Kali Linux Penetration Testing Bible

YOUR ULTIMATE GUIDE TO PENTESTING WITH KALI LINUX

Kali is a popular and powerful Linux distribution used by cybersecurity professionals around the world. Penetration testers must master Kali’s varied library of tools to be effective at their work. The Kali Linux Penetration Testing Bible is the hands-on and methodology guide for pentesting with Kali.

You’ll discover everything you need to know about the tools and techniques hackers use to gain access to systems like yours so you can erect reliable defenses for your virtual assets. Whether you’re new to the field or an established pentester, you’ll find what you need in this comprehensive guide.

* Build a modern dockerized environment
* Discover the fundamentals of the bash language in Linux
* Use a variety of effective techniques to find vulnerabilities (OSINT, Network Scan, and more)
* Analyze your findings and identify false positives and uncover advanced subjects, like buffer overflow, lateral movement, and privilege escalation
* Apply practical and efficient pentesting workflows
* Learn about Modern Web Application Security Secure SDLC
* Automate your penetration testing with Python

GUS KHAWAJA is an expert in application security and penetration testing. He is a cybersecurity consultant in Montreal, Canada and has a depth of experience working with organizations to protect their assets from cyberattacks. He is a published author and online educator in the field of cybersecurity.

Introduction xx

CHAPTER 1 MASTERING THE TERMINAL WINDOW 1

Kali Linux File System 2

Terminal Window Basic Commands 3

Tmux Terminal Window 6

Starting Tmux 6

Tmux Key Bindings 7

Tmux Session Management 7

Navigating Inside Tmux 9

Tmux Commands Reference 9

Managing Users and Groups in Kali 10

Users Commands 10

Groups Commands 14

Managing Passwords in Kali 14

Files and Folders Management in Kali Linux 15

Displaying Files and Folders 15

Permissions 16

Manipulating Files in Kali 19

Searching for Files 20

Files Compression 21

Manipulating Directories in Kali 23

Mounting a Directory 23

Managing Text Files in Kali Linux 24

Vim vs. Nano 26

Searching and Filtering Text 27

Remote Connections in Kali 29

Remote Desktop Protocol 29

Secure Shell 30

SSH with Credentials 30

Passwordless SSH 32

Kali Linux System Management 34

Linux Host Information 36

Linux OS Information 36

Linux Hardware Information 36

Managing Running Services 38

Package Management 39

Process Management 41

Networking in Kali Linux 42

Network Interface 42

IPv4 Private Address Ranges 42

Static IP Addressing 43

DNS 45

Established Connections 46

File Transfers 47

Summary 48

CHAPTER 2 BASH SCRIPTING 49

Basic Bash Scripting 50

Printing to the Screen in Bash 50

Variables 52

Commands Variable 54

Script Parameters 54

User Input 56

Functions 56

Conditions and Loops 57

Conditions 58

Loops 60

File Iteration 61

Summary 63

CHAPTER 3 NETWORK HOSTS SCANNING 65

Basics of Networking 65

Networking Protocols 66

TCP 66

UDP 67

Other Networking Protocols 67

IP Addressing 69

IPv4 69

Subnets and CIDR 69

IPv6 70

Port Numbers 71

Network Scanning 72

Identifying Live Hosts 72

Ping 73

ARP 73

Nmap 73

Port Scanning and Services Enumeration 74

TCP Port SYN Scan 75

UDP 75

Basics of Using Nmap Scans 76

Services Enumeration 77

Operating System Fingerprinting 79

Nmap Scripting Engine 80

NSE Category Scan 82

NSE Arguments 84

DNS Enumeration 84

DNS Brute-Force 85

DNS Zone Transfer 86

DNS Subdomains Tools 87

Fierce 87

Summary 88

CHAPTER 4 INTERNET INFORMATION GATHERING 89

Passive Footprinting and Reconnaissance 90

Internet Search Engines 90

Shodan 91

Google Queries 92

Information Gathering Using Kali Linux 94

Whois Database 95

TheHarvester 97

DMitry 99

Maltego 99

Summary 103

CHAPTER 5 SOCIAL ENGINEERING ATTACKS 105

Spear Phishing Attacks 105

Sending an E-mail 106

The Social Engineer Toolkit 106

Sending an E-mail Using Python 108

Stealing Credentials 109

Payloads and Listeners 110

Bind Shell vs. Reverse Shell 111

Bind Shell 111

Reverse Shell 112

Reverse Shell Using SET 113

Social Engineering with the USB Rubber Ducky 115

A Practical Reverse Shell Using USB Rubber Ducky and PowerShell 117

Generating a PowerShell Script 118

Starting a Listener 118

Hosting the PowerShell Script 119

Running PowerShell 120

Download and Execute the PS Script 120

Reverse Shell 121

Replicating the Attack Using the USB Rubber Ducky 122

Summary 122

CHAPTER 6 ADVANCED ENUMERATION PHASE 125

Transfer Protocols 126

FTP (Port 21) 126

Exploitation Scenarios for an FTP Server 126

Enumeration Workflow 127

Service Scan 127

Advanced Scripting Scan with Nmap 128

More Brute-Forcing Techniques 129

SSH (Port 22) 130

Exploitation Scenarios for an SSH Server 130

Advanced Scripting Scan with Nmap 131

Brute-Forcing SSH with Hydra 132

Advanced Brute-Forcing Techniques 133

Telnet (Port 23) 134

Exploitation Scenarios for Telnet Server 135

Enumeration Workflow 135

Service Scan 135

Advanced Scripting Scan 136

Brute-Forcing with Hydra 136

E-mail Protocols 136

SMTP (Port 25) 137

Nmap Basic Enumeration 137

Nmap Advanced Enumeration 137

Enumerating Users 138

POP3 (Port 110) and IMAP4 (Port 143) 141

Brute-Forcing POP3 E-mail Accounts 141

Database Protocols 142

Microsoft SQL Server (Port 1433) 142

Oracle Database Server (Port 1521) 143

MySQL (Port 3306) 143

CI/CD Protocols 143

Docker (Port 2375) 144

Jenkins (Port 8080/50000) 145

Brute-Forcing a Web Portal Using Hydra 147

Step 1: Enable a Proxy 148

Step 2: Intercept the Form Request 149

Step 3: Extracting Form Data and Brute-Forcing with Hydra 150

Web Protocols 80/443 151

Graphical Remoting Protocols 152

RDP (Port 3389) 152

RDP Brute-Force 152

VNC (Port 5900) 153

File Sharing Protocols 154

SMB (Port 445) 154

Brute-Forcing SMB 156

SNMP (Port UDP 161) 157

SNMP Enumeration 157

Summary 159

CHAPTER 7 EXPLOITATION PHASE 161

Vulnerabilities Assessment 162

Vulnerability Assessment Workflow 162

Vulnerability Scanning with OpenVAS 164

Installing OpenVAS 164

Scanning with OpenVAS 165

Exploits Research 169

SearchSploit 171

Services Exploitation 173

Exploiting FTP Service 173

FTP Login 173

Remote Code Execution 174

Spawning a Shell 177

Exploiting SSH Service 178

SSH Login 178

Telnet Service Exploitation 179

Telnet Login 179

Sniffing for Cleartext Information 180

E-mail Server Exploitation 183

Docker Exploitation 185

Testing the Docker Connection 185

Creating a New Remote Kali Container 186

Getting a Shell into the Kali Container 187

Docker Host Exploitation 188

Exploiting Jenkins 190

Reverse Shells 193

Using Shells with Metasploit 194

Exploiting the SMB Protocol 196

Connecting to SMB Shares 196

SMB Eternal Blue Exploit 197

Summary 198

CHAPTER 8 WEB APPLICATION VULNERABILITIES 199

Web Application Vulnerabilities 200

Mutillidae Installation 200

Apache Web Server Installation 200

Firewall Setup 201

Installing PHP 201

Database Installation and Setup 201

Mutillidae Installation 202

Cross-Site Scripting 203

Reflected XSS 203

Stored XSS 204

Exploiting XSS Using the Header 205

Bypassing JavaScript Validation 207

SQL Injection 208

Querying the Database 208

Bypassing the Login Page 211

Execute Database Commands Using SQLi 211

SQL Injection Automation with SQLMap 215

Testing for SQL Injection 216

Command Injection 217

File Inclusion 217

Local File Inclusion 218

Remote File Inclusion 219

Cross-Site Request Forgery 220

The Attacker Scenario 221

The Victim Scenario 222

File Upload 223

Simple File Upload 223

Bypassing Validation 225

Encoding 227

OWASP Top 10 228

Summary 229

CHAPTER 9 WEB PENETRATION TESTING AND SECURE SOFTWARE DEVELOPMENT LIFECYCLE 231

Web Enumeration and Exploitation 231

Burp Suite Pro 232

Web Pentest Using Burp Suite 232

More Enumeration 245

Nmap 246

Crawling 246

Vulnerability Assessment 247

Manual Web Penetration Testing Checklist 247

Common Checklist 248

Special Pages Checklist 248

Secure Software Development Lifecycle 250

Analysis/Architecture Phase 251

Application Threat Modeling 251

Assets 251

Entry Points 252

Third Parties 252

Trust Levels 252

Data Flow Diagram 252

Development Phase 252

Testing Phase 255

Production Environment (Final Deployment) 255

Summary 255

CHAPTER 10 LINUX PRIVILEGE ESCALATION 257

Introduction to Kernel Exploits and Missing Configurations 258

Kernel Exploits 258

Kernel Exploit: Dirty Cow 258

SUID Exploitation 261

Overriding the Passwd Users File 263

CRON Jobs Privilege Escalation 264

CRON Basics 265

Crontab 265

Anacrontab 266

Enumerating and Exploiting CRON 266

sudoers 268

sudo Privilege Escalation 268

Exploiting the Find Command 268

Editing the sudoers File 269

Exploiting Running Services 270

Automated Scripts 270

Summary 271

CHAPTER 11 WINDOWS PRIVILEGE ESCALATION 273

Windows System Enumeration 273

System Information 274

Windows Architecture 275

Listing the Disk Drives 276

Installed Patches 276

Who Am I? 276

List Users and Groups 277

Networking Information 279

Showing Weak Permissions 282

Listing Installed Programs 283

Listing Tasks and Processes 283

File Transfers 284

Windows Host Destination 284

Linux Host Destination 285

Windows System Exploitation 286

Windows Kernel Exploits 287

Getting the OS Version 287

Find a Matching Exploit 288

Executing the Payload and Getting a Root Shell 289

The Metasploit PrivEsc Magic 289

Exploiting Windows Applications 293

Running As in Windows 295

PSExec Tool 296

Exploiting Services in Windows 297

Interacting with Windows Services 297

Misconfigured Service Permissions 297

Overriding the Service Executable 299

Unquoted Service Path 299

Weak Registry Permissions 301

Exploiting the Scheduled Tasks 302

Windows PrivEsc Automated Tools 302

PowerUp 302

WinPEAS 303

Summary 304

CHAPTER 12 PIVOTING AND LATERAL MOVEMENT 305

Dumping Windows Hashes 306

Windows NTLM Hashes 306

SAM File and Hash Dump 307

Using the Hash 308

Mimikatz 308

Dumping Active Directory Hashes 310

Reusing Passwords and Hashes 310

Pass the Hash 311

Pivoting with Port Redirection 312

Port Forwarding Concepts 312

SSH Tunneling and Local Port Forwarding 314

Remote Port Forwarding Using SSH 315

Dynamic Port Forwarding 316

Dynamic Port Forwarding Using SSH 316

Summary 317

CHAPTER 13 CRYPTOGRAPHY AND HASH CRACKING 319

Basics of Cryptography 319

Hashing Basics 320

One-Way Hash Function 320

Hashing Scenarios 321

Hashing Algorithms 321

Message Digest 5 321

Secure Hash Algorithm 323

Hashing Passwords 323

Securing Passwords with Hash 324

Hash-Based Message Authenticated Code 325

Encryption Basics 326

Symmetric Encryption 326

Advanced Encryption Standard 326

Asymmetric Encryption 328

Rivest Shamir Adleman 329

Cracking Secrets with Hashcat 331

Benchmark Testing 332

Cracking Hashes in Action 334

Attack Modes 336

Straight Mode 336

Combinator 337

Mask and Brute-Force Attacks 339

Brute-Force Attack 342

Hybrid Attacks 342

Cracking Workflow 343

Summary 344

CHAPTER 14 REPORTING 345

Overview of Reports in Penetration Testing 345

Scoring Severities 346

Common Vulnerability Scoring System Version 3.1 346

Report Presentation 349

Cover Page 350

History Logs 350

Report Summary 350

Vulnerabilities Section 350

Summary 351

CHAPTER 15 ASSEMBLY LANGUAGE AND REVERSE ENGINEERING 353

CPU Registers 353

General CPU Registers 354

Index Registers 355

Pointer Registers 355

Segment Registers 355

Flag Registers 357

Assembly Instructions 358

Little Endian 360

Data Types 360

Memory Segments 361

Addressing Modes 361

Reverse Engineering Example 361

Visual Studio Code for C/C++ 362

Immunity Debugger for Reverse Engineering 363

Summary 368

CHAPTER 16 BUFFER/STACK OVERFLOW 369

Basics of Stack Overflow 369

Stack Overview 370

PUSH Instruction 370

POP Instruction 371

C Program Example 371

Buffer Analysis with Immunity Debugger 372

Stack Overflow 376

Stack Overflow Mechanism 377

Stack Overflow Exploitation 378

Lab Overview 379

Vulnerable Application 379

Phase 1: Testing 379

Testing the Happy Path 379

Testing the Crash 381

Phase 2: Buffer Size 382

Pattern Creation 382

Offset Location 382

Phase 3: Controlling EIP 383

Adding the JMP Instruction 384

Phase 4: Injecting the Payload and Getting a Remote Shell 386

Payload Generation 386

Bad Characters 386

Shellcode Python Script 387

Summary 388

CHAPTER 17 PROGRAMMING WITH PYTHON 389

Basics of Python 389

Running Python Scripts 390

Debugging Python Scripts 391

Installing VS Code on Kali 391

Practicing Python 392

Python Basic Syntaxes 393

Python Shebang 393

Comments in Python 393

Line Indentation and Importing Modules 394

Input and Output 394

Printing CLI Arguments 395

Variables 395

Numbers 395

Arithmetic Operators 397

Strings 397

String Formatting 397

String Functions 398

Lists 399

Reading Values in a List 399

Updating List Items 399

Removing a list item 400

Tuples 400

Dictionary 400

More Techniques in Python 400

Functions 400

Returning Values 401

Optional Arguments 401

Global Variables 402

Changing Global Variables 402

Conditions 403

if/else Statement 403

Comparison Operators 403

Loop Iterations 404

while Loop 404

for Loop 405

Managing Files 406

Exception Handling 407

Text Escape Characters 407

Custom Objects in Python 408

Summary 409

CHAPTER 18 PENTEST AUTOMATION WITH PYTHON 411

Penetration Test Robot 411

Application Workflow 412

Python Packages 414

Application Start 414

Input Validation 415

Code Refactoring 417

Scanning for Live Hosts 418

Ports and Services Scanning 420

Attacking Credentials and Saving the Results 423

Summary 426

APPENDIX A KALI LINUX DESKTOP AT A GLANCE 427

Downloading and Running a VM of Kali Linux 428

Virtual Machine First Boot 428

Kali Xfce Desktop 429

Kali Xfce Menu 430

Search Bar 430

Favorites Menu Item 430

Usual Applications 432

Other Menu Items 433

Kali Xfce Settings Manager 433

Advanced Network Configuration 435

Appearance 436

Desktop 439

Display 441

File Manager 442

Keyboard 445

MIME Type Editor 447

Mouse and Touchpad 448

Panel 449

Workspaces 450

Window Manager 451

Practical Example of Desktop Customization 454

Edit the Top Panel 454

Adding a New Bottom Panel 454

Changing the Desktop Look 457

Installing Kali Linux from Scratch 458

Summary 466

APPENDIX B BUILDING A LAB ENVIRONMENT USING DOCKER 467

Docker Technology 468

Docker Basics 468

Docker Installation 468

Images and Registries 469

Containers 470

Dockerfile 472

Volumes 472

Networking 473

Mutillidae Docker Container 474

Summary 475

Index 477