20 Fantastic Kali Linux Tools
SwordSec
http://www.swordsec.com
November, 2014
Before beginning your penetration test and security auditing, remember that the best
tool available is your own mind. Kali Linux is a suite of tools built to help gather information
and exploit weaknesses, but the logical decision making and analysis is yours. Outside of the
technical aspects of attacking, being calm and organized will help you more than anything.
Further, always make sure you have direct permission or ownership of the sites involved in
your penetration testing. Once you have limited your risk to undue outside influences, it is
time to begin phase one of the penetration test. In order to be sufficiently thorough, illegal
tools and actions must be considered as weapons the attackers may implement.
“A complete and adequate penetration test involves penetration testers conducting
illegal activities on systems external or internal to an organization’s network.
Organizations must understand that penetration testers performing the tests in most cases
are breaking the law. “
SANS on penetration testing
Tools for Phase One
Information Gathering and Analysis
Kali Linux has a wonderful set of tools for gathering data on your target. The end goal of
phase one is to have a logical map of the target’s network, both of people and of machines.
Any information discovered now may be key to a pivot later on, so thoroughness is your ally.
Most tools in this stage are very quiet, so if time is not a critical factor in your attack, this is the
best time to move slowly and dig deep. The more you sweat now, the less you’ll bleed later.
1.
DNSenum Enumerating the Servers
The first high level maps of an organization’s network will come from locating its DNS
servers. Starting with a good foundation here will help you find the key footholds you’ll
need later. DNSenum is a high level tool that is very often the first step in mapping
your targets network. Using the format ...
./dnsenum enum [TARGET DOMAIN NAME]
… we can begin enumeration of the higher level servers available to our target.
DNSenum in terminal
2.
dmitry The Network Rangefinder
Once your DNSenum information has come back, you will have a range of
servers used by your target. The goal of the dmitry rangefinder is to find out which IP’s
are used on those servers. This is done using a TCP traceroute command which can
be threaded, and displayed graphically with dmitry commands.
3.
Nmap
The Nmap (Network Map) project is famous for its standalone application and open
source code. The Nmap tool in Kali Linux is used to determine if a host is alive, active,
and gives a bounty of other information in one quick scan. Nmap is an essential tool
for quickly gathering specific details on any active machine.
“Nmap uses raw IP packets in novel ways to determine what hosts are available on
the network, what services (application name and version) those hosts are offering,
what operating systems (and OS versions) they are running, what type of packet
filters/firewalls are in use, and dozens of other characteristics.”
The Nmap tool is located at Kali Linux / Information Gathering / Live Host Identifcation
To add to the beauty, the Nmap scan can gather all of this information off only a
handful of packets tossed around in such a way as to be quieter than many other
available tools.
4.
Maltego
Maltego is an excellent builtin tool from the development team at Paterva
technologies. The design is unique and with a little time spent learning how to best
play with it, Maltego quickly becomes an essential tool for any medium to large scale
penetration test. The system is built to determine relationships between actors in an
environment. This could be a name, a DNS server, an IP address, a WHOIS lookup, or
any number of other bits of information. Maltego will do some rooting around and
come up with a logical map that displays these relationships visibly. In invaluable tool
for the critical penetration tester, these logical maps will shed light on a messy
situation, or reaffirm suspected relationship links.
Once all your information gathered from DNSenum, dmitry, and Nmap has
been poured over and filtered into Maltego, a clean and clear logical map of your
target’s environment can be formed.
5.
Social Engineering Toolkit
The Social Engineering Toolkit (SET) is designed to help the penetration tester work
against the human elements of the target’s security environment. Working with a wide
variety of tools, SET enables the attacker to exploit weaknesses in security training, as
opposed to weaknesses in hardware or software.
People are often the weakest link in any security system.
Social Engineering takes on a different attack path at first glance, but information
gained through social engineering attacks can quickly be turned into a serious
advantage for the penetration testing team. SET can be accessed by opening terminal
and entering. “setoolkit”. Experience working with java applets will be helpful when
working with SET to plan attacks. SET can also be used during Phase Four :
Exploitation, to deliver clickables that will help gain access to a target’s machine.
Personally I find it most useful in the information gathering stages, although it can be
more invasive and louder depending on the level of security awareness in the target
environment.
Tools for Phase Two
Vulnerability Detection and Enumeration
6.
Nessus
Working With Vulnerabilities
Taking your logical map from Maltego, and the wealth of technical information
gathered from the time spent in Nmap, it’s time to find vulnerabilities that lie in the
target’s system. Neesus takes command of the next step, finding vulnerabilities in the
local system, in the local network, and in both Linux and Windows environments.
When checking a network for vulnerabilities, Neesus is as thorough as tools come.
Although Neesus works on Kali Linux, it is not bundled with the download, and will
need to be downloaded and unpackaged on the Kali Linux OS. Registration through
the Neesus website is also required to run this tool.
7.
OpenVAS
Open Vulnerability Assessment System
OpenVAS is bundled and packaged with Kali Linux, but is less polished than its
cousin. Both OpenVAS and Neesus work to discover vulnerabilities in local systems,
networks, and operating systems. After running all your gathered information through
one or both of these tools, you will have a list of vulnerabilities that will prove essential
in getting into the target system. Using the targeting data we gathered in phase one,
you can set OpenVAS to scan each machine in the target’s network for vulnerabilities.
After this detailed scan, you can take a step back and scan the target network itself for
vulnerabilities. The list of weaknesses is long and varied, and will give the attackers
essential data to help target a specific vulnerability to exploit.
A list of different kinds of vulnerabilities OpenVAS can find
from the
Kali Linux Cookbook
Tools for Phase Three
Penetration Attempts
At this phase, penetration testers will take the logical maps of the environment, and the list of
exploitable vulnerabilities gathered in phases one and two. In a team of attackers, this is the
perfect time for a brief pause and gathering of the troops. Up until this point most of the tools
used were relatively quiet and noninvasive, and while Kali Linux is generally a very quiet set
of tools, the pattern of attacks from here on out is necessarily noisier, and a lot more rides on
the quality of the defense. If the attacking team is properly prepared, choosing which attack
vector to hit is the next key step.
|
