INTRODUCING KALI
Kali Linux is a powerhouse of pen-testing and security research goodness.
The tools we’re going to show you can be installed on pretty much any Linux distro, but we’re going to use Kali Linux. This is primarily because it has all these tools installed already, and there’s excellent documentation if you want some more information about it.
Kali is probably not something you’d want to use as a daily driver, although if you look online you’ll see a lot of posts by budding haxors that do just this. Up until the end of last year Kali used the root account by default, since many tricks such as handcrafting network packets require this. It would be a terrible idea if you were running, say, your mail client as root and you clicked a dodgy link.
Using the root account was sound practice so long as you kept the system “clean” of any of your (or other users’) personal affairs. In fact, the risk is often overstated on a single user machine where that user typically has sudo access anyway. However, many applications also require a non-root account, since running them as root presents a security risk.
So now Kali has adapted, and root is no longer the default (the default username and password are both “kali”). However, you still shouldn’t use it as a daily driver. You will run into oddities with networking, Bluetooth and package availability, since all these things have been tweaked, either to minimize the attack surface or to make things easier for launching attacks. Perhaps this is why Parrot beats Kali. Parrot is more like a regular distro, with security tools, while Kali is more focused on security and pen-testing. There’s no LibreOffice, and because it’s based on Debian some repositories are disabled, so installing additional software may not be as easy as you would expect.
Launching Kali
You don’t even need to install Kali Linux. You can run it from the live environment, either on bare metal or in a virtual machine. So long as you’re sure you’re using an official Kali image, this will ensure that your other data remains intact – security by separation is good practice, after all. But then again so is keeping your system updated, and it’s frustrating to have to do that every time you boot Kali, so an installer is available. It’s also possible to create a Kali Live USB stick with persistent storage, which makes life easier if your security business involves gathering data. See www.kali.org/docs/introduction/downloadofficial-kali-linux-images to check the image is official. If you find yourself downloading a newer version, be sure to do so from the official website, and follow the checksum and signature-checking instructions.
Kali Linux uses the Xfce desktop – even if you’re not familiar with it, it should be easy to navigate. What may be a little overwhelming is the huge amount of stuff packed into the initial install. Fortunately, everything has been categorised in the Applications menu. We don’t have enough space to talk about everything, but we can cover the basics, and if you’re lucky a couple of more advanced topics. So fire up Kali, open up a terminal, and carry out some reconnaissance against our own machine, by following the guide in the box (below left).
At this point you can start using some of the tools in the Kali arsenal to probe machines on your network. Or you could run Kali in a VM and then set up another vulnerable virtual machine and start attacking that. VirtualBox’s Internal Network option is good for this, as it enables VMs to communicate with one another while isolating them from physical hosts on the network. There are several toy VMs and applications available to practise this on. We’ll look at some of these over the page. The most popular is Metasploitable (a pair of deliberately vulnerable VMs running Windows 2008 and Ubuntu 14.04), which is provided by Rapid7 – the same people who make Metasploit Framework.
Get ‘sploiting!
Metasploit Framework is one of the most powerful security tools out there. From its command line interface you have immediate access to thousands of exploit (“sploit”) modules, and many more are available from the community. Each module has a variety of parameters, but commonly just a target IP address is required to launch an attack. You’ll find Metasploit in Kali’s Exploitation Tools menu, or you can start it from the terminal with a simple msfconsole. Metasploit features a hierarchy of modules sorted into categories, such as auxiliary (things like port scanners and fuzzers), exploits (code for exploiting vulnerable systems), and payloads (things to execute on a remote machine that’s been pwned by an exploit).
There are tools to craft and disguise custom payloads. One of the most useful is a reverse shell, which is like a regular shell, only it connects to you. This is handy if one of your targets is behind a firewall and can’t be directly connected to. All an attacker needs to do is make sure a listening service is set up on their machine, and that the service is reachable from the outside. Metasploit has its own Meterpreter shell that can be used for this purpose. All communication with the shell is encrypted, and nothing is written to disk, so it’ll be as if you never were there, hypothetically. Not all exploits allow remote code to be executed, but that’s not always necessary.
The Heartbleed vulnerability (CVE-2014-0160) was a buffer over-read in OpenSSL (a missing bounds check) that enabled an attacker to read privileged memory and steal passwords, certificates and other private data. Unlike many other bugs, it’s easy (with the benefit of hindsight) to spot the mistake in the code. To keep connections alive, the software introduced a “heartbeat” feature, where a client could send a small amount of data to the server, which would echo it back. Unfortunately, it was possible for a client to send a malicious heartbeat request, a single byte long, whose length field claimed up to 64K, and the server would dutifully send that much back. Because only a single byte had actually arrived, OpenSSL would read past the end of the buffer and return up to 64K of whatever happened to sit next to it in memory. This may not sound like much, but the attack could be quickly and repeatedly carried out. We may never know if anyone discovered this bug before it was actually announced, but distros quickly patched it afterwards.
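To make the mistake concrete, here is an added toy example in C, written for this article (it is not the article’s own code and not OpenSSL’s): a heartbeat handler that trusts the length field inside the packet, beside the same handler with the bounds check that the fix needed. The record layout, the 16-byte padding, the 200-byte claim and the planted secret are all constructed for the demo, and a small static arena stands in for the server’s memory so the over-read stays inside it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a TLS heartbeat record (constructed for this demo, not OpenSSL's code).
 * Wire layout: [type:1][payload_len:2, big-endian][payload: payload_len bytes][padding: 16] */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

/* Stand-in for the server's process memory: the received record is copied to the
 * front and a made-up secret is placed right after it, standing in for whatever
 * else the server had lying around. Keeping every read inside this arena is what
 * keeps the demo itself well-defined. */
#define ARENA_SIZE 256
static unsigned char arena[ARENA_SIZE];
static const char fake_secret[] = "CONSTRUCTED-SECRET:user=alice;pw=hunter2";

static void load_arena(const unsigned char *record, size_t record_len) {
    memset(arena, 0, sizeof arena);
    memcpy(arena, record, record_len);
    memcpy(arena + record_len, fake_secret, sizeof fake_secret - 1);
}

/* Vulnerable handler: trusts the length field in the packet and never compares it
 * with rec_len, the number of bytes actually received. Returns the response
 * length, or -1 if the request is refused. */
int heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                         unsigned char *out, size_t out_cap) {
    (void)rec_len;                                   /* the bug: never consulted */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (3 + (size_t)payload_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);           /* copies far past the 1-byte payload */
    return 3 + payload_len;
}

/* Fixed handler: same logic plus the check that the claimed payload (and the
 * mandatory padding) fit inside the record that actually arrived, which is the
 * shape of the bounds check OpenSSL added. */
int heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                    unsigned char *out, size_t out_cap) {
    if (rec_len < 1 + 2 + HB_PADDING) return -1;     /* too short to be a heartbeat */
    if (rec[0] != HB_REQUEST) return -1;
    uint16_t payload_len = (uint16_t)((rec[1] << 8) | rec[2]);
    if (1 + 2 + (size_t)payload_len + HB_PADDING > rec_len) return -1;   /* the fix */
    if (3 + (size_t)payload_len > out_cap) return -1;
    out[0] = HB_RESPONSE;
    out[1] = rec[1];
    out[2] = rec[2];
    memcpy(out + 3, rec + 3, payload_len);
    return 3 + payload_len;
}

/* Builds a 20-byte request that claims `claimed` payload bytes but carries one. */
static size_t build_request(unsigned char *rec, uint16_t claimed) {
    rec[0] = HB_REQUEST;
    rec[1] = (unsigned char)(claimed >> 8);
    rec[2] = (unsigned char)(claimed & 0xff);
    rec[3] = 'X';                                    /* the single real payload byte */
    memset(rec + 4, 0, HB_PADDING);                  /* padding */
    return 1 + 2 + 1 + HB_PADDING;                   /* 20 bytes actually on the wire */
}

/* 1 if the response contains the planted secret, 0 if not. */
int leaks_secret(const unsigned char *resp, int resp_len) {
    size_t slen = sizeof fake_secret - 1;
    if (resp_len < 0 || (size_t)resp_len < slen) return 0;
    for (size_t i = 0; i + slen <= (size_t)resp_len; i++)
        if (memcmp(resp + i, fake_secret, slen) == 0) return 1;
    return 0;
}

typedef int (*hb_handler)(const unsigned char *, size_t, unsigned char *, size_t);

/* Feeds one constructed request to a handler; returns the handler's result
 * (response length, or -1 = refused) and reports via *leaked whether the secret got out. */
static int run_once(hb_handler handler, uint16_t claimed, int *leaked) {
    unsigned char rec[32], out[ARENA_SIZE];
    size_t n = build_request(rec, claimed);
    load_arena(rec, n);
    int r = handler(arena, n, out, sizeof out);
    *leaked = leaks_secret(out, r);
    return r;
}

int response_len(hb_handler handler, uint16_t claimed) { int l; return run_once(handler, claimed, &l); }
int secret_leaked(hb_handler handler, uint16_t claimed) { int l; run_once(handler, claimed, &l); return l; }

int main(void) {
    printf("vulnerable, 200 claimed: %d bytes back, leaked=%d\n",
           response_len(heartbeat_vulnerable, 200), secret_leaked(heartbeat_vulnerable, 200));
    printf("fixed, 200 claimed:      result %d, leaked=%d\n",
           response_len(heartbeat_fixed, 200), secret_leaked(heartbeat_fixed, 200));
    printf("fixed, honest 1 byte:    %d bytes back\n", response_len(heartbeat_fixed, 1));
    return 0;
}
```

Build it with a plain `cc` and run it: the vulnerable handler answers a 20-byte request with 203 bytes that include the planted secret, the fixed handler refuses the same request outright, and an honest one-byte request still gets its four-byte echo. The one added line in heartbeat_fixed is the whole difference, which is why the article can say the mistake is easy to spot in hindsight.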
To attempt a Heartbleed attack on a server on your network is very easy (it’s also easy to do against remote hosts, but don’t do that). From Metasploit just do:
> use auxiliary/scanner/ssl/openssl_heartbleed
> set verbose true
> set RHOSTS 192.168.x.x
> run
We hope you’re not running a vulnerable version of OpenSSL on your server, but at least this way you’ll know.