Everything starts with a goal. In this chapter, we will discuss the importance of goal-based penetration testing with a set of objectives and discuss misconceptions and how a typical vulnerability scan, penetration testing, and red teaming exercise can fail without the importance of a goal. This chapter also provides an overview of security testing and setting up a verification lab and focuses on customizing Kali to support some advanced aspects of penetration testing. By the end of this chapter, you'll have learned the following:
- An overview of security testing
- Misconceptions of vulnerability scanning, penetration testing, and red teaming exercises
- History and purpose of Kali Linux
- Updating and organizing Kali
- Setting up defined targets
- Building a verification lab
Every household, individual and public and private business in the world has something to worry about in cyber space, such as privacy, data loss, malware, cyber terrorism, and identity theft. Everything starts with a concept of protection; if you ask the question "What is security testing?" to 100 different security consultants, it is very likely that you'll hear different responses. In the simplest form, security testing is a process to determine that any information asset or system is protected and its functionality is maintained as intended.
In this section, we will discuss some misconceptions and limitations on traditional/classical vulnerability scanning, penetration testing, and red teaming exercises. Let's now understand the actual meaning of all of these three in simple terms and their limitations:
- Vulnerability scanning (Vscan): It is a process of identifying vulnerabilities or security loopholes in a system or network. One of the misconceptions about Vscan is that it will let you know all of the known vulnerabilities; well, it's not true. Limitations with Vscan are only potential vulnerabilities and it purely depends on the type of scanner that one utilizes; it might also include lots of false positives and, to the business owner, there is no clear vision on whether they are relevant risks or not and which one will be utilized by the attackers first to gain access.
- Penetration testing (Pentest): It is a process of safely exploiting vulnerabilities without much impact to the existing network or business. There is a lower number of false positives since the testers will try and simulate the exploit. Limitations with the pentest are only currently known, publicly available exploits and mostly these are project-focused testing. We often hear from pentesters during an assessment, "Yay! Got Root"—but we never question: What's next? This could be due to various reasons, such as the project limits you to report the high-risk issues immediately to the client or the client is interested in only one segment of the network and wants you to test that.
One of the misconceptions about the pentest is that it provides the full attacker view of the network and you are safe once you've done a penetration testing. Well, it isn't the case if attackers found a vulnerability in the business process of your secure app.
- Red Team Exercise (RTE): It is a process of evaluating the effectiveness of an organization to defend against cyber threats and improve its security by any possible means; during an RTE, we can notice multiple ways of achieving project objectives and goals, such as complete coverage of activities with the defined project goal, including phishing, wireless, disk drops (USB, CD, and SSD), and physical penetration testing. The limitations with RTEs are time-bound, pre-defined scenarios and an assumed rather than real environment. Often, the RTE is run with a fully monitored mode for every technique and tactics are executed according to the procedure, but this isn't the case when a real attacker wants to achieve an objective.
Often, all three different testing methodologies refer to the term hack or compromise. We will hack your network and show you where your weaknesses are; but wait, does the client or business owner understand the term hack or compromise? How do we measure it? What are the criteria? And when do we know that the hack or compromise is complete? All the questions point to only one thing: what's the primary goal?
The primary goal of a pentest/RTE is to determine the real risk, differentiating the risk rating from the scanner and giving a business risk value for each asset, along with the brand image of the organization. It's not about whether how much risk they have; rather, it's about how much they are exposed. A threat that has been found does not really constitute a risk and need not be demonstrated. For example, a Cross-Site Scripting (XSS) on a brochure website may not have significant impact on the business; however, a client might accept the risk to put in a mitigation plan using a Web Application Firewall (WAF) to prevent the XSS attacks.
While objective-based penetration testing is time-based, depending on the specific problem that an organization faces, an example of an objective is: We are most worried about the online portal and fraud transactions. So, the objective now is to compromise the portal or administrators through phishing or take over the approval chains through a system flaw. Every objective comes with its own tactics, techniques, and procedures that will support the primary goal of the penetration test activity. We will be exploring all of the different ways throughout this book using Kali Linux.
Methodologies rarely consider why a penetration test is being undertaken or which data is critical to the business and needs to be protected. In the absence of this vital first step, penetration tests lose focus.
Many penetration testers are reluctant to follow a defined methodology, fearing that it'll hinder their creativity in exploiting a network. Penetration testing fails to reflect the actual activities of a malicious attacker. Frequently, the client wants to see whether you can gain administrative access to a particular system (Can you root the box?). However, the attacker may be focused on copying critical data in a manner that does not require root access or cause a denial of service.
In 2009, Mike Cloppert of Lockheed Martin CERT introduced the concept that is now known as the attacker kill chain. This includes the steps taken by an adversary when they are attacking a network. It does not always proceed in a linear flow as some steps may occur in parallel. Multiple attacks may be launched over time at the same target, and overlapping stages may occur at the same time.
In this book, we've modified Cloppert's kill chain to more accurately reflect how attackers apply these steps when exploiting networks, application, and data services.
The following diagram shows a typical kill chain of an attacker:
A typical kill chain of an attacker can be described as follows:
- Explore or reconnaissance phase: The adage, reconnaissance time is never wasted time, adopted by most military organizations, acknowledges that it is better to learn as much as possible about an enemy before engaging them. For the same reason, attackers will conduct extensive reconnaissance of a target before attacking. In fact, it is estimated that at least 70 percent of the work effort of a penetration test or an attack is spent conducting reconnaissance! Generally, they will employ two types of reconnaissance:
- Passive: This does not directly interact with the target in a hostile manner. For example, the attacker will review the publicly available website(s), assess online media (especially social media sites), and attempt to determine the attack surface of the target. One particular task will be to generate a list of past and current employee names. These names will form the basis of attempts to brute force or guess passwords. They will also be used in social engineering attacks. This type of reconnaissance is difficult, if not impossible, to distinguish from the behavior of regular users.
- Active: This can be detected by the target but it can be difficult to distinguish most online organizations' faces from the regular backgrounds. Activities occurring during active reconnaissance include physical visits to target premises, port scanning, and remote vulnerability scanning.
- Delivery phase: Delivery is the selection and development of the weapon that will be used to complete the exploit during the attack. The exact weapon chosen will depend on the attacker's intent as well as the route of delivery (for example, across the network, via wireless, or through a web-based service). The impact of the delivery phase will be examined in the second half of this book.
- Exploit or compromise phase: This is the point when a particular exploit is successfully applied, allowing attackers to reach their objective. The compromise may have occurred in a single phase (for example, a known operating system vulnerability was exploited using a buffer overflow), or it may have been a multiphase compromise (for example, an attacker physically accessed premises to steal a corporate phone book. The names were used to create lists for brute force attacks against a portal logon. In addition, emails were sent to all employees to click on an embedded link to download a crafted PDF file that compromised their computers). Multiphase attacks are the norm when a malicious attacker targets a specific enterprise.
- Achieve phase – Action on the Objective: This is frequently, and incorrectly, referred to as the exfiltration phase because there is a focus on perceiving attacks solely as a route to steal sensitive data (such as login information, personal information, and financial information); it is common for an attacker to have a different objective. For example, a business may wish to cause a denial of service in their competitor's network to drive customers to their own website. Therefore, this phase must focus on the many possible actions of an attacker. One of the most common exploit activity occurs when the attackers attempt to improve their access privileges to the highest possible level (vertical escalation) and to compromise as many accounts as possible (horizontal escalation).
- Achieve phase – Persistence: If there is value in compromising a network or system, then that value can likely be increased if there is persistent access. This allows attackers to maintain communications with a compromised system. From a defender's point of view, this is the part of the kill chain that is usually the easiest to detect.
Kill chains are metamodels of an attacker's behavior when they attempt to compromise a network or a particular data system. As a metamodel, it can incorporate any proprietary or commercial penetration testing methodology. Unlike the methodologies, however, it ensures a strategic-level focus on how an attacker approaches the network. This focus on the attacker's activities will guide the layout and content of this book.
Kali Linux (Kali) is the successor to the BackTrack penetration testing platform that is generally regarded as the de facto standard package of tools used to facilitate penetration testing to secure data and voice networks. It was developed by Mati Aharoni and Devon Kearns of Offensive Security.
In 2018, Kali had four major releases—as of December 2018. The Kali 2018.1 release was on Feb 6 2018 with kernel 4.14.13 and Gnome 3.26.2. The Kali 2018.2 rolling release was on April 30 2018 with Kernel 4.15 that beats the Spectre and meltdown vulnerabilities on x64 and x86 machines, and Kali 2018.3 on August 21 2018 just after the Hacker summer camp. This brings the kernel version to 4.17.0 with minimal addition to the kernel and the final release Kali 2018.4 for the year was on Oct 29 2018 with an experimental Raspberry Pi 3 image that supports 64 bit mode and updated packages of other tools.
Some features of the latest Kali include the following:
- Over 500 advanced penetration testing, data forensics, and defensive tools are included. The majority of the tools are eliminated and replaced by similar tools. They provide extensive wireless support with multiple hardware and kernel patches to permit the packet injection required by some wireless attacks.
- Support for multiple desktop environments such as KDE, GNOME3, Xfce, MATE, e17, lxde, and i3wm.
- By default, Kali Linux has Debian-compliant tools that are synchronized with the Debian repositories at least four times daily, making it easier to update packages and apply security fixes.
- There are secure Development Environment and GPG signed packages and repositories.
- There's support for ISO customization, allowing users to build their own versions of customized Kali with a limited set of tools, to make it lightweight. The bootstrap function also performs enterprise-wide network installs that can be automated using pre-seed files.
- Since ARM-based systems have become more prevalent and less expensive, the support for ARMEL and ARMHF in Kali to be installed on devices such as rk3306 mk/ss808, Raspberry Pi, ODROID U2/X2, Samsung Chromebook, EfikaMX, Beaglebone Black, CuBox, and Galaxy Note 10.1 was introduced.
- Kali always remains an open source project that is free. Most importantly, it is well supported by an active online community.
While pentesters can prefer any type of operating system to perform their desired activity, usage of Kali Linux saves significant time and prevents the need to search for packages that aren't typically available for other operating systems. Some of the advantages that are not noticed with Kali during a red team are the following:
- One single source to attack various platforms
- Quick to add sources and install packages and supporting libraries (especially those that are not available for Windows)
- Possible to install even the RPM packages with the usage of
The purpose of Kali Linux is to secure things and bundle all of the tools to provide a single platform for penetration testers.
In the last edition, we focused on the installation of Kali Linux to VMware player, VirtualBox, and Amazon AWS and using the Docker appliance. In this section, we will touch base on installing on the same platforms along with Raspberry Pi 3.
It is fairly simple to install Kali Linux onto a portable device. In some situations, clients do not permit the use of an external laptop inside a secure facility. In those cases, typically a testing laptop is provided by the client to the pentester to perform the scan. Running Kali Linux from a portable device has more advantages during a pentest or RTE:
- It's in the pocket, in case of a USB or mobile device
- It can be run live without making any changes to the host operating system
- You can customize the build of Kali Linux and you can even make the storage persistent
There are a simple three steps to make a USB into a portable Kali from a Windows PC:
- Download the official Kali Linux image from: http://docs.kali.org/introduction/download-official-kali-linux-images.
- Download Win32 Disk Imager from: https://sourceforge.net/projects/win32diskimager/. We will be using Win32 Disk Imager 1.0.
- Open the Win32 Disk Imager as administrator. Plug the USB drive into the PC's available USB port. Browse to the location where you've downloaded your image. You should be able to see what's shown in the following screenshot. Select the right drive name and then click
Once complete, exit the Win32 Disk Imager and safely remove the USB. The Kali Linux is now ready as a portable device to be plugged into any laptop to boot it up live. It is also possible to generate a hash value using the Win32 Disk Imager. If your host operating system is Linux this can be achieved by two standard commands:
sudo fdisk -l
This will display all of the disks mounted on the drive:
dd if=kali linux.iso of=/dev/nameofthedrive bs=512k
That's it. The
dd command-line utility does the convert and copy,
if is used for input file ,
of is for output file, and
bs is for the block size.
Raspberry Pis are single board devices that are compact in nature and can run just like a fully loaded computer with minimal functionalities. These devices are extremely useful during RTE and penetration testing activities. The base of the operating system is loaded from a SD card just like a hard disk drive for normal computers/laptops.
The same steps as those outlined in the previous section, Using as a portable device, can be performed on a high speed SD card that can be plugged into a Raspberry Pi. We are ready to use the system without any issues. If the installation is successful, the following screen must be present when Kali Linux is booted from a Raspberry Pi. We've used Raspberry Pi 3 for this demonstration and accessed the Pi Operating system using VNC viewer:
VMware Workstation Player, formerly known as VMware Player, is free for personal use and a commercial product for business use from VMware as a desktop application that allows us to run a VM inside your host operating system. This application can be downloaded from: https://my.vmware.com/en/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0.
We will be using version 12.5.9 VMware Workstation Player. Once the installer is downloaded, go ahead and install the VMware Player accordingly, based on your host operating system. If the installation is complete, you should have the following screen:
The next step to install the Kali-Linux to VMware is to click on
Create a New Virtual machine and select
Installer disc image file (iso). Browse your ISO file that was downloaded and then click
ext. You can now enter the name of your choice (for example,
HackBox) and select the
Custom Location where you would like to store your VMware image. Click
Next and then you'll specify the disk capacity. It is recommended that a minimum of 10 GB is needed to run Kali. Click
Next until you finish.
Another way is to directly download the VMware image and open the
.vmx file and select
I copied it. That should boot up the fully loaded Kali Linux in VMware.
You can either choose to install the Kali-Linux to the host operating system or run it as a live image. Once all of the installation steps are complete, you are ready to launch Kali Linux from VMware without any problem, as shown in the following screenshot:
Similar to VMware workstation player, VirtualBox is the hypervisor that is completely open source and a free desktop application from which you can run any VM from the host operating system. This application can be downloaded from: https://www.virtualbox.org/wiki/Downloads.
We will now go ahead and install Kali to VirtualBox. Similar to VMware, we will just execute the downloaded executable until we have a successful installation of Oracle VirtualBox, as shown in the following screenshot:
During installation, it is recommended that the RAM be set to at least 1 or 2 GB, and that you create the virtual hard drive with a minimum of 10 GB to have no performance issues. After the final step, you should be able to load Kali Linux in VirtualBox, as shown in the following screenshot:
Docker is an open source project that is designed to automate the deployment of software containers and applications instantly. Docker also provides the additional abstraction and automation layer of operating system-level virtualization on Linux.
Docker is available for Windows, Mac, Linux, AWS (Amazon Web Services), and Azure. For Windows, Docker can be downloaded from: https://download.docker.com/.
After the Docker installation, it should be fairly simple to run Kali Linux by running the
docker pull kalilinux/kali-linux-docker and
docker run -t -i kalilinux/kali-linux-docker /bin/bashcommands to confirm installation.
We should be able to run Kali Linux directly from Docker as shown in the following screenshot. Also, note that Docker utilizes the VirtualBox environment in the background. So, technically, it is a VM running on VirtualBox through the Docker appliance:
Once the Docker download is complete, you can run the Docker image by running
docker run -t -i kalilinux/kali-linux-docker /bin/bash. You should be able to see what's shown in the following screenshot:
Amazon Web Services(AWS) provide Kali Linux as part of Amazon Machine Interface (AMI) and Software as a Service (SaaS). A penetration tester or hacker can utilize AWS to conduct penetration testing and more efficient phishing attacks. In this section, we will go through the steps to bring up the Kali Linux on AWS.
First, you'll need to have a valid AWS account. You can sign up by visiting the following URL: https://console.aws.amazon.com/console/home.
When we log in to the AWS account, we should be able to see all of the AWS services. Search for Kali Linux. You'll see the following as per the screenshot, https://aws.amazon.com/marketplace/pp/B01M26MMTT:
The open source community has made it very simple to directly launch with pre-configured Kali Linux 2018.1 in the Amazon marketplace. The following URL will take us to a direct launch of Kali-Linux within a few minutes, https://aws.amazon.com/marketplace/pp/B01M26MMTT. Follow the instructions and then you should be able to launch the instance by selecting
Continue to Subscribe. This should take you to the following option to select as shown in the following screenshot. Finally, just click
Before you launch Kali Linux 2018.3 from AWS, it is recommended that you create a new key pair as shown in the following screenshot:
As usual, to use any AWS VM, you must create your own key pair in order to ensure the security of the environment. Then, you should be able to log in by entering the following command from your command shell. In order to use the private key to log in without the password, Amazon enforces the file permission to be tunneled. We will use the following commands to connect to the Kali Linux instance:
chmod 600 privatekey.pem ssh -i privatekey.pem [email protected]
The following screenshot depicts the successful usage of Kali on AWS:
Kali is a framework that is used to complete a penetration test. However, the tester should never feel tied to the tools that have been installed by default or by the look and feel of the Kali desktop. By customizing Kali, a tester can increase the security of client data that is being collected and make it easier to do a penetration test.
- Resetting the root password
- Adding a non-root user
- Configuring network services and secure communications
- Adjusting network proxy settings
- Accessing the secure shell
- Speeding up Kali operations
- Sharing folders with MS Windows
- Creating encrypted folders
You'll then be prompted to enter a new password, as shown in the following screenshot:
Many of the applications provided in Kali must run with root-level privileges in order to function. Root-level privileges do possess a certain amount of risk; for example, mistyping a command or using the wrong command can cause applications to fail or even damage the system being tested. In some cases, it is preferable to test with user-level privileges. In fact, some applications force the use of lower-privilege accounts.
To create a non-root user, you can simply use the
addusercommand from the Terminal and follow the instructions that appear, as shown in the following screenshot:
# nano /etc/network/interfaces iface eth0 inet dhcp
Once the network configuration file is appended, you should be able to bring up the
ifup script to automatically assign the IP address as shown in the following screenshot:
In the case of a static IP, you can append the same network configuration file with the following lines and quickly set up a static IP to your Kali Linux:
# nano /etc/network/interfaces iface eth0 inet static address <your address> netmask <subnet mask> broadcast <broadcast mask> gateway <default gateway> # nano /etc/resolv.conf nameserver <your DNS ip> or <Google DNS (220.127.116.11)>
By default, Kali does not start with the DHCP service enabled. Doing so announces the new IP address to the network, and this may alert administrators about the presence of the tester. For some test cases, this may not be an issue, and it may be advantageous to have certain services start automatically during boot up. This can be achieved by entering the following commands:
update-rc.d networking defaults /etc/init.d/networking restart
Kali installs with network services that can be started or stopped as required, including DHCP, HTTP, SSH, TFTP, and the VNC server. These services are usually invoked from the command line, however, some are accessible from the Kali menu.
bash.bashrc file, as shown in the following screenshot, using a text editor to add the following lines to the bottom of the
export ftp_proxy="ftp://username:[email protected]:port" export http_proxy="http://username:[email protected]:port" export https_proxy="https://username:[email protected]:port" export socks_proxy="https://username:[email protected]:port"
port with your proxy IP address and port number respectively, and replace
password with your authentication username and password. If there's no need to authenticate, write only the part following the
@ symbol. Save and close the file.
To minimize detection by a target network during testing, Kali does not enable any externally listening network services. Some services, such as Secure Shell (SSH), are already installed. However, they must be enabled prior to use.
Kali comes preconfigured with default SSH keys. Before starting the SSH service, it's a good idea to disable the default keys and generate a unique keyset for use.
Move the default SSH keys to a backup folder, and then generate a new SSH keyset using the following command:
To confirm the SSH service is running, you can verify using the following command (
service ssh status) as shown in the following screenshot:
Note that, with the default configuration of SSH, root login will be disabled. If you require access with the root account, you may have to edit
/etc/ssh/sshd_config and set
yes, save, and then exit. Finally, from any system on the same network, you should be able to access the SSH service and utilize Kali Linux. In this example, we would use PuTTY, which is a free and portable SSH client for windows. Now you should be able to access the Kali Linux from another machine, accept the SSH certificate, and enter your credentials, as shown in the following screenshot:
- When using a VM, install the VM's software drive package: Guest Additions (VirtualBox) or VMware Tools (VMware).
- When creating a VM, select a fixed disk size instead of one that is dynamically allocated. It is faster to add files to a fixed disk, and there is less file fragmentation.
- By default, Kali does not show all applications that are present in the start up menu. Each application that is installed during the boot up process slows the system data and may impact memory use and system performance. Install Boot Up Manager (BUM) to disable unnecessary services and applications that are enabled during the boot up (
apt-get install bum), as shown in the following screenshot:
The Kali toolset has the flexibility to share results with applications residing on different operating systems, especially Microsoft Windows. The most effective way to share data is to create a folder that is accessible from the host operating system as well as the Kali Linux VM guest.
When data is placed in a shared folder from either the host or the VM, it is immediately available via the shared folder to all systems that access that shared folder.
To create a shared folder, perform the following steps:
- Create a folder on the host operating system. In this example, it will be called
- Right-click on the folder and select the
Sharingtab. From this menu, select
- Ensure that the file is shared with
Everyone, and that
Permission Levelfor this share is set to
Read / Write.
- If you haven't already done so, install the appropriate tools onto Kali Linux. For example, when using VMware, install the VMware tools.
- When the installation is complete, go to the VMware player menu and select Manage and click
Virtual Machine Settings. Find the menu that enables
Shared Foldersand select
Always Enabled. Create a path to the shared folder that is present on the host operating system, as shown in the following screenshot:
The shared folder, which will contain sensitive data from a penetration test, must be encrypted to protect the client's network and reduce the tester's liability should the data ever be lost or stolen.
We can utilize the following Bash scripts to customize the Kali Linux depending upon the goal of our penetration testing: https://github.com/PacktPublishing/Mastering-Kali-Linux-for-Advanced-Penetration-Testing-Third-Edition/blob/master/Chapter%2001/lscript-master.zip.
In order to practice the art of exploitation, it is always recommended to make use of the well-known vulnerable software. In this section, we will be installing Metasploitable3, which is a Windows platform, and Mutillidae, which is a PHP framework web application.
Metasploitable3 is an indubitable vulnerable VM that's intended to be tested for multiple exploits using Metasploit. It is under BSD-style license. Two VMs can be built for practice, which can be downloaded from:https://github.com/rapid7/metasploitable3. You can download the ZIP file and unzip it in your favorite Windows location (typically, we segregate in the
D:\HackTools\ folder) or you can
git clone https://github.com/rapid7/metasploitable3 using Bash command. Install all of the relevant supporting software such as Packer (https://www.packer.io/downloads.html), Vagrant (https://www.vagrantup.com/downloads.html), VirtualBox, and the Vagrant reload plugin. The following commands should install all of the relevant vulnerable services and software:
- On Windows 10 as the host operating system, you can run the following commands:
./build.ps1 windows2008 ./build.ps1 ubuntu1404
- On Linux or macOS, you can run the following commands:
./build.sh windows2008 ./build.sh ubuntu1404
After the VirtualBox file download, you'll just have to run
vagrant up win2k8 and
vagrant up ub1404 in the same PowerShell. This should bring up your new VM in your VirtualBox without any problem as shown in the following screenshot:
Mutillidae is an open source insecure web application, which is designed for penetration testers to practice all of the web-app specific vulnerability exploitation. XAMPP is another free and open source cross-platform web server solution stack package developed by Apache Friends. The XAMPP can be downloaded from: https://www.apachefriends.org/download.html.
We will now be installing the Mutillidae to our newly installed Microsoft windows 2008 R2 server to host it:
- Once XAMPP is downloaded, let's go ahead and install the executable by following the wizard. Once the installation is complete and the XAMPP launched, you should be able to see the following screen. We will be using XAMPP version 5.6.36 / PHP 5.6.36:
- Mutillidae can be downloaded from: https://sourceforge.net/projects/mutillidae/files/latest/download.
- Unzip the file and copy the folder to
- You have to ensure XAMPP is running Apache and MySQL/MariaDB and finally access the
.htacessfile inside the
mutillidaefolder and ensure that
127.0.0.1and the IP range are allowed. We should be able to see the web application installed successfully as shown in the following screenshot and it can be accessed by visiting http://localhost/mutillidae/:
In the previous edition of Mastering Kali Linux for Advanced Penetration Testing, we learned how to set up an Active Directory in Windows 2008 R2. In this section, we will install Active Directory on Windows 2008 R2. Once you've downloaded the ISO from Microsoft and installed the operating system on VMware workstation player or VirtualBox, you should be able to do the following steps:
- Open the Server Manager from the taskbar.
- From the Server Manager, click on
Add roles and features.
eatures-based installationfrom the
Installation Type screenand click
- By default, the same server will be selected.
- From the
Server Rolespage place a checkmark in the checkbox next to
Active Directory Domain Services. Additional roles, services, or features are also required to install Domain Services: click
- Select optional features to install during the AD DS installation by placing a check in the box next to any desired features, and then click
Next, operating system compatibility checks, then select
Create a new domain in a new formatand click
- Enter the FQDN (Fully Qualified Domain Name). In the example, we will create a new FQDN as
mastering.kali.thirdedition; that should take us to forest functional level. We can select
Windows 2008 R2and click
Next; that will enable us to install the DNS (Domain Name System). During this installation, it is recommended to set a static IP to this machine so that the domain controller features can be enabled; in our case, we set the static IP of this server to
192.168.x.x. Finally, you'll need to set the
Directory Services Restore mode administratorpassword; a summary of the configuration will be present.
- On the
Confirm installationselections screen, review the installation and then click
- Once everything is complete, you should be able to see the following screenshot:
To demonstrate the privilege escalation in later chapters, we will create a normal user with domain user privilege and a domain administrator user with full privileges.
net user normaluser Passw0rd12 /add /domain
net user admin Passw0rd123 /add /domain net group "domain admins" admin /add /domain
To validate these users are created, you can use the domain controller by simply running
net user from the command line and you should be able to see the users, as shown in the following screenshot:
Now we will go back to the Metasaploitable3 Windows that we installed and add it to our newly created domain by following the steps:
Add the IP address of the domain controller to the DNS setting by editing the Ethernet adapter properties. This is to resolve the FQDN; Metasploitable3 will need to query the domain controller for the domain name resolution.
Click Start button and right click on
My Computerand select
Computer name, Domain and Workgroup settingsclick on
Change settings, that should pop up a system properties windows. On the window click, on
- Select the radio button from
Domainand enter the domain name as shown in the following screenshot; in our case, the domain name is
This should provide us with a wide range of exposure to multiple vulnerabilities on the network:
- A vulnerable Windows 2008 R2 (Metasploitable3 server) that is connected to a domain (
- A vulnerable web application hosted on a vulnerable Windows 2008 R2 Server (Metasploitable3)
- A vulnerable services Linux machine (Metasploitable3) running Ubuntu 14.04
- A domain controller with one domain admin and one normal user
One of the most difficult aspects of penetration testing is remembering to test all of the relevant parts of the network or system target or trying to remember whether the target was actually tested after the testing has been completed. In some cases, a single client may have multiple penetration testers performing scanning activities from multiple locations and management would like to have a single view. Faraday can provide a single view, assuming all of the penetration testers are able to ping each other on the same network or on the internet for external assessment.
Faraday is a multiuser penetration test IDE (Integrated Development Environment). It is designed for testers to distribute, index, and analyze all of the data that is generated during the process of a penetration testing or technical security audit to provide different views such as
Executive Summary, and
Overall Issues lists.
This IDE platform is developed in Python by InfoByte and version 2.7.2 is installed by default in the latest version of Kali Linux. You can navigate from the menu
Applications, click on
12-Reporting tools, and then click on
Faraday IDE. That should open up the new workspace to be created by the testers, as shown in the following screenshot:
Launching Faraday should be able to open up the Faraday shell console to us, as shown in the following screenshot:
One of the features of the application is that following any scanning that you or any other penetration testers in your team do, you'll be able to visualize the information by clicking on
Faraday Web and you'll be able to see the following:
In this chapter, we took a journey into different methodologies and goal-based penetration testing that help organizations to test themselves against real-time attacks. We learned how penetration testers can use Kali Linux in multiple different platforms to assess the security of data systems and networks. We've taken a quick look into installing Kali on different virtualized platforms and how we can run a Linux operating system on a Windows platform using Docker.
We've built our own verification lab, set up Active Directory Domain Services, and set up two different VMs on the same network, one of which is part of the Active Directory. Most importantly, we learned how to customize Kali to increase the security of our tools and the data that they collect. We're working to achieve the goal of making tools support our process, instead of the other way around!
In the next chapter (Chapter 2, Open Source Intelligence and Passive Reconnaissance), we will learn how effectively we can master Open Source Intelligence (OSINT) to identify the vulnerable attack surfaces of our target and create customized username and password lists to facilitate more focused attacks, extract these details from the dark web, and use other exploits.