Kali Linux: Penetration Testing

Alan Hancock • CIST 1451 Capstone • December 12, 2018

ContentsIntroduction.................................................................................................................................................3

Background of the Project.......................................................................................................................3

Why I chose Kali Linux.............................................................................................................................3

Project Goals...........................................................................................................................................3

The environment for project...................................................................................................................3

Tools............................................................................................................................................................4

Nmap/Zenmap........................................................................................................................................4

Metasploit...............................................................................................................................................5

Wireshark................................................................................................................................................7

John The Ripper.....................................................................................................................................10

Maltego.................................................................................................................................................13

Burp.......................................................................................................................................................14

Problems...................................................................................................................................................18

Eternalblue_Doublepulsar Module........................................................................................................18

Metasploit.............................................................................................................................................20

John The Ripper.....................................................................................................................................21

Maltego.................................................................................................................................................22

General Problems..................................................................................................................................23

Conclusion.................................................................................................................................................25

What did I accomplish...........................................................................................................................25

Analysis..................................................................................................................................................25

Sources......................................................................................................................................................26

IntroductionBackground of the ProjectFor my encompassing capstone project I wanted to pick something I knew would be beneficial to my future career in cybersecurity. In all of my classes there had only been a few that touched specifically on the spectrum of cybersecurity/forensics so I wanted to beef up on that knowledge. Within the field there are many paths to choose and knew I wanted to focus on penetration testing.

Penetration testing encompasses an array of programs that help users find vulnerabilities in single or multiple items connected to a network. This is useful in discovering applications, services or technologies that have been compromised and are no longer secure. The goal is to find and fix these vulnerabilities before someone with nefarious intentions does. A popular tool used for this purpose is the operating system Kali Linux.

Why I chose Kali LinuxKali Linux is a specially formulated Linux based operating system that is useful in the field of penetration testing. Kali has a lot of traction and is the biggest brand when it comes to penetration testing and ethical hacking. It has been mentioned in class, online and in the media quite a bit and wanted to start there. On top of that there are all kinds of tools, resources and a large repository of knowledge about the operating system. Even Lynda.com has 17 courses and 185 videos featuring Kali Linux.

Project GoalsThe goals of the project were to successfully use a variety of applications, showcase their use and familiarize myself with a Linux based operating system. All of these were to be done while taking the course objectives in mind, particularly problem solving, having good work habits, staying on task and completing it on time.

Because using tools within Kali is a relatively open concept I wanted to narrow it a bit and focus on some of the more popular applications while doing something a bit different in each one to show the diversity and depth Kali has to offer.

The environment for projectFor the technical environment I chose to use a laptop computer for ease of portability and configuration. This will be particularly helpful during the live presentation and showcase of my project. The only hardware I would need would be the laptop and a wireless mouse for ease of navigation, both of which I already had.

As far as deploying and testing Kali it made the most sense to use virtual machines because they can be setup quickly, moved around if need be and do not take up any extra physical space. With this in mind I would need to choose the right software for virtualization. There are three main ones to choose from Hyper-V, VMware and VirtualBox. I chose VirtualBox because I had previously used the other two and wanted to gain experience using another tool.

In this scenario I would install Kali as one virtual machine and put my testing or attack target on another virtual machine with a different operating system. I originally planned on using multiple operating systems but felt it would work better in a demonstration if I could stick with one and layer them so they would be complimentary to the overall project. In other words I could use one to build upon another and show how one tool can be used with another to achieve results.

ToolsAs previously stated the tools selected were done so based on research that indicated the most popular and useful within the operating system. After picking what appeared to be the top six I had a bit of freedom in figuring out what I wanted to do with each one. I was careful in thinking about the presentation and video when deciding how I wanted to use each of the tools and how these tools could be used together. The following are the tools and how I used them.

Nmap/ZenmapNmap and Zenmap do basically the same thing except one is terminal or console based and the other is GUI based. They are part of the same company where Zenmap’s GUI interface utilizes Nmap commands. It is used for network discover and auditing of systems. You can also use it to search subnets and try to detect the operating system a target is using.

For this project I wanted to simulate where a user would start and this was the perfect tool. We start by running “ifconfig” to show what our Kali IP address. We run it and get 10.0.2.5. From here we can search the current subnet of 10.0.2.1-255 by using the command “nmap -sP 10.0.2.1/24”. We get several discoveries and we can run tests on all of them but the one we are particularly interested in is 10.0.2.15 which is the Windows 7 VM.

Now we can find more information about this target by using some other commands and to do this we will switch to Zenmap. The input is straightforward as all we need to do is input the IP address and select

what type of scan you want to perform. The process takes a couple of minutes. The scan reveals all kinds of important information we can use to exploit this target. Specifically that port 445 is open and the OS is running on Windows 7 service pack 1.

Unpatched and without a firewall this vulnerability could be exploited with the right code which we will get to next.

MetasploitMetasploit is a large framework of exploitable code through a variety of modules and payloads one can use to take advantage of vulnerabilites. I did a bit of searching to find a popular exploit using Metasploit and found the NSA leaked EternalBlue and Doublepulsar to be a great candidate. A particular combination of these two was put in a repository on GitHub. This module, eternalblue_doublepulsar, needs to be added manually to the Metasploit library.

The first component is the installation of a program called wine which is a Windows simulation for Linux. In order to create the root folder you need to enter “winecfg” into the terminal after it has been installed. After that was installed I could install the scanner to test a machine if it is exploitable. After this was installed I had to put it in the correct folder. The last component was to download the

Eternalblue module to add to the Metasploit Framework as it does not come pre-installed. I was now able to get started with Metaploit.

Start Metasploit on Kali terminal by entering

msfconsole

Once this gets going I can test a scan of my target Windows 7 machine which resides at 10.0.2.15

Use auxiliary/scanner/smb/smb_ms17_010

Now that the scan was good I could test the actual expoit.

Use exploit/windows/smb/eternalblue_doublepulsar

I had to set the ip of my target machine

Set RHOST 10.0.2.15

Set PROCESSINJECT explorer.exe

Run

From here it opens up the meterpreter which has all kinds of commands one can perform on the target.

I created a txt file on the target machine to download onto the host machine which was successful. There are many other things you can do once the computer is breached but we will get to that a bit later.

WiresharkWireshark is a traffic sniffing program that can be configured many ways with several kinds of filters to narrow results to what the user wants. It allows you to see the traffic across your network and analyze the results to look for anything suspicious. I wanted to utilize three programs that use network traffic to get an idea of what everything looks like.

First was a simple opening of the Firefox browser within Kali just to make sure everything was working and indeed it was.

Next I wanted to check pinging my Windows 7 VM with ICMP traffic. I sent pings to the Windows 7 VM (10.0.2.15) and was able to see the traffic in Wireshark from my Kali VM (10.0.2.5).

For the next example I thought I would look at the traffic generated during an exploit so I used the Doublepulsar exploit within Metasploit I used earlier and captured that traffic.

From here I was able to generate various statistics within Wireshark. It makes sense that there is traffic on port 445, SMB protocol, as that is how this exploit works.

I also used some display filtering to narrow down the results by typing SMB and having the window only show packets using that protocol.

John The RipperThere are several programs within Kali that can be used for password cracking and one of the biggest is John the Ripper (referred to as John). The strategy for the use of this tool will be to gain access to a computer, install a hash generating application, send the hash to a txt file and resend it to the Kali VM for analysis against a wordlist.

We already have a way to gain access to a Win7 machine based on a previous exploit used in Metasploit. Once we gain the meterpreter shell we need to download Windows Credential Editor (wce.exe) file that is used to retrieve the hash for users on a Windows system. There are two versions of this program for 32-bit and 64-bit architectures. Be sure to use the correct one for your Windows target.

Once this file is downloaded onto your Kali VM you can upload it using the meterpreter shell.

I used the command getprivs to show what limited functions I could use before I was able to escalate my privileges.

To escalate I would need to use another exploit within Metasploit. This requires me to use the background command which essentially lets you put the current module in the background and start a new one. The one I wanted to try was bypassuac which could be loaded by using the following command.

Use exploit/windows/local/bypassuac

Once this was loaded I could check the connections, sessions, between the two by typing sessions -l. This brings up the active sessions. There was only one session and that is the one I needed to use. Each session has a specific ID and that is what I need to assign to the new module. In my instance it was session ID 2. I also had to set the payload, LHOST (my Kali’s address) and LPORT. Then select run.

It worked!

I checked the getprivs command again to see if anything has changed.

The real test was uploading the file that gave me this problem last week. I tried it and was successful!

I could run it from a shell like I was on the VM and output the user account and hash to a txt file using the following command.

wce –l –o remhash.txt

From here I just had to exit the shell on to get back to meterpreter so I could download the newly created txt file.

Once I have the file I can now point John towards the file and use a wordlist to check against the hash. To save time and resources I looked up the default password for Win7 VM which is “Passw0rd!” and added that to the default password.lst file used by John.

Now all that was required was to use John with appropriate syntax and see what we come up with.

It was successful! I now decided it would be smart to delete the wce.exe and txt file from the target machine to remove evidence. This just required going back to the shell instead of being within meterpreter.

MaltegoThe first part about using Maltego involves using the free version which requires creating an account. After that I decided it would be wise to get a baseline idea of what Maltego is and what it can do. Lynda “Learning Kali Linux” to the rescue. It’s used for information gathering and uses graphs to visually organize the information you are looking for. This is new to me on Kali as everything else thus far has been terminal based text queries.

In the entity palette to the left you have all sorts of different things you can search for like someone’s name, email, phone number, a company name, domain, IP address, etc. I first searched for information for me as in my email hancock@pitt.edu and my gmail account. For better or worse both did not get very many hits. Part of this may be the lack of information out there, the limited availability of tools in the free version of Maltego or my query not being sufficient with my knowledge of the program.

I looked up the upb.pitt.edu within the internet domain search and finally got some information.

It was interesting that once the search completed there were only two people found. One being Bob Ellison and the other was Richard Bell. I know Bob but only vaguely remember Rich Bell. From here I tried “thepanthershop.com” and looked around at the different results. I found “www.thepanthershop.com” as a separate found object and ran a transform, search, on that entity and received many familiar hits.

Maltego is a great tool for gathering information about a target. Through the use of transfers it can find more targets associated with the original target thus providing a larger pool of the possibility of finding a vulnerability.

BurpBurp Suite, or BS, has many features but the focus of this project was to use it as a proxy for a man-in-the-middle attack for checking login/passwords for a website. I chose a live website that I have a known

username/password for. I have redacted any information relating to this website for security purposes. Before starting I changed my actual password to one that I could test against and so that nobody gets my real password if they read this.

The first thing I need to do is configure Firefox to use a proxy which is not too hard.

Once this is configured I can start BS and wait to turn on the feature “intercept is on”. Once I have the website loaded I can type information into the form fields. Before I hit the Logon button have to turn on intercept and receive the notification like so.

From here you right click and select “send to intruder” which is another component of the BS package. Once this is done you select the payload options which let you configure what parts of the message you would like to test strings against. These are highlighted with $ at the both ends.

From here you can either type in manually or upload wordlists for each payload. I did it both ways to prove it could be done.

You then select the “Start attack” button and it runs each string from payload 1 against payload 2 and we get our results. Because this is the free version the results are throttled and slow. Successful results

have a different status code or different length from non-successful attempts.

From here I noted that was the correct login and changed my password back to something more secure and less obvious.

ProblemsEternalblue_Doublepulsar ModuleIn preparing for my video presentation I found that this Metasploit module no longer worked for me. It had been working fine for many weeks before this and I needed to get this to work as it was central to my presentation. Shown here is the error I received.

I read through a bunch of solutions online and tried to manually set the payload as that is where it was getting hung up.

I was able to get a bit further.

I tried to uninstall and reinstall wine and maybe that was unsuccessful.

I looked into rolling back my updates to Linux and that was also unsuccessful.

I rechecked when it worked all the way back in week five and saw that some of the errors were there but it was still able to work. Now I wanted to try the vulnerability scanner as it is showing that maybe it is unreachable. I tried that and it can discover the OS using the scanner.

Over the next week I delved deeper into getting the EternalBlue_DoublePulsar exploit to work correctly. I posted my findings on GitHub after noticing someone else had the same error as me. I was hoping someone might have an answer but nobody offered a solution.

At this point a couple of weeks had gone by and I decided I would try some other exploits that would accomplish the same thing as a reasonable alternative as I needed to get something working for my video and presentation. Many of those require interaction on the user of the VM. One I tried would cause my Win7 VM to crash and reboot – certainly not the results I was hoping for. I decided to try different tactics with the original module.

I tried downloaded an earlier VM appliance of Windows 7 (IE8 instead of IE9). I fired it up, turned off updates and disabled the firewall like my other machine had. Unfortunately I received the same error in both targets.

I decided to try the VMs in the SNAP lab as maybe something is up with my computer and/or VMs. When downloading the module which inherently uses malicious code don’t try to use a Windows computer with any kind of antivirus. My desktop, laptop and work computers all made it so I could not do anything with the files. I was trying to download them on the Windows VM then copy paste them into Kali. It was having none of that. I needed to download them directly from the Kali computer and I was good to go.

I had issues re-installing wine32. This command fixed that.

“dpkg --add-architecture i386 && apt-get update && apt-get install wine32”

After misspelling “Metasploit” and putting the directory in the wrong file location I was able to get it to work but it still doesn’t start a session!

I tried converting VMware Kali to VirtualBox but the files would not transfer. I tried it three times, once directly onto my computer and the other two onto a flash drive.

I also attempted to download a newer Kali appliance but that would not install as it was corrupted. I was able to try it again and was able to get it started. The new VM worked and I was able to start a session and have the module work correctly. I thought it must have some special update. I tried the following update command on my original Kali VM and was able to get the module working correctly again.

apt-get clean && apt-get update && apt-get upgrade –y && apt-get dist-upgrade –y

MetasploitIn Metasploit I had several smaller issues. When I was first tried downloading the module I inadvertently downloaded the HTML code for the website and not the actual code of the program. After some troubleshooting it for a bit I realized my error and replaced the code.

The wine installation also took some figuring out as I had to specify the 32 bit version instead of the default 64 bit one. At first I was not able to connect to the Win7 VM so I needed to turn off Windows Firewall which I thought I had done already. After this was fixed I was able to communicate between the two and successfully found the VM.

When I first tried to run the eternalblue_doublepulsar module I received the following error.

The solution was to move the downloaded Eternalblue-Doublepulsar-Metasploitable onto the root and have all of the files in there.

John The RipperWhen I downloaded the Windows Credential Editor tool to create hashes for system users I downloaded the 64-bit version instead of the 32-bit which I needed for my particular Windows 7 VM. Once it failed I backtracked and realized my error as I assumed it would have been the former.

As part of this attack I needed to use Metasploit and upload the credential editor.

At first I ran into issues with the upload being unsuccessful. I googled the error I received and it turns out I did not have sufficient privileges on the VM to be able to upload a file. From here I researched several methods for privilege escalation through reverse TCP connections and several ways of using the bypassuac exploit. Initially I was not able to get them to work. I spent a lot of time going nowhere so I decided I would lower the UAC protection right from the VM so I could continue with the project.

The following week I was able to figure out how to background my current session and use another module. What I was trying to do was start another instance of Metasploit but you cannot share sessions between instances. Once I figured this out I was able to get the bypassuac module to work correctly.

Another slight issue in John was that of previously cracked passwords. If I already the program and successfully retrieved the plaintext password against a hash, by default it does not show that again when you run the same command. John stores successfully cracked hashes so it doesn’t have to run them again if it sees the same hash. I did not know this and would re-run the command and it would not show the password. I needed it to show the plaintext password during the demonstration and video so it looked like it worked. My solution to the problem was to change the password on the Windows 7 VM to something different for every time I used John which would only be a few times.

MaltegoI tried phone numbers for my home, UPB’s main line, the Postal Service’s main line and did not get any hits. I tried adding and removing country code for the US but still nothing. I watched a video on YouTube and saw two things. The first is that he had a +1 instead of 1 for the USA country code. I immediately tried this and it failed. I then continued watching the video and noticed a setting that I did not have in my version of Maltego. It was a setting to add Google to search for the number.

I looked around at a couple other tutorials online and could not find specifically what I needed to add this feature. I decided to update Maltego to see if that would help. The update was successfully installed but it failed to help me in regards to the phone number situation.

General ProblemsI was watching a Lynda video on Wireshark and my laptop crashed. I was not able to get a screen shot but was able to google how to find the report and it’s as easy as searching for “View Reliability History” and found this message.

I then googled the error and found that running chkdsk in prompt might solve the issue. I tried it and the Virtual Machines no longer crash after a minute as this was the error I was receiving.

Another issue I had was a login loop within Kali. The login screen appears and you type your username and password. It works but the login page appears again. I tried putting in an incorrect password to see if the results were different. Authentication failed and it notified me accordingly. I tried the correct password and got the loop again. Google would have to help me once again. When booting Kali I needed to hold ctrl+alt+F1 in order for it to start at a terminal. I could enter the username and password then launch general updates. The updates cleared up the problem and was able to get to my home desktop.

Another minor issue I had was getting the mouse stuck inside of the virtual machine. I would not let me access my real computer that was hosting the VMs. I figured out by pressing the right ctrl key would release the mouse pointer so I could use it again. Well that worked until I used the VM again and had to get back out of it. The same thing would happen and I didn’t want to have to use the ctrl button every time. I found some answers online and there was a setting that got changed within Oracle’s VirtualBox. This fixed my issue.

ConclusionWhat did I accomplishI was successful in gaining experience with Kali and learning how its tools can be used to find exploits. Another thing out of necessity I became good at was googling problems I encountered. Some were easy fixes and others took quite a bit of work. In the end I was able to get things working in a way I was able to show in the video and presentation.

It would have been nice to learn the tools more in-depth or learn additional ones. Unfortunately I ran into one significant problem that took up any additional time I would have had. The lesson learned here is that you will run into issues and try to do your best to remedy them. My presentation and video may have not had any issues but it was not easy. It took time and several rehearsals to get it together and run relatively smoothly.

Time is a precious commodity and when looking at short term vs long term at some point you have to determine how much time spent on the problem can be warranted vs abandoning the original idea to go with something else. At some point you have to ask yourself how effective is the return on investment of my time? We want as much return for the least amount of time. That is human nature.

AnalysisKali Linux is a powerful operating system with a wide variety of tools to gather information, find vulnerabilities, exploit them and find remedies. Through this project it was made clearer just how much there is to learn and remember. Within each of the tools used in this project there are more settings to tweak, parameters to filter and features to use that were not covered. This project really is just the tip of the iceberg when it comes to these things. The top three things I learned in this project were as follows.

1. Use Google to research problems as they will happen.

2. The field is constantly changing and there are always things to learn.

3. Humbly realize that though this project partly marks the end of my CIST program, it’s just the beginning.

Sources

https://www.youtube.com/watch?v=zKizx80w4Rk

https://computingforgeeks.com/how-to-install-wine-on-kali-linux-and-debian-64-bit/

https://www.offensive-security.com/metasploit-unleashed/meterpreter-basics/

www.lynda.com

https://www.youtube.com/watch?v=-4ell2N3kj4

https://www.youtube.com/watch?v=onFBy-rnyAw

https://www.youtube.com/watch?v=OXIjNfX7BW8

https://www.lynda.com/Wireshark-tutorials/Display-filters/624305/706367-4.html?autoplay=true

https://www.drivereasy.com/knowledge/solved-windows-resource-protection-could-not-perform-the-requested-operation/

http://www.tomshardware.com/answers/id-2329865/blue-screen-crash-1000007e.html

https://www.howtogeek.com/222730/how-to-find-out-why-your-windows-pc-crashed-or-froze/

https://www.wireshark.org/docs/wsug_html_chunked/ChCustColorizationSection.html

https://www.lynda.com/Linux-tutorials/Use-John-Windows-passwords/455715/630530-4.html?srchtrk=index%3a1%0alinktypeid%3a2%0aq%3ajohn+the+ripper%0apage%3a1%0as%3arelevance%0asa%3atrue%0aproducttypeid%3a2

https://github.com/rapid7/metasploit-framework/issues/8416

https://www.youtube.com/watch?v=2OvvJouuxS4

https://www.openwall.com/john/doc/

https://knowledge.autodesk.com/search-result/caas/sfdcarticles/sfdcarticles/How-to-turn-off-User-Account-Control-in-Windows.html

https://www.youtube.com/watch?v=PClnz7oa6Hc

https://nmap.org/zenmap/

https://www.lynda.com/Linux-tutorials/Use-John-Windows-passwords/455715/630530-4.html?srchtrk=index%3a1%0alinktypeid%3a2%0aq%3ajohn+the+ripper%0apage%3a1%0as%3arelevance%0asa%3atrue%0aproducttypeid%3a2

https://www.youtube.com/watch?v=2OvvJouuxS4

https://www.openwall.com/john/doc/

https://knowledge.autodesk.com/search-result/caas/sfdcarticles/sfdcarticles/How-to-turn-off-User-Account-Control-in-Windows.html

https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit/issues/80

https://computingforgeeks.com/how-to-install-wine-on-kali-linux-and-debian-64-bit/

https://www.cyberciti.biz/howto/debian-linux/ubuntu-linux-rollback-an-apt-get-upgrade/

https://security.stackexchange.com/questions/36198/how-to-find-live-hosts-on-my-network

https://www.hackingarticles.in/exploit-windows-pc-using-eternalblue-smb-remote-windows-kernel-pool-corruption/

https://computingforgeeks.com/how-to-install-wine-on-kali-linux-and-debian-64-bit/

https://www.youtube.com/watch?v=8dZkQxasuIo