Chapter 4) Basic Kali Linux tools
In this section we will go through the various tools available in Kali Linux for security and penetration testing. There are a number of tools in Kali which are classified as per the task that they are used for. They are as follows.
- Exploitation Tools
- Forensics Tools
- Information Gathering Tools
- Reverse Engineering tools
- Wireless Attack Tools
- Reporting Tools
- Stress Testing Tools
- Maintaining Access Tools
- Sniffing and Spoofing Tools
- Password Attack Tools
We will go through tools available on Kali Linux for all the categories one by one and understand the purpose of each tool and how it will help us in the security domain.
Exploitation Tools
On a network of computers, usually over the Internet, there are several web applications which leave a system vulnerable because of bad code or because of open ports on the server that are publicly accessible. Exploitation tools help you to target a system and exploit the vulnerabilities in that system, thus helping you to patch a vulnerability. Let’s go through all the Exploitation Tools available in Kali Linux one at a time.
Armitage
Armitage was developed by Raphael Mudge to be used with the Metasploit framework as its GUI frontend. Armitage is a tool that recommends exploits and is fairly simple to use as a graphical cyber-attack management tool. It is an open source security tool, available for free, and is mostly known for the data it provides on shared sessions and the communication it provides through a single instance of Metasploit. Armitage helps a user to launch exploits and scans, get recommendations of exploits and explore the advanced features that are available in the Metasploit framework.
The Backdoor Factory (BDF)
The Backdoor Factory is a tool commonly used by researchers and security professionals. This tool allows a user to insert code of their choosing into the executable binaries of a system or an application, while the binaries continue to execute normally, as if no additional code had been added to them.
You can install this tool on your Kali Linux system using the following commands on the terminal.
apt-get update
apt-get install backdoor-factory
The Browser Exploitation Framework (BeEF)
The Browser Exploitation Framework is a penetration testing tool built for testing exploits against the web browser. It has been observed that web browsers are targeted using client-side vulnerabilities. BeEF helps the user analyse these client-side attack vectors. Unlike other tools, BeEF focuses on assessing the web browser, which serves as an open door, and it looks past the network layer and the client’s system.
Commix
Providing use cases for penetration testers, web developers and researchers, Commix (short for COMMand Injection eXploiter) works in a simple environment to test web applications. It allows a user to find the errors, bugs or vulnerabilities related to command injection in web applications. This tool makes it easy to identify and exploit a command injection vulnerability. The Commix tool has been developed in the Python language.
Crackle
The Crackle tool in Kali Linux is a brute force utility used for cracking and intercepting traffic between Bluetooth devices. Most Bluetooth devices have a 4-6 digit pairing code, which is in an encrypted format. Using Crackle, these codes can be decrypted if the pairing process between 2 devices is intercepted, allowing you to listen to all communication happening between the 2 devices.
jboss-autopwn
JBoss Autopwn is a penetration testing tool used in JBoss applications. The Github version of JBoss Autopwn is outdated and the last update is from 2011. It is a historical tool and not used much now.
Linux Exploit Suggester
The Linux Exploit Suggester tool provides a script that keeps track of vulnerabilities and shows all possible exploits that could help a user get root access during a penetration test.
The script uses the uname -r command to find the kernel version of the Linux operating system. It also provides the -k parameter, through which the user can manually enter the kernel version of the Linux operating system.
Maltego Teeth
Maltego is a tool that is used for data mining and is interactive. It provides an interactive interface that outputs graphs which help in link analysis. Since it allows link analysis, Maltego is used for investigations on the Internet to find the relationship between information that is scattered over various web pages on the Internet. Maltego Teeth was developed later with an added functionality that gives penetration testers the ability to do password breaking, SQL injections and vulnerability detection, all using a graphical interface.
sqlmap
sqlmap is an open source Kali tool used for penetration testing. It automates the detection of SQL injection vulnerabilities and exploits them to take over database servers. It comes equipped with a very powerful detection engine, a range of tools that help an expert penetration tester, and switches that help fetch information such as database fingerprinting, retrieving data from databases, accessing the file system of the operating system and executing commands on the operating system.
Yersinia
Yersinia is a tool that detects weaknesses in network protocols and takes advantage of them. It is a solid framework for testing and analyzing the deployment of networks and systems. It comprises layer-2 attacks which exploit the weaknesses in various layer-2 protocols in a given network, thus allowing a penetration tester to detect flaws in a layer-2 network. Yersinia is used during penetration tests to start attacks on network devices such as DHCP servers, switches, etc. that use the spanning tree protocol.
Cisco-global-exploiter
The Cisco Global Exploiter (CGE) tool is a security testing exploit engine/tool, which is simple yet fast and advanced. Cisco switches and routers have 14 vulnerabilities which can be exploited using the Cisco Global Exploiter tool. The Cisco Global Exploiter is basically a perl script, which is driven using the command line and has a front-end that is simple and easy to use.
Cisco-torch
The Cisco Torch is an exploitation tool which varies from the regular scanners in the sense that it can be used to launch multiple and simultaneous scans at a given point in time which results in tasks getting done faster and more efficiently. In addition to the network layer, it also helps in fingerprinting systems in the application layer of the OSI model. This is something that even a tool like NMAP doesn’t provide.
Forensics Tools
We will now list down and learn tools available in Kali Linux which are used in the Forensics domain.
Binwalk
The Binwalk tool is useful while working on a binary image file. It lets you scan through the image file for executable code that may be embedded in it. It is a very powerful and useful tool for users who know what they are doing, as it can be used to detect coveted information that is hidden in firmware images. This can help in uncovering a loophole or a hack that is hidden in the image file and placed there with the intention of exploiting the system.
The Binwalk tool is written in Python and makes use of the libmagic library, which makes it an apt tool for the magic signatures that are created for the Unix file system. To make it even more comfortable for testers in the investigation domain, it contains a database of signatures that are commonly found in firmware around the world. This makes it a convenient tool to detect anomalies.
Bulk-extractor
The bulk-extractor tool is an interesting tool used by investigators who want to fetch specific data from a digital file. The tool helps retrieve URLs, email addresses, credit/debit card numbers, etc. The tool can be used to scan through files, directories and even disk images. The best part is that even if the data is partially corrupted or in a compressed format, the tool will still reach its depth to find the data.
Another interesting feature of this tool is that if there is data that you keep finding repeatedly, such as email addresses, URLs, you can create a search pattern for them, which can be displayed in the form of a histogram. It also ends up creating a list of words that are found in a given set of data that may be used to crack a password for files that have been encrypted.
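The following Python is an added illustration of the scanning style described above and is not bulk-extractor's own code: it reads a constructed byte buffer with no file-system structure, pulls out email addresses, URLs and Luhn-valid card numbers with regular expressions, builds the histogram of repeated values, and derives a word list from the same bytes. The regular expressions and the sample buffer are simplified assumptions made for this example.

```python
import re
from collections import Counter

# Constructed sample: a slice of a "disk image" with text features scattered among
# binary junk. Like bulk-extractor, the scanner ignores the file system and reads raw bytes.
SAMPLE_IMAGE = (
    b"\x00\x00junk alice@example.com more\xff\xfe https://intranet.example.com/login "
    b"\x00 bob@example.com\x00\x00 alice@example.com "
    b"http://example.org/docs/report.pdf \x7f garbage 4111-1111-1111-1111 end"
)

# Simplified feature patterns (assumption: real scanners use far more elaborate ones)
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
URL_RE = re.compile(rb"https?://[A-Za-z0-9./_%?=&-]+")
CARD_RE = re.compile(rb"(?:\d{4}[- ]?){3}\d{4}")
WORD_RE = re.compile(rb"[A-Za-z]{4,}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop random digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def extract_features(data: bytes) -> dict:
    """Scan raw bytes and return the recognised features grouped by type."""
    cards = []
    for m in CARD_RE.finditer(data):
        text = m.group().decode()
        if luhn_ok(re.sub(r"[- ]", "", text)):
            cards.append(text)
    return {
        "email": [m.group().decode() for m in EMAIL_RE.finditer(data)],
        "url": [m.group().decode() for m in URL_RE.finditer(data)],
        "card": cards,
    }


def histogram(values: list) -> Counter:
    """Frequency count of one feature type; values that recur surface at the top."""
    return Counter(values)


def wordlist(data: bytes) -> list:
    """Unique words found in the raw bytes, usable as a wordlist for encrypted files."""
    return sorted({w.decode().lower() for w in WORD_RE.findall(data)})


if __name__ == "__main__":
    feats = extract_features(SAMPLE_IMAGE)
    for kind, found in feats.items():
        print(kind, histogram(found).most_common())
    print("wordlist:", wordlist(SAMPLE_IMAGE))
```

The Luhn check is what keeps the card histogram from filling up with timestamps and serial numbers; the same idea (a cheap validity test after the regex) applies to any feature type with a checksum.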
Chkrootkit
The chkrootkit tool is usually used in a live boot scenario. It is used locally to check the host machine for any rootkits that may be installed on the host. It therefore helps in the hardening of a system, thus ensuring that the system is not compromised and vulnerable to a hacker.
The chkrootkit tool also has the ability to scan through system binaries for any modifications made by a rootkit, temporary deletions, string replacements and recent log deletions. These are just a few of the things that this little tool can do. It looks like a fairly simple tool, but the power it possesses can be invaluable to a forensic investigator.
p0f
The p0f tool can help the user identify the operating system of a targeted host just by intercepting and examining the transmitted packets, and it does this irrespective of whether the targeted host is behind a firewall or not. The use of p0f does not increase network traffic, performs no name lookups and sends no probes that might look suspicious. Given all these features, p0f in the hands of an advanced user can help detect the presence of firewalls, the use of NAT devices and the presence of load balancers as well.
pdf-parser
The pdf-parser tool is used in parsing PDF files to classify elements that are used in the file. The output of the tool on a PDF file will not be a PDF file. One may not recommend it for textbook cases of PDF parsers but it does help to get the job done. Mostly, its use case is PDF files, which you may suspect of being embedded with scripts in them.
Dumpzilla
The Dumpzilla tool is a tool that is developed in python. The purpose of this tool is to extract all information that may be of interest to forensics from web browsers like Seamonkey, Mozilla Firefox and Iceweasel.
ddrescue
The ddrescue tool is a savior of a tool. It helps in copying data from one block device such as a hard disc or a CD ROM to another block device. But the reason it is a savior is because it copies the good parts first to avoid any read errors on the source.
The ddrescue tool’s basic operation is completely automatic which means that once you have started it, you do not need to wait for any prompts like an error, wherein you will need to stop the program or restart it.
By using the mapfile feature of the tool, data will be recovered in an efficient fashion as it will only read the blocks that are required. You also get the option to stop the ddrescue process at any time and resume it again later from the same point.
Foremost
Have you ever deleted files on purpose or by mistake and realized that you needed them later? The Foremost tool is there to your rescue. This tool is an open source package which is easy to use and helps you retrieve data off disks that may have been formatted. It may not help recover the filename, but it will recover the data the file held. A magical feature is that even if the directory information is lost, it can retrieve data by referencing the header or footer of the file, making it a fast and reliable tool for data recovery.
An interesting piece of fact is that Foremost was developed by special agents of the US Air Force.
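As an added example that serves both the Binwalk section above (signature scanning) and the Foremost section (header/footer carving), and which is not code from either project, the Python below builds a constructed "firmware image" with a gzip member and a minimal PNG buried between padding, scans every offset against a small magic-signature table, inflates the gzip member to find where it ends, and carves the PNG from its header to its IEND footer without any directory information. The signature table, the sample image and the PNG structure are assumptions made for the example.

```python
import gzip
import zlib

# Magic signatures (first bytes of a file type), like the database a tool such as
# Binwalk carries. This short table is constructed for the example.
SIGNATURES = {
    b"\x7fELF": "ELF executable",
    b"\x1f\x8b\x08": "gzip stream",
    b"\x89PNG\r\n\x1a\n": "PNG image",
    b"PK\x03\x04": "ZIP archive",
}
PNG_FOOTER = b"IEND\xaeB`\x82"  # IEND chunk type followed by its fixed CRC


def build_sample_firmware() -> bytes:
    """Constructed image: padding, a gzip member, padding, a minimal PNG, trailing junk."""
    gz = gzip.compress(b"hello from the embedded filesystem", mtime=0)
    # Not a valid picture, just a PNG header, an IHDR-shaped chunk and the IEND footer
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 8 + b"IHDR" + b"\x00" * 17 + PNG_FOOTER
    return b"\xff" * 64 + gz + b"\x00" * 32 + png + b"\xde\xad\xbe\xef"


def scan_signatures(data: bytes) -> list:
    """Return (offset, type) for every position at which a known magic value starts."""
    hits = []
    for off in range(len(data)):
        for magic, name in SIGNATURES.items():
            if data.startswith(magic, off):
                hits.append((off, name))
    return hits


def carve_gzip(data: bytes, off: int):
    """Inflate the gzip member starting at off; the decompressor reports where it ended."""
    d = zlib.decompressobj(wbits=31)  # 31 = accept a gzip wrapper
    try:
        payload = d.decompress(data[off:])
    except zlib.error:
        return None, off  # no valid gzip member at this offset
    if not d.eof:
        return None, off  # truncated member
    end = len(data) - len(d.unused_data)
    return payload, end


def carve_by_footer(data: bytes, off: int, footer: bytes):
    """Foremost-style carving: cut from the header to the first matching footer."""
    end = data.find(footer, off)
    if end == -1:
        return None
    return data[off : end + len(footer)]


if __name__ == "__main__":
    fw = build_sample_firmware()
    for off, name in scan_signatures(fw):
        print(f"0x{off:06x}  {name}")
    payload, end = carve_gzip(fw, 64)
    print("gzip payload:", payload, "ends at", end)
```

Scanning every offset rather than only file boundaries is what lets the technique find a compressed file system hidden inside a larger blob; the false-positive risk is that short magic values such as `PK\x03\x04` will occasionally occur by chance, which is why real tools validate the structure that follows the magic before reporting it.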
Galleta
The Galleta tool helps you parse a cookie trail that you have been following and convert it into a spreadsheet format, which can be exported for future reference.
Cookies can be evidence in a case of cyber-crime, and it can be a challenging task to understand them in their original format. The Galleta tool comes in handy here as it helps in structuring data that is retrieved from cookie trails, which can then be run through other software for deeper analysis. The inputs for this analysis software need the data to be in a spreadsheet format, which is where the Galleta tool proves to be very useful.
Volatility
When it comes to memory forensics, Volatility is a very popular tool. Developed in the python language, this tool facilitates the extraction of data from volatile memory such as RAM. It is compatible with 32 bit and 64 bit architectures of almost all Windows variants and limited flavors of Linux and Android. The tool accepts memory dumps in various formats such as crash dumps, raw memory dumps, hibernation files, virtual snapshots, etc. The tool allows you to get an idea of the run-time state of the host machine and is independent of the investigation of the host.
Passwords that are decrypted at run-time are stored in RAM. Thus, by retrieving the details of a password, Volatility comes as a savior for the investigation of files that lie on the hard disk and may be encrypted with a password. This helps in decreasing the overall time that may be required to investigate a particular case.
Autopsy
Sleuth Kit is a digital forensics toolkit which is open source and can be used with a wide range of file systems such as FAT, NTFS, EXT2, EXT3(and raw images) to perform analysis that can be in depth. The graphical interface developed for Sleuth Kit (which is a command line tool) is called Autopsy. Autopsy brags of features such as Hash Filtering, Timeline analysis, File System analysis and searching for keywords. It is also very versatile as it lets you add other modules to the existing set for extended functionality.
You get the option to launch a fresh new case or use one which already exists when you launch the Autopsy tool.
Xplico
Xplico is a forensic tool, which is open source and is used for network forensics. If you wish to extract data from applications that use the network protocols or Internet, Xplico is the tool for you. All popular network protocols such as HTTPS, POP, SMTP, IMAP, SIP, UDP, TCP and others are supported by Xplico. It supports both IPv4 and IPv6. An SQLite database is used to store the output data from the tool.
Information Gathering Tools
Any attack begins with the stage of information gathering. When you gather as much information as possible about the target, the attack becomes an easy process. Having information about the target also results in a higher success rate of the attack. A hacker finds all kinds of information helpful.
The process of information gathering includes:
- Gathering information that will help in social engineering and ultimately in the attack
- Understanding the range of the network and computers that will be the targets of the attack
- Identifying and understanding the complete attack surface, i.e. the processes and systems that are exposed
- Identifying the services of a system that are exposed, and collecting as much information about them as possible
- Querying specific services that will help fetch useful data such as usernames
We will now go through Information Gathering tools available in Kali Linux one by one.
Nmap and Zenmap
Nmap and Zenmap are the Kali Linux tools used for this phase of ethical hacking. Nmap and Zenmap are basically the same tool: Zenmap is a graphical interface for the Nmap tool, which works on the command line.
The NMap tool which is for security auditing and discovery of network is a free tool. Apart from penetration testers, it is also used by system administrators and network administrators for daily tasks such as monitoring the uptime of the server or a service and managing schedules for service upgrades.
NMap identifies available hosts on a network by using IP packets which are raw. This also helps NMap identify the service being hosted on the host which includes the name of the application and the version. Basically, the most important application it helps identify on a network is the filter or the firewall set up on a host.
Stealth Scan
The Stealth scan is also popularly known as the half open scan or SYN scan. It is called the half open scan because it refrains from completing the usual TCP three-way handshake. The way it works is that a SYN packet is sent by an attacker to the target host. The target host will acknowledge the SYN and send a SYN/ACK in return. If a SYN/ACK is received, it can be safely assumed that the connection to the target host would complete and that the port is open and listening on the target host. If the response received is RST instead, it is safe to assume that the port is closed or not active on the target host.
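The half-open pattern described above is also what a defender looks for in traffic: many SYNs from one source to distinct ports, each answered with SYN/ACK or RST and never followed by the client's ACK. The Python below is an added detection example, not part of the original text or of any Kali tool: it walks a constructed packet log in which a normal client completes a handshake while a second source probes six ports without ever completing one, and reports sources whose count of half-open flows reaches a threshold. The packet tuple format, the flag letters and the threshold are assumptions made for the example.

```python
from collections import defaultdict

# Constructed packet log. Each record is (src, sport, dst, dport, flags), with flags
# written as letters: S = SYN, SA = SYN/ACK, A = ACK, R = RST.
PACKETS = [
    # a normal client completing the three-way handshake to 10.0.0.20:443
    ("10.0.0.5", 51000, "10.0.0.20", 443, "S"),
    ("10.0.0.20", 443, "10.0.0.5", 51000, "SA"),
    ("10.0.0.5", 51000, "10.0.0.20", 443, "A"),
]
# a second source probing six ports on the same host: SYN, a reply, and then no ACK
for i, (port, reply) in enumerate(
    [(21, "R"), (22, "SA"), (23, "R"), (25, "R"), (80, "SA"), (443, "R")]
):
    PACKETS.append(("192.0.2.10", 40000 + i, "10.0.0.20", port, "S"))
    PACKETS.append(("10.0.0.20", port, "192.0.2.10", 40000 + i, reply))
# the prober tears down the one open port it found with its own RST instead of an ACK
PACKETS.append(("192.0.2.10", 40001, "10.0.0.20", 22, "R"))


def detect_half_open_scans(packets, threshold: int = 5) -> dict:
    """Return {source: [ports]} for sources with at least `threshold` half-open flows.

    A flow is keyed by (client, server, server_port). It is half-open when the client
    sent a SYN, the server replied (SYN/ACK or RST), and the client never sent an ACK.
    """
    flows = defaultdict(lambda: {"syn": False, "reply": False, "ack": False})
    for src, sport, dst, dport, flags in packets:
        if flags == "S":
            flows[(src, dst, dport)]["syn"] = True
        elif flags == "A":
            flows[(src, dst, dport)]["ack"] = True
        elif flags == "R" and (src, dst, dport) in flows:
            pass  # the client resetting its own probe; still no handshake completed
        elif flags in ("SA", "R"):
            # reply travels server -> client, so the client's flow is keyed by the server port
            flows[(dst, src, sport)]["reply"] = True

    per_source = defaultdict(set)
    for (client, server, port), state in flows.items():
        if state["syn"] and state["reply"] and not state["ack"]:
            per_source[client].add(port)
    return {c: sorted(p) for c, p in per_source.items() if len(p) >= threshold}


if __name__ == "__main__":
    for source, ports in detect_half_open_scans(PACKETS).items():
        print(f"possible SYN scan from {source}: half-open to ports {ports}")
```

The threshold is the tuning knob: a single half-open connection is normal (a dropped packet, a slow client), while dozens to distinct ports in a short window from one address is the scan signature. A production detector would also window by time and ignore flows that later complete.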
acccheck
The acccheck tool was developed as an attack tool consisting of a password dictionary to target Windows authentication processes that use the SMB protocol. The acccheck tool is basically a wrapper script around the ‘smbclient’ binary and therefore depends on the smbclient binary for execution.
Server Message Block (SMB) protocol is an implementation of Microsoft for file sharing over a network and is popularly known as the Microsoft SMB Protocol.
Amap
Amap is a next-generation scanning tool that allows a good number of options and flags in its command line syntax, making it possible to identify applications and processes even if they are running on non-standard ports.
For example, a web server by default accepts connections on port 80. But most companies may change this port to something else such as 1253 to make the server secure. This change would be easily discovered by Amap.
Furthermore, if the services or applications are not based on ASCII, Amap is still able to discover them. Amap also has a set of interesting tools, which have the ability to send customized packets which will generate specific responses from the target host.
Amap, unlike other network tools is not just a simple scanner, which was developed with the intention of just pinging a network to detect active hosts on the network. Amap is equipped with amapcrap, which is a module that sends bogus and completely random data to a port. The target port can be UDP, TCP, SSL, etc. The motive is to force the target port to generate a response.
CaseFile
CaseFile is known as the younger sibling of Maltego. CaseFile has the same ability as Maltego to create graphs, but it cannot run transforms on them. You can, however, quickly add data and then link and analyze it using CaseFile. The CaseFile tool is for investigators who work on data that is fetched from offline sources, since the data they require is not something that can be queried by automation or programming. These are investigators who get their data from other team members and use that data to build an information map based on their investigation.
A huge number of Maltego users were using Maltego to try and build graphical data from offline investigations, and that is how CaseFile was born. Since there was no need for the transforms provided by Maltego and the real need was just the graphing capability of Maltego in a more flexible way, CaseFile was developed.
CaseFile, being a visual intelligence application, helps to determine the real-world relationships, connections and links between information of different types. CaseFile lets you understand the connections between data that may be apart from each other by multiple degrees of separation by plotting the relationships between them graphically. Additionally, CaseFile comes bundled with many more entities that are useful in investigations, making it an efficient tool. You can also add your custom entities to CaseFile, which allows you to extend this tool to your own custom data sets.
braa
Braa is a tool that is used for scanning mass Simple Network Management Protocol (SNMP). The tool lets you make SNMP queries, but unlike other tools which make single queries at a time to the SNMP service, braa has the capability to make queries to multiple hosts simultaneously, using one single process. The advantage of braa is that it scans multiple hosts very fast and that too by using very limited system resources.
Unlike other SNMP tools, which require SNMP libraries to function, braa implements and maintains its own SNMP stack. The implementation is very complex and dirty. It supports limited data types and cannot be called up to standard in any case. However, braa was developed to be a fast tool, and it is fast indeed.
dnsmap
dnsmap is a tool that came into existence originally in 2006 after being inspired from the fictional story “The Thief No One Saw” by Paul Craig.
A tool used by penetration testers in the information gathering stage, dnsmap helps discover the IP of the target company, domain names, netblocks, phone numbers, etc.
dnsmap also helps with subdomain brute forcing, which helps in cases where DNS zone transfers do not work. Zone transfers are generally not allowed publicly anymore nowadays, which makes dnsmap the need of the hour.
DotDotPwn
The dotdotpwn tool can be described simply as a fuzzer. What is a fuzzer? A fuzzer is a testing tool that targets software for vulnerabilities by debugging and penetrating through it. It feeds the software malformed input and looks for flaws and loopholes, bad data handling, validation errors, parameters that may be incorrect and other programming anomalies.
Whenever an anomaly is encountered by the software, the software may become unresponsive, making way for the flaws to give an open door to an attack. For example, if you are an attacker whose target is a company’s web server, with the help of dotdotpwn you will be able to find a loophole in the code of the web server. Perhaps there has been a recent HTTP server update overnight. Using a fuzzer on the web server shows you there is a data validation flaw which leaves an open door for a DoS attack. You can now exploit this vulnerability, which will make the server crash, and server access will be denied to genuine employees of the company. There are many such errors that can be discovered using a fuzzer; it is very common for a technology to have errors when something new is released to the market, and it takes time to identify and fix them.
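The defender's use of the same idea is to fuzz your own input handling before anyone else does. The Python below is an added example, not code from dotdotpwn or from the original text: it contains a naive path resolver for a hypothetical static-file handler beside a hardened one, and a small fuzzer that combines traversal tokens (`../`, percent-encoded dots, and so on) at random and records every input that makes a resolver produce a path outside the document root. The document root `/srv/www/static`, the token list and both resolver functions are assumptions made for this example; everything is string-level, no file is opened.

```python
import posixpath
import random
from urllib.parse import unquote

# Hypothetical document root for the example; no file system access takes place.
BASE = "/srv/www/static"

# Traversal building blocks the fuzzer combines (constructed list; a real fuzzer
# carries many more encodings and separators).
TOKENS = ["../", "..%2f", "%2e%2e/", "%2e%2e%2f", "....//", "..%c0%af", "/", "%00",
          "etc/passwd", "css/", "index.html"]


def is_confined(base: str, path: str) -> bool:
    """True if path is the base directory itself or lies underneath it."""
    return path == base or path.startswith(base + "/")


def naive_resolve(base: str, requested: str) -> str:
    """The 'before' version: decode once and join, trusting the client's path."""
    return posixpath.normpath(posixpath.join(base, unquote(requested)))


def safe_resolve(base: str, requested: str):
    """Hardened version: decode once (as the server does), reject NUL bytes and
    backslashes, treat the request as relative, normalise, and refuse anything that
    still resolves outside base. Returns None for a rejected request."""
    decoded = unquote(requested)
    if "\x00" in decoded or "\\" in decoded:
        return None
    candidate = posixpath.normpath(posixpath.join(base, decoded.lstrip("/")))
    return candidate if is_confined(base, candidate) else None


def fuzz(resolver, rounds: int = 500, seed: int = 1) -> list:
    """Feed random token combinations to resolver; return the inputs that escaped BASE."""
    rng = random.Random(seed)  # fixed seed so the run is reproducible
    escapes = []
    for _ in range(rounds):
        payload = "".join(rng.choice(TOKENS) for _ in range(rng.randint(1, 8)))
        resolved = resolver(BASE, payload)
        if resolved is not None and not is_confined(BASE, resolved):
            escapes.append(payload)
    return escapes


if __name__ == "__main__":
    print("naive resolver escapes:", len(fuzz(naive_resolve)), "e.g.", fuzz(naive_resolve)[:3])
    print("safe resolver escapes:", len(fuzz(safe_resolve)))
```

The point of checking the normalised result rather than blacklisting `..` is that the fuzzer's encodings all collapse to the same thing after decoding and normalisation, so one containment test covers every variant in the token list; the fuzz run is the evidence that it does.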
Another example would be an attack on SQL called SQLi, where the ‘i’ stands for injection. SQL injection attacks are achieved by injecting SQL database queries through web forms that are available on a website. The conclusion is that software will always be vulnerable, allowing attackers to find a way to break into the system.
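To make the SQL injection idea concrete for both the sqlmap section earlier and the paragraph above, here is an added Python example (not sqlmap's code and not part of the original text) using an in-memory SQLite database: a lookup that pastes the form field into the query text beside the parameterised version, plus a simplified form of the boolean-based differential check an automated scanner performs, which flags a lookup as injectable when a name that matches nothing suddenly returns rows once a tautology is appended. The table, its rows and the probe string are constructed for the example.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for a web application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn


def lookup_vulnerable(conn, username: str) -> list:
    """The 'before' version: the form field becomes part of the SQL text itself."""
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, username: str) -> list:
    """Hardened version: a bound parameter, so the input can only ever be a value."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def boolean_differential_check(conn, lookup) -> bool:
    """Simplified boolean-based injection test: a name that matches nothing must stay
    empty even when a tautology is appended. Returns True when lookup is injectable."""
    baseline = lookup(conn, "nosuchuser")
    tautology = lookup(conn, "nosuchuser' OR '1'='1")
    return len(baseline) == 0 and len(tautology) > 0


if __name__ == "__main__":
    conn = setup_db()
    for name, fn in (("vulnerable", lookup_vulnerable), ("safe", lookup_safe)):
        print(f"{name}: injectable = {boolean_differential_check(conn, fn)}")
```

The differential check is also a useful regression test to keep in a code base: it fails loudly the moment someone reintroduces string formatting into a query.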
Fierce
Fierce is a Kali tool which is used to scan ports and map networks. Discovery of hostnames across multiple networks and scanning of non-contiguous IP spaces can be achieved by using Fierce. It is a tool much like Nmap, but Fierce is used specifically for corporate networks.
Once the target network has been defined by a penetration tester, Fierce runs a whole lot of tests on the domains in the target network and retrieves information that is valuable and which can be analyzed and exploited by the attacker.
Fierce has the following features.
- Capabilities for a brute-force attack through custom and built-in test lists
- Discovery of nameservers
- Zone transfer attacks
- Scanning of IP ranges, both internal and external
- Ability to modify the DNS server for reverse host lookups
Wireshark
Wireshark is a Kali tool that is an open source network analyzer and works on multiple platforms such as Linux, BSD, OS X and Windows.
It helps one understand the functioning of a network, thus making it of use in government infrastructure, education and other corporate environments.
It is similar to the tcpdump tool, but Wireshark is a notch above as it has a graphical interface through which you can filter and organize the captured data, which means that it takes less time to analyze the data further. There is also a text-only version known as tshark, which has almost the same set of features.
Wireshark has the following features.
- The interface has a user-friendly GUI
- Live capture of packets and offline analysis
- Support for Gzip compression and extraction
- Full protocol inspection
- Complete VoIP analysis
- Supports decryption for IPsec, Kerberos, SSL/TLS, WPA/WPA2
URLCrazy
URLCrazy is a Kali tool that generates and tests typos and variations of domain names in order to detect and perform URL hijacking, typo squatting and corporate espionage. It has a database that can generate up to 15 types of domain variants and misspellings of up to 8000 common words. URLCrazy supports a variety of keyboard layouts, checks whether a particular domain is in use and figures out how popular a typo is.
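Generating the variant list is the part a defender reuses for brand monitoring: produce the typos of your own domain and check which ones someone else has registered. The Python below is an added example and not URLCrazy's code: it produces four of the variant types the text mentions (character omission, repetition, transposition and adjacent-key replacement) for a domain. The partial QWERTY neighbour map is a constructed assumption; URLCrazy ships full keyboard layouts.

```python
# Partial QWERTY neighbour map, constructed for the example (real tools carry full layouts).
ADJACENT = {
    "a": "qwsz", "e": "wsdr", "l": "kop", "m": "njk", "p": "ol", "x": "zsdc",
}


def typo_variants(domain: str) -> list:
    """Return sorted typo variants of `domain` (second-level label only, TLD kept)."""
    name, tld = domain.lower().rsplit(".", 1)
    variants = set()
    for i in range(len(name)):
        variants.add(name[:i] + name[i + 1:])                 # character omission
        variants.add(name[:i + 1] + name[i] + name[i + 1:])   # character repetition
        for key in ADJACENT.get(name[i], ""):                 # adjacent-key replacement
            variants.add(name[:i] + key + name[i + 1:])
    for i in range(len(name) - 1):
        variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition
    variants.discard(name)  # the real domain is not a typo of itself
    return sorted(f"{v}.{tld}" for v in variants if v)


if __name__ == "__main__":
    for candidate in typo_variants("example.com"):
        print(candidate)
```

In a monitoring workflow each candidate would then be resolved or looked up in WHOIS; a variant that has a registration and a mail server deserves a closer look.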
The Harvester
The Harvester is a Kali tool that is not your regular hacking tool. Whenever there is a mention of hacking tools that are implemented using the command line, one usually thinks of tools like Nmap, Reaver, Metasploit and other utilities for wireless password cracking. However, the harvester refrains from using algorithms that are advanced to break into firewalls, or crack passwords, or capture the data of the local network.
Instead, the Harvester simply gathers publicly available information such as employee names, email addresses, banners, subdomains and other information in the same range. You may wonder as to why it collects this data. Because this data is very useful in the primary stage of information gathering. All this data helps study and understand the target system which makes attacking easier for the hacker or the penetration tester.
Furthermore, it helps the attacker understand how big an Internet footprint the target has. It also helps organizations know how much publicly available information their employees have across the Internet. The latest version of the Harvester has updates which let it keep intervals between the requests it makes to pages on the Internet, improved search sources, plotting of graphs and statistics, etc.
The Harvester crawls through the Internet as your surrogate, looking for information on your behalf as long as the criteria provided by you matches the information on the Internet. Given that you can also gather email addresses using the Harvester, this tool can be very useful to a hacker who is trying to penetrate an online login by gaining access to the email account of an individual.
Metagoofil
Metagoofil is a Kali tool that is aimed at fetching a company's publicly available documents, such as pdf, xls, doc, ppt, etc., from the Internet.
The tool makes a Google search to scan through documents and download them to the local machine. It then extracts the metadata of the documents using libraries such as pdfminer, hachoir, etc. It then feeds the information gathering process with the results of its report which contains usernames, server or machine names and software version which helps penetration testers with their investigation.
Miranda
Miranda is a Kali tool that is used, actively or passively, to detect UPnP hosts, their services, their devices and actions, all through one single command. The service state parameters and their associated actions are correlated automatically and are then processed as input/output variables for every action. Miranda uses a single data structure to store information on all the hosts and gives you access to that data structure and all its contents.
Let's discuss what exactly UPnP is. Universal Plug and Play or UPnP is a networking protocol that allows devices on the network, such as computers, printers, routers, mobile devices, etc., to discover each other seamlessly over a network and establish services between them for sharing of data, entertainment and other communication. It is ideal for networks inside a private residence as opposed to corporate infrastructure.
Ghost Phisher
Ghost Phisher is a Kali tool, which is used as an attack software program and also for security auditing of wired and wireless networks. It is developed using the Python programming language and the Python GUI library. The program basically emulates access points of a network therefore, deploying its own internal server into a network.
Fragroute
Fragroute is a Kali tool that is used for intercepting, modifying and rewriting traffic that is moving toward a specific host. Simply put, packets from the attacking system, known as fragroute packets, are routed to the destination system. It is mostly used for bypassing firewalls, by attackers and security personnel alike. Information gathering is a well-known use case for fragroute as well, by penetration testers working against a remote host which is highly secured.
Masscan
Masscan is a Kali tool which is used by penetration testers all around the world and has been in the industry for a long time. It is a reconnaissance tool which has the capability to transmit up to 10 million packets every second. The transmission used by masscan is asynchronous and it has a custom TCP/IP stack. Therefore, the threads used for sending and receiving packets are separate.
Masscan is used to simultaneously scan a large number of hosts, and that too quickly. The tool developer claims that masscan can scan the entire Internet in 6 minutes. Given its super high transmission rate, it has a use case in the domain of stress testing as well.
However, to achieve those high transmission rates, special drivers and NICs are required. The tool's interaction with the user is very similar to that of the Nmap tool.
Features of masscan are as follows.
- It can be used to enumerate the whole Internet
- It can be used to enumerate a huge number of hosts
- Various subnets within an organization can be enumerated
- It can be used for random scanning and fun on the Internet
Reverse Engineering tools
We can learn how to make and break things, from something as simple as a Lego toy to a car engine, simply by dismantling the parts one by one and then putting them back together. This process, wherein we break things down to study them deeply and further improve them, is called Reverse Engineering.
The technique of Reverse Engineering in its initial days would only be used with hardware. As the process evolved over the years, engineers started applying it to software, and now to human DNA as well. Reverse engineering, in the domain of cyber security helps understand that if a system was breached, how the attacker entered the system and the steps that he took to break and enter into the system.
While getting into the network of a corporate infrastructure, attackers ensure that they are utilizing all the tools available to them in the domain of computer intrusion. Most of the attackers are funded and skilled and have a specific objective for an attack, towards which they are highly motivated. Reverse Engineering empowers us to put up a fight against such attackers in the future. Kali Linux comes equipped with a lot of tools that are useful in the process of reverse engineering in the digital world. We will list down some of these tools and learn their use.
Apktool
Apktool is a Kali Linux tool that is used in the process of reverse engineering. This tool has the ability to break down resources to a form that is almost the original form and then recreate the resource after making adjustments. It can also debug code that is small in size, step by step. It has a project-like file structure, thus making it easy to work with an app. Using apktool you can also automate repetitive tasks like the building of an apk.
Dex2jar
Dex2jar is a Kali tool which is a lightweight API and was developed to work with the Dalvik Executable that is the .dex/.odex file formats. The tool basically helps to work with the .class files of Java and Android.
It has the following components.
- Dex2jar has a lightweight API similar to that of ASM.
- The dex-translator component does the conversion work. It reads instructions from dex into the dex-ir format and converts it to ASM format after optimizing it.
- The dex-ir component, which is used by the dex-translator component, basically represents the dex instructions.
- The dex-tools component works with the .class files. It is used for tasks such as modifying an apk, etc.
diStorm3
diStorm is a Kali tool that is an easy-to-use, lightweight decomposer (disassembler) library. Instructions can be disassembled in 16-bit, 32-bit and 64-bit modes using diStorm. It is also popular amongst penetration testers because it is a fast disassembler library. The source code, which depends on the C library, is very clean, portable, readable and platform independent, which allows it to be used in embedded modules and kernel modules.
diStorm3 is the latest version and is backward compatible with diStorm64's old interface. However, using the new header files is essential.
edb-debugger
edb debugger is a Kali tool that is the Linux equivalent of the popular Windows tool "Olly debugger." It is a debugging tool with modularity as one of its main goals. Some of its features are as follows.
- An intuitive graphical user interface
- All the regular debugging operations such as step-into, step-over, run and break
- Conditional breakpoints
- Basic instruction analysis
- Viewing or dumping of memory regions
- Effective address inspection
- Generation and import of symbol maps
- Various available plugins
- The debugger core is itself a plugin, so it can be replaced when needed
- A tabbed data dump view, which lets the user open several views of memory at the same time and switch between them
Jad Debugger
Jad is a Kali Linux tool that is a Java decompiler, and the most popular one in the world. It is a command-line tool written in C++. Over the years many graphical interfaces have been developed that run Jad in the background and give users a comfortable front end for tasks such as project management and source browsing. Kali Linux ships Jad in its releases for Java application debugging and other reverse engineering work.
Javasnoop
JavaSnoop is a tool developed by Aspect Security and available in Kali Linux that allows testing of Java application security. By developing JavaSnoop, Aspect has shown its leadership in the security industry in providing verification services for all applications, not just web based applications.
JavaSnoop lets you start tampering with method calls, run customized code, or just sit back and watch what is going on in the system, by attaching to an existing process much like a debugger does.
OllyDbg
OllyDbg is a Kali Linux tool that is a 32-bit assembler-level debugger developed for Microsoft Windows. What makes it particularly useful is its emphasis on binary code analysis, for the times when the source is not available.
OllyDbg boasts the following features.
- An interactive user interface with no command-line hassle
- Loads and debugs DLLs directly
- Allows function descriptions, comments and labels to be defined by the user
- Leaves no trash files in the registry or system directories after installation
- Can be used to debug multi-threaded applications
- Many third-party applications can be integrated thanks to its open architecture
- Attaches itself to running programs
Valgrind
Valgrind is a Kali Linux tool used for profiling and debugging programs on Linux based systems. The tool helps you find threading bugs and memory management bugs automatically. It saves hours that would otherwise be wasted hunting down bugs and therefore stabilizes the program to a great extent. A program's processing speed can also be increased by doing detailed profiling with Valgrind. It is a suite for debugging and profiling Linux programs, and the Valgrind distribution currently contains the following production-quality tools.
- Memcheck, which detects memory errors
- DRD and Helgrind, two thread error detectors
- Cachegrind, a cache and branch prediction profiler
- Callgrind, a call-graph generating cache profiler that also profiles branch prediction
- Massif, a heap profiler
Three experimental tools are also included in the Valgrind distribution.
- SGCheck, a detector for stack and global array overruns
- DHAT, a second heap profiler that helps you understand how heap blocks are being used
- BBV, a basic block vector generator
Reverse engineering plays an important role where manufacturers use it to keep up with rival products. At other times it is used to find flaws in software and build a better version of it. Kali Linux provides well-known reverse engineering tools. In addition to the tools we have discussed there are many third-party reverse engineering tools as well, but the ones we have discussed come pre-installed in the Kali Linux image.
Wireless Attack Tools
In this chapter we will look at the various tools available in Kali Linux that can be used for penetration testing of wireless devices and of other devices that are reachable through wireless networks.
Aircrack
Aircrack is a Kali Linux tool used for cracking wireless passwords, and is the most popular tool in the world for what it does. It is used around the world for cracking 802.11 WEP and WPA-PSK keys. It tries to figure out the password by analyzing the packets it has previously captured. It can recover the password of a network by implementing the standard FMS attack with some optimizations. The PTW and KoreK attacks are some of the optimizations used to make the attack faster than other WEP cracking tools. Aircrack is a very powerful tool and is the most widely used in the world.
The interface it offers is console based. The team that develops Aircrack offers online tutorials to get hands-on experience.
AirSnort
AirSnort is another Kali Linux tool used for cracking passwords of wireless LANs, and it is very popular. WEP keys of Wi-Fi 802.11b networks can be cracked using AirSnort. The tool passively monitors the packets being transmitted on the network. When it has gathered sufficient packets, it computes the encryption key from them. AirSnort is available for free on both Linux and Windows and is fairly simple to use. The tool has not seen any development or updates in 3 years, but the company that created it is now looking to develop and maintain it further. Because of its direct involvement in cracking WEP, the tool is popular around the globe.
Kismet
Kismet is another Kali Linux tool, basically used for troubleshooting issues on wireless networks. It can be used with any Wi-Fi device that supports rfmon (monitor mode). It is available on most platforms, including Linux, Windows, OS X and the BSDs. Kismet also collects packets passively to identify the network standard in use, and it can detect hidden networks. It is built on a client-server architecture and can sniff 802.11b, 802.11a, 802.11g and 802.11n traffic. It supports the newer, faster wireless standards as well.
Cain & Abel
Cain & Abel is a Kali Linux tool that is popular amongst penetration testers for its ability to crack wireless networks. The tool was originally developed to intercept traffic on a network; later developments turned it into a tool that could brute force its way into wireless network passwords. The tool analyzes the routing protocols of a network and helps in finding the network's passwords.
Fern WiFi Wireless Cracker
Fern Wi-Fi Wireless Cracker is another Kali Linux tool that is very helpful for network security. The tool helps you identify hosts by monitoring all network traffic in real time. It was initially developed to detect flaws on networks and fix the flaws that were detected. The tool is available on Linux, Windows and Apple platforms.
CoWPAtty
CoWPAtty is another Kali Linux tool used for cracking wireless network passwords. It cracks passwords of WPA-PSK networks using an automated dictionary attack. It maintains a database containing thousands of passwords which it uses during the attack. The chances of the tool cracking the password are very high if the password is in its database. The drawback is that the tool can be slow; its speed depends on the password strength and the number of words in its database. Another reason for its slow speed is that the tool uses the SHA1 algorithm seeded with the SSID. This means that the hash of the same password will be different for each SSID, so a rainbow table may be ineffective against a given access point. Therefore, for each SSID, the tool has to generate a hash for every word in its password dictionary. The tool is fairly simple to use, with a list of commands to be used.
Newer versions of CoWPAtty use pre-computed hash files, which bring down the computation time during cracking significantly and so speed up the process. The pre-computed hash file already covers a 172000-word dictionary for at least 1000 of the most popular SSIDs. Your SSID has to be in that list for the attack to be successful; if it is not, you are just plain unlucky.
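To make concrete why the pre-computed hash files are tied to the SSID, here is an added example in Python; it is not code from the book or from CoWPAtty. WPA/WPA2-PSK derives the 256-bit Pairwise Master Key (PMK) from the passphrase with PBKDF2-HMAC-SHA1, using the SSID as the salt, 4096 iterations and a 32-byte output, as specified in IEEE 802.11i. The wordlist and the second SSID below are constructed for the demonstration; the "password"/"IEEE" pair is the test vector published in the standard. For a defender the lesson is the flip side of the book's "plain unlucky" remark: a non-default SSID makes every pre-computed table useless against your network, and a long passphrase makes per-SSID dictionary computation too expensive.

```python
"""Added example (not from the book or CoWPAtty): WPA/WPA2-PSK key derivation
and why a pre-computed PMK table is only valid for one SSID."""
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i
PMK_LEN = 32               # 256-bit Pairwise Master Key


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def precompute_table(wordlist, ssid: str) -> dict:
    """The expensive step: one PBKDF2 run (4096 HMAC-SHA1 calls) per word.
    The result maps PMK -> passphrase and is only meaningful for `ssid`,
    because the SSID went into the salt."""
    return {derive_pmk(word, ssid): word for word in wordlist}


def lookup(table: dict, pmk: bytes):
    """The cheap step: a dictionary lookup instead of a PBKDF2 run."""
    return table.get(pmk)


# Constructed wordlist for the demo; a real list has hundreds of thousands of entries.
WORDLIST = ["password", "letmein123", "correct horse", "IEEE-test-phrase"]

if __name__ == "__main__":
    table_ieee = precompute_table(WORDLIST, "IEEE")
    table_other = precompute_table(WORDLIST, "HomeNet-7f3a")   # constructed SSID
    pmk = derive_pmk("password", "IEEE")
    print("PMK for password/IEEE:", pmk.hex())
    print("found in table built for SSID IEEE:        ", lookup(table_ieee, pmk))
    print("found in table built for SSID HomeNet-7f3a:", lookup(table_other, pmk))
```

The second lookup returns None: the same passphrase hashed under a different SSID is a different PMK, which is exactly why CoWPAtty's hash files are organised by SSID.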
Airjack
Airjack is a Kali Linux tool used for packet injection on 802.11 Wi-Fi networks. DoS and man-in-the-middle attacks are a specialty of this tool. It forces a denial of service on the network by injecting bogus packets, and can also help create a man-in-the-middle attack on a given network. The tool is both powerful and popular among users.
WepAttack
WepAttack is another open source Kali Linux tool for breaking 802.11 WEP keys. It maintains a dictionary of millions of words, which it uses to crack the password of a network. The only requirement for an attack with WepAttack is a working WLAN card. Its usability is very limited, but it works amazingly well on supported WLAN cards.
Wifiphisher
Wifiphisher is a Kali Linux tool that is again used to obtain the password of a wireless network. It steals wireless network passwords by executing fast-paced phishing attacks. Kali Linux has Wifiphisher pre-installed. The tool is available on Linux, Windows and Mac and is completely free to use.
Reaver
Reaver is an open-source Kali Linux tool used for brute force attacks against WPS, in order to crack WPA/WPA2 passwords. The tool is hosted on Google Code, and there is a high chance that it will be taken down, so a local backup should be made. Reaver was last updated about 4 years ago. It is a good tool to have in addition to all the other password cracking tools a penetration tester may want, as it uses the same attack method.
Wifite
Wifite is also a Kali Linux tool, which helps crack WPS-enabled networks via Reaver. It works on all Linux based operating systems and offers many features related to password cracking.
WepDecrypt
WepDecrypt is a Kali Linux tool written in C that targets wireless networks. It performs a dictionary attack to guess WEP keys. Additionally, it uses key generators, distributed network attacks and other methods to figure out the key of a wireless network. It depends on a few libraries to function. It is not a very popular tool among users, but it is advisable for beginners who want to understand how dictionary attacks work.
CommView for WiFi
CommView for WiFi is a Kali Linux tool that is a wireless network monitor and packet analyzer. It is a simple tool with an easy to understand graphical user interface. The tool was developed for wireless network admins and security professionals who are interested in monitoring and troubleshooting wireless network problems. It works with Wi-Fi 802.11 a/b/g/n/ac networks, comfortably captures every packet and lets you view the network information. It also gives you other information such as access points, protocol distribution and signal strength. The tool provides valuable information about a wireless network and comes across as a handy tool for network administrators.
Pyrit
Pyrit is also a very good Kali Linux tool that lets you perform attacks on IEEE 802.11 WPA/WPA2-PSK encrypted wireless networks. It is freely available and hosted on Google Code; again, since it is hosted there, it may be taken off in the coming months, so it is good to keep a local copy. It supports a wide range of operating systems such as Linux, OS X and FreeBSD.
It cracks WPS/WPA-2 passwords using the brute force attack method. Being very effective, it is a tool that everyone should try at least once.
Reporting Tools
The report you produce as a result of the penetration test you have conducted is the key deliverable of a security assessment. The final deliverable of a penetration test is the report, which records the service that was provided, the methods used, the findings or results of the tests, and the recommendations for improving security. Report writing is often neglected because many penetration testers find it boring. In this part we will talk about the Kali Linux tools that make report writing simpler. These tools let you store your penetration test results, which you can refer back to while writing the report, and they also help you communicate and share data with your team.
We are covering the two main tools, Dradis and Magic Tree.
Dradis
The Dradis framework is an open source Kali tool that functions as a collaboration and reporting platform for security experts in the network security domain. The tool is written in Ruby and is platform independent. Dradis provides the option to export reports, and all the activities can be recorded in one single report. Exporting the report to PDF or DOC format is currently only supported in the pro version and is missing from the community version.
Magic Tree
Magic Tree is a Kali Linux tool used for reporting and data management, much like Dradis. It is designed so that data consolidation, execution of external commands, querying and report generation become easy and straightforward. Kali Linux has this tool pre-installed under the "Reporting Tools" category. It manages hosts and their associated data using a tree node structure.
Magic Tree vs. Dradis
Both Magic Tree and Dradis have been designed to solve the same set of problems, i.e. data consolidation and report generation. Both allow data produced by the various penetration testing tools to be imported, allow data to be added manually, and generate reports from that data. Both tools use a tree structure to store data.
Stress Testing Tools
Stress testing can be defined as a software testing methodology carried out to find out the reliability and stability of a system. The test puts a system through extreme conditions to find out how robust it is and how efficiently it can handle errors under such circumstances.
Stress tests are designed to test systems beyond their regular points of operation, to understand how well they handle pressure. Stress testing was introduced to ensure that a production system would not crash under extreme situations.
Let us see the various stress testing tools that are available in Kali Linux.
DHCPig
DHCPig is a Kali Linux tool that exhausts a DHCP server by initiating an exhaustion attack against it. This tool uses up all the IPs available on the network and stops new users from being assigned any, releases IPs that have already been assigned to genuine devices, and then for a good amount of time sends out gratuitous ARP and kicks all the Windows hosts off the network. The tool requires admin privileges and the scapy >= 2.1 library to run. It needs no configuration as such; you just pass the network interface on which you plan to run the test as a parameter. It has been successfully tested against multiple DHCP servers on Windows and on several Linux distributions.
inviteflood
Inviteflood is a Kali Linux tool used to flood a target with SIP/SDP INVITE messages over UDP/IP.
It has been tested on several Linux platforms and performs well on all distributions.
mdk3
MDK3 is a Kali Linux tool, a proof-of-concept tool used to exploit weaknesses in the IEEE 802.11 protocol.
Note: Ensure that the network owner has permitted you to run MDK3 on the network before you run it.
FunkLoad
FunkLoad is a Kali Linux tool for functional and load testing of web applications. It is written in Python and has the following use cases.
- Functional and regression testing of web projects.
- Performance testing of a web application by applying load to it, which reveals bottlenecks and produces a detailed report of the test.
- Load testing that exposes bugs which simpler tests, such as volume testing or longevity testing, would not show.
- Stress testing that overwhelms a web application and its resources, which also helps in understanding how well the application recovers.
- Writing scripts to automate repetitive tasks.
ipv6-toolkit
The IPv6 toolkit by SI6 Networks is a set of tools for testing the security of IPv6 networks and troubleshooting any problems that arise on them. You can perform real-time attacks against an IPv6 network, which helps you assess its security and resiliency and troubleshoot IPv6 networking problems. The suite ranges from packet crafting tools to scan6, the most elaborate IPv6 network scanning tool out there.
The following list will give you an idea of the tools in the suite.
- addr6: a tool for analyzing and manipulating IPv6 addresses on the network
- flow6: an IPv6 security assessment tool
- frag6: a tool that performs fragmentation-based attacks on an IPv6 network and assesses a number of fragmentation-related aspects of its security
- icmp6: a tool that performs attacks based on ICMPv6 error messages
- jumbo6: a tool that looks at the handling of IPv6 jumbograms and assesses potential flaws in it
- na6: a tool that sends arbitrary Neighbor Advertisement messages
- ni6: a tool that sends ICMPv6 Node Information messages to check for potential flaws in ICMPv6 packet processing
- ns6: a tool that sends arbitrary Neighbor Solicitation messages
- ra6: a tool that sends arbitrary Router Advertisement messages
- rd6: a tool that sends arbitrary ICMPv6 Redirect messages
- scan6: a tool that scans IPv6 networks
SlowHTTPTest
SlowHTTPTest is a Kali Linux tool that can simulate application-layer Denial of Service attacks. It is supported on most platforms, such as Linux, OS X and the Windows command line.
The tool implements low-bandwidth application-layer DoS attacks such as Slow HTTP POST, slowloris and Slow Read, which exhaust the server's pool of concurrent connections, and also the Apache Range Header attack, which causes high CPU and memory load on a server.
By design, the HTTP protocol requires a request to be received completely by the server before it can be processed. This is what the slowloris and slow HTTP POST denial of service attacks take advantage of. If an HTTP request is incomplete, or the data is arriving very slowly, the server keeps resources reserved for the pending data. When the server has most of its resources tied up like this, the result is a denial of service. That is exactly what this tool does: it sends partial or slow HTTP requests that keep the server busy, resulting in a denial of service from the target HTTP server.
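The mechanism described above is also what a defensive countermeasure has to address: a server must bound the total time it waits for a complete request, not just the idle time between bytes. The following Python listener is an added example, not code from the book or from SlowHTTPTest, that enforces a wall-clock deadline on reading the request headers and answers a stalled client with 408 instead of letting it hold a connection open. The 0.5 second deadline, the port and the client requests are constructed for the demonstration; production web servers expose the same control as, for example, nginx's client_header_timeout or Apache's mod_reqtimeout.

```python
"""Added example (not from the book or from SlowHTTPTest): a minimal HTTP
listener that defends against slowloris-style requests by bounding the total
time a client may take to deliver its request headers."""
import select
import socket
import threading
import time

HEADER_DEADLINE = 0.5     # seconds to deliver complete headers (tiny, for the demo)
MAX_HEADER_BYTES = 8192   # also refuse absurdly large header blocks


def read_headers(conn, deadline=HEADER_DEADLINE, limit=MAX_HEADER_BYTES):
    """Read until the blank line that ends the header block. Returns the raw
    headers, or None if the client did not finish within `deadline` seconds of
    wall-clock time or sent more than `limit` bytes. A wall-clock deadline,
    rather than a per-recv idle timeout, is what beats a client that sends one
    byte just often enough to keep the connection alive."""
    end = time.monotonic() + deadline
    buf = b""
    while b"\r\n\r\n" not in buf:
        remaining = end - time.monotonic()
        if remaining <= 0 or len(buf) >= limit:
            return None
        conn.settimeout(remaining)
        try:
            chunk = conn.recv(1024)
        except socket.timeout:
            return None
        if not chunk:          # client closed early
            return None
        buf += chunk
    return buf


def handle(conn):
    with conn:
        if read_headers(conn) is None:
            conn.sendall(b"HTTP/1.1 408 Request Timeout\r\nConnection: close\r\n"
                         b"Content-Length: 0\r\n\r\n")
            return
        conn.sendall(b"HTTP/1.1 200 OK\r\nConnection: close\r\n"
                     b"Content-Length: 2\r\n\r\nok")


def serve(host="127.0.0.1", port=0):
    """Start the listener in a background thread and return the listening
    socket; its getsockname() gives the port chosen when `port` was 0."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:        # listener closed
                return
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def probe(port, payload, trickle=False):
    """Constructed client: send `payload` in one go, or one byte every 0.1 s
    (the slowloris pattern), then return the status line the server sent."""
    c = socket.create_connection(("127.0.0.1", port))
    c.settimeout(5)
    if trickle:
        for b in payload:
            c.send(bytes([b]))
            if select.select([c], [], [], 0.1)[0]:
                break              # server already answered; stop trickling
    else:
        c.sendall(payload)
    buf = b""
    while b"\r\n" not in buf:
        chunk = c.recv(256)
        if not chunk:
            break
        buf += chunk
    c.close()
    return buf.split(b"\r\n")[0]


if __name__ == "__main__":
    listener = serve()
    port = listener.getsockname()[1]
    print(probe(port, b"GET / HTTP/1.1\r\nHost: demo\r\n\r\n"))
    print(probe(port, b"GET / HTTP/1.1\r\nHost: demo\r\nX-Slow: 1\r\n", trickle=True))
    listener.close()
```

The normal client gets 200; the trickling client is cut off with 408 after half a second, so the connection it was trying to pin down is returned to the pool. Note that a per-recv idle timeout alone would not help here, because each byte arrives well inside the idle window.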
Maintaining Access Tools
Once we have broken into a target machine using the many methods we have looked at, our next step should be to apply techniques that help us maintain the precious access we have gained. This ensures that if the vulnerability that let you into the system is patched in the future, you still have some way to access the system.
We will look at the various tools available in Kali Linux that help us maintain access to a system.
Cryptcat Package Description
CryptCat is a simple Kali Linux utility that reads and writes data across network connections, using TCP or UDP, and encrypts the data it sends over the network. It is designed so that it can be driven by another program or script, even one with a graphical front end, while the tool itself runs reliably in the background. At the same time it is a feature-rich tool for network debugging and exploration. It is a very interesting tool, as it lets you create the kind of connection you need and has many other built-in features as well.
HTTPTunnel Package Description
HTTPTunnel is a Kali Linux tunneling program. It can create tunnels through network connections. It basically has two components.
The client side sits behind a firewall and either accepts connections on ports that are forwarded to a remote server or acts as a SOCKS proxy. The authentication source for the SOCKS proxy can be a fixed list of users, or users fetched from a MySQL database or an LDAP directory. The client component is a platform independent Perl script and is also available as a Win32 binary.
The server side component sits on the Internet, and the client makes HTTP requests to it. The server side translates and forwards these requests as network connections to remote upstream servers.
Two servers are available. The first is a web server hosting a PHP script; the PHP script you host on the web server lets that web server act as the HTTPTunnel server.
The second is a standalone server, which runs as a platform independent Perl script or as a Win32 binary. If you have a box of your own, such as a home computer connected to the Internet, it can be used as the standalone server. A hosted server may impose restrictions on the PHP script (such as a maximum execution time, which will limit the lifetime of your connections), depending on the hosting company. Therefore, having a standalone server of your own has an advantage over the hosted server, as you have complete access to your home computer.
Intersect Package Description
Intersect 2.5 is a Kali Linux tool and the second major release of the project so far. There is a vast difference between this release and its predecessors. This version lets the user control which features are included in the Intersect script and also makes room for importing customized features.
The latest release mostly focuses on the ability to integrate customized Intersect scripts, and on the integration of individual modules and features in the tool. The user can run the create.py application, which guides them through a user friendly, menu-driven process that lets them add the modules of their choice, import custom modules and create Intersect scripts to their specific requirements.
Sniffing and Spoofing Tools
When it comes to network security, packet sniffing and spoofing are two very important concepts, as they are two of the major threats to the security of a network. If you want to deploy security measures for a network infrastructure, understanding the threats of packet sniffing and spoofing is very important. There are many tools available on the Internet that facilitate sniffing and spoofing, such as Tcpdump, Wireshark and Netwox. These tools are used extensively by both attackers and security researchers, and students should also be able to use them. However, it is important to understand network security in order to learn how these tools work and how packet sniffing and spoofing are implemented in software.
Let's go through a few tools used for packet sniffing and spoofing.
Burp Suite
Burp Suite is a Kali Linux tool that serves as a platform for running security tests on web applications. It has a number of tools that work together to make the whole testing process seamless, from the initial mapping and analysis of the application's attack surface to finding security vulnerabilities and exploiting them.
Burp gives the user full control, as it allows manual techniques to be combined with automation. This makes the whole process more effective, faster and more fun.
DNSChef
DNSChef is a highly configurable Kali Linux DNS proxy for malware analysts and penetration testers. A DNS proxy (a "fake DNS") is a tool used for analyzing network traffic.
For example, if someone requests example.com over the Internet, a DNS proxy can be used to redirect them to a different page rather than to the real server on which the website for example.com resides.
There are a lot of DNS proxy tools available on the Internet. Most will let you point all incoming DNS queries at one single IP. DNSChef was developed as a complete DNS proxy solution that gives the user every kind of configuration that is needed. As a result, DNSChef is a tool that works across all platforms and can create fake responses for multiple types of DNS records.
Using a DNS proxy is advisable when you cannot force an application to use a specific proxy server. For example, some mobile applications ignore the proxy settings in the OS HTTP settings. In cases like these, a tool like DNSChef acting as a DNS proxy server comes in handy: it tricks the application into sending its HTTP requests to the destination you choose.
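To show what the "fake DNS" does on the wire, here is an added Python example that is not DNSChef's own code: it parses a single-question A query and builds a spoofed answer from a rule table, returning NXDOMAIN for names it has no rule for (or a catch-all address if one is configured), which is how a sandbox resolver steers a malware sample's lookups to a local listener during analysis. The names, addresses, query id and listening port are constructed for the demonstration.

```python
"""Added example (not DNSChef's code): the core of a fake DNS proxy as used in
a malware-analysis sandbox, spoofing A-record answers for chosen names."""
import socket
import struct

QTYPE_A, QCLASS_IN = 1, 1


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Encode a standard recursive A query (used here to construct test input)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def parse_query(data: bytes):
    """Return (id, name, qtype, qclass, raw question section)."""
    qid, _flags, qdcount, _an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qdcount != 1:
        raise ValueError("only single-question queries are handled")
    labels, pos = [], 12
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n
    qtype, qclass = struct.unpack("!HH", data[pos:pos + 4])
    return qid, ".".join(labels).lower(), qtype, qclass, data[12:pos + 4]


def fake_answer(query: bytes, rules: dict, default_ip=None, ttl: int = 60) -> bytes:
    """Build the spoofed response. `rules` maps a name to the IPv4 address the
    sandbox should hand out; `default_ip` is the catch-all for everything else.
    Names with no rule and no catch-all, and non-A queries, get NXDOMAIN."""
    qid, name, qtype, qclass, question = parse_query(query)
    ip = rules.get(name, default_ip)
    if qtype != QTYPE_A or qclass != QCLASS_IN or ip is None:
        # flags 0x8183: QR=1, RD=1, RA=1, RCODE=3 (NXDOMAIN); echo the question
        return struct.pack("!HHHHHH", qid, 0x8183, 1, 0, 0, 0) + question
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)    # NOERROR, one answer
    # 0xC00C is a compression pointer back to the name at offset 12 (the question)
    rr = (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, ttl, 4)
          + socket.inet_aton(ip))
    return header + question + rr


def parse_answer(data: bytes):
    """Return (id, rcode, ip or None) from a response built by fake_answer."""
    qid, flags, _q, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    ip = socket.inet_ntoa(data[-4:]) if ancount else None
    return qid, flags & 0xF, ip


def serve(rules: dict, default_ip=None, bind=("127.0.0.1", 5353)):
    """Answer every UDP query with a fake response (binding port 53 needs root)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(bind)
    while True:
        data, peer = sock.recvfrom(512)
        try:
            sock.sendto(fake_answer(data, rules, default_ip), peer)
        except (ValueError, IndexError, struct.error):
            pass   # malformed query: drop it rather than crash the sandbox resolver


if __name__ == "__main__":
    # Constructed rules: every lookup the sample makes lands on a local listener.
    serve({"example.com": "10.0.0.5"}, default_ip="10.0.0.5")
```

Pointing the analysis VM's resolver at this listener is what makes a sample's command-and-control traffic observable on a host you control; the same idea, with many more record types and wildcard rules, is what DNSChef implements.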
Wifi Honey
Wifi Honey is a Kali Linux tool, essentially a script that creates five monitor interfaces. One is used for airodump-ng and the remaining four are used as APs. The tool runs the five windows in a screen session, making it simple to switch between them and making the process even more comfortable. All the sessions are labelled, so you will not get confused between the screens.
Password Attack Tools
As the name suggests, the password attack tools in Kali Linux help crack the passwords of applications and devices.
Let us go through a few of the password cracking tools available in Kali Linux.
crowbar
Crowbar, previously known as Levye, is a Kali Linux tool used for penetration testing. According to its authors, Crowbar was developed to brute force protocols in a manner different from the regular brute forcing tools. For example, during an SSH brute force attack most tools use a username and password to carry out the attack, but Crowbar, unlike the majority of tools, uses SSH keys. This means that if a private key was retrieved during a penetration test, it can then be used against servers that allow SSH access.
john
John the Ripper is a Kali Linux tool that is both fast and feature-rich by design. You can customize it to your specific needs, and it combines many cracking methods in one simple program. It has a built-in compiler for a subset of the C language, which even lets you define a completely custom cracking mode. John is available on all platforms, which means you can use the same tool everywhere you go; additionally, a cracking session started on one platform can be continued on another. Such is the portability of John.
Out of the box, John auto-detects and supports the following Unix crypt types by default:
DES-based tripcodes, Windows and Kerberos/AFS hashes, OpenBSD Blowfish, FreeBSD MD5, BSDI extended DES, bigcrypt and traditional DES.
Ncrack
Ncrack is a high-speed Kali Linux tool used for cracking network authentication. The motive for building it was to let corporations proactively check their network infrastructure and devices for flaws and loopholes such as poor passwords. Ncrack is also used by security professionals when conducting audits for their clients. A command-line syntax similar to Nmap's, a modular approach, and a dynamic engine that takes feedback from the network and adapts its behavior were the foundations Ncrack was built on. Ncrack allows large-scale auditing of hosts in a reliable way.
Ncrack's features provide a very flexible interface that gives the user full control of network operations, making it possible to perform very sophisticated brute force attacks, with timing templates for easy usage, runtime interaction much like Nmap's, and many other things. Ncrack supports protocols such as OWA, WinRM, MongoDB, Cassandra, MySQL, MSSQL, PostgreSQL, Redis, SIP, SMB, VNC, POP, IMAP, HTTP and HTTPS, Telnet, FTP, RDP and SSH.
RainbowCrack
RainbowCrack is a general purpose Kali Linux tool that implements Philippe Oechslin's time-memory tradeoff technique. It cracks hashes using rainbow tables. This distinguishes it from brute force hash crackers.
A brute force hash cracker generates all possible plaintexts and computes their hashes at runtime, then compares the hashes to be cracked against the hashes in hand. If no match is found even after all plaintexts have been tried, all the results of the intermediate computation are discarded.
A time-memory tradeoff hash cracker adds a pre-computation stage, in which the results of all the hash computations are stored in a rainbow table. This computation is time-consuming. But once the pre-computation stage is over, hashes covered by the rainbow table can be cracked with much better performance and efficiency than with a brute force cracker.
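The chain construction behind the time-memory tradeoff, as an added Python example that is not RainbowCrack's code: a toy rainbow table over a three-letter lowercase keyspace and SHA-1, with the chain length, chain count, start-point spacing and reduction function chosen for the demonstration. Instead of storing every (plaintext, hash) pair, the table stores only the start and end of each chain and regenerates the middle on demand, which is exactly the memory saving the text describes. It also shows why a per-user salt defeats the tradeoff: a salted hash never matches any chain, so the whole pre-computation is wasted against it.

```python
"""Added example (not RainbowCrack's code): a toy rainbow table demonstrating
Oechslin's time-memory tradeoff on a tiny keyspace."""
import hashlib
import string

ALPHABET = string.ascii_lowercase
PLAIN_LEN = 3                          # keyspace: all 3-letter lowercase strings
KEYSPACE = len(ALPHABET) ** PLAIN_LEN  # 17576 candidates
CHAIN_LEN = 20                         # hash/reduce steps per chain (demo value)


def index_to_plain(n: int) -> str:
    """Map an integer in [0, KEYSPACE) to a plaintext in the keyspace."""
    out = []
    for _ in range(PLAIN_LEN):
        n, r = divmod(n, len(ALPHABET))
        out.append(ALPHABET[r])
    return "".join(out)


def H(plain: str) -> bytes:
    return hashlib.sha1(plain.encode()).digest()


def R(digest: bytes, position: int) -> str:
    """Reduction function: maps a hash back into the keyspace. Mixing in the
    column `position` gives every column its own R, which is what makes the
    table a rainbow table (rather than Hellman's) and limits chain merging."""
    return index_to_plain((int.from_bytes(digest[:8], "big") + position) % KEYSPACE)


def chain_element(start: str, k: int) -> str:
    """p_k of the chain that begins at `start`: p_0 = start, p_{j+1} = R_j(H(p_j))."""
    p = start
    for j in range(k):
        p = R(H(p), j)
    return p


def build_table(num_chains: int) -> dict:
    """Pre-computation stage: only (endpoint -> [start points]) is stored.
    Costs num_chains * CHAIN_LEN hashes, but stores just num_chains entries."""
    table = {}
    for i in range(num_chains):
        start = index_to_plain((i * 7919) % KEYSPACE)   # spread the start points
        table.setdefault(chain_element(start, CHAIN_LEN), []).append(start)
    return table


def crack(table: dict, target: bytes):
    """Lookup stage: for each possible column k, assume target = H(p_k), walk
    the rest of the chain to its endpoint and, on a hit, regenerate p_k from
    the stored start. Costs at most CHAIN_LEN**2 / 2 hashes instead of KEYSPACE."""
    for k in range(CHAIN_LEN - 1, -1, -1):
        x = R(target, k)                 # candidate p_{k+1}
        for j in range(k + 1, CHAIN_LEN):
            x = R(H(x), j)               # walk forward to the would-be endpoint
        for start in table.get(x, ()):
            p = chain_element(start, k)
            if H(p) == target:           # rejects false alarms from merged chains
                return p
    return None


if __name__ == "__main__":
    table = build_table(3000)
    sample = chain_element(index_to_plain(7919 % KEYSPACE), 4)   # a covered plaintext
    print("table entries:", len(table), "of a", KEYSPACE, "word keyspace")
    print("unsalted SHA-1 of", sample, "->", crack(table, H(sample)))
    print("salted SHA-1 of the same word ->", crack(table, H("s4lt:" + sample)))
```

The unsalted hash is recovered from a table with a few thousand entries; the salted one is not, because the salt moves the real preimage outside the keyspace the chains were built over, and a defender who salts every stored password forces the attacker back to per-hash brute force.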