Kali Linux Intrusion and Exploitation Cookbook
Ebook, 829 pages, 4 hours


About This Book
  • Set up a penetration testing lab to conduct a preliminary assessment of attack surfaces and run exploits
  • Improve your testing efficiency with the use of automated vulnerability scanners
  • Work through step-by-step recipes to detect a wide array of vulnerabilities, exploit them to analyze their consequences, and identify security anomalies
Who This Book Is For

This book is intended for those who want to know more about information security. In particular, it is ideal for system administrators and system architects who want to ensure that the infrastructure and systems they are creating and managing are secure. This book helps both beginners and intermediate readers by serving as a reference book and as a source of in-depth knowledge.

Language: English
Release date: Apr 21, 2017
ISBN: 9781783982172
    Kali Linux Intrusion and Exploitation Cookbook

    Over 70 recipes for system administrators or DevOps to master Kali Linux 2 and perform effective security assessments

    Dhruv Shah

    Ishan Girdhar

       BIRMINGHAM - MUMBAI

    Kali Linux Intrusion and Exploitation Cookbook

    Copyright © 2017 Packt Publishing

    All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, without the prior written permission of the publisher, except in the case of brief quotations embedded in critical articles or reviews.

    Every effort has been made in the preparation of this book to ensure the accuracy of the information presented. However, the information contained in this book is sold without warranty, either express or implied. Neither the authors, nor Packt Publishing, and its dealers and distributors will be held liable for any damages caused or alleged to be caused directly or indirectly by this book.

    Packt Publishing has endeavored to provide trademark information about all of the companies and products mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee the accuracy of this information.

    First published: April 2017

    Production reference: 1140417

    Published by Packt Publishing Ltd.

    Livery Place

    35 Livery Street

    Birmingham 

    B3 2PB, UK.

    ISBN 978-1-78398-216-5

    www.packtpub.com

    Credits

    About the Authors

    Dhruv Shah is an information security consultant and security researcher. He started his career as an information security trainer and later moved to consulting. He has a great passion for security. He has been working in the security industry for nearly 7 years. Over this period, he has performed network security assessments, web application assessments, and mobile application assessments for various private and public organizations, as well as private sector banks.

    He runs the security-geek.in website, a popular resource of security guides, cheat sheets, and walkthroughs for vulnerable machines from VulnHub. He holds a Master of Science in Information Technology (MSc IT) degree from Mumbai University. His certifications include CEH, CISE, and ECSA.

    Outside of work, he can be found gaming on Steam, playing CS GO and Rocket League.

    I'd like to extend my thanks to Rohit Kumar Singh for giving me the opportunity to get involved in this book. I'd like to thank Ishan Girdhar for having me on board to co-author this book. I'd like to thank my parents for providing a core set of values that guide me through the roughest days; my brother, Harshit Shah, for always being there for me; and, especially, my girlfriend, Tusharika Agrawal, for her support, encouragement, and, most importantly, motivation throughout the writing of this book.

    Also, I'd like to give a final thank you to all of my friends, family, and colleagues who have supported me over the years.

    Ishan Girdhar is a senior pentester and DevSecOps engineer. With over 7 years of work experience, he has been actively involved in building application security and bug bounty programs in his current and previous roles, helping businesses and organizations to be more secure and aware. He is currently working with Southeast Asia's biggest ride-hailing platform, Grab. Previously, he has worked with organizations such as InMobi and one of the biggest Internet payment companies, PayPal. He holds bachelor's and master's degrees in computer science and has the MCP, CCNA, RHCE, and OSCP certifications. He has also conducted various training sessions on Red Hat Linux and on web application and network security. He loves to share his work with the InfoSec and developer community through public speaking and open source projects. He loves to code in Python.

    In his spare time, he prefers reading, scripting, tweeting (@ishangirdhar), and writing articles on his blog (www.securityninja.io), which aims at sharing knowledge and encouraging budding enthusiasts. You can check out some of his open source projects at github.com/ishangirdhar. He was a part of NullCon (Goa 2012, 2013, 2014, and 2015) and has been actively engaged in Null Meets (the Delhi, Bangalore, and Singapore chapters).

    First and foremost, I would like to thank the supreme almighty (Raj ji) for constantly bestowing some of his kindest blessings on me. I would like to thank my parents, Asha Girdhar and Narender Girdhar, for all of the sacrifices they made to give me the life I am living today. I dedicate this book to my wife, for all her support and unconditional love, and for her sacrifice of the time I spent working on this book, which I should ideally have spent with her. I would like to thank Vinay Argekar for approaching me for this project and Rohit Kumar Singh for being so patient and helpful, and for his continuous follow-up to make this book a reality. I would also like to thank Dhruv Shah for working with me as a coauthor and Akash Mahajan and Nishant Das Pattanayak for sharing their super helpful and honest reviews.

    About the Reviewers

    Akash Mahajan is an accomplished security professional with over a decade's experience of providing specialist application and infrastructure consulting services at the highest levels to companies, governments, and organizations around the world.

    He has extensive experience of working with clients to provide cutting-edge security insight that truly reflects the commercial and operational needs of the organization, ranging from strategic advice, testing, and analysis to incident response and recovery.

    He is an active participant in the international security community and a conference speaker, both individually and as chapter lead of the Bangalore chapter of OWASP (the global organization responsible for defining the standards for web application security), and as a co-founder of NULL, India's largest open security community.

    He is the author of Burp Suite Essentials, by Packt, and also a technical reviewer for Mobile Application Penetration Testing.

    Thank you, Izzat, for making the job of technical reviewing as smooth as it can be.

    Nishant Das Patnaik is an experienced application security and DevSecOps engineer. He is currently working as an application security engineer at eBay Bangalore. In the past, he has worked as an application security researcher at InMobi and as a senior paranoid at Yahoo!. He loves to share his work with the InfoSec and developer community through public speaking and open source projects. He has been a presenter at Black Hat Europe 2016, Black Hat USA 2016, Black Hat USA 2013, and Nullcon 2012. He loves to code in Python, Node.js, and PHP. He has authored a book, Software Hacking, published by Vikas Publishing, and he is also the technical reviewer of a book, iOS Penetration Testing: A Definitive Guide to iOS Security, published by Apress Inc. When he is not working, you can either find him playing the piano or experimenting in the kitchen. You may reach out to him on Twitter at @dpnishant and check out some of his open source projects at github.com/dpnishant.

    I would like to thank my parents, Manoj Das Pattanaik and Ipsita Das Pattanaik, for all of their sacrifices to give me better opportunities in life, and my sister, Sulagna, without whose support, love, and blessings I would not have been able to achieve what I have today. I would also like to thank all of my really close friends, Diwakar Kumar Dinkar, Abhilash Sahoo, Piyush Pattanayak, Vivek Singh Yadav, Somasish Sahoo, and my colleagues at eBay and Yahoo!, who have always been a constant source of support and encouragement. I would like to thank Izzat Contractor from Packt Publishing Limited, and Ishan Girdhar, for giving me this great opportunity to work with them. Last but not least, I would like to thank the Supreme Almighty for constantly bestowing some of his kindest blessings on me.

    Sreenath Sasikumar is the CEO of MashupAcademy, a full-stack educational startup, and also a web security consultant. He also works with Kerala Police Cyberdome as a deputy commander and is a board member of OWASP Kerala. He loves open source and has created eight Mozilla add-ons, including Clear Console, a featured add-on that was selected among the best Firefox add-ons of 2013. He has created the world's first-of-its-kind hacking browser, PenQ. He works as a start-up mentor to technology firms and student start-ups. He is also a co-organizer of and speaker at Google Developer Group, Trivandrum.

    Bhargav Tandel has over 5 years of experience in information security with companies such as Reliance Jio, Vodafone, and Wipro. His core expertise and passions are vulnerability assessment, penetration testing, ethical hacking, information security, and system administration. He is currently pursuing the OSCP certification. He has the ability to solve complex problems involving a wide variety of information systems, work independently on large-scale projects, and thrive under pressure in fast-paced environments while directing multiple projects from concept to implementation.

    You can connect with him on LinkedIn at https://www.linkedin.com/in/bhargav-tandel-aa046646 or e-mail him at er.bhargav18@gmail.com. You can also subscribe to his YouTube channel, www.youtube.com/bhargavtandel.

    I would like to dedicate this book to my family and friends, who have always stood by me: Jigar Tank (www.hupp.in) and Utkarsh Bhatt, my friends, who have always been there for me, and my sir, Rakesh Dwivedi, who gave me the reason to continue learning and growing. My extended family of friends, new and old, makes life more exciting, and they are far too many to list.

    Above all, I'd like to thank my parents and my love, Urvashi, for always being there and inspiring me to never back down.

    Thank you, all!

    www.PacktPub.com

    For support files and downloads related to your book, please visit www.PacktPub.com.

    Did you know that Packt offers eBook versions of every book published, with PDF and ePub files available? You can upgrade to the eBook version at www.PacktPub.com and, as a print book customer, you are entitled to a discount on the eBook copy. Get in touch with us at service@packtpub.com for more details.

    At www.PacktPub.com, you can also read a collection of free technical articles, sign up for a range of free newsletters and receive exclusive discounts and offers on Packt books and eBooks.

    https://www.packtpub.com/mapt

    Get the most in-demand software skills with Mapt. Mapt gives you full access to all Packt books and video courses, as well as industry-leading tools to help you plan your personal development and advance your career.

    Why subscribe?

    Fully searchable across every book published by Packt

    Copy and paste, print, and bookmark content

    On demand and accessible via a web browser

    Customer Feedback

    Thanks for purchasing this Packt book. At Packt, quality is at the heart of our editorial process. To help us improve, please leave us an honest review on this book's Amazon page at https://goo.gl/QcxheF.

    If you'd like to join our team of regular reviewers, you can e-mail us at customerreviews@packtpub.com. We award our regular reviewers with free eBooks and videos in exchange for their valuable feedback. Help us be relentless in improving our products!

    Table of Contents

    Preface

    What this book covers

    What you need for this book

    Who this book is for

    Sections

    Getting ready

    How to do it…

    How it works…

    There's more…

    See also

    Conventions

    Reader feedback

    Customer support

    Errata

    Piracy

    Questions

    Getting Started - Setting Up an Environment

    Introduction

    Installing Kali Linux on Cloud - Amazon AWS

    Getting ready

    How to do it...

    How it works...

    There's more...

    Installing Kali Linux on Docker

    Getting ready

    How to do it...

    How it works...

    There's more...

    Installing NetHunter on OnePlus One

    Getting ready

    How to do it...

    How it works...

    There's more...

    Installing Kali Linux on a virtual machine

    Getting ready

    How to do it...

    How it works...

    Customizing Kali Linux for faster package updates

    Getting ready

    How to do it...

    How it works...

    Customizing Kali Linux for faster operations

    Getting ready

    How to do it...

    How it works...

    Configuring remote connectivity services - HTTP, TFTP, and SSH

    Getting ready

    How to do it...

    How it works...

    Configuring Nessus and Metasploit

    Getting ready

    How to do it...

    How it works...

    There's more...

    Configuring third-party tools

    Getting ready

    How to do it...

    How it works...

    Installing Docker on Kali Linux

    Getting ready

    How to do it...

    How it works...

    Network Information Gathering

    Introduction

    Discovering live servers over the network

    Getting ready

    How to do it...

    How it works...

    There's more...

    See also

    Bypassing IDS/IPS/firewall

    Getting ready

    How to do it...

    How it works...

    There's more...

    Discovering ports over the network

    Getting ready

    How to do it...

    How it works...

    There's more...

    See also

    Using unicornscan for faster port scanning

    Getting ready

    How to do it...

    How it works...

    There's more...

    Service fingerprinting

    Getting ready

    How to do it...

    How it works...

    There's more...

    Determining the OS using nmap and xprobe2

    Getting ready

    How to do it...

    How it works...

    There's more...

    Service enumeration

    Getting ready

    How to do it...

    How it works...

    There's more...

    Open-source information gathering

    Getting ready

    How to do it...

    How it works...

    There's more...

    Network Vulnerability Assessment

    Introduction

    Using nmap for manual vulnerability assessment

    Getting ready

    How to do it...

    How it works...

    There's more...

    See also...

    Integrating nmap with Metasploit

    Getting ready

    How to do it...

    How it works...

    There's more...

    Walkthrough of Metasploitable assessment with Metasploit

    Getting ready...

    How to do it...

    How it works...

    There's more...

    See also...

    Vulnerability assessment with OpenVAS framework

    Getting ready

    How to do it...

    How it works...

    There's more...

    PTES

    OWASP

    Web Application Hacker's Methodology

    See also...

    Network Exploitation

    Introduction

    Gathering information for credential cracking

    Getting ready

    How to do it...

    Cracking FTP login using custom wordlist

    Getting ready

    How to do it...

    How it works...

    There's more...

    Cracking SSH login using custom wordlist

    Getting ready

    How to do it...

    How it works...

    There's more...

    Cracking HTTP logins using custom wordlist

    Getting ready

    How to do it...

    How it works...

    There's more...

    Cracking MySql and PostgreSQL login using custom wordlist

    Getting ready

    How to do it...

    How it works...

    There's more...

    Cracking Cisco login using custom wordlist

    Getting ready

    How to do it...

    How it works...

    There's more...

    Exploiting vulnerable services (Unix)

    Getting ready

    How to do it...

    How it works...

    There's more...

    Exploiting vulnerable services (Windows)

    Getting ready

    How to do it...

    How it works...

    There's more...

    Exploiting services using exploit-db scripts

    Getting ready

    How to do it...

    How it works...

    There's more...

    Web Application Information Gathering

    Introduction

    Setting up API keys for recon-ng

    Getting ready

    How to do it...

    How it works...

    Using recon-ng for reconnaissance

    Getting ready

    How to do it...

    Gathering information using theharvester

    Getting ready

    How to do it...

    How it works...

    Using DNS protocol for information gathering

    Getting ready

    How to do it...

    How it works...

    There's more...

    Web application firewall detection

    Getting ready

    How to do it...

    How it works...

    HTTP and DNS load balancer detection

    Getting ready

    How to do it...

    How it works...

    Discovering hidden files/directories using DirBuster

    Getting ready

    How to do it...

    How it works...

    CMS and plugins detection using WhatWeb and p0f

    Getting ready

    How to do it...

    How it works...

    There's more...

    Finding SSL cipher vulnerabilities

    Getting ready

    How to do it...

    How it works...

    Web Application Vulnerability Assessment

    Introduction

    Running vulnerable web applications in Docker

    Getting ready

    How to do it...

    How it works...

    Using W3af for vulnerability assessment

    Getting ready

    How to do it...

    How it works...

    Using Nikto for web server assessment

    Getting ready

    How to do it...

    How it works...

    Using Skipfish for vulnerability assessment

    Getting ready

    How it works...

    Using Burp Proxy to intercept HTTP traffic

    Getting ready

    How to do it...

    How it works...

    Using Burp Intruder for customized attack automation

    Getting ready

    How to do it...

    How it works...

    Using Burp Sequencer to test the session randomness

    Getting ready

    How to do it...

    How it works...

    Web Application Exploitation

    Introduction

    Using Burp for active/passive scanning

    Getting ready

    How to do it...

    How it works...

    Using sqlmap to find SQL Injection on the login page

    Getting ready

    How to do it...

    How it works...

    Exploiting SQL Injection on URL parameters using SQL Injection

    Getting ready

    How to do it...

    How it works...

    Getting ready

    How to do it...

    How it works...

    Using Weevely for file upload vulnerability

    Getting ready

    How to do it...

    How it works...

    Exploiting Shellshock using Burp

    Getting ready

    How to do it...

    How it works...

    Using Metasploit to exploit Heartbleed

    Getting ready

    How to do it...

    How it works...

    Using the FIMAP tool for file inclusion attacks (RFI/LFI)

    Getting ready

    How to do it...

    How it works...

    System and Password Exploitation

    Introduction

    Using local password-attack tools

    Getting ready

    How to do it...

    How it works...

    There's more...

    Cracking password hashes

    Getting ready

    How to do it...

    How it works...

    There's more...

    Using Social-Engineering Toolkit

    Getting ready

    How to do it...

    How it works...

    There's more...

    Using BeEF for browser exploitation

    Getting ready

    How to do it...

    How it works...

    There's more...

    Cracking NTLM hashes using rainbow tables

    Getting ready

    How to do it...

    How it works...

    There's more...

    Privilege Escalation and Exploitation

    Introduction

    Using WMIC to find privilege-escalation vulnerabilities

    Getting ready

    How to do it...

    How it works...

    There's more...

    Sensitive-information gathering

    Getting ready

    How to do it...

    There's more...

    Unquoted service-path exploitation

    Getting ready

    How to do it...

    How it works...

    There's more...

    See also...

    Service permission issues

    Getting ready

    How to do it...

    How it works...

    There's more...

    Misconfigured software installations/insecure file permissions

    Getting ready

    How to do it...

    How it works...

    There's more...

    See also...

    Linux privilege escalation

    Getting ready

    How to do it...

    How it works...

    There's more...

    See also...

    Wireless Exploitation

    Introduction

    Setting up a wireless network

    Getting ready

    How to do it...

    Bypassing MAC address filtering

    Getting ready

    How to do it...

    There's more...

    Sniffing network traffic

    Getting ready

    How to do it...

    How it works...

    There's more...

    Cracking WEP encryption

    Getting ready

    How to do it...

    How it works...

    There's more...

    Cracking WPA/WPA2 encryption

    Getting ready

    How to do it...

    How it works...

    There's more...

    Cracking WPS

    Getting ready

    How to do it...

    How it works...

    There's more...

    Denial-of-service attacks

    Getting ready

    How to do it...

    How it works...

    There's more...

    Pen Testing 101 Basics

    Introduction

    What is penetration testing?

    What is vulnerability assessment

    Penetration testing versus vulnerability assessment

    Objectives of penetration testing

    Types of penetration testing

    Black box

    White box

    Gray box

    Who should be doing penetration testing?

    What is the goal here?

    General penetration testing phases

    Gathering requirements

    Preparing and planning

    Defining scope

    Conducting a penetration test

    Categorization of vulnerabilities

    Asset risk rating

    Reporting

    Conclusion

    Preface

    This book reveals the best methodologies and techniques for a penetration testing process with the help of Kali Linux. It is a valuable addition for network system admins, helping them understand the entire security testing methodology. This will help protect them from day-to-day attacks by allowing them to find and patch vulnerabilities beforehand. As penetration testing in corporate environments usually happens on an annual basis, this will assist admins in proactively protecting their network on a regular basis.

    This book covers recipes to get you started with security testing and performing your own security assessment in the corporate network or the server being tested. By the end of this book, you will have developed a greater skill set and knowledge of a complete penetration testing scenario, and you will be able to perform a successful penetration test of any network.

    Kali Linux is an advanced OS with advanced tools that will help identify, detect, and exploit vulnerabilities. It is considered a one-stop OS for successful security testing.

    What this book covers

    Chapter 1, Getting Started - Setting Up an Environment, teaches you how to install Kali Linux and Kali products on your system, Amazon Cloud, mobile device, and Docker. This chapter helps you get familiarized with the installation of Kali Linux on whichever platform is most convenient, along with the installation of multiple third-party tools.

    Chapter 2, Network Information Gathering, covers discovering servers and open ports over the network. You will also learn to probe services and grab banners, and different ways to scan the network, including IDS/IPS/firewall bypass.

    Chapter 3, Network Vulnerability Assessment, shows you how to use certain Kali tools for vulnerability assessment. You will learn about vulnerability assessment by testing one of the vulnerable machines as a part of the learning process. You will also learn to use advanced tools to perform assessment.

    Chapter 4, Network Exploitation, covers multiple techniques to break into network services such as FTP, HTTP, SSH, and SQL. Additionally, you will learn how to exploit vulnerable services on Linux and Windows machines.

    Chapter 5, Web
