Mastering Kali Linux for Advanced Penetration Testing - Second Edition
eBook - ePub

  1. 510 pages
  2. English
  3. ePUB (mobile friendly)
  4. Available on iOS & Android
About this book

A practical guide to testing your network's security with Kali Linux, the preferred choice of penetration testers and hackers.

About This Book
  • Employ advanced pentesting techniques with Kali Linux to build highly secured systems
  • Get to grips with various stealth techniques to remain undetected and defeat the latest defenses, following proven approaches
  • Select and configure the most effective tools from Kali Linux to test network security, prepare your business against malicious threats, and save costs

Who This Book Is For
Penetration testers, IT professionals, and security consultants who want to maximize the success of their network testing using some of the advanced features of Kali Linux. Some prior exposure to the basics of penetration testing/ethical hacking will help you get the most out of this title.

What You Will Learn
  • Select and configure the most effective tools from Kali Linux to test network security
  • Employ stealth to avoid detection in the network being tested
  • Recognize when stealth attacks are being used against your network
  • Exploit networks and data systems using wired and wireless networks as well as web services
  • Identify and download valuable data from target systems
  • Maintain access to compromised systems
  • Use social engineering to compromise the weakest part of the network: the end users

In Detail
This book will take you, as a tester or security practitioner, through the journey of reconnaissance, vulnerability assessment, exploitation, and post-exploitation activities used by penetration testers and hackers. We will start off by using a laboratory environment to validate tools and techniques, and by using an application that supports a collaborative approach to penetration testing. Further, we will get acquainted with passive reconnaissance using open source intelligence, and with active reconnaissance of external and internal networks.
We will also focus on how to select, use, customize, and interpret the results from a variety of vulnerability scanners. Specific routes to the target will also be examined, including bypassing physical security and exfiltrating data using different techniques. You will also get to grips with social engineering, attacking wireless networks, and exploiting web applications and remote access connections. Later you will learn the practical aspects of attacking user client systems by backdooring executable files. You will focus on the most vulnerable part of the network, the end user, both directly and by bypassing the controls, and on maintaining persistent access through social media. You will also explore approaches to carrying out advanced penetration testing in tightly secured environments, and the book's hands-on approach will help you understand everything you need to know during a red teaming exercise or penetration test.

Style and approach
An advanced-level tutorial that follows a practical approach and proven methods to maintain top-notch security of your networks.


Active Reconnaissance of External and Internal Networks

The main goal of the active reconnaissance phase is to collect and weaponize as much information about the target as possible in order to facilitate the exploitation phase of the kill-chain methodology.
We have seen how to perform passive reconnaissance using OSINT, which is almost undetectable, and can yield a significant amount of information about the target organization and its users.
Active reconnaissance builds on the results of OSINT and passive reconnaissance, and emphasizes more focused probes to identify the path to the target and the exposed attack surface of the target. In general, complex systems have a greater attack surface, and each surface may be exploited and then leveraged to support additional attacks.
Although active reconnaissance produces more useful information, interactions with the target system may be logged, triggering alarms by protective devices, such as firewalls, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS).
As the usefulness of the data to the attacker increases, so does the risk of detection; this is shown in the following diagram:
To improve the effectiveness of active reconnaissance in providing detailed information, our focus will be on using stealthy, or difficult to detect, techniques.
In this chapter, you will learn about the following topics:
  • Stealth scanning strategies
  • External and internal infrastructure, host discovery, and enumeration
  • The comprehensive reconnaissance of applications, especially using recon-ng
  • The enumeration of internal hosts using DHCP
  • Useful Microsoft Windows commands for penetration testing
  • Taking advantage of default configurations

Stealth scanning strategies

The greatest risk involved in active reconnaissance is being discovered by the target. Using the tester's time and date stamps, the source IP address, and additional information, the target can identify the source of the incoming reconnaissance. Therefore, stealth techniques are employed to minimize the chances of being detected.
When employing stealth to support reconnaissance, a tester mimicking the actions of a hacker will do the following:
  • Camouflage tool signatures to avoid detection or triggering an alarm
  • Hide the attack within legitimate traffic
  • Modify the attack to hide the source and type of traffic
  • Make the attack invisible using nonstandard traffic types or encryption
Stealth scanning techniques can include some or all of the following:
  • Adjusting the source IP stack and tool identification settings
  • Modifying packet parameters (nmap)
  • Using proxies with anonymity networks (ProxyChains and the Tor network)

Adjusting the source IP stack and tool identification settings

Before a penetration tester (or an attacker) begins testing, they must ensure that all unnecessary services on Kali are disabled or turned off.
For example, if a local DHCP daemon is enabled but not required, it may broadcast on the target network and interact with the target's systems; that traffic can be logged and raise alarms for the target's administrators.
Some commercial and open source tools (for example, the Metasploit framework) tag their packets with an identifying sequence. Although this can be useful in the post-test analysis of a system's event logs (where events initiated by a particular testing tool can be directly compared to a system's event logs to determine how the network detected and responded to the attack), it can also trigger certain intrusion detection systems. Test your tools against a lab system to determine the packets that are tagged, and either change the tag, or use the tool with caution.
The easiest way to identify tagging is to apply the tool against a newly-created virtual image as the target, and review system logs for the tool's name. In addition, use Wireshark to capture traffic between the attacker's and target's virtual machines, and then search the packet capture (pcap) files for any keywords that can be attributed to the testing tool (the name of the tool, the vendor, the license number, and so on).
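To make the keyword check concrete, here is an added Python example (not code from the book) that walks a classic pcap file and reports every packet whose raw bytes contain a tool-identifying string. The keyword list and the three sample HTTP requests are constructed for illustration; the "MetasploitFuzz" user agent and the "nmap_probe" parameter are invented markers, not real tool signatures.

```python
"""Search a classic pcap capture for tool-identifying strings.

Added example: runs the keyword check over raw packet bytes, so link-layer
framing does not matter. The sample frames below are constructed, not captured.
"""
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4   # microsecond pcap, little-endian header fields
PCAP_MAGIC_BE = 0xD4C3B2A1   # same format written big-endian
LINKTYPE_ETHERNET = 1

# Strings to hunt for. Extend with the vendor, licence number or module names
# of the tool you are validating in the lab (this list is illustrative only).
DEFAULT_KEYWORDS = (b"metasploit", b"msf", b"nmap", b"rapid7", b"nikto", b"sqlmap")


def build_pcap(frames, linktype=LINKTYPE_ETHERNET):
    """Serialise raw frames into an in-memory pcap file (little-endian)."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, linktype))
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def iter_packets(pcap):
    """Yield (index, timestamp, frame_bytes) from a classic pcap buffer."""
    if len(pcap) < 24:
        raise ValueError("buffer shorter than a pcap global header")
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng must be converted first)")
    offset, index = 24, 0
    while offset + 16 <= len(pcap):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(
            endian + "IIII", pcap[offset:offset + 16])
        offset += 16
        frame = pcap[offset:offset + incl_len]
        if len(frame) < incl_len:
            raise ValueError(f"truncated packet record at index {index}")
        offset += incl_len
        yield index, ts_sec + ts_usec / 1e6, frame
        index += 1


def find_tags(pcap, keywords=DEFAULT_KEYWORDS):
    """Return [(packet_index, keyword, byte_offset)] for every case-insensitive hit."""
    hits = []
    for index, _ts, frame in iter_packets(pcap):
        lowered = frame.lower()
        for kw in keywords:
            needle = kw.lower()
            start = 0
            while (pos := lowered.find(needle, start)) != -1:
                hits.append((index, kw.decode(), pos))
                start = pos + 1
    return hits


# Constructed sample traffic: 54 placeholder bytes stand in for Ethernet/IP/TCP
# headers, followed by an HTTP request. Only the second and third carry a tag.
SAMPLE_FRAMES = [
    b"\x00" * 54 + b"GET / HTTP/1.1\r\nHost: lab\r\nUser-Agent: Mozilla/5.0 (compatible; Googlebot/2.1)\r\n\r\n",
    b"\x00" * 54 + b"POST /login HTTP/1.1\r\nHost: lab\r\nUser-Agent: Mozilla/4.0 (compatible; MetasploitFuzz/1.0)\r\n\r\n",
    b"\x00" * 54 + b"POST /login HTTP/1.1\r\nHost: lab\r\n\r\nusername=admin&password=nmap_probe",
]


def main():
    for index, kw, off in find_tags(build_pcap(SAMPLE_FRAMES)):
        print(f"packet {index}: '{kw}' at byte offset {off}")


if __name__ == "__main__":
    main()
```

Wireshark saves in pcapng by default, which this reader deliberately rejects; convert with tshark -F pcap -r capture.pcapng -w capture.pcap (or choose the pcap format in the save dialog) before loading. Searching raw bytes also means TLS traffic will never match, so run the check against a plain-HTTP lab service, or at the server side where the payload is already decrypted.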
The user agent that Metasploit's HTTP modules send is a module option (UserAgent, listed among the advanced options of the HttpClient mixin) and can be changed from the msfconsole prompt. The book demonstrates this with the auxiliary/fuzzers/http/http_form_field module: select it with use auxiliary/fuzzers/http/http_form_field, then set the user-agent option to a new value, as shown in the following screenshot:
In this example, the user agent was set to Googlebot, Google's indexing spider. This is a common automated application that visits and indexes websites, and it rarely attracts attention from website owners. Note, however, that a site can verify a claimed Googlebot by reverse-resolving the source IP address (Google publishes this check), so the disguise only holds against targets that do not verify.
To identify legitimate useragents, refer to the examples at http://www.useragentstring.com/.

Modifying packet parameters

The most common approach to active reconnaissance is to conduct a scan against the target, send defined packets to the target, and then use the returned packets to gain information. The most popular tool for this is Network Mapper (nmap).
To use nmap effectively, it must be run with root-level privileges, because raw-packet scans such as the SYN scan need raw sockets. This is typical of applications that manipulate packets, and it is why Kali (up to release 2019.4) logged in as root by default; releases from 2020.1 onward use an unprivileged user, so prefix nmap with sudo there.
Some stealth techniques to avoid detection and subsequent alarms include the following:
  • Attackers approach the target with a goal in mind and send the minimum number of packets needed to meet that objective. For example, to confirm the presence of a web host you first need to determine whether port 80 (the default for HTTP) or 443 (HTTPS) is open; there is no need to sweep all 65,535 ports.
  • Avoid scans that complete a full TCP connection with the target (nmap's -sT connect scan), because the application on the far end will log the connection. Do not ping the target (-Pn skips host discovery), and prefer half-open SYN scans (-sS) or nonconventional probes such as ACK (-sA), FIN (-sF), NULL (-sN) and Xmas (-sX) scans, which rely on how a TCP stack answers out-of-state packets and slip past some simple filters.
  • Randomize or spoof packet settings, such as the source port, the source IP address, and the MAC address. A fully spoofed source IP never receives the replies, which is why nmap's decoy option (-D) mixes the real address with spoofed ones instead of replacing it.
  • Adjust the timing to slow the arrival of packets at the target site (-T paranoid, --scan-delay).
  • Change the packet size by fragmenting packets (-f) or appending random data (--data-length) to confuse packet inspection devices.
For example, if you want to conduct a stealthy scan and minimize detection, the following nmap command could be used (run as root):
# nmap --spoof-mac Cisco --data-length 24 -T paranoid --max-hostgroup 1 --max-parallelism 10 -Pn -f -D 10.1.20.5,RND:5,ME -v -n -sS -sV -oA /desktop/pentest/nmap/out -p T:1-1024 --randomize-hosts 10.1.1.10 10.1.1.15
Three caveats before copying it: -T paranoid inserts a five-minute delay between probes, so 1,024 ports on two hosts takes days (the explicit --max-parallelism 10 overrides the template's serial probing, but the scan delay still dominates); version detection (-sV) completes real TCP connections from the tester's own address, so the decoys in -D and the fragmentation from -f do not conceal the source during that phase; and --spoof-mac only matters when the target sits on the same layer-2 segment, since the MAC is rewritten at the first router.
The following table explains the previous command in detail:
Command | Rationale
--spoof-mac Cisco | Spoofs the MAC address...
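As an added illustration of the detection side of this timing trade-off (not from the book), the following Python script applies a common port-scan heuristic, counting distinct destination ports per source within a sliding time window, to constructed firewall log lines. A source paced like -T paranoid (one probe every five minutes) never trips a 60-second window, but is obvious to anything that aggregates over an hour or a day. The log format, the addresses and the thresholds are assumptions chosen for the example.

```python
"""Flag slow port scans by aggregating SYN probes per source over a long window.

Added example (not from the book): the log format, addresses and thresholds
are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _synthetic_log():
    """Constructed firewall log lines: '<ISO time> <src> <dst> <dport> <tcp flags>'."""
    lines = []
    t0 = datetime(2024, 1, 1, 0, 0, 0)
    # Scanner timed like nmap -T paranoid: one SYN every five minutes, new port each time.
    for i in range(40):
        t = t0 + timedelta(minutes=5 * i)
        lines.append(f"{t.isoformat()} 203.0.113.7 10.1.1.10 {i + 1} S")
    # Ordinary client that only ever talks to the web ports.
    for i, port in enumerate([80, 443, 80, 80]):
        t = t0 + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()} 10.1.20.5 10.1.1.10 {port} S")
    # An ACK from an established connection must not count as a new probe.
    lines.append(f"{(t0 + timedelta(minutes=1)).isoformat()} 10.1.20.5 10.1.1.10 80 A")
    return lines


SAMPLE_LOG = _synthetic_log()


def parse(lines):
    """Keep only initial SYNs (flags contain S but not A) as (ts, src, dst, dport)."""
    events = []
    for line in lines:
        ts, src, dst, dport, flags = line.split()
        if "S" in flags and "A" not in flags:
            events.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    events.sort()
    return events


def max_distinct_ports(events, window_seconds):
    """For each (src, dst) pair, the largest number of distinct destination ports
    seen in any window of window_seconds that starts at one of its probes."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport in events:
        by_pair[(src, dst)].append((ts, dport))   # events are sorted, so this stays time-ordered
    result = {}
    for pair, probes in by_pair.items():
        best = 0
        for i, (start, _) in enumerate(probes):
            ports = {p for ts, p in probes[i:]
                     if (ts - start).total_seconds() <= window_seconds}
            best = max(best, len(ports))
        result[pair] = best
    return result


def detect_scans(lines, window_seconds, threshold=10):
    """Return sources that touched at least `threshold` distinct ports on one host
    within any window of window_seconds."""
    stats = max_distinct_ports(parse(lines), window_seconds)
    return sorted({src for (src, _dst), count in stats.items() if count >= threshold})


if __name__ == "__main__":
    for label, window in (("60 s", 60), ("1 h", 3600), ("24 h", 86400)):
        print(f"window={label}: flagged={detect_scans(SAMPLE_LOG, window)}")
```

Decoys (-D) are the attacker's counter to this heuristic, because they spread the same probes across several apparent sources and lower every per-source count; defenders answer by keying on the destination rather than the source, which max_distinct_ports could do by grouping on dst alone.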

Table of contents

  1. Title Page
  2. Copyright
  3. Credits
  4. About the Author
  5. About the Reviewer
  6. www.PacktPub.com
  7. Customer Feedback
  8. Preface
  9. Goal-Based Penetration Testing
  10. Open Source Intelligence and Passive Reconnaissance
  11. Active Reconnaissance of External and Internal Networks
  12. Vulnerability Assessment
  13. Physical Security and Social Engineering
  14. Wireless Attacks
  15. Reconnaissance and Exploitation of Web-Based Applications
  16. Attacking Remote Access
  17. Client-Side Exploitation
  18. Bypassing Security Controls
  19. Exploitation
  20. Action on the Objective
  21. Privilege Escalation
  22. Command and Control

Yes, you can access Mastering Kali Linux for Advanced Penetration Testing - Second Edition by Vijay Kumar Velu in PDF and/or ePUB format, as well as other popular books in Computer Science & Computer Networking. We have over one million books available in our catalogue for you to explore.