Discover system vulnerabilities and exploits

Anti-Theft Device

Forensics: When It's Too Late

The last main group of tools in Kali Linux deals with systems on which all your precautions have been in vain – that is, forensic tools that you need to trace an attack.

Unfortunately, many admins rank forensics at the bottom of the list after an attack, because the main effort is to put the affected services back online as quickly as possible to keep financial losses as small as possible. Time is often not available to deal systematically with the nature and content of a break-in.

However, forensics are essential to discovering successful attack vectors, which drives the actions that need to be taken to avoid similar scenarios in the future. Take compliance, for example: If someone breaks into a system through an outdated installation of WordPress, the tools that are supposed to check and ensure that WordPress installations are up to date have obviously failed. However, if someone hacks a system with stolen credentials or a guessable password, it's time to take a look at your password policy.

How exactly an attack took place can only be determined on the affected system itself, and to do this, the system in question must be taken offline immediately – and ideally switched off. Attackers often try to cover their tracks, making analysis even more difficult.

When handling a system that you want to examine, simply switching on the server is the wrong approach, because pertinent files in /tmp would be lost if it were cleared at system startup. As the first step, it therefore makes more sense to remove the data carrier from the respective system and connect it to a system with Kali Linux.

Alternatively, Kali Linux can also be started in Live mode on such a system, which has no effect on the hard drives. Local analysis is then possible.

The Kali Linux forensics toolbox is rich with important tools: binwalk supports the analysis of binary files. If you are dealing with a Windows system, RegRipper searches the registry for suspicious entries and typical signs of attack tools. Different tools are included for different filesystems for recovering deleted files, but the chances of success can vary from case to case.

All in all, Kali Linux impresses as a comprehensive toolbox for forensic investigations on systems after a break-in. The compilation of tools and wealth of choice make Kali Linux valuable.

For Raspberry Pi 4

As mentioned earlier, several variants of Kali are available. The developers specifically point to support for the still quite new Raspberry Pi 4 (RPi4) single-board computer. The ARM image for the RPi4 was available on the Kali Linux website the first day it went on sale.

The ARM port of the distribution is nothing new. You could install and run Kali even on older Rasp Pis, but it's far more fun with the RPi4 – at least if you use a model with a generous helping of RAM. The almost 4GB disk space required by Kali Linux is easily provided by a microSD card. A portable Kali Linux, however, is a powerful tool: The focus is obviously not on testing server applications; it is on the very powerful tools for testing things like WiFi networks.

An RPi4 can be used with a large power bank (about 20,000mAh) for quite a while without problem, and if you are a mobile worker, your vehicle's 12V socket can be your power supply. Therefore, if you need to check the WiFi network of a client, a friend, or even your parents, Kali on an RPi4 is a good solution.

Conclusions

Kali Linux is a powerful distribution with many tools that can be used (and misused) for exploits, although its strongest focus is not exploitation. Instead, gathering information is the typical use case for the distribution. For example, what does the infrastructure look like? What makes it special, and where are potential security holes through which the bad guys can break in? The main focus is therefore more on the thorough analysis of a network.

Additionally, Kali Linux performs classic security tasks. If you want to make sure your users don't just use password to complement their username, you will also find brute forcing tools in Kali Linux.

However, if you simply download Kali Linux and expect a complete hands-free, no-worries package, you are mistaken. Kali Linux unfolds its full potential when used in a targeted way to search for vulnerabilities. Kali does not aimlessly volley against all possible attack vectors, despite, or maybe precisely because of, its many individual tools.

For this reason, it is important from your point of view to define the attack scenario for a certain situation as precisely as possible. Armed with such a definition, you can then determine where the threat of attacks is greatest.

If your career path is firmly rooted in the security context, it makes sense to take a very close look at Kali Linux. I highly recommend including it in your toolbox.

Infos

  1. Kali Linux: https://www.kali.org

The Author

Martin Gerhard Loschwitz is Senior Cloud Architect at Mirantis, where he focuses on topics such as OpenStack, Ceph, and Kubernetes.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus