Intro to Kali Linux & Tools


Intro to Kali Linux & Tools. What makes Kali Linux different? Stuart Hoxie
Ask for questions. Answer: simply, not much. It's mostly just a Debian distro with a **** ton of packages, apps, services, programs, preferences, etc. installed on it.

Basics: Debian distro for industry-grade penetration testing. Completely customizable; any user can tweak the experience to their liking. ARMEL and ARMHF: compatible with ARM-based devices.

Legal: Remember that anything you do with many of the tools Kali Linux offers can be viewed as malicious activity. Any form of testing should be done in a safe environment or VM, or with the strict permission and supervision of the organization. In short, be smart about what you do.

Ethical Phases: Information Gathering Reconnaissance Access/Exploitation Post Exploitation Reporting Finishing/wrap up

Installations: Nothing inherently special about installing Kali Linux. Single, dual, etc. boot. https://www.kali.org/downloads/ Preferred for students: use a virtual box. After installation and boot, open a console and enter: apt-get update && apt-get upgrade && apt-get dist-upgrade
If you don't know how to do so, look up a tutorial on how to set up a dual boot or VM.

Tools: 3 phases will be covered: resource gathering/Reconnaissance, Exploitation. Zenmap/Nmap, Wireshark, Armitage (GUI of Metasploit), Metasploit Framework.

Reconnaissance: Wireshark! Select your desired interface. Each individual packet can be opened and observed more closely. Search for malicious activity on your NIC. If uncertain, check your ports in a terminal: sudo lsof -i :<port number>
Wireshark is an open source sniffing program that lets you look at all traffic and specific packets on any particular network interface, whether it's your Ethernet or Wi-Fi. Once connected, you will be able to see the time, source and destination of each packet, the protocol used, the length, and additional info. As a network admin, unusual traffic should be gathered; this can help troubleshoot vulnerabilities, most notably open ports. You can use the filter to search for these specific items. For a website, you can use the HTTP section under additional info at the bottom of the panel to view all known/gathered information from the computer during its attempt(s) to connect to a web server: server, range, location, domain name, IP, how it was resolved, and more.
One quick method of determining whether malicious activity is occurring is to search/filter for traffic from an odd or unknown IP/MAC to your machine. Chances are, if RST is shown in the info tab, your computer is booting and dropping the packet sent to it. If it is malicious activity, you will commonly see this occurring on many different ports. Using the lsof command, you will see which applications/services on your machine are using the specified port.
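
An added example, not part of the original presentation: the RST heuristic from the notes above, applied to an exported packet list instead of scrolling through the capture by eye. The rows are constructed, and the column layout, LOCAL_IP and the five-port threshold are assumptions.

```python
from collections import defaultdict

LOCAL_IP = "192.168.1.20"  # assumption: address of the monitored machine

# Constructed sample rows, not real traffic: src,dst,srcport,dstport,rst_flag
SAMPLE_ROWS = """\
203.0.113.50,192.168.1.20,40001,21,0
192.168.1.20,203.0.113.50,21,40001,1
203.0.113.50,192.168.1.20,40002,22,0
192.168.1.20,203.0.113.50,22,40002,0
203.0.113.50,192.168.1.20,40003,23,0
192.168.1.20,203.0.113.50,23,40003,1
203.0.113.50,192.168.1.20,40004,25,0
192.168.1.20,203.0.113.50,25,40004,1
203.0.113.50,192.168.1.20,40005,110,0
192.168.1.20,203.0.113.50,110,40005,1
203.0.113.50,192.168.1.20,40006,139,0
192.168.1.20,203.0.113.50,139,40006,1
203.0.113.50,192.168.1.20,40007,445,0
192.168.1.20,203.0.113.50,445,40007,1
198.51.100.7,192.168.1.20,51000,443,0
192.168.1.20,198.51.100.7,443,51000,1
"""

def rst_ports_by_peer(rows, local_ip):
    """Map each remote IP to the local ports that answered it with a RST."""
    peers = defaultdict(set)
    for line in rows.strip().splitlines():
        fields = line.split(",")
        if len(fields) != 5:
            continue  # skip malformed rows instead of failing the whole run
        src, dst, sport, _dport, rst = fields
        if src == local_ip and rst == "1":
            peers[dst].add(int(sport))
    return peers

def likely_scanners(rows, local_ip, min_ports=5):
    """Return peers that drew RSTs from at least min_ports distinct local ports."""
    return {ip: sorted(ports)
            for ip, ports in rst_ports_by_peer(rows, local_ip).items()
            if len(ports) >= min_ports}

if __name__ == "__main__":
    for ip, ports in likely_scanners(SAMPLE_ROWS, LOCAL_IP).items():
        print(f"{ip} drew RSTs from {len(ports)} closed ports: {ports}")
```

A single RST to one peer, like the 198.51.100.7 row, is ordinary connection teardown and stays below the threshold.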

Reconnaissance: Nmap (command line), Zenmap (GUI). Use the "*" wildcard when searching for a target IP. We will continue with Zenmap.
The asterisk will cover from 0-255. Fantastic tool for searching throughout your network as a sysadmin and receiving detailed information about your network.

Reconnaissance: Various scans will yield different information about the targeted network and its depth. For example, an Intense scan will show services, OS guess/exact + details, network diagnostics, ports open on hosts, domain, etc.
The Zenmap/Nmap scan will provide more in-depth information than the soon-to-be-mentioned Armitage scan; Zenmap is also much easier to read and comprehend. The information gathered from these scans can be used in various ways. You can use it for troubleshooting a network, finding rogue devices on your network, finding OS details and googling solutions, and more.

Exploitation: Remote Attack, Client Side Attack, Blind Side Attack/Hail Mary, Social Engineering Attack, Fuzzing/DoS, Man In The Middle.
Remote: exploit services that are vulnerable, such as NetBIOS and DNS. Remote Client: something that you are trying to exploit on the client side; includes programs, controllers, Java, Flash, etc. Blind Side: fires everything possible at the target network; all tools are used at once.

Access: Exploit. Metasploit + Armitage, Scripting (public + nonpublic), SE-Toolkit, DoS, Google.
SE -> Social Engineering Toolkit. Google: find a vulnerability feed site; basic search parameters are available on vanilla Google. Other misc tools in Kali.

Access: Exploit. Starting the Metasploit Framework. In msf type: armitage -> Connect -> Start RPC
Don't change the Connect address, this is you! Only change it if you have some sort of specific use scenario.

Access: Exploit. Begin scan: Hosts -> choose scanning method. Provide Armitage or msf with your desired IP range to scan. Import your scanned hosts: Hosts -> Import Hosts. Layout -> Stack.
Layout -> Stack reorganizes the hosts shown.

Access: Exploit. If needed, use MSF scan. Now all possible information about the machines is displayable. Right click machine -> Services.
MSF scan will provide you even more info, including but not limited to service packs, installed software, build revisions, running ports, and running programs. All aux scanners. All tasks are shown at the bottom of Armitage. This provides an abundance of information about each individual system.

Footnote: security. These scans can be a fantastic source for finding open ports, useless programs, and vulnerabilities on your system.
As a network admin, you should be accustomed to what services are running on your machines, and be able to quickly identify ones that should not be.
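
An added example, not part of the original presentation: one way to turn scan results into the admin check described above, by comparing open ports from a saved Nmap scan against an inventory of expected services. The scan text is constructed in Nmap's grepable (-oG) format, and BASELINE and the function names are assumptions.

```python
import re

# Constructed sample in Nmap's grepable (-oG) format; hosts and ports are made up.
SAMPLE_SCAN = (
    "Host: 192.168.1.10 (fileserver)\tPorts: 22/open/tcp//ssh///, "
    "445/open/tcp//microsoft-ds///\n"
    "Host: 192.168.1.11 ()\tPorts: 80/open/tcp//http///, "
    "23/open/tcp//telnet///, 443/closed/tcp//https///\n"
    "Host: 192.168.1.99 ()\tPorts: 8080/open/tcp//http-proxy///\n"
)

# Assumed inventory: (port, protocol) pairs the admin expects on each known host.
BASELINE = {
    "192.168.1.10": {(22, "tcp"), (445, "tcp")},
    "192.168.1.11": {(80, "tcp")},
}

HOST_LINE = re.compile(r"Host: (\S+) .*?\tPorts: ([^\t]*)")

def parse_open_ports(scan_text):
    """Return {host: [(port, proto, service), ...]} for ports in state 'open'."""
    hosts = {}
    for line in scan_text.splitlines():
        match = HOST_LINE.match(line)
        if not match:
            continue  # status lines and comments carry no port list
        host, port_list = match.groups()
        for entry in port_list.split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 5 and fields[1] == "open":
                hosts.setdefault(host, []).append(
                    (int(fields[0]), fields[2], fields[4]))
    return hosts

def audit(scan_text, baseline):
    """List open services that the baseline does not account for."""
    findings = []
    for host, ports in parse_open_ports(scan_text).items():
        for port, proto, service in ports:
            if host not in baseline:
                findings.append((host, port, proto, service, "unknown host"))
            elif (port, proto) not in baseline[host]:
                findings.append((host, port, proto, service, "unexpected service"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SCAN, BASELINE):
        print(*finding)
```

On the sample data this reports the telnet listener on 192.168.1.11 and the uninventoried host 192.168.1.99, while the closed port 443 is ignored.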

Access: Attack. Select your desired target, indicated by the green dashed box. Attacks -> Find Attacks. Check Exploits, if the option is available. Launch exploit. The exploit service tab will open and show status. Remember: Google is your friend.
Find Attacks queries all exploits that coincide with the information gathered from the device scans. Some attacks may or may not work; remember, all devices are unique. Check Exploits can be viewed in the console, and will tell you if the gathered attack is usable. Some exploits have specific configurable launch options. Using reverse connections is recommended. Whatever payload is used and sent to the target, once the exploit is passed and then comes back to pick up the payload, we can use a reverse connection like reverse tcp/dns, or bind tcp/dns (advanced, more used in MSF). Once Launch is clicked, the payload is launched.
Remember, you can search for specific exploits in Armitage; use Google to search for known working exploits on the specific machines you have analysed. Launching tons of failing attacks is not a good idea... for obvious reasons.

Access: Attack. SUCCESS!!! When finished with your attack, Kill!
You have found an exploit that has worked and the payload has been delivered; the machine has been infected with Meterpreter. Now you are onto the next step, POST. Selecting the Meterpreter shell will now allow you to continue your post-exploitation activities.

Sources:
https://www.youtube.com/watch?v=lZlqr2PFJIo
https://www.youtube.com/watch?v=8lR27r8Y_ik
https://www.youtube.com/watch?v=dlcx-fmzrnc
http://knoxd3.blogspot.com/2013/07/how-to-use-zenmap-in-kali-linux.html
https://www.youtube.com/watch?v=TkCSr30UojM