Mastering_Kali_Linux_for_Advanced_Penetration_Testing_4th_Edition

Mastering Kali Linux for Advanced Penetration Testing Fourth Edition
Apply a proactive approach to secure your cyber
infrastructure and enhance your pentesting skills Vijay Kumar Velu BIRMINGHAM—MUMBAI
Mastering Kali Linux for Advanced Penetration Testing Fourth Edition
Copyright © 2022 Packt Publishing
All rights reserved. No part of this book may be reproduced, stored in a retrieval system, or transmitted in
any form or by any means, without the prior written permission of the publisher, except in the case of brief
quotations embedded in critical articles or reviews.
Every effort has been made in the preparation of this book to ensure the accuracy of the information
presented. However, the information contained in this book is sold without warranty, either express or
implied. Neither the author, nor Packt Publishing or its dealers and distributors, will be held liable for any
damages caused or alleged to have been caused directly or indirectly by this book.
Packt Publishing has endeavored to provide trademark information about all of the companies and products
mentioned in this book by the appropriate use of capitals. However, Packt Publishing cannot guarantee
the accuracy of this information.
Producer: Dr. Shailesh Jain
Acquisition Editor – Peer Reviews: Saby Dsilva
Project Editor: Amisha Vathare
Content Development Editor: Bhavesh Amin
Copy Editor: Safis Editor
Technical Editor: Aditya Sawant
Proofreader: Safis Editor
Indexer: Pratik Shirodkar
Presentation Designer: Ganesh Bhadwalkar First published: June 2014 Second edition: June 2017 Third edition: January 2019 Fourth edition: February 2022 Production reference: 2240222
Published by Packt Publishing Ltd. Livery Place 35 Livery Street Birmingham B3 2PB, UK. ISBN 978-1-80181-977-0 www.packt.com Contributors About the author
Vijay Kumar Velu is a passionate information security practitioner, author, speaker, investor,
and blogger, currently based in London. He has over 16 years of IT industry experience, is a licensed
penetration tester, and specializes in offensive security and digital forensics incident response.
He is the author of Mastering Kali Linux for Advanced Penetration Testing – Second and Third Editions,
and Mobile Application Penetration Testing. Outside of work, he enjoys playing music and doing
charity work. He holds multiple security qualifications, including CEH, ECSA, and CHFI.
I would like to dedicate this book to the open-source community and all security enthusiasts. I would like to
thank my family, friends (Hackerz), and mentors. Special thanks to the Packt publishing team for all the
support that they provided throughout the journey of this book and my colleagues, Brad and Rich, for their extended support. About the reviewer
Glen D. Singh is a cybersecurity instructor and an InfoSec author. His areas of expertise are
cybersecurity operations, offensive security tactics, and enterprise networking. He holds many
certifications, including CEH, CHFI, PAWSP, and 3xCCNA (in CyberOps, Security, and Routing and Switching).
Glen loves teaching and mentoring others and sharing his wealth of knowledge and experience
as an author. He has written many books that focus on vulnerability discovery and exploitation,
threat detection, intrusion analysis, incident response (IR), implementing security solutions,
and enterprise networking. As an aspiring game-changer, Glen is passionate about increasing
cybersecurity awareness in his homeland, Trinidad and Tobago.
I would like to thank Divya Mudaliar and Saby Dsilva for having me as part of this project, Amisha Vathare
for her continuous support during this journey, and the wonderful people at Packt Publishing. Thank you everyone! Table of Contents Preface xvii
Chapter 1: Goal-Based Penetration Testing 1
Different types of threat actors ........................................................................................... 2
Conceptual overview of security testing ............................................................................. 2
Common pitfalls of vulnerability assessments,
penetration testing, and red team exercises ........................................................................ 3
Objective-based penetration testing ................................................................................... 5
The testing methodology .................................................................................................... 5
Introduction to Kali Linux features ..................................................................................... 8
The role of Kali in red team tactics • 9
Installing and updating Kali Linux ................................................................................... 10
Using as a portable device • 10
Installing Kali on a Raspberry Pi 4 • 12 Installing Kali on a VM • 12
VMware Workstation Player • 13 VirtualBox • 14
Installing to a Docker appliance • 16 Kali on AWS Cloud • 17
Kali on Google Cloud Platform (GCP) • 21
Kali on Android (non-rooted phones) ............................................................................... 27
Organizing Kali Linux ....................................................................................................... 28
Configuring and customizing Kali Linux • 29
Resetting the default password • 29
Configuring network services and secure communications • 29
Adjusting network proxy settings • 31
Accessing the secure shell remotely • 31
Speeding up Kali operations • 32
Sharing folders with the host operating system • 32
Using Bash scripts to customize Kali • 34
Building a verification lab ................................................................................................. 34
Installing defined targets • 34 Lab Network • 35
Active Directory and Domain Controller • 35
Installing Microsoft Exchange Server 2016 • 38 Metasploitable3 • 42 Mutillidae • 44
CloudGoat ........................................................................................................................ 47
Managing collaborative penetration testing using Faraday ............................................... 51
Summary .......................................................................................................................... 54
Chapter 2: Open-Source Intelligence and Passive Reconnaissance 55
Basic principles of reconnaissance .................................................................................... 56 OSINT • 57 Offensive OSINT • 58
Gather domain information • 59 Maltego • 60 OSRFramework • 63 Web archives • 64 Passive Total • 65
Scraping ............................................................................................................................ 66
Gathering usernames and email addresses • 66
Obtaining user information • 68 TinEye • 68 Online search portals • 69 SpiderFoot • 70 Other commercial tools • 74
Google Hacking Database ................................................................................................. 74
Using dork scripts to query Google • 75 Data dump sites • 77 Defensive OSINT • 78 Dark web • 78 Security breaches • 79 Public records • 80 Threat intelligence • 81
Profiling users for password lists • 82
Creating custom wordlists for cracking passwords ........................................................... 84
Using CeWL to map a website • 84
Extracting words from Twitter using twofi • 84
Summary .......................................................................................................................... 85
Chapter 3: Active Reconnaissance of External and Internal Networks 87
Stealth scanning techniques ............................................................................................ 88
Adjusting source IP stack and tool identification settings • 89
Modifying packet parameters • 90
Using proxies with anonymity networks • 92
DNS reconnaissance and route mapping ........................................................................... 96
The whois command (post GDPR) • 97
Employing comprehensive reconnaissance applications .................................................. 98 The recon-ng framework • 99 IPv4 • 101 IPv6 • 102
Using IPv6-specific tools • 103
Mapping the route to the target • 104
Identifying the external network infrastructure .............................................................. 107
Mapping beyond the firewall .......................................................................................... 109
IDS/IPS identification ..................................................................................................... 109
Enumerating hosts ........................................................................................................... 110 Live host discovery • 110
Port, operating system, and service discovery ................................................................... 111 Port scanning • 111
Writing your own port scanner using netcat .................................................................... 113
Fingerprinting the operating system • 113
Determining active services • 114
Large-scale scanning ....................................................................................................... 115 DHCP information • 116
Identification and enumeration of internal network hosts • 117
Native MS Windows commands • 118 ARP broadcasting • 120 Ping sweep • 121
Using scripts to combine masscan and nmap scans • 121
Taking advantage of SNMP • 123
Windows account information via SMB sessions • 126
Locating network shares • 127
Reconnaissance of active directory domain servers • 128
Enumerating the Microsoft Azure environment • 129
Using comprehensive tools (Legion) • 133
Using machine learning for reconnaissance ..................................................................... 133
Summary ......................................................................................................................... 137
Chapter 4: Vulnerability Assessment 139
Vulnerability nomenclature ............................................................................................ 140
Local and online vulnerability databases ........................................................................ 140
Vulnerability scanning with Nmap ................................................................................. 144
Introduction to Lua scripting • 146
Customizing NSE scripts • 147
Web application vulnerability scanners ........................................................................... 149 Nikto • 150 Customizing Nikto • 150 OWASP ZAP • 152
Vulnerability scanners for mobile applications ................................................................ 156
The OpenVAS network vulnerability scanner .................................................................. 158 Customizing OpenVAS • 160
Commercial vulnerability scanners ................................................................................ 160 Nessus • 161 Qualys • 162
Specialized scanners ........................................................................................................ 163
Threat modeling ............................................................................................................. 164
Summary ........................................................................................................................ 168
Chapter 5: Advanced Social Engineering and Physical Security 169
Command methodology and TTPs .................................................................................. 170 Technology • 171 Computer-based • 171 Mobile-based • 172 People-based • 172
Physical attacks • 173 Voice-based • 173
Physical attacks at the console ......................................................................................... 174 samdump2 and chntpw • 174 Sticky Keys • 177
Creating a rogue physical device ...................................................................................... 179
Microcomputer or USB-based attack agents • 180 The Raspberry Pi • 180
MalDuino: the BadUSB • 182
The Social Engineering Toolkit (SET) ............................................................................. 184
Social-engineering attacks • 186
Credential harvester web attack method • 187
Multi-attack web attack method • 190 HTA web attack method • 192
Using the PowerShell alphanumeric shellcode injection attack • 194
Hiding executables and obfuscating the attacker’s URL .................................................. 195
Escalating an attack using DNS redirection .................................................................... 196 Spear phishing attack • 197
Email phishing using Gophish • 202
Launching a phishing attack using Gophish ................................................................... 204
Using bulk transfer as phishing to deliver payloads ........................................................ 209
Summary ........................................................................................................................ 210
Chapter 6: Wireless and Bluetooth Attacks 211
Introduction to wireless and Bluetooth technologies ...................................................... 211
Configuring Kali for wireless attacks ............................................................................... 212
Wireless reconnaissance .................................................................................................. 213
Bypassing a hidden SSID .................................................................................................. 216
Bypassing MAC address authentication and open authentication ................................... 219
Attacking WPA and WPA2 ................................................................................................ 221 Brute-force attacks • 221
Attacking wireless routers with Reaver • 226
Denial of Service (DoS) attacks against wireless communications .................................. 228
Compromising enterprise implementations of WPA2 ..................................................... 229
Working with bettercap .................................................................................................. 232
Evil Twin attack using Wifiphisher ................................................................................. 233
WPA3 .............................................................................................................................. 236
Bluetooth attacks ............................................................................................................ 237
Summary ........................................................................................................................ 240
Chapter 7: Exploiting Web-Based Applications 241
Web application hacking methodology ........................................................................... 242
The hacker’s mind map ................................................................................................... 244
Reconnaissance of web apps ........................................................................................... 245
Detection of web application firewall and load balancers • 247
Fingerprinting a web application and CMS • 250
Mirroring a website from the command line • 253
Client-side proxies .......................................................................................................... 253 Burp Proxy • 254
Web crawling and directory brute-force attacks • 261
Web service-specific vulnerability scanners • 261
Application-specific attacks ............................................................................................ 262
Brute-forcing access credentials • 262
OS command injection using commix • 262 sqlmap • 264 XML injection • 268 Bit-flipping attack • 270
Maintaining access with web shells • 274
The Browser Exploitation Framework (BeEF) ................................................................. 278
Installing and configuring BeEF • 279
Understanding the BeEF browser ................................................................................... 284
Using BeEF as a tunneling proxy • 288
Summary ......................................................................................................................... 291
Chapter 8: Cloud Security Exploitation 293
Introduction to cloud services ........................................................................................ 294
Vulnerability scanning and application exploitation in an EC2 instance ........................ 298
Testing for S3 bucket misconfiguration ............................................................................ 311
Exploiting security permission flaws ............................................................................... 315
Obfuscating CloudTrail logs ........................................................................................... 326
Summary ........................................................................................................................ 326
Chapter 9: Bypassing Security Controls 327
Bypassing Network Access Control (NAC) ....................................................................... 328 Pre-admission NAC • 328
Adding new elements • 329
Identifying the rules • 329
Disabling endpoint security • 330 Post-admission NAC • 331 Bypassing isolation • 331
Detecting a honeypot • 331
Bypassing application-level controls ............................................................................... 331
Tunneling past client-side firewalls using SSH • 332 Inbound to outbound • 332
Bypassing URL filtering mechanisms • 332
Outbound to inbound • 335
Bypassing the antivirus with files ................................................................................... 337
Using the Veil framework • 338 Using Shellter • 344
Going fileless and evading antivirus ................................................................................ 348
Bypassing Windows operating system controls .............................................................. 348
User Account Control (UAC) • 348
Using fodhelper to bypass UAC in Windows 10 • 351
Using Disk Cleanup to bypass UAC in Windows 10 • 353
Obfuscating the PowerShell and using fileless techniques • 354
Other Windows-specific operating system controls • 357
Access and authorization • 358 Encryption • 359 System security • 359
Communications security • 360
Auditing and logging • 360
Summary ......................................................................................................................... 361 Chapter 10: Exploitation 363
The Metasploit Framework ............................................................................................. 363 Libraries • 364 REX • 365 Framework core • 365 Framework base • 365 Interfaces • 365 Modules • 366
Database setup and configuration • 367
Exploiting targets using MSF .......................................................................................... 373
Single targets using a simple reverse shell • 373
Exploiting multiple targets using MSF resource files ....................................................... 377
Using public exploits ....................................................................................................... 378
Locating and verifying publicly available exploits • 378
Compiling and using exploits • 379
Compiling C files and executing exploits • 379
Adding the exploits that are written using the MSF as a base • 380
Developing a Windows exploit ....................................................................................... 382
Identify the vulnerability through fuzzing • 383
Debug and replicate the crash • 387
Control the application execution • 390
Identify the right bad characters and generate shellcode • 392 Obtain the shell • 394
PowerShell Empire framework ....................................................................................... 395
Summary ........................................................................................................................ 399
Chapter 11: Action on the Objective and Lateral Movement 401
Activities on the compromised local system .................................................................... 401
Conducting rapid reconnaissance of a compromised system • 402
Finding and taking sensitive data – pillaging the target • 404
Creating additional accounts • 406
Post-exploitation tools • 407
The Metasploit Framework – Meterpreter • 408
The PowerShell Empire project • 411 CrackMapExec • 413
Horizontal escalation and lateral movement ................................................................... 415
Compromising domain trusts and shares • 417
PsExec, WMIC, and other tools • 419 WMIC • 421
Windows Credentials Editor • 424
Lateral movement using services • 425
Pivoting and port forwarding • 426
Using ProxyChains • 428
Summary ........................................................................................................................ 429
Chapter 12: Privilege Escalations 431
Overview of the common escalation methodology .......................................................... 431
Escalating from domain user to system administrator .................................................... 433
Local system escalation ................................................................................................... 435
Escalating from administrator to system ........................................................................ 436 DLL injection • 437
Credential harvesting and escalation attacks .................................................................. 440 Password sniffers • 441 Responder • 442
Performing a MiTM attack on LDAP over TLS • 446
Escalating access rights in Active Directory .................................................................... 452
Compromising Kerberos – a golden-ticket attack ........................................................... 458
Summary ........................................................................................................................ 464
Chapter 13: Command and Control 465
Persistence ...................................................................................................................... 465
Using persistent agents ................................................................................................... 466
Employing Netcat as a persistent agent • 467
Using schtasks to configure a persistent task • 471
Maintaining persistence with the Metasploit framework • 472
Using the post exploit persistence module • 472
Creating a standalone persistent agent with Metasploit • 473
Persistence using online file storage cloud services • 475 Dropbox • 475 Microsoft OneDrive • 478 Covenant • 482 PoshC2 • 485
Domain fronting ............................................................................................................. 487
Using Amazon CloudFront for C2 • 487
Exfiltration of data .......................................................................................................... 492
Using existing system services (Telnet, RDP, and VNC) • 492
Using the ICMP protocol • 494
Hiding evidence of an attack • 496
Summary ........................................................................................................................ 498
Chapter 14: Embedded Devices and RFID Hacking 501
Embedded systems and hardware architecture ............................................................... 502
Embedded system basic architecture • 502
Understanding firmware • 503
Different types of firmware • 504
Understanding bootloaders • 505 Common tools • 505
Firmware unpacking and updating ................................................................................. 506
Introduction to RouterSploit Framework ....................................................................... 510
UART ................................................................................................................................ 514
Cloning RFID using ChameleonMini ................................................................................ 517 Other tools • 521
Summary ........................................................................................................................ 522 Other Books You May Enjoy 527 Index 533 Preface
This book is about the use of Kali Linux in performing penetration tests against networks, systems,
and applications. A penetration test simulates an attack against a network or a system by a ma-
licious outsider or insider. Unlike a vulnerability assessment, penetration testing is designed to
include the exploitation phase. Therefore, it proves that the exploit is present and that the system
is at risk of being compromised if not acted upon.
Throughout this book, we will refer to penetration testers, attackers, pentesters, and
hackers interchangeably as they use the same techniques and tools to assess the
security of networks and data systems. The only difference between them is their
end objective—infiltrating a secure data network or a data breach.
Readers must be aware that it is illegal to knowingly/intentionally scan or access a
protected computer or network without explicit approval.
In short, this book will take you through a journey of a penetration tester with many proven
techniques to defeat the latest defenses on a network using Kali Linux. From selecting the most
effective tools, to rapidly compromising network security to highlighting the techniques used to avoid detection. Who this book is for
If you’re a penetration tester, IT professional, or security consultant who wants to maximize
the success of your network testing using some of the advanced features of Kali Linux, then this
book is for you. Some prior exposure to the basics of penetration testing/ethical hacking would
be helpful to get the most out of this title. xviii Preface What this book covers
Chapter 1, Goal-Based Penetration Testing, introduces a functional outline based on the penetra-
tion testing methodology that will be used throughout the book. It ensures that a coherent and
comprehensive approach to penetration testing will be followed.
Chapter 2, Open-Source Intelligence and Passive Reconnaissance, provides a background on how to
gather information about a target using publicly available sources and the tools that can simplify
reconnaissance and information management.
Chapter 3, Active Reconnaissance of External and Internal Networks, introduces the reader to stealthy
approaches that can be used to gain information about the target, especially the information that
identifies vulnerabilities, which could be exploited.
Chapter 4, Vulnerability Assessment, teaches you the semi-automated process of scanning a network
and its devices to locate systems that are vulnerable to attack and compromise and the process
of taking all reconnaissance and vulnerability scan information, assessing it, and then creating
a map to guide the penetration testing process.
Chapter 5, Advanced Social Engineering and Physical Security, shows you why being able to phys-
ically access a system or interact with the humans who manage it provides the most successful route to exploitation.
Chapter 6, Wireless and Bluetooth Attacks, provides a brief explanation of wireless and Bluetooth
technologies and focuses on the common techniques used to compromise these networks by bypassing security.
Chapter 7, Exploiting Web-Based Applications, provides a brief overview of one of the most complex
delivery phases to secure: web-based applications that are exposed to the public internet.
Chapter 8, Cloud Security Exploitation, focuses on attacks against AWS cloud infrastructure, which
are frequently prone to security misconfigurations and are protected to the same degree as the
organization’s primary network.
Chapter 9, Bypassing Security Controls, demonstrates the most common security controls in place,
identifies a systematic process for overcoming these controls, and demonstrates this using the tools from the Kali toolset.
Chapter 10, Exploitation, demonstrates the methodologies that can be used to find and execute
exploits that allow a system to be compromised by an attacker. Preface xix
Chapter 11, Action on the Objective and Lateral Movement, focuses on the immediate post-exploit
activities, as well as the aspect of horizontal escalation – the process of using an exploited system
as a starting point to “jump off” to other systems on the network.
Chapter 12, Privilege Escalations, teaches the penetration tester to own all aspects of a system’s
operations; more importantly, obtaining some access privileges that allow the tester to control
all the systems across a network.
Chapter 13, Command and Control, focuses on what a modern attacker would do to enable data to
be exfiltrated to the attacker’s location and hide the evidence of the attack.
Chapter 14, Embedded Devices and RFID hacking, focuses on what a modern attacker would do to
perform a structured attack on embedded devices and clone NFC cards.
To get the most out of this book
To practice the material presented in this book, you will need virtualization tools such as VMware or VirtualBox.
You will need to download and configure the Kali Linux operating system and its suite of tools. To
ensure that it is up-to-date and that you have all of the tools, you will need access to an internet connection.
Sadly, not all of the tools on the Kali Linux system will be addressed since there are too many
of them. The focus of this book is not to overwhelm you with all of the tools and options but to
provide an approach for testing that will allow you to learn and incorporate new tools as their
experiences and knowledge change over time.
Although most of the examples from this book focus on Microsoft Windows, the methodology
and most of the tools are transferrable to other operating systems such as Linux and the other flavors of Unix.
Finally, this book applies Kali to complete the cyber kill chain against target systems. You will
need a target operating system. Many of the examples in the book use Microsoft Windows 2016,
Windows 10, Ubuntu 14.04, and Windows 2008 R2.
To make the best use of lab exercises, it is recommended that you disable Windows
Defender on the vulnerable Windows servers by running PowerShell with admin-
istrative privilege and typing Set-MpPreference -DisableRealtimeMonitoring $true