Kali + Linux -------- environment to build

"Only two kinds of people in this world, * and the **** man."

Everything is built around a target. This chapter therefore discusses objective-based testing and why objectives matter; it describes what happens when objectives are missing, looks at vulnerability scanning, classic penetration test failures and red team exercises, summarizes security testing, explains how to set up a laboratory environment, and focuses on customizing Kali to support some of the advanced material that follows. After reading this chapter, you will have learned about:
1. An overview of security testing
2. Vulnerability scanning, classic penetration test failures and red team exercises
3. Updating and organizing Kali
4. Customizing Kali with Bash scripts
5. Setting up a defined target
6. Building the runtime environment

1.1 The concept of security testing

Every household, individual and public or private enterprise around the world has a variety of concerns in cyberspace, such as data loss, malware and cyber-terrorism. All of these revolve around one concept: protection. If you ask 100 different security advisers "What is security testing?", you may hear 100 different answers. The simplest explanation is this: security testing is the process of verifying that an information asset or system is protected, and that the protection works as intended.

1.2 Classic failures of vulnerability scanning, penetration testing and red team exercises

In this section we focus on traditional/classic vulnerability scanning, penetration testing and red team exercises, and explain their limitations. Let us briefly discuss the practical meaning of these three methods and where each falls short:

· Vulnerability scanning (Vscan): the process of identifying security vulnerabilities in a system or network. Its limitation is that it only identifies potential vulnerabilities; the results may contain a large number of false positives, and the user is left with very little risk assessment of the findings.

· Penetration testing (Pentest): exploiting vulnerabilities safely, without affecting the existing network or business processes. Because testers attempt to simulate exploitation, this reduces the number of false alarms. The shortcoming of penetration testing is that it only uses currently known, public vulnerabilities, and most engagements are project-focused. In penetration tests we often hear "yeah! Got access," but we never ask "what's next?" This can have various causes, such as a project scope that limits you to reporting high-risk issues to the customer immediately, or a customer who is interested only in part of the network and wants you to compromise just that part.

· Red Team Exercises (RTE): an effective way to evaluate an organization's defense against network threats and to improve its security procedures. During an RTE we note that there are many ways to achieve the project objectives, such as full-coverage activities against the objectives including phishing, wireless, physical and dumpster-diving (discarded-box) testing. The limitation of RTEs is that they are time-limited, follow a predefined program, and are based on assumptions about the real environment.

Typically, all three testing methods refer to the same terms: penetration or compromise. We will penetrate your network and expose its weaknesses; but does the customer or business owner know whether the network has actually been penetrated or compromised? How do we measure penetration or compromise? What is the standard? When do we know that a network has been penetrated or completely broken? All of these questions point to one thing: what is the main goal?

The main goal of a penetration test or RTE is to determine the risk level of each asset to the organization, its business and its brand image. It is not about assessing how much they have, but how much they are exposed. If a discovered threat poses no risk, it does not need to be demonstrated. For example, an XSS (Cross-Site Scripting) flaw on a brochure website may not have a major impact on the business; nonetheless, the client may agree to deploy a Web Application Firewall (WAF) to prevent XSS attacks.

1.3 Testing methodology

Why is it that the model being tested, or the data that needs protecting as business-critical, is rarely considered? When this crucial step is missing, the test cannot seize on what matters.

Many testers do not want to follow an existing methodology; they fear it will hinder their creativity against the network model. Testing of this kind does not reflect the actual malicious actor. Customers often want to see whether you can gain administrative access to a particular system ("Can you open this box?"). However, an attacker might instead focus on copying critical data in a way that requires neither administrative access nor causing a denial of service.

To address the limitations inherent in testing methodology, the framework must be integrated from the attacker's perspective: the kill chain.

In 2009, Mike Cloppert of Lockheed Martin CERT introduced the concept now known as the "attacker kill chain". The kill chain comprises the steps an attacker takes when attacking a network. It is not always a linear flow, as some steps may occur in parallel. Multiple attacks may be launched against the same target at the same time, and steps may overlap.

In this book we have modified Cloppert's kill chain so that it more accurately reflects how attackers apply these steps when attacking networks, applications and data services.

Figure 1.1 shows a typical attacker's kill chain.

The attacker's typical kill chain can be described as follows:

· Reconnaissance phase. Maxim: "reconnaissance is never a waste of time." Most military organizations acknowledge that before attacking the enemy, it is best to learn as much as possible about them. Likewise, attackers conduct wide-ranging reconnaissance of the target beforehand. In fact, it is estimated that at least 70% of the "work" of a penetration test or attack is reconnaissance! In general, two types of reconnaissance are employed:

Passive reconnaissance. This approach does not interact directly with the target in a hostile manner. For example, the attacker reviews the publicly available website, assesses online media (especially social media sites), and tries to determine the target's attack surface.

A detailed task produces a list of the names of past and present employees. These names form the basis of brute-force or password-guessing attempts, and are also used for social engineering.

This type of reconnaissance is difficult to distinguish from normal user behavior.

· Active reconnaissance. This can be detected by the target, but most online organizations find it difficult to distinguish from the usual background noise.

Activities during active reconnaissance include physical access to the target's premises, remote port scanning and vulnerability scanning.

· Delivery phase. Delivery is the selection and development of the weapon used to complete the task. The exact choice of weapon depends on the attacker's intent and the delivery path (for example, via the network, via wireless, or via a web-based service). The factors affecting the delivery phase are studied in Part 2 of this book.

· Exploitation phase. This is the moment at which a particular vulnerability is successfully exploited and the attacker achieves their goal. Exploitation may occur in a single scenario (for example, exploiting a known operating-system flaw through a buffer overflow) or across multiple scenarios (for example: an attacker with physical access to the company's premises steals its phone directory and uses the employees' names to build a brute-force list for the portal login; in addition, e-mails are sent to all employees to lure them into clicking an embedded link that downloads a crafted PDF file, which compromises the employee's computer). When a malicious actor targets a particular enterprise, the multi-scenario attack is the norm.

· Post-exploitation phase: action against targets. This is often referred to as the "exfiltration phase", which is wrong, because it is usually understood as having the theft of sensitive information (such as login credentials, personal and financial information) as its only purpose; however, attackers usually have other goals. This phase must therefore focus on the many possible actions of the attacker.

The most common post-exploitation activity is the attacker's attempt to elevate their access to the highest level (vertical escalation) and to compromise as many accounts as possible (horizontal escalation).

· Post-exploitation: persistence. If a network or system is valuable, its value is likely to keep growing. This requires the attacker to maintain continuous communication with the compromised system. From the defender's point of view, this is the part of the kill chain that is easiest to detect.

The kill chain is a basic model of behavior when attacking a network or specific system data. As a meta-model, it can absorb any proprietary or commercial testing methodology. These methodologies nonetheless differ in how closely they approach the network at a strategic level. This book's focus on the attacker's activities will guide its layout and content.

1.4 Introduction to Kali Linux: history and purpose

Kali Linux (Kali) is the successor of the BackTrack testing platform, which was widely regarded as the de facto standard toolkit for security testing of data and voice networks. It is a collection of security tools developed jointly by Mati Aharoni and Devon Kearns. Kali's development history is as follows:

· March 2013: Kali Linux, an open-source system for penetration testing based on Debian GNU/Linux with new tools, replaced BackTrack.

· Kali 1.1.0 (9 February 2015): Kali's first upgrade in two years. The kernel was updated to 3.18 with wireless injection patches and improved wireless drivers, and about 58 bugs were fixed. Kali 1.1.0a allowed some programs to be installed selectively.

· Kali 2.0 (11 August 2015): a major release. Kali became a rolling distribution, with major changes to the UI. You can upgrade from an old version to Kali 2.0.

· Kali 2016.1 (21 January 2016): the first Kali rolling release, with kernel 4.3 and the latest Gnome release, version 3.18.

· Kali 2016.2 (31 August 2016): the second Kali rolling release, with kernel 4.6 and Gnome 3.20.2, plus a number of bug fixes.

Other features of Kali 2.0 include:

· More than 300 penetration testing, forensics and defensive tools, supported by hardware and wireless kernel patches that allow wireless packet injection.

· Support for multiple desktop environments such as Gnome, KDE, LXDE and XFCE, and for multiple languages.

· Debian compatibility, with synchronization against the Debian repositories at least four times a day, making package updates and security fixes easier.

· A secure development environment with GPG-signed packages and repositories.

· Support for custom ISOs, allowing users to create their own versions of Kali. The bootstrap function can also perform enterprise-class network installations, automated with a preseed file.

· As ARM-based systems become more common and lower in cost, support for ARMEL and ARMHF lets Kali be installed on devices such as the rk3306 mk/ss808, Raspberry Pi, ODROID U2/X2, Samsung Chromebook, EfikaMX, Beaglebone Black, CuBox and Galaxy Note 10.1.

· Kali remains a free, open-source project. Most importantly, it is supported by an active online user community.

The purpose of Kali Linux is to collect and integrate all of these tools, providing a unified platform for penetration testers.

1.5 Installing and updating Kali Linux

We have introduced the background of Kali. We now describe the different methods of installing Kali Linux, and the techniques for updating it, in more detail.

1.6 Using Kali Linux on portable devices

Installing Kali Linux on a portable device is quite simple. In some cases, customers do not allow external laptops inside a secure facility; the client then usually provides a computer for the vulnerability tester to scan with. For vulnerability testing and RTEs, running Kali Linux on a portable device has additional benefits:

· With a USB stick or mobile device, Kali is in your pocket.

· Kali can run directly, with no changes to the host operating system.

· You can build a custom Kali Linux and even make it persistent.

Converting a USB drive into a portable Kali from a Windows PC is a simple three-step process:

1) Download the official Kali Linux image from: http://docs.kali.org/introduction/download-official-kali-linux-images .

2) Download Win32 Disk Imager from: https://sourceforge.net/projects/win32diskimager/ .

3) Run Win32 Disk Imager as administrator. Plug the USB drive into an available USB port on the PC; you will see the interface shown in Figure 1.2. Select the correct drive letter, then click Write.

Once complete, exit Win32 Disk Imager and safely remove the USB drive. Kali Linux is now ready on the portable device and can be plugged into any laptop and booted directly. If the host operating system is Linux, the same can be achieved with two standard commands: sudo fdisk -l and dd if=kali-linux.iso of=/dev/nameofthedrive bs=512k. The former lists all disks attached to the system; for the latter, dd performs conversion and copying, where if is the input file, of is the output file and bs is the block size.
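As an added example (not code from the book or the Kali project), the following guarded version of the fdisk/dd step above verifies the ISO against a SHA256SUMS file assumed to ship beside it and refuses to write to anything that is not a whole removable disk or that carries the running system; device names are assumed to be bare names such as sdb.

```shell
# Guarded wrapper around "sudo fdisk -l" and "dd if=... of=/dev/... bs=512k".
# Added example, not the book's code. Assumes a SHA256SUMS file in the format
# "<sha256>  <filename>" and bare device names like sdb.

# verify_iso_sha256 ISO SUMSFILE -> 0 if ISO's SHA-256 is listed in SUMSFILE
verify_iso_sha256() {
    iso="$1"; sums="$2"
    actual=$(sha256sum "$iso" | cut -d' ' -f1) || return 1
    grep -q "^$actual " "$sums"
}

# check_target_device NAME [SYSFS_ROOT] -> 0 if NAME is a whole, removable disk.
# SYSFS_ROOT defaults to /sys; a test can point it at a constructed tree.
check_target_device() {
    dev="$1"; sysroot="${2:-/sys}"
    case "$dev" in ""|*/*) return 1 ;; esac        # bare name only, e.g. sdb
    # partitions (sdb1) have no entry under /sys/block; only whole disks do
    [ -d "$sysroot/block/$dev" ] || return 1
    [ "$(cat "$sysroot/block/$dev/removable" 2>/dev/null)" = "1" ] || return 1
    # never overwrite the disk that holds the root filesystem
    rootdev=$(findmnt -n -o SOURCE / 2>/dev/null || true)
    case "$rootdev" in "/dev/$dev"*) return 1 ;; esac
    return 0
}

# write_kali_usb ISO SUMSFILE NAME -> runs dd only when both checks pass
write_kali_usb() {
    verify_iso_sha256 "$1" "$2" || { echo "ISO hash mismatch, refusing to write" >&2; return 1; }
    check_target_device "$3"    || { echo "/dev/$3 is not a removable whole disk" >&2; return 1; }
    sudo dd if="$1" of="/dev/$3" bs=512k status=progress && sync
}

# usage:  write_kali_usb kali-linux.iso SHA256SUMS sdb
```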

1.7 Installing Kali in a virtual machine

This section looks in detail at how to install Kali into VMware Workstation Player and Oracle VirtualBox.

VMware Workstation Player

VMware Workstation Player, formerly known as VMware Player, is free for personal use. On the host operating system, the VMware virtual machine exists as a desktop application, and commercial use is permitted. The application can be downloaded from http://www.vmware.com/products/player/playerpro-evaluation.html .

Next, we walk through installing Kali Linux into VMware Workstation Player step by step.

Once the file has been downloaded to the host operating system, simply click Open the executable and you will see the screen shown in Figure 1.3.
The next step is to accept the end-user license agreement and click Next until you reach the screen shown in Figure 1.4, which confirms that VMware has been installed successfully on the host operating system.

Next, install Kali Linux into VMware. Having already downloaded the file from the official Kali Linux site, click Create a New Virtual Machine and select Installer disc image file (iso). Browse to the downloaded ISO file and click Next. You can now enter a name of your choice (for example, HackBox) and choose a custom location to store the VMware image. Click Next, specify the minimum disk capacity for running Kali (10 GB is recommended), and click Next until all settings are complete. When finished, you should see the screen shown in Figure 1.5.
You can choose to install Kali Linux on the host operating system or run it as a live image. Once all installation steps are complete, Kali Linux boots successfully from VMware, as shown in Figure 1.6.
Note: The Sana repository was removed in the new Kali Linux 2016.2 release. Sana is the code name of the repository that the packages come from. It is therefore recommended that the first step after installing or booting Kali Linux is to check the sources.list file and run apt-get update.

VirtualBox

VirtualBox is similar to VMware Workstation Player: it is a fully open-source hypervisor and a free desktop application that can run any virtual machine from the host operating system. VirtualBox can be downloaded from https://www.Virtualbox.org/wiki/Downloads .

Now we install Kali on VirtualBox. As with VMware, run the downloaded executable, which leads to the screen shown in Figure 1.7.
After clicking Next, VirtualBox offers custom options for choosing different storage methods; by default we select VirtualBox Application, as shown in Figure 1.8.
Click Next to see the installation progress, as shown in Figure 1.9.

Figure 1.10 confirms that Oracle VirtualBox has been installed successfully.
The next step is to install Kali Linux into VirtualBox. Click New in the menu; the screen shown in Figure 1.11 appears, where you can enter a name of your choice and select the correct platform version. For example, select 64-bit Debian or 32-bit Debian according to the ISO image you downloaded.

Click Next and provide the amount of RAM Kali needs. We recommend at least 1 GB of RAM. Clicking Next creates a virtual hard disk for Kali Linux on the host operating system. Click Next to select the hard disk file type; most people choose VDI (VirtualBox Disk Image), as shown in Figure 1.12.
Click Next and set the size of the hard disk to create, as shown in Figure 1.13.

Finally, go to Hackbox | Settings and load the ISO image as an external drive, as shown in Figure 1.14.
You should now see the following screenshot, showing that Kali Linux has been successfully installed in VirtualBox, as in Figure 1.15.

1.8 Installing Kali on a Docker appliance

Docker is an open-source project for automating the instant deployment of software containers and applications. Docker also provides an additional layer of abstraction and automation for operating-system-level virtualization on Linux.

Docker is available for Windows, MacOS, Linux, AWS (Amazon Web Services) and Azure. On Windows, Docker can be downloaded from https://download.docker.com/win/stable/InstallDocker.msi .

The following steps show how to install Docker on Windows 10, as shown in Figure 1.16:
Installing Docker on Windows requires the Hyper-V feature of Microsoft Windows. If Hyper-V is not enabled, you will most likely see the screen shown in Figure 1.17.
After clicking Ok, Hyper-V is enabled by the Docker application, and you can view the command help simply by typing the docker command, as shown in Figure 1.18.

Now that the Docker appliance is installed on the Windows host operating system, install Kali Linux with the simple command docker pull kalilinux/kali-linux-docker, as shown in Figure 1.19.
Once Kali Linux has been downloaded into the Docker application, you can immediately run the downloaded Kali Docker appliance with docker run -t -i kalilinux/kali-linux-docker /bin/bash, as shown in Figure 1.20.
You should be able to run Kali Linux directly from Docker. Note also that Docker uses a VirtualBox environment in the background, so this is effectively a virtual machine running on VirtualBox through the Docker appliance.

1.9 Installing Kali in the cloud: creating an AWS instance

AWS is a cloud-based platform provided by Amazon, which primarily offers customers on-demand computing, storage and content delivery from anywhere. Testers or attackers can use AWS for penetration testing. This section introduces the simplest way to install Kali Linux on AWS, which is very convenient when external command and control is needed.

First, you need a valid AWS account. You can register by visiting https://console.aws.amazon.com/console/home .

After logging in to your AWS account, you can see all of the AWS services, as shown in Figure 1.21.

The second step is to launch Kali Linux on AWS. We customize Kali Linux by installing the Debian operating system. The open-source community has made it very simple to launch a preconfigured Kali Linux 2016.2 directly from the Amazon Marketplace: https://aws.amazon.com/marketplace/pp/B01M26MMTT lets us launch Kali Linux directly within a few minutes.

When you visit that link, you will see the content shown in Figure 1.22.

Click the Accept Software Terms & Launch with 1-Click button, then go to your AWS console at https://console.aws.amazon.com/ec2/v2/home?regin=us-east-1 . You can now create an instance by selecting the Instance ID button under Launch Instance, as shown in Figure 1.23.
To ensure that only you can access Kali Linux, you need to create a key pair. You can then log in to your AWS cloud using the private key generated for the key pair, by entering the following command from a command shell:
Figure 1.24 shows that Kali has been installed successfully on AWS.
All terms and conditions must be met before using AWS for testing. Before launching any activity from a cloud host, you must comply with the legal terms and conditions.

1.10 Summary

In this chapter we introduced different testing methodologies and the objective-based approach to organizing tests against live targets. We described how testers can use Kali Linux on several different platforms to assess the security of data systems and networks. We installed Kali on different virtualization platforms and saw how quickly a Linux operating system can be run on the Windows platform using Docker.

Origin blog.51cto.com/12407231/2443492