Kali Linux – the Security Distro
Sep 16, 2017
The most advanced penetration testing distribution, ever. Or so it says.
Kali Linux is an alternate distribution for the Odroid and Raspberry Pi, which has the pentest tools already in the distro, making them easy to install. Many of the tools are not in the Raspbian distro, and would have to be downloaded and compiled separately.
- Kali Linux is a good distro, up-to-date, Debian-based (uses apt-get)
- Does not have penetration tools already installed (why?)
- Fortunately, there is katoolin, which will download all the tools for you
- Plays well with IPv6: most tools work in an IPv6 environment, but they may not work as you expect (IPv6 is a different protocol)
- There is a PDF online which shows how to install Kali Linux.
Installing Kali Linux
- Download the image for your board (Pi or Odroid)
- Use dd to copy it to a micro SD card
- Put the micro SD card into your board (Pi or Odroid) and boot. Default login is root, password toor
- Log in and change the root password NOW, I’ll wait. Also, you should consider creating a non-privileged user account, which you normally log in as.
- If you are interested in penetration testing, download katoolin and run it to download all the PenTest tools
After you create the SD image and boot it, you will want to grow the root partition, as it will be 7GB regardless of how much larger your SD card is. Install gparted and use it to increase the size of your root partition. It is always a good idea to reboot after this operation.
Digging into Kali Linux
Kali Linux with PenTest tools is just a collection of tools from various open source projects. I didn’t see a tool that was actually written by Kali. These tools include well-known, excellent tools such as those by THC (The Hacker’s Choice).
The tools are organized in the following categories; the tools I found useful are listed under each:
- Information Gathering
  - urlcrazy – creates typos for the domain, and checks if there are servers on that domain
  - nmap – host and port scanner
  - sslscan – checks SSL/TLS certs
- Vulnerability Analysis
  - dhcpig – consumes all DHCP pool addresses on a DHCP server (doesn’t quite work that way with DHCPv6)
  - yersinia – Layer 2 attacks, e.g. STP (spanning tree) attacks
- Web Application
  - wpscan – nice WordPress scanner, reveals plug-in versions, and whether they are up to date
- Database Assessment
  - sqlmap – SQL injection tool (better only use on your own databases)
- Password Attacks
  - john – reasonable offline password cracker (test for weak passwords)
- Wireless Attacks
  - aircrack-ng – a well-known 802.11 testing/cracking tool
- Reverse Engineering
- Exploitation Tools
  - ipv6-toolkit – scanning an IPv6 prefix is useless, scanning link-local addresses is useful
- Sniffing & Spoofing
  - wireshark – the tool for sniffing a network to figure out what is really happening
But one needs to know a little bit about security testing before using the tools. Some are obvious, such as a password cracker like john, which will test your system for weak passwords.
urlcrazy
root@kali-arm64:~# urlcrazy meetup.com
URLCrazy Domain Report
Domain    : meetup.com
Keyboard  : qwerty
At        : 2017-09-02 20:04:26 +0000

# Please wait. 91 hostnames to process

Typo Type              Typo             DNS-A            CC-A                DNS-MX                          Extn
------------------------------------------------------------------------------------------------------------------------
Character Omission     meetp.com        188.8.131.52     US,UNITED STATES    mail.b-io.co                    com
Character Omission     meetu.com        184.108.40.206   DE,GERMANY                                          com
Character Replacement  meerup.com       220.127.116.11                       mail.h-email.net                com
Character Insertion    meetrup.com      18.104.22.168    US,UNITED STATES    mailstore1.secureserver.net     com
Missing Dot            wwwmeetup.com    22.214.171.124   CH,SWITZERLAND                                      com
Vowel Swap             meetep.com       126.96.36.199    AU,AUSTRALIA        meetep.com                      com
Homophones             meatup.com       188.8.131.52     US,UNITED STATES    mx.meatup.com                   com
Bit Flipping           meedup.com       184.108.40.206   UA,UKRAINE          localhost                       com
Wrong TLD              meetup.ca        220.127.116.11   AU,AUSTRALIA                                        ca
...
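The typo categories in that report can be generated offline, which is useful when you want the list of look-alikes for a domain you own, to register or to watch for. The Python below is an added example written for this page, not urlcrazy’s own code: it produces candidates in the same categories urlcrazy prints (omission, replacement, insertion, missing dot, homophones, vowel swap, bit flipping, wrong TLD) and leaves out the DNS, MX and country lookups. The keyboard adjacency table, the tiny homophone list and the TLD list are constructed for the demo.

```python
import string

# QWERTY neighbours, used for replacement and insertion typos (constructed
# for the demo; urlcrazy ships its own keyboard layouts).
QWERTY = {
    "q": "wa", "w": "qase", "e": "wsdr", "r": "edft", "t": "rfgy", "y": "tghu",
    "u": "yhji", "i": "ujko", "o": "iklp", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn",
    "n": "bhjm", "m": "njk",
}
VOWELS = "aeiou"
# Tiny sounds-alike table for the demo; urlcrazy's is much larger.
HOMOPHONES = {"meet": "meat", "for": "four", "to": "two", "one": "won"}
# TLDs tried in the "Wrong TLD" category (constructed list).
TLDS = ("com", "net", "org", "ca", "co")


def split_domain(domain):
    """'meetup.com' -> ('meetup', 'com'); the name is lower-cased."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def typo_candidates(domain):
    """Return {candidate_domain: typo_type} for one registrable domain.

    A candidate is filed under the first category that produces it, so each
    hostname appears once, as a single row does in the urlcrazy table."""
    name, tld = split_domain(domain)
    found = {}

    def add(category, candidate):
        if candidate != domain.lower() and candidate not in found:
            found[candidate] = category

    for i in range(len(name)):                          # drop one character
        add("Character Omission", f"{name[:i]}{name[i + 1:]}.{tld}")
    for i, ch in enumerate(name):                       # hit a neighbouring key
        for n in QWERTY.get(ch, ""):
            add("Character Replacement", f"{name[:i]}{n}{name[i + 1:]}.{tld}")
    for i, ch in enumerate(name):                       # extra neighbouring key
        for n in QWERTY.get(ch, ""):
            add("Character Insertion", f"{name[:i + 1]}{n}{name[i + 1:]}.{tld}")
    add("Missing Dot", f"www{name}.{tld}")              # www.meetup.com -> wwwmeetup.com
    for word, alt in HOMOPHONES.items():                # sounds-alike words
        if word in name:
            add("Homophones", f"{name.replace(word, alt)}.{tld}")
    for i, ch in enumerate(name):                       # swap one vowel for another
        if ch in VOWELS:
            for v in VOWELS:
                if v != ch:
                    add("Vowel Swap", f"{name[:i]}{v}{name[i + 1:]}.{tld}")
    for i, ch in enumerate(name):                       # single-bit error in one letter
        for bit in range(7):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in string.ascii_lowercase:
                add("Bit Flipping", f"{name[:i]}{flipped}{name[i + 1:]}.{tld}")
    for other in TLDS:                                  # same name, different TLD
        if other != tld:
            add("Wrong TLD", f"{name}.{other}")
    return found


def report(domain):
    """Rows in the column order of the urlcrazy table, without the lookups."""
    rows = sorted(typo_candidates(domain).items(), key=lambda kv: (kv[1], kv[0]))
    return [f"{category:<22} {candidate}" for candidate, category in rows]


if __name__ == "__main__":
    print("\n".join(report("meetup.com")))
```

Resolving each candidate (an A record, an MX record) is what turns this list into the urlcrazy report; a candidate that resolves and accepts mail for a domain you own is the one worth looking at.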
wpscan
root@kali-arm64:~# wpscan vicpimakers.ca
[+] URL: http://vicpimakers.ca/
[+] Started: Sat Sep 2 20:09:31 2017

[+] robots.txt available under: 'http://vicpimakers.ca/robots.txt'
[+] Interesting entry from robots.txt: http://vicpimakers.ca/wp-admin/admin-ajax.php
[!] The WordPress 'http://vicpimakers.ca/readme.html' file exists exposing a version number
[+] Interesting header: LINK: <http://vicpimakers.ca/wp-json/>; rel="https://api.w.org/", <http://wp.me/7qApj>; rel=shortlink
[+] Interesting header: SERVER: Apache
[+] Interesting header: X-POWERED-BY: PHP/5.4.45
[+] WordPress version 4.8.1 (Released on 2017-08-02) identified from meta generator, links opml
[+] WordPress theme in use: twentyseventeen - v1.3

[+] Enumerating plugins from passive detection ...
 | 3 plugins found:

[+] Name: jetpack - v5.2.1
 |  Latest version: 5.2.1 (up to date)
 |  Last updated: 2017-08-02T20:09:00.000Z
 |  Location: http://vicpimakers.ca/wp-content/plugins/jetpack/
 |  Readme: http://vicpimakers.ca/wp-content/plugins/jetpack/readme.txt
 |  Changelog: http://vicpimakers.ca/wp-content/plugins/jetpack/changelog.txt
...
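Everything wpscan found above (a version in readme.html, a generator meta tag, X-POWERED-BY and LINK headers, a robots.txt entry) is passive: it is read straight out of the responses your own site sends to anyone. The Python below is an added example for this page, not wpscan’s code: it runs the same checks over a constructed, offline stand-in for a site (a dict of paths to canned responses instead of a real HTTP fetch) and shows the same site before and after the disclosures are removed. The hostnames, bodies and headers are made up, though the version strings mirror the scan above.

```python
import re

# Constructed stand-in for an HTTP client: path -> (status, headers, body).
# This is a made-up site, not a capture; the values echo what wpscan printed.
LEAKY_SITE = {
    "/": (200,
          {"Server": "Apache",
           "X-Powered-By": "PHP/5.4.45",
           "Link": '<http://example.test/wp-json/>; rel="https://api.w.org/"'},
          '<html><head><meta name="generator" content="WordPress 4.8.1" />'
          '</head><body>hello</body></html>'),
    "/readme.html": (200, {"Server": "Apache"},
                     "<h1>WordPress</h1><br />Version 4.8.1"),
    "/robots.txt": (200, {}, "User-agent: *\nDisallow: /wp-admin/\n"
                              "Allow: /wp-admin/admin-ajax.php\n"),
}

# The same site after the fixes: readme.html removed, generator tag and
# X-Powered-By suppressed, Server header reduced to the bare product name.
HARDENED_SITE = {
    "/": (200, {"Server": "Apache"},
          "<html><head></head><body>hello</body></html>"),
    "/readme.html": (404, {}, ""),
    "/robots.txt": (200, {}, "User-agent: *\nDisallow: /wp-admin/\n"),
}

# Headers whose mere presence hands out software details.
VERSION_HEADERS = ("x-powered-by", "link")
GENERATOR_RE = re.compile(
    r'<meta\s+name="generator"\s+content="WordPress ([\d.]+)"', re.I)
README_RE = re.compile(r"Version\s+([\d.]+)")


def fetch(site, path):
    """Look a path up in the canned site; unknown paths are a 404."""
    return site.get(path, (404, {}, ""))


def audit(site):
    """Return (kind, where, detail) findings in the spirit of wpscan's output."""
    findings = []
    status, headers, body = fetch(site, "/")
    lower = {k.lower(): v for k, v in headers.items()}
    for h in VERSION_HEADERS:
        if h in lower:
            findings.append(("header", h, lower[h]))
    # A plain product name is normal; flag Server only when it carries digits.
    if "server" in lower and re.search(r"\d", lower["server"]):
        findings.append(("header", "server", lower["server"]))
    m = GENERATOR_RE.search(body)
    if m:
        findings.append(("version", "meta generator", m.group(1)))
    status, _, body = fetch(site, "/readme.html")
    if status == 200:
        m = README_RE.search(body)
        findings.append(("version", "readme.html", m.group(1) if m else "present"))
    status, _, body = fetch(site, "/robots.txt")
    if status == 200:
        for line in body.splitlines():
            key, sep, value = line.partition(":")
            if sep and key.strip().lower() in ("allow", "disallow"):
                findings.append(("robots", key.strip().lower(), value.strip()))
    return findings


def versions_disclosed(site):
    """Just the version strings an unauthenticated visitor can learn."""
    return sorted({detail for kind, _, detail in audit(site) if kind == "version"})


if __name__ == "__main__":
    for name, site in (("leaky", LEAKY_SITE), ("hardened", HARDENED_SITE)):
        print(name, versions_disclosed(site))
        for finding in audit(site):
            print("  ", finding)
```

On a real WordPress install the fixes behind HARDENED_SITE are: delete readme.html, add remove_action('wp_head', 'wp_generator'); to the theme, set expose_php = Off in php.ini, and ServerTokens Prod in the Apache config. Hiding the version is not a substitute for updating, but it stops a scanner from matching the site against a list of known-bad versions at a glance.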
john
root@kali-arm64:~# john --incremental=alnum /etc/shadow
Using default input encoding: UTF-8
Loaded 3 password hashes with 3 different salts (sha512crypt, crypt(3) $6$ [SHA512 64/64 OpenSSL])
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (weakuser)
sslscan
root@kali-arm64:~# sslscan --ipv6 --show-certificate google.com
Version: 1.11.10-static
OpenSSL 1.0.2-chacha (1.0.2g-dev)

Trying IPv6 lookup
Testing SSL server google.com on port 443 using SNI name google.com

  TLS Fallback SCSV:
Server supports TLS Fallback SCSV

  TLS renegotiation:
Secure session renegotiation supported

  TLS Compression:
Compression disabled

  Heartbleed:
TLS 1.2 not vulnerable to heartbleed
TLS 1.1 not vulnerable to heartbleed
TLS 1.0 not vulnerable to heartbleed
Wireshark can filter the capture based on protocol, or follow TCP streams to track individual sessions. It is a very powerful packet sniffer, and best of all it is free!
Demo of Tools
Kali Linux can be used without penetration testing tools. It is a perfectly good Linux distro for your Pi or Odroid. But installing it doesn’t make your Pi/Odroid secure. You will want to take active steps to secure your device.
Some basic rules of thumb when using PenTest tools
- Learn what the tool does before using it on your own device(s)
- Use the tools on your own devices! Don’t use them on sites without permission
- Monitor with wireshark to find out what the tool is really doing
- Be kind, use the force for good, not evil (or, don’t be a butthead)