Kali Linux is the complete toolbox for penetration testing
Under the Magnifying Glass
Every IT infrastructure offers points of attack that hackers can use to steal and manipulate data. Only one thing can prevent these vulnerabilities from being exploited by unwelcome guests: you need to preempt the hackers by identifying and closing the gaps first. Kali Linux can help.
To maintain the security of a network, you need to check it continuously for vulnerabilities and other weak points through penetration testing. You have a clear advantage over attackers because you know the critical infrastructure components, the network topology, points of attack, the services and servers executed, and so on. Exploitation tests should look for vulnerabilities in a secure, real environment, so you can shut down any vulnerabilities found – and you need to do this over and over again.
The variety of IT components dedicated to security does not make selecting a suitable tool any easier, because all possible attack vectors need to be subjected to continuous testing. Kali Linux [1] meets these requirements – and does much more.
Kali Linux at a Glance
The Debian-based Kali Linux distribution is at the heart of most penetration testing systems. The package contains more than 300 security tools, including those shown in Table 1.
Table 1: A Few Kali Linux Security Tools
Tool | Function |
---|---|
OpenVAS | The only free security scanner that meets professional requirements. |
Maltego | Collects information about individuals or companies on the Internet. |
Kismet | A passive sniffer to examine local wireless networks. |
Social Engineer Toolkit (SET) | Includes programs that focus on social engineering. |
Nmap | The well-known network scanner for network analysis, including the graphical user interface Zenmap. |
Wireshark | The classic graphical network sniffer. |
Ettercap | A network manipulation tool that helps hackers perform man-in-the-middle attacks. |
John the Ripper | Cracks and tests passwords. |
Metasploit | The classic tool for testing and developing exploits on target systems. |
Aircrack-ng | A collection of tools for analyzing and exploiting vulnerabilities in WiFi networks. |
Nemesis | A packet counterfeiter and injection utility. |
RainbowCrack | A cracker for LAN manager hashes. |
Kali Linux groups the most frequently used and most important programs in the Favorites menu (Figure 1). However, you should be aware of one legal aspect before using it: Local data protection legislation applies when you use Kali Linux. In practical terms, this means that in many places you can only use Kali Linux for pentests if you have explicit permission to do so. Know your local laws.
Kali Linux is particularly resource-friendly and can be run in a virtual machine, so any notebook can become a full-fledged penetration test system with very little effort. Most administrators are familiar with classics like Wireshark and Nmap, so I will focus on the less common applications.
Security Scanners
Penetration testing begins with an overview of the infrastructure and then searches for specific weak points. To do this, you first use a security scanner. Depending on their nature and type, these tools are capable of checking entire networks or individual systems or applications for known weak points.
The most functionally comprehensive tool of this kind is OpenVAS [2], which knows thousands of vulnerabilities in common infrastructure components and can check their defenses. Once OpenVAS has identified open ports, you can use Nmap to discover details. Wireshark lets you identify any form of critical content and network activity that points to specific attack patterns. The classic Wireshark tool can also identify bottlenecks that might indicate hacker attacks and require a thorough check.
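The scan results from this first step are only useful if you can turn them into a list of what is actually exposed and compare it with what you expect to be there. The following parser is an added illustration, not code from the article or from the Nmap project: it reads Nmap's "grepable" output format (the `-oG` option, where each host line carries tab-separated `Host:`, `Ports:` and `Ignored State:` fields and each port entry is written as `port/state/proto/owner/service/rpc/version/`), lists the open ports per host, and flags any open service that is not on a per-host allow-list. The sample output embedded below is constructed for the example and uses RFC 5737 documentation addresses; the allow-list function is a hypothetical baseline check, not an Nmap feature.

```python
"""Parse Nmap grepable (-oG) output and compare open ports against a baseline.

Added example; the scan text below is constructed, not a real scan result.
"""
import re
from collections import defaultdict

# Constructed sample of `nmap -sV -oG` output (RFC 5737 documentation addresses).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 192.0.2.0/29
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.4p1/, 80/open/tcp//http//Apache httpd 2.4.57/, 443/closed/tcp//https///\tIgnored State: filtered (997)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 3306/open/tcp//mysql//MySQL 8.0.33/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (998)
# Nmap done -- 8 IP addresses (2 hosts up) scanned
"""

# One port entry: port/state/proto/owner/service/rpc/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_gnmap(text):
    """Return {host: [(port, proto, state, service, version), ...]}."""
    results = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines and blank lines carry no host data
        fields = {}
        for field in line.split("\t"):
            key, _, value = field.partition(": ")
            fields[key] = value
        host = fields["Host"].split()[0]  # drop the "(hostname)" part
        results.setdefault(host, [])  # keep hosts that only have a Status line
        for entry in fields.get("Ports", "").split(", "):
            m = PORT_RE.match(entry.strip())
            if not m:
                continue
            port, state, proto, _owner, service, _rpc, version = m.groups()
            results[host].append((int(port), proto, state, service, version))
    return dict(results)


def open_ports(results):
    """Flatten the parse result to a sorted list of (host, port, service) for open ports."""
    return sorted(
        (host, port, service)
        for host, ports in results.items()
        for port, _proto, state, service, _version in ports
        if state == "open"
    )


def unexpected_services(results, allowed):
    """Hypothetical baseline check: open ports whose service is not in the
    per-host allow-list `allowed` ({host: {service, ...}}). Hosts missing from
    the allow-list are treated as having no expected services."""
    return [
        (host, port, service)
        for host, port, service in open_ports(results)
        if service not in allowed.get(host, set())
    ]


if __name__ == "__main__":
    parsed = parse_gnmap(SAMPLE_GNMAP)
    for host, port, service in open_ports(parsed):
        print(f"{host}:{port} {service}")
    baseline = {"192.0.2.10": {"ssh", "http"}}
    for host, port, service in unexpected_services(parsed, baseline):
        print(f"UNEXPECTED {host}:{port} {service}")
```

Run against a real `-oG` file, the baseline comparison is what turns a raw port list into a finding: in the constructed sample, the MySQL listener on the second host is reported because no database service is expected there.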
In the corporate world, web-based applications – often relying on the Apache, MySQL, and PHP stack – dominate the landscape. They are popular targets for hackers because they usually offer a great deal of attack potential. Kali Linux provides more than two dozen specialist tools for testing web applications. The scanners can be found in the Web Application Analysis menu. The Burp Suite and w3af tools are considered the best of their kind.
Burp Suite, which helps you identify and test vulnerabilities, is particularly easy to use. Kali Linux includes the open source version; the Pro version can even perform such tests automatically. For example, brute force attacks can be launched from the Intruder module, which uses request records grouped in the Proxy | Intercept tab to inject a desired payload into the web system.
Burp Suite also detects poor security configurations. An incorrect configuration of security settings can occur at all levels of the application stack (i.e., on web servers, application servers, and in databases and the web applications that use them). To detect such vulnerabilities with Burp Suite, first identify the target and then switch to the Target | Site map tab after mapping. Select the directory you want to check and execute the command Spider from here in the context menu. You can then determine any misconfigurations from the output.
In general, caution is required when analyzing production systems with security scanners, which are not primarily designed to handle systems that must be examined with kid gloves. Although many actions serve to identify points of attack, you should also expect that the systems tested will be affected. Therefore, you should perform these tests with mirrored systems. Ideally, these mirrors are protected by the same firewalls and intrusion detection systems (IDSs) of the production system, so you can check the effectiveness of existing protection mechanisms. Various tools (e.g., Nmap) can run in specific modes that make it difficult for IDSs to detect scans. In intelligent modes, they often remain undetected.
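Whether your IDS actually notices a scan against the mirrored systems is something you can check directly in the firewall logs. The detector below is an added example, not part of the article or of any IDS product: it applies the common heuristic that one source touching many distinct destination ports within a short window is scanning, and it shows why the slow scan modes mentioned above slip through a short window. The log lines are constructed in an iptables-style syslog format with RFC 5737 documentation addresses; the window and threshold values are assumptions you would tune to your own environment.

```python
"""Sliding-window port-scan detector over constructed firewall log lines.

Added example. A source that hits `min_ports` distinct destination ports
within `window_s` seconds raises one alert; probes spread out over a longer
period than the window never accumulate and are missed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: one fast scanner (198.51.100.7, six ports in two seconds)
# and one slow scanner (203.0.113.20, one port every five minutes).
SAMPLE_LOG = """\
Jun 12 10:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40001 DPT=21 SYN
Jun 12 10:00:01 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40002 DPT=22 SYN
Jun 12 10:00:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40003 DPT=23 SYN
Jun 12 10:00:02 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=25 SYN
Jun 12 10:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40005 DPT=80 SYN
Jun 12 10:00:03 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=40006 DPT=443 SYN
Jun 12 10:00:05 fw kernel: IN=eth0 OUT= SRC=203.0.113.20 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=443 SYN
Jun 12 10:05:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.20 DST=192.0.2.10 PROTO=TCP SPT=51001 DPT=22 SYN
Jun 12 10:10:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.20 DST=192.0.2.10 PROTO=TCP SPT=51002 DPT=3306 SYN
Jun 12 10:15:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.20 DST=192.0.2.10 PROTO=TCP SPT=51003 DPT=8080 SYN
Jun 12 10:20:00 fw kernel: IN=eth0 OUT= SRC=203.0.113.20 DST=192.0.2.10 PROTO=TCP SPT=51004 DPT=8443 SYN
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*SRC=(\S+) .*DPT=(\d+)")


def parse_line(line):
    """Return (timestamp, source, destination port), or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog timestamps carry no year; only time differences are used here.
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
    return ts, m.group(2), int(m.group(3))


def detect_scans(log_text, window_s=60, min_ports=5):
    """Return [(source, first_seen, sorted_ports), ...], one alert per source,
    for sources touching >= min_ports distinct ports within window_s seconds.
    Lines are expected in chronological order, as a log file is."""
    recent = defaultdict(deque)  # source -> (ts, dport) entries inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, dport = parsed
        q = recent[src]
        q.append((ts, dport))
        # Drop entries that have aged out of the sliding window.
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= min_ports and src not in alerted:
            alerted.add(src)
            alerts.append((src, q[0][0], sorted(ports)))
    return alerts


if __name__ == "__main__":
    print("60 s window:", detect_scans(SAMPLE_LOG))
    print("1 h window: ", detect_scans(SAMPLE_LOG, window_s=3600))
```

With the default 60-second window only the fast scanner is reported; widening the window to an hour also catches the slow one, at the cost of holding more state per source and a higher risk of flagging legitimate clients that use many ports. That trade-off is exactly what you are measuring when you run the mirrored-system tests with the production IDS rules in place.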
Sounding Out the Weak Points
If you know where the confirmed security gaps are, the next logical step is to sound them out. An essential part of any penetration test is the use of tools that help simulate as many known attack patterns as possible. Metasploit (Figure 2) is generally considered the most commonly used penetration tool, and one of the most important tools for penetration testers. The first step is to use the program's console to select and configure the exploit. Optionally, a vulnerability check is performed that tests whether the target system is at all vulnerable to the selected exploit. As a rule, you will have carried out a vulnerability scan in advance and have the necessary information.
The second step is payload selection. Meterpreter lets you search for files, escalate privileges, run port scans, redirect network traffic, and launch file downloads and uploads through an SSL connection to the target computer. In the third step, the exploit code is executed. Once you have successfully gained access to the system, you can usually perform further actions on the target computer with a suitable payload.
If you regularly perform security checks with Metasploit, an environment for central management of the various configurations and actions is ideal. The Armitage graphical user interface lets you define different target criteria and quickly switch between them. You can create dozens, hundreds, or even thousands of hosts in special target sets. Armitage can import data from multiple security scanners, making preparation easier. The management tool displays the current targets graphically, so you can see at a glance where exploits are running.