- About the Author
- About the Technical Editor
- Credits
- Acknowledgments
- Foreword
- Introduction
- CHAPTER 1 Fundamental Networking and Security Tools
- CHAPTER 2 Troubleshooting Microsoft Windows
- CHAPTER 3 Nmap—The Network Mapper
- CHAPTER 4 Vulnerability Management
- CHAPTER 5 Monitoring with OSSEC
- CHAPTER 6 Protecting Wireless Communication
- CHAPTER 7 Wireshark
- CHAPTER 8 Access Management
- CHAPTER 9 Managing Logs
- CHAPTER 10 Metasploit
- CHAPTER 11 Web Application Security
- CHAPTER 12 Patch and Configuration Management
- CHAPTER 13 Securing OSI Layer 8
- CHAPTER 14 Kali Linux
- CHAPTER 15 CISv7 Controls and Best Practices
Using Kali Linux Tools
Some of the tools in Kali Linux have been discussed in previous chapters of this book—including NMAP, Burp, Wireshark, Social Engineer Toolkit, and Metasploit Framework—but there are so many more. Here are some of my favorites out of hundreds that are extremely specialized but can be put in the following categories:
- Information gathering
  - Maltego
  - Recon-ng
  - Sparta
- Utilities
  - MacChanger
  - Nikto
- Wireless
  - Kismet
  - WiFite
- Brute forcing
  - John the Ripper
  - Hashcat
With these tools, you can test your computer system security using the same techniques that an attacker would. Kali Linux is specifically built to meet the requirements of security auditing and specifically geared toward security specialists. It is not a general‐purpose operating system and should be used only while working toward achieving your security requirements.
As you see in Figure 14.19, by clicking Applications in the upper-left corner, the menu that drops down already breaks down the tools into different genres such as information gathering, password attacks, and forensics. Explore the menus in your own Kali Linux instance to get familiar with the names of the tools and recognize the placement of those you already know.
Maltego
In the beginning of any type of penetration test or campaign, you want to use your tools to gather as much information as you can. Maltego is one of the best. When you go to Applications ⇨ Information Gathering ⇨ Maltego, as shown in Figure 14.20, you have several choices that require a key. But there is a Community Edition, which you can access by clicking the Run button under Maltego CE (Free).
After you have created a user login for Maltego, you will be able to fully utilize the features. As you see in Figure 14.21, after logging in, you will access Maltego and have a choice to build a new graphic interface or use an example to get familiar. This is the default example of what data mining looks like. Maltego renders graphs full of links based on relationships between pieces of data sprinkled across the Internet. Maltego uses the visual node representation to assist you in finding the information that is out in the wild that could possibly be used to compromise your environment. There is no graphical export in the community version, but the data is still there at your fingertips.
Recon‐ng
While Maltego is one of my favorite ways to present the data, Recon‐ng is a tool written by one of my favorite organizations: Black Hills InfoSec. Recon‐ng is a Python web reconnaissance framework. It has modules, database interaction, and built‐in functions to help you gather information. It looks like Metasploit and SET to reduce the learning curve, but even with the obvious simplicity, it is a rather complex tool. Type help at the default prompt for a list of all commands.
Next, type show modules. You will get a list of all the discovery, exploit, import, recon, and reporting modules. Then type use hackertarget followed by show info, as you see in Figure 14.22. You can use this module to enumerate hostnames, among other things.
Sparta
Sparta is another Python tool, a GUI application that assists in the scanning and enumeration phase. It feels like Zenmap in the beginning, when you define the parameters of the network you would like to investigate, as shown in Figure 14.23.
However, when you launch Sparta, after the initial Nmap scan and some data collection, it proceeds to run additional tools against the discovered services such as nikto, smbenum, snmpcheck, and more. Figure 14.24 shows an example of some of the data that can be extracted, such as the Sign In screen for the ASUS router on 192.168.1.117.
Services that need a login, like telnet or SSH, can be sent to the brute-force tool on the next tab to attempt to crack the password. Right-click any service that has been discovered and select Send To Brute. Sparta attempts to automate several tasks that you would normally execute manually and separately.
MacChanger
After you have all the information from the three previous tools, you may want to change or fake your MAC address if you are attempting to disguise any of your exploit attempts. First, to find a list of all MAC vendors, type macchanger -l in your terminal window. You will get a list of all hardware vendors in case there is a specific one you want to impersonate.
Next, type ifconfig eth0 down in your terminal window so that you can reassign a new MAC address to eth0, as shown in Figure 14.25. Then type macchanger -s eth0 to find out what your current MAC is. Change -s to -r to reassign a random MAC to eth0. To bring eth0 back up, type ifconfig eth0 up. If you happen to have a specific MAC address you want to use, the command to type is macchanger -m 00:00:00:00:00:00 eth0. A MAC address is hexadecimal, so instead of 0s, you could use any digit from 0 to 9 and any letter from A to F.
Nikto
Now that you're flying incognito with a spoofed MAC address, you can use a tool like Perl‐based Nikto to find vulnerabilities in web servers. One caveat: Nikto is not very stealthy. In fact, just about any IDS or security measure will detect it. We are using it to test for security—it was never designed to be stealthy. I do find it a little funny that the Nikto icon is the same as my Alienware Start button.
Go to the grid array of nine dots at the bottom of your Start menu to bring up the Show Applications window. At the top of the page, search for nikto. Do you still have your Metasploitable2 VM from Chapter 10, “Metasploit”? Spin it up, find its IP address, and once you have the terminal window open, type nikto -host and then add the IP address of the web server you would like to scan for vulnerabilities. The -host option is used to specify the host(s) to target for a scan. It can be an IP address, hostname, or text file of hosts. Try the example in Figure 14.26; in your Kali Linux terminal, type nikto -host http://webscantest.com.
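As an added illustration (not code from the book), here is the kind of simple rule an IDS or log monitor uses to spot a Nikto scan: it looks for the tool's default User-Agent string, which contains "Nikto", and for a client piling up 404 responses. The log lines, IP addresses, and version string are constructed for the sample.

```python
# Added example, not from the book: a minimal detection rule showing why Nikto
# "is not very stealthy". Nikto's default User-Agent names the tool, and a scan
# produces a burst of requests for paths that return 404. The log lines below are
# constructed in Apache "combined" format; version string and IPs are made up.
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')


def parse_line(line):
    """Parse one combined-format log line; return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, method, path, status, ua = m.groups()
    return {"ip": ip, "method": method, "path": path, "status": int(status), "ua": ua}


def flag_scanners(lines, not_found_threshold=20):
    """Return {client_ip: [reasons]} for clients whose traffic looks like a Nikto
    scan: the scanner names itself in the User-Agent, or it racks up many 404s."""
    not_found = defaultdict(int)
    reasons = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if "nikto" in rec["ua"].lower():
            reasons[rec["ip"]].add("user-agent")
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
    for ip, count in not_found.items():
        if count >= not_found_threshold:
            reasons[ip].add(f"{count} x 404")
    return {ip: sorted(r) for ip, r in reasons.items()}


def _log(ip, path, status, ua):
    # Build one constructed sample line in combined log format.
    return f'{ip} - - [10/Oct/2019:13:55:36 +0000] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'


NIKTO_UA = "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000123)"  # constructed
BROWSER_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/68.0"            # constructed
SAMPLE_LOG = [_log("10.0.0.5", f"/cgi-bin/test{i}.cgi", 404, NIKTO_UA) for i in range(25)]
SAMPLE_LOG += [_log("10.0.0.9", "/index.html", 200, BROWSER_UA),
               _log("10.0.0.9", "/missing", 404, BROWSER_UA)]

if __name__ == "__main__":
    print(flag_scanners(SAMPLE_LOG))  # {'10.0.0.5': ['25 x 404', 'user-agent']}
```

The User-Agent check alone is enough for a default Nikto run; the 404 count is what still catches a scan after someone edits the agent string.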
Kismet
For wireless, Kismet is a great way to view what is going on around you. Kismet uses a wireless network card in monitor mode to silently scan Wi-Fi channels. By capturing all this data, Kismet can visualize the wireless networks around you as well as the activity of any devices. How useful the data is depends on who you are and what you want to do. Kismet can detect wireless cameras, smartphones, and laptops. By using Kismet, you can easily war drive in your neighborhood looking for Wi-Fi signals and combine it with GPS data to build a map. In fact, you may not even have to get in your car. Visit https://wigle.net to see a global picture of Wi-Fi networks. Those purple dots are Wi-Fi networks geographically mapped for you. Guess what helped build this map. Yes, Kismet. Type in your address and zoom in. Do you recognize any of those networks? I recognize the names of networks that populate my Wi-Fi list. Now I know where they live. Are any of those MAC addresses yours? If so, you may consider turning off your Wi-Fi when you're not using it.
Starting Kismet is easy. Simply type kismet -c YourCardName, where YourCardName is the name of your wireless interface. As you see in Figure 14.27, you can make permanent changes to the configuration file and set up options for logging as well as the GPS location.
WiFite
If Kismet is the tool to use for Wi-Fi network detection and sniffing and you need to take this a step further, then think about using Aircrack-ng or WiFite. These tools can be used for auditing or cracking to recover WEP/WPA/WPS keys once enough packets have been captured. WiFite is called the “set it and forget it” Wi-Fi cracking tool. As you see in Figure 14.28, there are many options you can set with WiFite. However, you can simply automate the wireless capture of access points over 40 dB of power using the WPS attack with the command wifite -pow 40 -wps.
John the Ripper
Two community favorite password tools are Hashcat and John the Ripper. If you ask people which one is their favorite, chances are the answer will depend on the person. I like both. If I am not successful with one, I will try the other. I usually use John the Ripper first.
John the Ripper was originally designed to crack Unix passwords. Now it runs on pretty much everything and cracks almost any password. The original version is maintained by Openwall. The version that comes in Kali Linux is called the Jumbo version because it has more hash types and new attack modes. John the Ripper stores cracked passwords in the john.pot file, and its main configuration file is john.conf. There are lots of command-line options and more options in the configuration file, as you see in Figure 14.29.
At the simplest level, you can just point John the Ripper at a pwdump file, tell it what type of hashes you want it to crack (NTLM), and let it go. This is the tool that Metasploit Pro by Rapid7 uses to reverse engineer hashes. I've gotten to the point where I recognize the MD5 sum hash for a blank password as well as the one for “password” as a password.
Hashcat
Hashcat provides much of the same functionality as John the Ripper. They are both open-source and share the same features. Hashcat is built around using the GPU rather than the CPU for cracking, as John the Ripper does. A CPU is the central processing unit, often called the brains of a PC. A GPU is the graphics processing unit, which comprises the chips that render the display images to the monitors. If the CPU is the brain, some call the GPU the brawn. A GPU is better at focusing all the computing power on a specific task. If you're looking to do password cracking on a system that has a GPU, then use Hashcat. It will be better and faster for many complex passwords.
Remember, passwords should not be stored in clear text. They are stored as one-way hashes. There are a couple of different ways of obtaining these hashes, but once you grab them, the next step is to reverse-engineer the hash, unless you want to Pass the Hash in Metasploit. There are gigs of wordlists available on the Internet, but Kali Linux already has some built in. A wordlist is a text file that contains a collection of words to be used in a dictionary attack.
The first thing you want to do is open a terminal window and type in locate wordlist. As you see in Figure 14.30, there are many wordlists available. (I just happen to know that the wordlist built for sqlmap has more than a million words in it.)
After you choose a wordlist, it's time to grab your hashes. In Kali Linux, they are stored in the /etc/shadow file, so if you type in tail /etc/shadow, you should see something like what's shown in Figure 14.31. (I cut off my hashes on purpose—you never know if someone would take the time to reverse engineer my hashes.)
Now we need to figure out what hashing algorithm was used. That setting lives in /etc/login.defs; to open the file, type more /etc/login.defs. The more command allows you to page down line by line through this file. Once you're about 80 to 85 percent of the way down, you should see what's shown in Figure 14.32.
Now you can put all the puzzle pieces together. Make a copy of your hashes in a separate file by using the following cp command:
cp /etc/shadow hash.lst
To make sure that it worked, type the following:
more hash.lst
To prepare this file for cracking, you need to remove everything but the hashes. Open the hash.lst file with gedit or vim and delete each username and the colon that follows it. Remove everything after the hash, including the trailing colons, as well. Now the file contains only the raw hashes themselves.
To crack these hashes, I used the following:
hashcat -m 1800 -a 0 -o success.txt --remove hash.lst /usr/share/sqlmap/txt/wordlist.txt
where
- -m 1800 is the type of hash I'm cracking.
- -a 0 is a dictionary attack.
- -o success.txt is the output file.
- --remove says to delete each hash from the input file once it has been cracked.
- hash.lst is the input file.
- /usr/share/sqlmap/txt/wordlist.txt is the path to the wordlist.
Open your success.txt file. It took me a little over 10 minutes to get the cracked passwords. If you have issues, try running the command again with --force at the end. If that doesn't work, you may have to give the Kali Linux box a few more than the default resources.
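The following script is an added example, not from the book, that automates the manual cleanup of hash.lst described above and checks which hashcat -m value each /etc/shadow entry needs before you run the command. It works on constructed sample lines, since reading the real /etc/shadow requires root, and every hash string in it is a placeholder.

```python
# Added example, not from the book: automates the manual "strip everything but the
# hash" step and checks which hashcat -m value each /etc/shadow entry needs (a $1$
# or $y$ hash fed to -m 1800 is rejected, not cracked). Sample lines are constructed;
# the hash strings are placeholders with the right prefixes, not real credentials.
CRYPT_MODES = {  # crypt(3) prefix -> hashcat mode, from hashcat's hash-mode table
    "$1$": 500,   # md5crypt
    "$5$": 7400,  # sha256crypt
    "$6$": 1800,  # sha512crypt, the mode used in this chapter
}


def hashcat_mode(crypt_hash):
    """Return the hashcat -m value for a crypt-style hash, or None if not in the table."""
    for prefix, mode in CRYPT_MODES.items():
        if crypt_hash.startswith(prefix):
            return mode
    return None


def extract_hashes(shadow_text):
    """Parse /etc/shadow text into (user, hash, mode) tuples. Locked ('!') and
    no-login ('*') accounts have nothing to crack and are skipped."""
    entries = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if not pw or pw[0] in "!*":
            continue
        entries.append((user, pw, hashcat_mode(pw)))
    return entries


def select_hashes(entries, mode=1800):
    """Keep only the raw hashes hashcat -m <mode> accepts, one per output line."""
    return [h for _, h, m in entries if m == mode]


# Constructed sample: sha512crypt user, no-login account, locked account, md5crypt user.
SAMPLE_SHADOW = """\
root:$6$saltsalt$PLACEHOLDERNOTAREALSHA512CRYPTHASH:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
svc:!$6$saltsalt$LOCKEDACCOUNTPLACEHOLDER:18000:0:99999:7:::
legacy:$1$abcdefgh$PLACEHOLDERMD5CRYPT:18000:0:99999:7:::
"""

if __name__ == "__main__":
    entries = extract_hashes(SAMPLE_SHADOW)
    with open("hash.lst", "w") as f:  # same file name the chapter uses
        f.write("\n".join(select_hashes(entries)) + "\n")
    for user, _, mode in entries:
        print(f"{user}: hashcat -m {mode}")
```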
As I tell my classes, if at first you don't succeed, try again. You are attempting to force machines to behave in a way they were not originally intended to behave. We are trying to use these machines and vulnerabilities like attackers would. Using that mind‐set is critical to securing our environments. Kali was designed to work even when used in a very hostile environment. The Kali motto is “The quieter you become, the more you are able to hear”. Kali is designed to be as quiet as possible so that you can hide its presence on your network. This chapter was meant to be an introduction to penetration testing and what you have learned is a good foundation. You are now ready to learn more in order to fully exploit the power of Kali Linux, the best penetration testing framework.