2.11 Penetration Testing
2.11.3 Kali Linux
Penetration testing could have another stage of information gathering via tools such as those installed in Kali Linux. Examples of useful information to collect are SDN, hostname, IP address, credentials, configuration, etc. Collected information can be classified as active or passive. If the information is collected directly from the target by interacting with it through communication, then it is active data collection; if the collected information comes from other resources such as search engines, security databases and repositories, then it is passive information collection. It is safer to collect information passively, but active information collection yields more detailed information.
Kali Linux, by Offensive Security, is a multipurpose operating system packed with the most significant security assessment and penetration testing tools. The previously mentioned methods commonly contain the following adjustable stages: Target scoping, Information gathering, Target discovery, Enumerating target, Vulnerability mapping, Social engineering, Target exploitation, Privilege escalation, Maintaining access, and Documentation and reporting, all of which are supported in Kali. The Kali Linux application menu is organized according to these common penetration testing stages.
The main Kali tools used in this research are listed below along with some alternatives.
Whois is used to attain information about the host from the domain name or an IP address. Whois can expose the routing path from the pentester device to the target and whether there is a firewall in place. Alternatives are traceroute and tcptrace.
Sparta is used to scan and enumerate a target, recursively passing results from one embedded tool to another.
NMap is a classic tool used by pentesters either on the command line or through a GUI (ZenMap). It takes a single target, or a full network range, and scans at different intensity levels for ports, mail servers, load balancing, IP addresses, etc. AMap can be used if only port information is needed to match against a registered database. Also, traceroute, tcptrace, ping, arping, fping, hping3 and nping give information as to the liveness of a target.
Nessus is a vulnerability scanner which uses the classic CVE database and can link to other security tools. It uses a scripting language, the Nessus Attack Scripting Language (NASL), to test for individual threats and potential attacks. Nessus creates policies, which are sets of vulnerability tests applied to a target. Nessus can target different software versions and patches for updates, apply brute force testing and assess the target configurations for security threats. Vulnerabilities are labelled as critical, high, etc. An alternative would be to use the CVE and OSVDB databases, etc., by checking the operating system and software for vulnerabilities manually.
2.11.3.2 Pentesting Stages in Kali
After the Information Gathering phase (as mentioned on page 61), the next step is to target devices in the network and determine their OSs and applications. At this point the best option is to identify the live targets and their OSs. Tools for this include ping, arping, fping, hping3 and nping. All these tools depend on sending ICMP echoes to the targets: either a common ICMP echo like ping, or ARP requests such as arping, or multiple targets at one time such as fping and nping [125]. However, many of these tools are included in other, bigger packages such as NMAP. The best tool to identify a live target's OS is NMAP with the -O option. The method of finding the target OS is called Operating System (OS) fingerprinting and is applied either passively or actively. By knowing the target OS, the tester (or attacker) can run more vulnerability tests based on the OS or select OS-specific penetration test tools.
The next stage is Enumerating Target, which involves collecting much deeper information such as ports, services, etc.
Port scanning can be defined as a method used to determine the state of the Transmission Control Protocol (TCP) and User Datagram Protocol (UDP) ports on the target machines. An open port may mean that there is a network service listening on the port and the service is accessible, whereas a closed port means that there is no network service listening on that port.
Service enumeration is a method that is used to find the service version that is available on a particular port on the target system [125]. A service version is a crucial piece of information for pentesters as it represents a valuable lead for vulnerabilities related to the service/software version. Example tools for detection are network scanners such as NMAP, ZenMap and Amap. A penetration test has to be concluded with a report to state the target status and list the security issues, the discovered vulnerabilities and suggestions as to how to mitigate them. The Kali Linux menu categorizes tools to match the penetration test life cycle phases and further penetration test tasks such as Information gathering, Vulnerability assessment, Web applications, Exploitation tools, Sniffing and spoofing, Reporting tools, System services, etc. Each category lists a number of popular penetration tools to serve the purpose of its category. Moreover, there are extra tool sections for specific penetration test tasks such as Wireless attacks, Reverse engineering, Stress testing, Hardware hacking and Forensics [125].
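As an added example (not from the thesis or from the Nmap project), the following Python script parses a constructed sample of Nmap's grepable output (-oG) into per-host port findings and flags open ports whose service version was not identified, which is the list a tester follows up by hand before writing the report. The hosts, hostnames and version strings in the sample are constructed.

```python
from collections import namedtuple

# Constructed sample of Nmap grepable output (-oG); not a real scan result.
# Each "Ports:" item is port/state/protocol/owner/service/rpc-info/version.
SAMPLE_OG = """\
# Nmap scan initiated as: nmap -sV -oG - 192.0.2.10 192.0.2.11
Host: 192.0.2.10 (web.example.test)\tStatus: Up
Host: 192.0.2.10 (web.example.test)\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 80/open/tcp//http//Apache httpd 2.4.52/, 443/closed/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (996)
Host: 192.0.2.11 ()\tPorts: 3306/open/tcp//mysql///\tIgnored State: closed (999)
# Nmap done
"""

PortFinding = namedtuple("PortFinding", "host port proto state service version")

def parse_grepable(text):
    """Turn -oG 'Host:' lines into PortFinding records, keeping every port state."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and Status-only lines carry no port data
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split(" ", 1)[0]  # drop the "(hostname)" part
        for item in fields["Ports"].split(", "):
            port, state, proto, _owner, service, _rpc, version = item.split("/")[:7]
            findings.append(PortFinding(host, int(port), proto, state, service, version))
    return findings

def summarize(findings):
    """Per host: open services for the report, open ports with no version string
    (candidates for manual service enumeration), and counts of the other states."""
    report = {}
    for f in findings:
        entry = report.setdefault(f.host, {"open": [], "unversioned": [], "closed": 0, "filtered": 0})
        if f.state == "open":
            entry["open"].append((f.port, f.proto, f.service, f.version or "unknown"))
            if not f.version:
                entry["unversioned"].append(f.port)
        else:
            entry[f.state] = entry.get(f.state, 0) + 1
    return report

if __name__ == "__main__":
    for host, entry in summarize(parse_grepable(SAMPLE_OG)).items():
        print(f"{host}: {len(entry['open'])} open, {entry['closed']} closed, {entry['filtered']} filtered")
        for port, proto, service, version in entry["open"]:
            print(f"  {port}/{proto} {service:<12} {version}")
        if entry["unversioned"]:
            print(f"  version not identified on ports {entry['unversioned']}")
```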
Consequently, we followed the Kali life-cycle, which is similar to both Broad and Bindner [126] and the Kill Chain life-cycle [137], and we used the tools embedded within Kali as used by real-world pentesters.