Cyber Security with Linux

Brandon Cross
10 min read · Jul 14, 2018


Image licensed from Adobe Photo Stock © Bits and Splits

If you are interested in taking a path towards Cyber Security, then learning how to perform penetration testing is often a subject of great interest. There are many books and references on “hacking” out there, but realistically, where can someone start to learn the skills for commercial “pentesting”?

Cyber Security threats are increasing fast, and learning how to respond to them has put many IT providers in a tough spot. Take the Managed IT Services industry for example. Providers who work with small businesses are often ill-equipped to handle the kinds of threats we see coming at us today.

One place to start if you want to learn about Cyber Security and are an IT professional already is with Kali Linux.

Setting Kali up and learning how to use it is a great place to begin. There are lots of resources out there for learning Kali Linux — one of the best places to start is the official book Kali Linux Revealed, which covers a great deal of Linux fundamentals and how to set this platform up.

https://www.kali.org/

With the tools and workbench ready, there are many resources out there that cover the subject. One of the best places to begin is Offensive Security’s free course Metasploit Unleashed. It covers a great deal of ground related to penetration testing in general, and it is also the key resource for Rapid7’s Metasploit tool. The Metasploit platform is a powerful aid for pentesters.

When you’re ready to “go pro” there is a variety of certifications for pentesters. Licensed Penetration Tester from EC-Council is a popular route. GIAC is another popular choice, as it’s backed by SANS. Among the most respected certifications globally are the OSCP and OSCE from Offensive Security.

It just so happens that Offensive Security is the primary backer of Kali Linux.

We really like the Offensive Security slogan “Try Harder”.

Having Kali available is great, but you certainly should not just go out and start attacking things unless you have authorization to do so. Even then, many ISPs monitor traffic, detect things like aggressive port scans or SQL injection attempts, and might ban your IP. Furthermore, remote systems in the cloud might decide that you are a real attacker, and this could also cause problems for everyone.

Many universities and education centers are now offering a “Cyber Range” which you might think of like a “gun range for attack hackers.” These are labs built by professionals and stocked with vulnerable images that can challenge all levels of skill. In San Antonio, UTSA is building a cyber range in their new expansion.

Node, LLC is also building a Cyber Range. Join our Live Stream and watch as we build and attack it. Contact Node if you are interested in building one of these for your corporation or educational institution.

Learn More about Cyber Security in San Antonio and Managed IT Services.

Setting Up Your Pentesting Lab

Building your own lab is “easy” if you are experienced with VMs and networks. The main thing you need is lots of RAM to run multiple virtual machines. You can run your VMs on either VMware Workstation (free) or Oracle VirtualBox (free). We like both platforms but somewhat prefer VirtualBox, as it runs on both Windows and Linux. For maximum compatibility, VMware Workstation is probably a little easier to get up and running, since you can import VirtualBox machines straight into it.

You can set up your lab no matter what OS you run. MacOS, Microsoft Windows and Linux are all quite suitable for this.

First, install VirtualBox or VMware Workstation.

From Ubuntu Linux:

sudo apt-get install virtualbox

Once you have a hypervisor installed, you will probably want to download an official Kali Linux virtual machine from Offensive Security.

Fire it up and update it. The default credentials are ‘root’ and ‘toor’. Log in, install the initial updates, and perform the distribution upgrade.

Updating Kali Linux:
apt-get update
apt-get upgrade
apt-get dist-upgrade

To contain your network, it’s important to run all your lab VMs in their own “virtual LAN”, or to select “NAT” in the network adapter settings. Don’t use Bridged Mode!

“Modern geometric neon bridge architecture at night on walkway, High Trestle Trail Bridge” by Tony Webster on Unsplash

You want to run everything, including your Kali attack instance, on the same network. But if you use “bridged mode” in the network settings of either VMware Workstation or VirtualBox, your lab will end up facing the actual LAN you’re sitting on, and you’ll end up probing targets that you might not want to, or causing problems on the network.
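One check you can script for this step, as an added example that is not part of the original post: it parses the output of `VBoxManage showvminfo --machinereadable` and flags any adapter that is not NAT or an internal/host-only network. The VM name, adapter modes and network name in the embedded sample are constructed.

```python
"""Flag VirtualBox VMs whose network adapters are bridged onto the physical LAN."""
import re
import shutil
import subprocess

# Adapter modes that keep lab traffic off the real network.
SAFE_MODES = {"nat", "natnetwork", "intnet", "hostonly", "none", "null"}
NIC_RE = re.compile(r'^(nic\d+)="([^"]*)"$', re.MULTILINE)

def unsafe_adapters(showvminfo_text):
    """Return (adapter, mode) pairs from `VBoxManage showvminfo --machinereadable`
    output whose mode could expose the VM to the network the host sits on."""
    return [(nic, mode) for nic, mode in NIC_RE.findall(showvminfo_text)
            if mode not in SAFE_MODES]

def audit_vms():
    """Check every registered VM; returns {} if VBoxManage is not installed."""
    if shutil.which("VBoxManage") is None:
        return {}
    listing = subprocess.run(["VBoxManage", "list", "vms"],
                             capture_output=True, text=True, check=True).stdout
    report = {}
    for name in re.findall(r'^"([^"]+)"', listing, re.MULTILINE):
        info = subprocess.run(["VBoxManage", "showvminfo", name, "--machinereadable"],
                              capture_output=True, text=True, check=True).stdout
        bad = unsafe_adapters(info)
        if bad:
            report[name] = bad
    return report

# Constructed sample output (not captured from a real host): adapter 1 is
# bridged, adapter 2 sits on an internal network named "pentestlab".
SAMPLE = '''name="kali-lab"
nic1="bridged"
bridgeadapter1="eth0"
nic2="intnet"
intnet2="pentestlab"
nic3="none"
'''

if __name__ == "__main__":
    print("sample:", unsafe_adapters(SAMPLE))  # [('nic1', 'bridged')]
    for vm, bad in audit_vms().items():
        print(f"{vm}: switch {bad} to NAT or an internal network")
```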

You will need to download some vulnerable images. There are two which should be in every lab: Metasploitable2 and Metasploitable3. Additional images can be found at VulnHub, and there is a wide range of them there. The Kioptrix series and mrRobot are a couple of fun places to begin. Old copies of Windows XP and Windows 7 that you might be able to virtualize make fun targets, as do old unpatched versions of Microsoft Server products.

Here’s a replay of a casual livestream, recorded after setting up a Kali lab, on how to gather some information about your targets and begin exploiting them from the safety of your own private lab.

Cyber Security San Antonio— Node, LLC

Gather Information

Enumerate information about your targets with tools like Nmap or Zenmap, and Sparta. Explore the other tools that Kali offers by visiting the Kali website and looking up the list of tools that can be used for “enumeration”. There is a wide range of information gathering tools, each with its own specialty.

I like Sparta as it’s a great place to organize information, plus it automates a huge amount of recon work for both weak passwords and open services. It’s very aggressive, and you should be extremely careful not to use it without understanding its implications for the network you’re running it on.

OpenVAS is a classic tool for performing general and quite aggressive vulnerability scanning. It can often find many potential vulnerabilities quickly and is a powerful system. Be careful when running it, though. It is easy for IDS systems to detect, will get you flagged by your ISP or cloud provider, and even makes your local anti-virus angry; you often have to completely disable your host AV if you’re on Windows to get things like OpenVAS to work properly. This tool can make your network go bonkers as well: for example, devices it hits might freeze or crash, or printers might dump a ream of paper with special characters for no reason. It can cause all kinds of exotic problems. Use it with caution.
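The behaviour that gets a scanner flagged is easy to spot in log data. As an added example that is not from the original post, here is a small Python detector that reads iptables-style kernel log lines and reports any source that touches many distinct ports on one host within a short window; the log lines, addresses and thresholds are constructed.

```python
"""Flag the burst of connection attempts a scanner such as Nmap or OpenVAS
produces when it hits many ports on one host, from iptables-style log lines."""
import re
from collections import defaultdict
from datetime import datetime

# Fields of a typical netfilter LOG line; the rest of the line is ignored.
LOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*? SRC=(?P<src>\S+) "
                    r"DST=(?P<dst>\S+) .*? DPT=(?P<dpt>\d+)")

def parse(line, year=2018):
    """Return (timestamp, src, dst, dport) or None for lines that do not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ts, m["src"], m["dst"], int(m["dpt"])

def detect_scans(lines, window_s=10, min_ports=20):
    """Return {(src, dst): distinct_ports} for pairs that touched at least
    `min_ports` distinct destination ports within any `window_s`-second span."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            ts, src, dst, dpt = rec
            events[(src, dst)].append((ts, dpt))
    hits = {}
    for pair, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            ports = {p for t, p in evs[i:] if (t - t0).total_seconds() <= window_s}
            if len(ports) >= min_ports:
                hits[pair] = max(hits.get(pair, 0), len(ports))
    return hits

# Constructed sample log (not captured from a real host): a scanner sweeping
# 30 ports in 10 seconds, plus a normal client talking to port 443 only.
def _line(sec, src, dst, dpt):
    return (f"Jul 14 12:00:{sec:02d} lab kernel: LAB-IN: IN=eth0 OUT= "
            f"SRC={src} DST={dst} PROTO=TCP SPT=40000 DPT={dpt} SYN")

SAMPLE = [_line(i % 10, "10.0.2.15", "10.0.2.4", 20 + i) for i in range(30)]
SAMPLE += [_line(s, "10.0.2.9", "10.0.2.4", 443) for s in range(0, 60, 5)]

if __name__ == "__main__":
    for (src, dst), n in detect_scans(SAMPLE).items():
        print(f"possible scan: {src} -> {dst} touched {n} ports")  # 10.0.2.15 -> 10.0.2.4, 30
```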

Even when you have the scans in, the work is only just beginning. Use the Kali command line to run things like “searchsploit”, or visit the Exploit DB website, and look up every version of every application you found. Now you can start the process of “penetration testing” yourself.

Photo by Masaaki Komori on Unsplash

With some exploits in hand, you can attempt to run them against your “victims” in your private self-contained lab.

Enumerating information is a huge process. You have to use a wide range of tools to gather as much detail as possible about everything. Going into Exploit DB with a solid list of candidates will yield the best chance of finding suspect exploits. Many exploits have to be compiled, sometimes on the remote target. That might mean you need to run another exploit first that gets you a way to remotely upload a file to the target, even if you can’t run the exploit yet. You might find yourself with a “low privilege shell” and need to escalate permissions. Along the way, at each step, you have to continue enumerating things about the target. For example, with a low-priv shell you might be able to learn more about the host OS and find other exploits that could let you escalate your privileges.

Photo by Omar Prestwich on Unsplash

There are walkthroughs for many of the vulnerable machines that you might want to use. These will really help you understand what skills are needed to get into the various systems. It takes a wide range of knowledge in a huge amount of areas to be good at this! Exploits are written in nearly any language from uncompiled C source code to Python scripts to just examples of using a debugger and assembly!

For targets that feature a “web server” there is a wide variety of web vulnerability scanners. These are often separate from the standard vulnerability assessment tools you might be using already. WordPress sites, for example, can be scanned with WPScan, and there is a separate scanner for Joomla as well. Many tools help you specifically assess web applications for vulnerabilities, in addition to running them through the Exploit DB once you know version numbers.

Cyber Security for Wordpress — Scanning your site with WPScan

Enumeration can take quite some time, but properly armed with all of the information, the exploitation phase is much more likely to be successful.

Exploitation With Kali Linux

The reward for pentesters is awesome. Gaining access to a system and getting a shell is a huge rush. At every stage of the process there are puzzles to sort out. While there are lots of boring aspects, like waiting for scans to complete and researching potential exploit candidates, there is also quite a bit of excitement that can go along with the process of learning. Even without the ability to code, getting a shell by using Metasploit exploits should be trivial for most IT people who are savvy with Linux and networks.

While the urge to jump straight into exploitation is very strong, you must first “know your enemy” and be patient. Think like “The Art of War”.

Pentesters will find themselves needing to be comfortable using an assembly debugger and compiling code. That is a bit of an entry barrier for some but people with computer science backgrounds can usually handle it.

Photo by Pankaj Patel on Unsplash

You cannot expect the tools to do all the work for you, and even if they can do most of the work, you will still have to be able to read, follow along, and edit code from multiple programming languages on the fly, in the field, under pressure.

Of course if you use Metasploit it can really help. The Metasploit Unleashed course should be mandatory reading for people this far into the subject. It’s a crucial reference. There’s also an official book on Metasploit that’s very handy to have around.

If you can find Metasploit exploits on Exploit DB for your targets, run them. They can make easy work for you! The Metasploit toolkit provides a huge amount of other resources, though. It can be a database for managing your entire attack scope in a saved “workspace”. I frequently use Sparta for this purpose, but Metasploit has amazing power. By plugging into Armitage you can also gain a powerful GUI for it and collaborate with teams.

Type “msfconsole” in a Kali terminal.

If you want to get started without putting in much effort at all, there is an even easier way to build an infected payload that communicates back to you: the Social Engineering Toolkit, or SET for short. This tool makes it really simple.

It’s part of the Kali distribution and can be started from a terminal. It provides a simple menu that can be used to launch a variety of attacks, and it sets everything up for you. It will craft the payload and set up a Metasploit listener for you. All you have to do is execute the payload on the target system. It can also help you deliver the payload in a variety of ways. Many times this form of attack is accomplished by means of “social engineering”. For example, this tool can instantly generate a custom virus on a USB thumb-drive that, when inserted into a PC, will send a session back to your remote listener, and you’ll basically be looking at a DOS prompt on the target Windows box, running under the privileges of the user who inserted the stick.

SET isn’t very practical outside of a lab. The payloads it makes are easily identified by AV and various other software protection systems. Some older things like Windows XP without anti-virus and a user set up as a local administrator would be extremely low hanging fruit for this tool however.

It’s an example of how easy it can be to exploit unpatched, poorly configured legacy systems. The truth is, many, many organizations run these very kinds of systems even today, and getting a USB stick into one of them can be fairly trivial for a determined individual who knows what to look for.

Instantly create payloads and listeners, batteries included.

Conclusion

I hope you’ve learned a bit about penetration testing and building a lab with Kali Linux. Please follow my YouTube page for more videos and vulnerable machine walkthroughs. Many IT people should become more educated on this subject and should be deploying these tools and methods for themselves to level the playing field a bit more, because if you know what an attacker might know about you, then you can take actions you never even knew you needed to take.

Be diligent, stay safe, keep it clean, keep it legal, and happy hunting!

https://www.nodetx.com
