   111/tcp    rpcbind
|_  100000 2,3,4   111/udp    rpcbind
7938/tcp  open  rpcbind    2 (RPC #100000)
11000/tcp open  http       MiniServ 0.01 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
16800/tcp open  tcpwrapped
// UDP scan, fast scan, with version detection
nmap -sU -sV -sC -F -n -Pn -oA <output> <hosts>
Example of output:
161/udp open snmp SNMPv1 server (public)
Nmap + vulscan
Nmap can be extended into a vulnerability scanner by using the vulscan script.
It can be installed with the following commands:
mkdir /usr/share/nmap/scripts/vulscan
cd /usr/share/nmap/scripts/vulscan
git clone https://github.com/scipag/vulscan.git
and used by the following command:
# nmap -sV --script=vulscan/vulscan.nse 127.0.0.1
Starting Nmap 7.50 ( https://nmap.org ) at 2017-10-09 08:33 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000080s latency).
Not shown: 998 closed ports
PORT    STATE SERVICE VERSION
80/tcp  open  http    Greenbone Security Assistant
| vulscan: scip VulDB - http://www.scip.ch/en/?vuldb:
| No findings
|
| MITRE CVE - http://cve.mitre.org:
| No findings
|
| OSVDB - http://www.osvdb.org:
| No findings
|
| SecurityFocus - http://www.securityfocus.com/bid/:
| No findings
|
| SecurityTracker - http://www.securitytracker.com:
| No findings
|
| IBM X-Force - http://xforce.iss.net:
| No findings
|
| Exploit-DB - http://www.exploit-db.com:
| No findings
|
| OpenVAS (Nessus) - http://www.openvas.org:
| No findings
|_
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo:
|   program version port/proto service
|   100000 2,3,4   111/tcp    rpcbind
|_  100000 2,3,4   111/udp    rpcbind
The OpenVAS vulnerability scanner can be used to perform the vulnerability scanning in an automated way. For OpenVAS installation follow the instructions on the above link. It is a free alternative to commercial vulnerability scanners such as Nessus, Qualys, Nexpose and others.
The added value is the relatively easy setup and fast run, but it should be considered that the scanning can be quite intensive and can affect production systems. The results can also contain false positives or false negatives, so every vulnerability reported by the scanner should be verified manually.
Before each scan, update the OpenVAS NVT feeds so that the latest vulnerabilities are covered.
Installation:
# setup openvas in Kali
root@kali:~# openvas-setup
# start openvas scanner
root@kali:~# openvas-start
# sync nvt feed
root@kali:~# openvas-nvt-sync
# check if the services are running
root@kali:~# service openvas-manager status
root@kali:~# service openvas-scanner status
# change admin password
openvasmd --user=admin --new-password=password
# use browser to access the GUI
https://127.0.0.1:9392
Figure 1: OpenVAS report example
Skipfish can be used as a web vulnerability scanner after a web server has been detected on the target system. Its added value is that it is web oriented: it is more optimised and more specific for web vulnerabilities (e.g. detecting the OWASP Top 10). This is the main difference from network vulnerability scanners like OpenVAS, which are more universal but do not scan the detected web servers in depth. The common method used by web scanners is crawling the target web site, i.e. discovering new URLs from the links on the pages already found.
An example of running the scanner is below.
# basic scan
skipfish -o out_dir https://www.host.com
# using cookies to access authenticated pages
skipfish -o out_dir -I urls_to_scan -X urls_not_to_scan -C cookie1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX -C cookie2=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX https://www.host.com
Figure 2: Skipfish report example
It is always useful to try to brute-force the files and directories on the web server. Web servers are a commonly used service on most systems, and it can be worth trying to find files or directories which are not authenticated or are just hidden (e.g. an admin console).
Common web vulnerability scanners (e.g. skipfish, Vega or commercial scanners) usually just crawl the target site (recursively following the links present on the web pages). It is therefore not uncommon for web vulnerability scanners to miss some vulnerabilities, or even to miss unauthenticated pages, whereas URL brute-forcing can reveal hidden pages or administration consoles.
A useful wordlist can be found on the following link
Figure 3: Dirbuster GUI
After finding vulnerabilities, it is possible to try to exploit them. For each vulnerability, check whether a public working exploit exists (in the Metasploit project, ExploitDB or other sources).
Metasploit is a modular framework for performing penetration testing.
Figure 4: Metasploit
There are many public resources with tutorials and documentation. The following links can be used to get started.
Example of ssh_login:
root@kali:~# msfconsole
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > show options

Module options (auxiliary/scanner/ssh/ssh_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             22               yes       The target port
   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts

msf auxiliary(ssh_login) > set RHOSTS "10.XXX.XXX.XXX 10.XXX.XXX.YYY 10.XXX.XXX.ZZZ"
msf auxiliary(ssh_login) > set USER_AS_PASS true
msf auxiliary(ssh_login) > set USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users_custom.txt
msf auxiliary(ssh_login) > set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
msf auxiliary(ssh_login) > show options
msf auxiliary(ssh_login) > run
ExploitDB is an online database of publicly known exploits which can be used to verify and demonstrate a vulnerability and gain further access. The resources mostly contain scripts and source code which can be compiled and used to exploit a certain vulnerability.
Figure 5: ExploitDB Web Page
Sqlmap can be used to find SQL injection vulnerabilities in a web application through GET or POST parameters or cookies. This method can be very effective when testing custom web applications, CGI scripts and PHP pages that are not well-tested products or open-source applications.
sqlmap -u "http://host.com/vulnerable.php?param=12345"
sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --sql-query="select name,master.sys.fn_sqlvarbasetostr(password_hash) from master.sys.sql_logins"
sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --dbs
sqlmap -u "http://host.com/vulnerable.php?param=12345" --dbms "Microsoft SQL Server" --dump -D database -T table
sqlmap -u "http://host.com/vulnerable.php?param=12345" --cookie "cookie1=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
sqlmap -r POST.txt -p field
To find the GET or POST parameters or cookies, a useful method is to trace the traffic towards the web server or to use the Burp Suite proxy to capture the HTTP/HTTPS communication.
Burp Suite is an integrated platform providing full control over HTTP/HTTPS sessions: it allows manipulation of requests, runs a local proxy, a scanner, an intruder and additional tools.
The Proxy feature is very useful and easy to use; it can intercept and modify the HTTP/HTTPS messages sent to the web server.
Figure 6: Burp Suite GUI
After gaining access to the operating system, it is possible to try to escalate privileges.
The following resources can be useful for automated detection on Linux systems. However, a manual investigation of the target system should always be performed as well.
Privilege Escalation Cheat Sheets
After finding hashes on the machine, it is possible to try to crack them, depending on the hash algorithm and whether a salt has been used.
John the Ripper
John the Ripper is a well-known public tool for password cracking containing several cracking modules.
Example of cracking the Linux OS passwords from the passwd and shadow files:
Example of writing reports using nmap output
An effective way of writing audit reports can be to write the findings directly into the nmap output.
If the findings must be documented separately in the final report, it is still good practice to include the nmap output in the report annex and reference the findings there.
An example of such an nmap result with a manually documented vulnerability inside is below:
Nmap scan report for <host>
Host is up (0.00064s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey:
|   1024 3d:43:a8:3e:bd:f3:7a:e8:ec:d8:a3:88:ec:30:95:e3 (DSA)
|_  2048 6a:28:3b:42:a1:aa:65:89:c0:ea:39:ab:f0:13:c2:06 (RSA)
111/tcp  open  rpcbind    2-4 (RPC #100000)
| rpcinfo:
|   program version port/proto service
|   100000 2       7938/tcp   rpcbind
|   100000 2       7938/udp   rpcbind
|   390113 1       7937/tcp   nsrexec
|   390435 1       8263/tcp
|_  390436 1       8208/tcp
111/udp  open  rpcbind
123/udp  open  ntp        NTP v4 (secondary server)
161/udp  open  snmp       SNMPv1 server (public)

    Default SNMP community string (public)
    # snmpwalk -mALL -v1 -cpublic <host>
    SNMPv2-MIB::sysName.0 = STRING: ***********
    SNMPv2-MIB::sysLocation.0 = STRING: Unknown (edit /etc/snmp/snmpd.conf)
    SNMPv2-MIB::sysORLastChange.0 = Timeticks: (19) 0:00:00.19
    SNMPv2-MIB::sysORID.1 = OID: SNMP-MPD-MIB::snmpMPDMIBObjects.3.1.1
    SNMPv2-MIB::sysORID.2 = OID: SNMP-USER-BASED-SM-MIB::usmMIBCompliance
    SNMPv2-MIB::sysORID.3 = OID: SNMP-FRAMEWORK-MIB::snmpFrameworkMIBCompliance
    SNMPv2-MIB::sysORID.4 = OID: SNMPv2-MIB::snmpMIB
    SNMPv2-MIB::sysORID.5 = OID: TCP-MIB::tcpMIB
    SNMPv2-MIB::sysORID.6 = OID: RFC1213-MIB::ip
    SNMPv2-MIB::sysORID.7 = OID: UDP-MIB::udpMIB
    SNMPv2-MIB::sysORID.8 = OID: SNMP-VIEW-BASED-ACM-MIB::vacmBasicGroup
    HOST-RESOURCES-MIB::hrSystemUptime.0 = Timeticks: (484084654) 56 days, 0:40:46.54
    End of MIB

162/udp  open  snmp       net-snmp
8080/tcp open  http-proxy Apache
| http-auth:
| HTTP/1.1 401
|_  Server returned status 401 but no WWW-Authenticate header.
| http-methods:
|_  Potentially risky methods: PUT DELETE TRACE
|_http-server-header: Apache
|_http-title: Error
8899/tcp open  http       Apache httpd
|_http-server-header: Apache
|_http-title: ************************

    Not authenticated web server
    Detected URLs:
    Dir found: /example/ - 302
    Dir found: /admin - 200
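As an added example (not part of the original document), the following Python script turns nmap normal output like the report above into an annex table, appending the auditor's manually documented findings to the matching ports. The sample scan output, host address, fingerprint and findings are constructed for the demonstration.

```python
import re

# Constructed sample of nmap normal output (not a real scan result).
SAMPLE_NMAP = """\
Nmap scan report for 10.0.0.5
PORT     STATE         SERVICE VERSION
22/tcp   open          ssh     OpenSSH 5.3 (protocol 2.0)
| ssh-hostkey:
|_  2048 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99 (RSA)
111/tcp  open          rpcbind 2-4 (RPC #100000)
161/udp  open          snmp    SNMPv1 server (public)
162/udp  open|filtered snmp
8899/tcp open          http    Apache httpd
"""
# Findings documented by the auditor, keyed by (host, port, protocol).
FINDINGS = {
    ("10.0.0.5", 161, "udp"): "Default SNMP community string (public)",
    ("10.0.0.5", 8899, "tcp"): "Not authenticated web server, /admin - 200",
}
HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_nmap(text):
    """Return one dict per port line; NSE script lines ('| ...') are skipped."""
    host, services = None, []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m and host:
            port, proto, state, svc, ver = m.groups()
            services.append({"host": host, "port": int(port), "proto": proto,
                             "state": state, "service": svc, "version": ver.strip()})
    return services

def annex_rows(services, findings):
    """Report rows for open ports, with the documented finding appended where one exists."""
    rows = []
    for s in services:
        if not s["state"].startswith("open"):
            continue  # keep open and open|filtered ports only
        row = f'{s["host"]} {s["port"]}/{s["proto"]} {s["service"]} {s["version"]}'.rstrip()
        note = findings.get((s["host"], s["port"], s["proto"]))
        rows.append(row + (f"  FINDING: {note}" if note else ""))
    return rows

if __name__ == "__main__":
    print("\n".join(annex_rows(parse_nmap(SAMPLE_NMAP), FINDINGS)))
```

Pointing it at a real .nmap file written by -oA gives the annex in one pass, while the findings dictionary stays the single place where each reported vulnerability is documented.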
Security assessment and vulnerability scanning is a complex task. This document describes only the very basics and just a few tools which can be used effectively to perform such an assessment with quite good coverage. The Kali Linux distribution contains many more tools, and the proper tool selection always depends on the goal of the auditor and on the target network and technology under audit.