Kali Linux: Security Distro

Kali Linux – the Security Distro
Sep 16, 2017

The most advanced penetration testing distribution, ever. Or so it says.

Kali Linux is an alternate distribution for the Odroid and Raspberry Pi, which carries the pentest tools in its own package repositories, making them easy to install. Many of these tools are not in the Raspbian repositories and would have to be downloaded and compiled separately.

First Impressions

  • Kali Linux is a good distro: up-to-date, Debian-based (uses apt-get)
  • Does not have penetration tools already installed (why?)
    • Fortunately, there is katoolin, which will download all the tools for you
  • Plays well with IPv6; most tools work in an IPv6 environment, but they may not work as you expect (IPv6 is a different protocol)
  • There is a PDF online which shows how to install Kali Linux.

Installing Kali Linux

  1. Download the image for your board (Pi or Odroid)
  2. Use dd to copy it to a micro SD Card
  3. Put the micro SD card into your board (Pi or Odroid) and boot. The default login is root, password toor
  4. Log in and change the root password NOW, I’ll wait. Also, you should consider creating a non-privileged user account, which you normally log in as.
  5. If you are interested in penetration testing, download katoolin and run it to download all the PenTest tools

After you write the SD image and boot it, you will want to grow the root partition, as it will be 7GB regardless of how much larger your SD card is. Install gparted and use it to increase the size of your root partition. It is always a good idea to reboot after this operation.
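The install steps above as a pair of shell functions, added here as an example (this is not a script from the post or from the Kali project). write_image refuses to dd onto anything that is not an unmounted block device, which is the usual way that step goes wrong; harden_first_boot is what to run as root on the freshly booted board. The image path, device name and user name are assumptions, and adduser/usermod are the Debian tools Kali ships.

```shell
#!/bin/sh
# Added example (not from the post): the Kali-on-Pi install steps as functions.

write_image() {
    img="$1"; dev="$2"
    [ -f "$img" ] || { echo "image not found: $img" >&2; return 1; }
    # Refuse anything that is not a block device (e.g. a typo'd path).
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    # Refuse if the device, or any partition on it, is currently mounted.
    if grep -q "^$dev" /proc/mounts; then
        echo "$dev (or a partition on it) is mounted; unmount it first" >&2
        return 1
    fi
    # conv=fsync flushes writes before dd exits so the card can be removed safely.
    dd if="$img" of="$dev" bs=4M conv=fsync status=progress
}

harden_first_boot() {
    user="$1"
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; return 1; }
    echo "Set a new root password (the image ships with root/toor):"
    passwd root
    # Create the unprivileged day-to-day account and let it sudo.
    adduser --gecos "" "$user"
    usermod -aG sudo "$user"
    # The image's root partition is ~7GB; grow it to the card with gparted, then reboot.
    echo "Next: apt-get install gparted, grow / to fill the card, and reboot."
}

# Usage (assumed paths): write_image kali-linux-rpi.img.xz /dev/mmcblk0
#                        harden_first_boot pi
```

Run write_image from your workstation with the card reader's device name; run harden_first_boot on the board itself after the first boot.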

Digging into Kali Linux

Kali Linux with PenTest tools is just a collection of tools from various open source projects. I didn’t see a tool that was actually written by Kali. These tools include well-known, excellent tools such as those by THC (The Hacker’s Choice).

The tools are organized into the following categories; under each I have listed the tools I found useful:

  • Information Gathering
    • urlcrazy – creates typos for the domain, and checks if there are servers on that domain
    • nmap – Host and port scanner
    • sslscan – Checks SSL/TLS Certs
  • Vulnerability Analysis
    • dhcpig – consumes all the addresses in a DHCP server’s pool (doesn’t quite work that way with DHCPv6)
    • yersinia – Layer 2 attacks, e.g. STP (spanning tree) attacks
  • Web Application
    • wpscan – Nice WordPress scanner, reveals plug-in versions, and if they are up to date
  • Database Assessment
    • sqlmap – SQL injection tool (better only use on your own databases)
  • Password Attacks
    • john – reasonable offline password cracker (test for weak passwords)
  • Wireless Attacks
    • aircrack-ng – a well-known 802.11 testing/cracking tool
  • Reverse Engineering
  • Exploitation Tools
    • ipv6-toolkit – scanning an IPv6 prefix is useless, scanning link-local addresses is useful
  • Sniffing & Spoofing
    • wireshark – the tool for sniffing a network to figure out what is really happening

But one needs to know a little bit about security testing before using the tools. Some are obvious: a password cracker like john will test your system for weak passwords.

urlcrazy

root@kali-arm64:~# urlcrazy meetup.com
URLCrazy Domain Report
Domain    : meetup.com
Keyboard  : qwerty
At        : 2017-09-02 20:04:26 +0000

# Please wait. 91 hostnames to process

Typo Type                     Typo           DNS-A            CC-A               DNS-MX                           Extn
------------------------------------------------------------------------------------------------------------------------
Character Omission            meetp.com      98.124.245.24    US,UNITED STATES   mail.b-io.co                     com
Character Omission            meetu.com      5.22.149.135     DE,GERMANY                                          com
Character Replacement         meerup.com     185.53.178.9                        mail.h-email.net                 com
Character Insertion           meetrup.com    184.168.221.40   US,UNITED STATES   mailstore1.secureserver.net      com
Missing Dot                   wwwmeetup.com  141.8.224.25     CH,SWITZERLAND                                      com
Vowel Swap                    meetep.com     173.198.225.140  AU,AUSTRALIA       meetep.com                       com
Homophones                    meatup.com     66.96.149.32     US,UNITED STATES   mx.meatup.com                    com
Bit Flipping                  meedup.com     72.52.4.122      UA,UKRAINE         localhost                        com
Wrong TLD                     meetup.ca      208.73.211.165   AU,AUSTRALIA                                        ca
...
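The report above groups look-alike names by typo type. As an added example (this is not urlcrazy’s code), the Python below generates the same classes of candidates for a domain you own and can optionally resolve them, so a defender can watch which typosquats of their own brand are registered; it goes slightly beyond the report by also including adjacent-character swaps. The QWERTY neighbour map, the homophone list and the alternate-TLD list are constructed assumptions, as is the meetup.com sample used in the usage line.

```python
"""Generate typosquat candidates for a domain, in the style of urlcrazy's report.

Added example (not urlcrazy's code): mirrors the typo categories of the report
above so that a defender can enumerate look-alike names of their own domain and
see which of them resolve.  Standard library only.
"""
import socket
import string
import sys

# Neighbouring keys on a QWERTY keyboard (the report's "Keyboard: qwerty"); constructed.
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "wedxza", "d": "erfcxs", "f": "rtgvcd", "g": "tyhbvf",
    "h": "yujnbg", "j": "uikmnh", "k": "iolmj", "l": "opk",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}
VOWELS = "aeiou"
HOMOPHONES = {"meet": "meat", "meat": "meet", "site": "sight", "one": "won"}  # constructed sample
ALT_TLDS = ["ca", "co", "net", "org"]  # assumption: the TLDs a defender wants to watch
LABEL_CHARS = string.ascii_lowercase + string.digits + "-"


def split_domain(domain):
    """'meetup.com' -> ('meetup', 'com'); only the last label is treated as the TLD."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def generate_typos(domain):
    """Return {typo_type: sorted candidate domains}; the original domain is never included."""
    name, tld = split_domain(domain)
    cands = {}
    cands["Character Omission"] = {name[:i] + name[i + 1:] for i in range(len(name))}
    cands["Character Replacement"] = {
        name[:i] + k + name[i + 1:]
        for i, ch in enumerate(name) for k in QWERTY_NEIGHBOURS.get(ch, "")
    }
    cands["Character Insertion"] = {
        name[:i] + k + name[i:]
        for i in range(len(name) + 1) for k in string.ascii_lowercase
    }
    cands["Character Swap"] = {  # adjacent transposition, e.g. 'meteup'
        name[:i] + name[i + 1] + name[i] + name[i + 2:] for i in range(len(name) - 1)
    }
    cands["Vowel Swap"] = {
        name[:i] + v + name[i + 1:]
        for i, ch in enumerate(name) if ch in VOWELS for v in VOWELS if v != ch
    }
    # Bit flipping: a single flipped bit in one character, kept only if still a valid label char.
    cands["Bit Flipping"] = set()
    for i, ch in enumerate(name):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in LABEL_CHARS:
                cands["Bit Flipping"].add(name[:i] + flipped + name[i + 1:])
    cands["Homophones"] = {name.replace(a, b) for a, b in HOMOPHONES.items() if a in name}
    cands["Missing Dot"] = {"www" + name}  # the dot after www dropped

    result = {}
    for typo_type, names in cands.items():
        result[typo_type] = sorted(
            c + "." + tld for c in names
            if c and c != name and "-" not in (c[0], c[-1])  # valid DNS label, not the original
        )
    result["Wrong TLD"] = sorted(name + "." + t for t in ALT_TLDS if t != tld)
    return result


def resolve(candidates):
    """DNS-resolve candidates (needs network); returns {name: [addresses]} for names that exist."""
    live = {}
    for name in candidates:
        try:
            infos = socket.getaddrinfo(name, None)
        except socket.gaierror:
            continue
        live[name] = sorted({info[4][0] for info in infos})
    return live


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "meetup.com"  # sample domain from the report
    typos = generate_typos(domain)
    for typo_type, names in typos.items():
        print(f"{typo_type:22s} {len(names):4d} candidates  e.g. {', '.join(names[:3])}")
    if "--resolve" in sys.argv:  # opt-in, since this sends a DNS query per candidate
        for name, addrs in resolve(n for ns in typos.values() for n in ns).items():
            print(f"{name:30s} {', '.join(addrs)}")
```

Resolution is opt-in because a few hundred DNS lookups per run is noisy; running it on a schedule against your own domain and diffing the live set is the cheap way to notice a new look-alike registration.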

wpscan

root@kali-arm64:~# wpscan vicpimakers.ca
[+] URL: http://vicpimakers.ca/
[+] Started: Sat Sep  2 20:09:31 2017

[+] robots.txt available under: 'http://vicpimakers.ca/robots.txt'
[+] Interesting entry from robots.txt: http://vicpimakers.ca/wp-admin/admin-ajax.php
[!] The WordPress 'http://vicpimakers.ca/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <http://vicpimakers.ca/wp-json/>; rel="https://api.w.org/", <http://wp.me/7qApj>; rel=shortlink
[+] Interesting header: SERVER: Apache
[+] Interesting header: X-POWERED-BY: PHP/5.4.45

[+] WordPress version 4.8.1 (Released on 2017-08-02) identified from meta generator, links opml

[+] WordPress theme in use: twentyseventeen - v1.3

[+] Enumerating plugins from passive detection ...
 | 3 plugins found:

[+] Name: jetpack - v5.2.1
 |  Latest version: 5.2.1 (up to date)
 |  Last updated: 2017-08-02T20:09:00.000Z
 |  Location: http://vicpimakers.ca/wp-content/plugins/jetpack/
 |  Readme: http://vicpimakers.ca/wp-content/plugins/jetpack/readme.txt
 |  Changelog: http://vicpimakers.ca/wp-content/plugins/jetpack/changelog.txt
...

john

root@kali-arm64:~# john --incremental=alnum  /etc/shadow
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 64/64 OpenSSL])
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (weakuser)

sslscan

root@kali-arm64:~# sslscan --ipv6 --show-certificate google.com
Version: 1.11.10-static
OpenSSL 1.0.2-chacha (1.0.2g-dev)

Trying IPv6 lookup

Testing SSL server google.com on port 443 using SNI name google.com

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed
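The sslscan run above reports what the server will negotiate and whether dangerous options are on. As an added example (not sslscan’s code), the Python below performs the checks a defender can do with the standard library alone against their own endpoint: negotiated protocol and cipher, whether TLS compression is enabled, and certificate expiry. check_tls needs network access and the verifying default context; assess holds the rule logic and is exercised with constructed reports. The host names and thresholds are assumptions.

```python
"""Stdlib TLS endpoint check, in the spirit of the sslscan run above.

Added example (not sslscan's code).  check_tls() connects and reports what was
negotiated; assess() turns a report into findings.  The 30-day expiry threshold
and the weak-cipher substrings are assumptions.
"""
import socket
import ssl
import time


def check_tls(host, port=443, timeout=5.0, prefer_ipv6=False):
    """Connect with the default verifying context and report what the server negotiated."""
    family = socket.AF_INET6 if prefer_ipv6 else socket.AF_UNSPEC  # sslscan --ipv6 equivalent
    ctx = ssl.create_default_context()
    addr = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)[0][4]
    with socket.create_connection((addr[0], addr[1]), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:  # SNI name = host
            cert = tls.getpeercert()
            not_after = ssl.cert_time_to_seconds(cert["notAfter"])
            return {
                "host": host,
                "address": addr[0],
                "version": tls.version(),          # e.g. 'TLSv1.3'
                "cipher": tls.cipher()[0],         # negotiated cipher suite name
                "compression": tls.compression(),  # None when compression is disabled
                "days_to_expiry": int((not_after - time.time()) // 86400),
            }


def assess(report):
    """Return a list of findings for a report dict; an empty list means nothing to flag."""
    findings = []
    if report["version"] in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"legacy protocol negotiated: {report['version']}")
    if report["compression"] is not None:
        findings.append(f"TLS compression enabled ({report['compression']}): CRIME risk")
    if report["days_to_expiry"] < 30:
        findings.append(f"certificate expires in {report['days_to_expiry']} days")
    cipher = report["cipher"]
    if any(weak in cipher for weak in ("RC4", "DES", "NULL", "EXPORT", "MD5")):
        findings.append(f"weak cipher negotiated: {cipher}")
    return findings


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "google.com"  # host used in the sslscan run above
    report = check_tls(host, prefer_ipv6="--ipv6" in sys.argv)
    for key, value in report.items():
        print(f"{key:16s} {value}")
    for finding in assess(report) or ["no findings"]:
        print(f"[!] {finding}")
```

Because the client uses the verifying default context, a certificate that fails validation raises ssl.SSLCertVerificationError before a report is produced, which is itself the finding you want on your own server.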

Wireshark

Wireshark can filter the capture based on protocol, or follow TCP streams to track individual sessions. It is a very powerful packet sniffer, and best of all it is free!

Conclusion

Kali Linux can be used without penetration testing tools. It is a perfectly good Linux distro for your Pi or Odroid. But installing it doesn’t make your Pi/Odroid secure. You will want to take active steps to secure your device.

Some basic rules of thumb when using PenTest tools

  1. Learn what the tool does before using it on your own device(s)
  2. Use the tools on your own devices! Don’t use them on sites without permission
  3. Monitor with wireshark to find out what the tool is really doing
  4. Be kind, use the force for good, not evil (or, don’t be a butthead)