The book "Kali Linux. Penetration and Security Testing

Hello, habrozhiteli! 4th edition of Kali Linux 2018: Assuring Security by Penetration Testing is designed for ethical hackers, pentesters, and IT security professionals. The reader is required to have basic knowledge of the Windows and Linux operating systems. Knowledge of information security will be a plus and will help you better understand the material presented in the book. What you will learn • Perform the initial stages of penetration testing, understand the scope of application • Perform reconnaissance and accounting of resources in the target networks • Receive and crack passwords • Use Kali Linux NetHunter to test for penetration of wireless networks • Generate competent penetration testing reports • Orient yourself in the structure of the PCI-DSS standard and tools used for scanning and penetration testing

Publication structure

Chapter 1 “Installing and Configuring Kali Linux”. In this chapter, you will be introduced to Kali Linux 2018. Particular attention is paid to various methods of using the system. The chapter is written so that even an inexperienced user can run Kali Linux from a Live DVD; install and configure the system on a hard drive, an SD card connected to a USB port of a flash drive; Install Kali Linux on a virtual machine. In addition, using AWS, you can install Kali Linux in the cloud.



Chapter 2 “Establishment of a testing laboratory”. This chapter describes how to create a secure virtual environment in which you can legally implement the practical examples developed for each chapter. The chapter also provides detailed instructions for setting up virtual machines such as Metasploitable 2 and Metasploitable 3, which will be used as target machines in penetration experiments (pentests).



Chapter 3, Penetration Testing Methodology. Various test methodologies are presented here to plan and determine the extent of pentests. You will also find a description of practical steps and technologies for penetration testing.



Chapter 4, “Obtaining the fingerprint and collecting information.” In the first phase of penetration testing, several common tools used for intelligence are used, including hacking the Google database. In this publication, you will find new information on tools for automatically collecting information such as Devploit, RedHawk and Shodan.



Chapter 5, Scanning and Evasion Techniques. This chapter describes how to use the powerful Nmap tool to discover targets, nodes and services. With Netdiscover and Striker, automated scanning and collection of information is performed. In addition, this chapter discusses a tool like Nipe, which provides users with privacy and anonymity.



Chapter 6, Vulnerability Scan. Here, practical examples show how to find vulnerabilities in the target machine. It provides step-by-step instructions for using such powerful automated tools for vulnerability assessment as Nessus 7 and OpenVAS. You will find new information about the Lynis Linux tool for scanning and checking vulnerabilities, and the SPARTA tool, whose purpose is to evaluate and list vulnerabilities. The work of all instruments is carried out in a testing laboratory, and it is guaranteed that real-type evaluations are accurately modeled.



Chapter 7, Social Engineering. It discusses the basic principles and methods used by professional social engineers to manipulate people so that they divulge information or perform other actions.



Chapter 8 “Targeted Operation”. In this chapter, you will apply methods and tools to operate computer systems (exploits). Exploits exploit vulnerabilities and flaws in systems, which allows the user to gain access to the system.



Chapter 9, “Privilege escalation and maintaining access.” Here you will learn how to increase access level and hack other accounts in the system. Hacked accounts will be used to maintain access to the system and gain further access to the network.



Chapter 10, Testing Web Applications. In this chapter, we will look at a few basic tools for testing web applications, as well as cloud applications, since they are based on the same protocols and use many of the same platforms.



Chapter 11, “Testing Wireless Networks for Penetration.” This chapter discusses the configuration of tools designed to capture the data necessary for hacking wireless networks and gaining access to them, including setting up fake access points.



Chapter 12 “Mobile Penetration Testing with Kali NetHunter.” This chapter presents a practical approach to penetration testing using mobile devices. The installation and configuration of the necessary applications is described in detail, as well as the process of scanning and evaluating vulnerabilities, man-in-the-middle attacks and wireless attacks that can be carried out by mobile applications is demonstrated.



Chapter 13, “PCI DSS: Scanning and Penetration Testing.” A standard is introduced here, six tasks and 12 requirements are described, and an overview penetration test is given. The emphasis is on PCI DSS versions 11.3.1 and 11.3.2.



Chapter 14, Penetration Testing Reporting Tools. Various types of reports and procedures that are conducted at the end of testing are discussed, and the use of the Dradis platform for organizing and fully documenting a penetration test is demonstrated.

Excerpt. Penetration Testing Methodology

One of the most important factors affecting the success of a penetration test is the standard test methodology. The lack of standard methods for conducting a penetration test means the lack of uniformity. We are sure that you do not want to be a tester, conducting a haphazard test, using one or the other tool and not having an idea of ​​what results this test should bring.



A methodology is a set of standard rules, practical actions and procedures that are implemented when working with any program designed to verify information security. The penetration testing methodology primarily determines the test plan. This plan provides not only the goals of testing, but also the actions that must be performed to assess the true state of security of the network, applications, system, or any combination thereof.



The tester is required to have practical testing skills. He must own the tools with which the test is conducted. Only a well-defined penetration test methodology, theoretical knowledge and practical skills of the tester will allow a complete and reliable penetration test. But at the same time, the methodology should not prevent the tester from analyzing his guesses.

Penetration Testing Methodology

To determine which test you will need to do now, you need to know which tests exist, in which areas and for what purposes they are used. All tests can be divided into three groups.

• The methods of the "white box". In this group of tests, the tester knows the system under test well and has full access to all its components. Testers work with a client and have access to proprietary information, servers, running software, network diagrams, and sometimes even credentials. This type of test is usually carried out to test new applications before putting them into operation, as well as to regularly check the system as part of its life cycle - Systems Development Life Cycle (SDLC). Such activities can identify and eliminate vulnerabilities before they can get into the system and harm it.
• The methods of the "black box". This group of tests is applicable when the tester does not know anything about the system under test. This type of testing is most similar to a real attacker attack. The tester must obtain all the information by creatively applying the methods and tools at his disposal, but without going beyond the agreement concluded with the client. But this method has its drawbacks: although it imitates a real attack on a system or application, a tester, using only it, can skip some vulnerabilities. This is a very expensive test because it takes a lot of time. Performing it, the tester will study all possible directions of attack and only after that will report the results. In addition, in order not to damage the system under test and not cause a malfunction, the tester must be very careful.
• The methods of the "gray box". The test takes into account all the advantages and disadvantages of the first two tests. In this case, only limited information is available to the tester, allowing an external attack on the system. Tests are usually performed to a limited extent when the tester knows a little about the system.

To ensure the best test results, regardless of the penetration tests used, the tester must adhere to the test methodology. Next, we will discuss in more detail some of the most popular standard test methods.

• OWASP Testing Guide.
• PCI Penetration Testing Guide.
• Penetration testing standard.
• NIST 800-115.
• Open Source Security Testing Methodology Guide (OSSTMM).

OWASP Testing Guide

Open Web Application Security Project (OWASP) - This project brings together open source software developers. People in this community create programs to protect web applications and web services. All applications are created taking into account the experience of dealing with programs that harm web services and web applications. OWASP is the starting point for system architects, developers, suppliers, consumers and security professionals, that is, all professionals who are involved in the design, development, deployment and security testing of all web services and web applications. In other words, OWASP is committed to helping create more secure web applications and web services. The main advantage of the OWASP testing guide is that you can get a comprehensive description of all threats from the test results presented. The OWASP Testing Guide identifies all hazards that may affect the operation of both the system and applications, and assesses the likelihood of their occurrence. Using the threats described in OWASP, you can determine the overall assessment of the risks identified by testing and develop appropriate recommendations to address the shortcomings.



The OWASP Testing Guide focuses primarily on the following issues.

• Methods and tools for testing web applications.
• Collection of information.
• Authentication.
• Testing business logic.
• Test data.
• Denial of service attacks testing.
• Verification of session management.
• Testing web services.
• AJAX test.
• Determining the degree of risk.
• The likelihood of threats.

PCI Penetration Testing Guide

Here are the guidelines for companies that meet PCI requirements (Payment Card Industry). Moreover, in the manual you will find standards not only for the PCI v3.2 standard. It was created by the PCI Security Council, which defines penetration testing methods as part of vulnerability management programs.



The PCI Data Security Standard (PCI DSS) Version 3.2 was released in April 2016 by the Payment Card Industry Security Standards Board (PCI SSC). After updating the standard, the requirements were clarified, additional instructions and seven new requirements appeared.



In order to eliminate problems related to violations of the confidentiality of personal data of cardholders, as well as to protect against existing exploits, various changes were introduced into the PCI DSS V. 3.2 standard, most of which are related to service providers. New changes to penetration testing were added to these changes, according to which segmentation testing for service providers was performed at least every six months or after any significant changes in the controls / methods of segmentation. In addition, this standard contains several requirements that require service providers to continuously monitor and maintain critical security management elements throughout the year.

Standard Penetration Testing

The penetration testing standard consists of seven main sections. They cover all the requirements, conditions and methods of conducting penetration tests: from intelligence to attempts to conduct pentests; stages of information collection and threat modeling, when, in order to achieve the best verification results, testers work incognito; stages of vulnerability research, exploitation and post-exploitation, when practical knowledge of security testers is combined with data obtained during penetration tests; and as a final stage - reporting, in which all information is provided in a form understandable to the client.



Today is the first version in which all standard elements are tested in real conditions and approved. The second version is under development. In it, all requirements will be detailed, refined and improved. Since each penetration test plan is developed individually, various tests can be applied in it: from testing web applications to conducting tests intended for black-box testing. Using this plan, you can immediately determine the expected level of complexity of a particular study and apply it in the volumes and areas that are necessary, according to the organization. Preliminary research results can be seen in the section responsible for intelligence gathering.



The main sections of the standard we are considering are listed below as a basis for performing penetration tests.

• Preliminary agreement for interaction.
• Intelligence gathering.
• Threat Modeling.
• Vulnerability analysis.
• Exploitation.
• Post-exploitation.
• Compilation of a report.

NIST 800-115

A special publication of the National Institute of Standards and Technology Special Publication, NIST SP 800-115, is a technical guide for testing and evaluating information security. The publication was prepared by the Information Technology Laboratory (ITL) at NIST.



In the manual, security assessment is interpreted as a process of determining how effectively the organization being evaluated meets specific security requirements. When viewing the manual, you will see that it contains a large amount of information for testing. Although the document is rarely updated, it is not outdated and can serve as a reference for building a testing methodology.



This handbook provides practical guidance on the development, implementation, and maintenance of technical information, safety tests, and examination processes and procedures, covering a key element or technical safety and examination testing. These recommendations can be used for several practical tasks. For example, searching for vulnerabilities in a system or network and verifying compliance with a policy or other requirements.



NIST 800-115 provides a large penetration test plan. It makes sure that the penetration testing program is as recommended.



Open Source Security Testing Methodology Guide

OSSTMM is a document that is quite difficult to read and understand. But it contains a large amount of relevant and very detailed safety information. It is also the best-known security guide on the planet with approximately half a million downloads per month. The reason for this popularity is this: these instructions are about a decade ahead of all other documents in the security industry. OSSTMM's goal is to develop Internet security verification standards. This document is intended to form the most detailed basic plan for testing, which, in turn, will provide a thorough and comprehensive penetration test. Regardless of other organizational features, such as the corporate profile of a penetration testing service provider, this test will allow the customer to verify the level of technical assessment.

Framework: general penetration testing

Despite the fact that the standards differ in the number of conditions, penetration testing can be divided into the following stages.



1. Intelligence.



2. Scanning and listing.



3. Getting access.



4. Privilege escalation.



5. Maintain access.



6. Sweeping tracks.



7. Reporting.



Let's consider each stage in more detail.

Intelligence service

This is the first and very important step in a penetration test. It can take a lot of time. Many testers divide this stage into two parts: active and passive intelligence. I prefer to combine these two stages, as the results will speak for themselves.



Intelligence (reconnaissance) is a systematic approach when you try to locate and collect as much information as possible about the target system or machine. This is also called trace collection.



The following methods can be used to carry out this process (in fact, the list of methods can be much wider).

• Social engineering (this is an exciting method).
• Research on the Internet (using search engines Google, Bing, LinkedIn, etc.).
• Traveling through trash cans (you can get your hands dirty).
• Cold calls.

You can choose any of the listed methods to obtain information about the target system or machine. But what do we still need to know at this stage?



Of course, every bit of information can be useful to us. But we must have a priority goal. Please note that the collected data, which at the current stage may seem unnecessary, may come in handy later.



At first, the following information will be very important for us.

• Names of contacts in the organization.
• Where is the organization located (if such data is available).
• Email addresses (this data can be used later for phishing, that is, the collection of confidential data).
• Phone numbers of important people working in this company (useful for phishing).
• Operating systems used by the company, such as Windows or Linux.
• Job advertisements.
• Summary of employees (past and present).

At first glance, all this data seems useful (unless confusing job ads). But suppose you are meeting a system administrator. Knowing the basic requirements, you can get a lot of information about the organization’s internal system. This can be used to develop an attack direction.



For the same purposes, and serve as a summary of employees. Knowing what people can do, it is easy to determine which systems they work with and which are not available to them.



This may seem tedious to you. But keep in mind: the more information you collect, the more opportunities you will have to make decisions now and later.



We believe that intelligence should be resorted to throughout the interaction.



»More details on the book can be found on the publisher’s website

» Contents

» Excerpt



25% off coupon for hawkers - Kali Linux

Upon payment of the paper version of the book, an electronic book is sent by e-mail.