Kali Linux

Ensuring Security by Penetration Testing

Denise Mangold
Denise.Mangold@villanova.edu
Villanova University Department of Electrical and Computer Engineering
ECE 8484 Fall 2014

Table of Contents
Abstract: ....................................................................................................................................... 3
Introduction: .............................................................................................................................. 3

What is Kali Linux: ............................................................................................................................. 4

Setting up the testing environment: .......................................................................................................5
Hardware and Software Setup: ................................................................................................................5

Penetration Testing: ................................................................................................................ 6

Pre-engagement Interactions phase: .......................................................................................... 6

Information Gathering:..................................................................................................................... 7
Threat Modeling: ................................................................................................................................ 7
Vulnerability Analysis: .......................................................................................................................... 8
Exploitation Phase: ......................................................................................................................... 10
Post Exploitation Phase:................................................................................................................ 14
Reporting Phase: .............................................................................................................................. 15
Example (condensed) Report of Penetration Test:....................................................................... 15

Conclusion: ............................................................................................................................... 16
Bibliography: ........................................................................................................................... 17
( a mix of internet research and books) .................................................................................. 17

Abstract:
Most companies as well as consumers rely on the Internet for business
transactions. This translates to roughly 10 trillion dollars in online transactions a
year. The world is vastly interconnected, while this gives rise to new business
models, it also exposes new risks of cyber-attacks by criminals, political activist, and
malicious actors. It is the responsibility of every person who uses and works with
connected devices to be knowledgeable and proactive in the area of cyber security,
for the protection of the companies they work for as well as their own personal
security. Learning how to discover vulnerabilities and remediate the vulnerabilities
is crucial to preventing costly breaches that can cost millions of dollars in revenue
also, the cost of lost confidence from consumers. In this paper Kali Linux will be
used to demonstrate penetration testing of a faux corporate system (image provided
by deterlab). The penetration testing standards for testing execution standard will
be used as if this were a real corporation. It is assumed that the pre-engagement
interaction has already taken place with the faux corporation being pen tested so
that section will not be completely detailed with legalities.

Introduction:
In the past year it appeared that no industry was immune from cyber attacks.
The following companies were victims of cyber-security breaches;
Adobe was hit for 152 million records, ebay 145 million; Bank and financial services
JP Morgan Chase 76 million; retails Target and The Home Depot for 70 million and
56 million records. [11] These breaches not only cost the companies millions they
also caused consumers; identify theft, time, and aggravation of having to notify their
banks, get credits if their cards were compromised, and ultimately the loss of
confidence in the retailers with being able to be trusted with bank information.
When a retailer is breached it affects not only the retailer, it also has an impact on
the consumer, and on the banks, passing the costs of cyber security breaches back
down to the consumer.
On November 24th 2014 a story broke that Sony Pictures computers were
hacked by a group called the GOP the attackers threatened to release data if their
demands were not met by a given deadline. It was reported that the hack on Sony
pictures was related to the release of a comedy film The Interview which depicts
the assassination of North Koreas leader. The data leaks of Sony were
unprecedented, the data included Torrents of unreleased Sony Pictures, which
undoubtedly would result in loss of revenue, financial and health information about
staff. The leak also included the salaries of Sony executives, security certificates and
other credential data. The most disturbing part of the hack was emails threatening
Sony employees. The hack is believed to be from North Korea, however, the FBI

traced the attack to a hotel in Bangkok, so the perpetrator or group has not been
positively identified, however, this caused severe damage to Sony Pictures
financially, as well as the reputation of the company as a whole.
Breaches like the one Sony experienced could have a major impact on the
economy. One security breach incident can cause a litany of costs that include legal
fees, software updates, customer reimbursement and public relations costs. Once a
company is breached it can also face serious fines for not complying with security
standards set forth by their specific industry, pharmaceutical, healthcare and
financial companies have stringent regulations to protect the information they have
about their customers.
In this paper I will demonstrate how a corporation could be victimized by
cyber security breaches. I will demonstrate vulnerabilities at the OS level; buffer
overflows, Web Application; file traversal where I will gain root by gaining access to
the /etc/shadow file, and sql injection where I am able to breach the company credit
union and transfer money. I will use Kali Linux to find these vulnerabilities, I will
remediate and document. The many tools within Kali Linux are used to find,
remediate and document these vulnerabilities.

What is Kali Linux:

Kali Linux is a Debian-derived Linux distribution. The main purpose of Kali
Linux is digital forensics and penetration testing. Kali Linux is a GPL-compliant
Linux distribution built by penetration testers. Kali Linux originally started as
BackTrack, when it was designed it was to be an all-in-one system to be used for
security audits, and interestingly, it was designed not to leave any remnants of itself
on the system.[7] Kali Linux is funded and developed by offensive security. Kali
Linux is supported on a variety of platforms; ARMEL and ARMFH support, Linux,
Virtual Machine, VirtualBox, Linux and Windows.
Since Kali Linux is a security suite of tools, one would have to ask the
question is Kali Linux itself secure? If I were a malicious actor one of the things I
would attack is the very security suite being used to audit a system. Since Kali Linux
is funded and maintained by Offensive Security a reputable firm they have taken
measurable steps to ensure the integrity of the Kali Linux system. The Kali Linux
team is made of a small group who can only commit packages and interact with the
repositories while using multiple secure protocols. Each individual developer signs
the packages developed for Kali Linux when they are built and committed also, the
repositories are signed as well.[3] Offensive security is a security company, they
offer courses, labs and certifications to train the next generation of hands on
security professionals.
Kali Linux is comprised of a number of tools for security. The categories of
tools are as follows: Information Gathering; Vulnerability Analysis; Wireless
Attacks; Web Applications; Exploitation Tools; Forensics Tools; Stress Testing;
Sniffing and Spoofing; Password Attacks; Maintaining Access; Reverse Engineering;
Hardware Hacking; and Reporting Tools. The tools I use for my project were the
following; zenmap, Vega, owasp-zap, sqlmap, hashid, rainbowcrack, edb-debugger.

Setting up the testing environment:

Deter test image was used for this project paper; Deter is a security testbed
and education version of Emulab. Deter is funded by the National Science
Foundation and the Department of Homeland Security it is hosted by USC/ISI and
UC Berkeley. [1]
A deterlab image of FrozbozzCo International, their business model is You
name it, we do it! So apparently they do everything. This image was provided for
another cyber security class ECE8476 in which we had to find and fix vulnerabilities
manually, Kali Linux was not used for that lab, but since this image provided
common vulnerabilities, it was an appropriate image to utilize for demonstrating
Kali Linux. The deterlab was port forwarded to the local machine, therefore the web
services would run on localhost.
Hardware and Software Setup:
The main system that was used for penetration testing the Frozbozz
International deterlab image: iMac 27inch 2.7 GHz Intel Core i5 with 16GB of Ram
with VirtualBox installed so Kali Linux could be installed as a virtual machine. Kali
Linux version 1.0.9a was installed on Oracles VirtualBox version 4.3.20, 2GB of
Ram, 2 virtual processors with PAE/NX enabled, the network was setup in a bridged
adapter mode to allow for the Kali Linux machine to talk on the local network.
Figure 1: VirutalBox settings

Figure 2: Deterlab Settings

Penetration Testing:
The methodology used for my research was from the Penetration Testing
Execution Standards, they have seven phases of Penetration testing the phases
cover everything related to penetration testing. The seven phases are Preengagement Interactions; Intelligence Gathering; Threat Modeling; Vulnerability
Analysis; Exploitation; Post Exploitation; and Reporting. [12]

Pre-engagement Interactions phase:

The pre-engagement phase of penetration testing is when scope of the
project is defined, this is extremely critical to penetration testing because neglecting
to properly complete pre-engagement activities can create scope creep, as well as
create serious legal consequences for the penetration tester. The scope of a project
is designed to accurately define what is to be tested, and how each test will be
conducted in the rules of engagement. Our faux client has given us scope to
penetration test a mirror of their pre-production system, the system we will be
testing is a quality assurance machine, which is a mirror of pre-production but the
data is NOT production data. The client has assured us that all the data on the
machine is their property as well as the equipment it runs on. The client has
specifically requested we conduct the penetration test as if we were malicious

actors to get the best analysis of the state of their machines. The client is trying to
financially justify advanced penetration testing to management in order to avoid
costly breaches in the future.

Information Gathering:
The first step Ill use for this demonstration in penetration testing is
Intelligence gathering. It is always important to keep in mind the Rules of
Engagement Limitations!! Never go outside the agreed rules of engagement as this
could have serious legal consequences.
Intelligence gathering is performing reconnaissance against the target to
gather as much information as possible to be utilized when penetrating the target
during the vulnerability assessment and exploitation phases. The more information
gathered the more vectors of attack that can be used.[12] The first act of
reconnaissance will be to scan the server using zenmap, the output of zenmap
showed that port 8080 was open and filtered. It also provided a lot of information
about the system such as Apache httpd 2.2.14 was running on Ubuntu, it also
showed that there is php code for the webserver. This is very useful information!
Figure 3: Zenmap output of Frozozzco.com

From the information gathered from the zenmap scan I am able to pull up
their website and poke around. I am also able to run web vulnerability scans on the
discovered site, I can customize my scans because I now have a deeper knowledge of
the system, I know its Linux, running Apache, and PHP.

Threat Modeling:
During the threat analysis phase only the website might be in scope, however
after close review and discussions with the company it appears there is a back end
database that is easily identifiable. Since we identified this server as a whole in our
Pre-engagement Interaction and have full permission to continue testing all
applications including databases we are free to penetration test the database. In our
Faux Corporation the company believes that its web server poses a significant
threat. However, since it houses a SQL database for the credit union in which
employees move, deposit and withdraw money. In general SQL Injections should be
considered a high impact security. The sql database for Frozbozz Intl. contains

sensitive information about the employees, such as social security numbers, bank
routing information, full name and email, this information gives a strong motive to
malicious attackers to exploit this system since there is financial gain to be had from
the exploitation.

Vulnerability Analysis:
The first part of vulnerability testing is the process of finding the flaws in the
system that can be exploited by a malicious attacker. Since I know that the system is
running a web server on port 8080 I start there. Ill use Web Application Scanners
to get an idea of system vulnerabilities. I run two separate scans one using Vega, the
other using OSWASP-ZAP for comparison and verification.
Figure 4: Vega output of sca

n
Vulnerabilities Found Vega:
Figure 5: alerts

The vulnerabilities found as follows :

1. Cross Site scripting
a. Local file include (file traversal)
b. Page Fingerprint Differential Detected local file include
2. SQL Error, this means possible SQL injection vulnerability. In SQL injection
techniques actors often look for errors to show the system is vulnerable to a
SQL Injection.
a. /cgi-bin/FCCU.php
b. /cgi-bin/FCCU.php
3. SQL Injection These are actual SQL Injection
a. /cgi-bin/FCCU.php
b. /cgi-bin/FCCU.php
As we promised the customer we would do more than just one type of scan of
vulnerabilities for their systems for a comparison of vulnerabilities found. The next
choice of scanner was OSWASP-ZAP, we ran the OSWASP-ZAP with the default
parameters for the vulnerability scanning.
Vulnerabilities Found OSWASP-ZAP
Figure 6: OWASP-ZAP sca

n
The default settings for scans on Vega found more vulnerability, however, both
found the one that was exploited for root access to the machine.

Exploitation Phase:
File Traversal:
The one high alert that was particularly useful is one of a file traversal as
seen in figure 4. The HTTP request was able to view the /etc/shadow file, giving me
the users and hashes of their passwords. Having the output of the /etc/shadow
allows me to know the user names and hashes of their passwords. I will use Kali to
break the hash of the passwords of a user and of root so I can gain access to the
Linux system and su to the root user. Its always safe to assume that direct login
for root is disabled, but since all we need is a username of regular privilege and the
root password to gain root access, that is more than sufficient to own the box. The
next Kali Linux application I used was HashID. I was able to determine that the hash
used for the /etc/shadow file was MD5, from that knowledge Im able to use the
appropriate cracking software for that particular hash.
The next application to be used was RainbowCrack, since the type of hash was
known to be MD5 rainbow tables were created in RainbowCrack with the following
procedure:
Password Cracking:
1. Create rainbow tables
a. rtgen md5 loweralpha 1 5 0 2000 8000 testing
b. rtgen md5 loweralpha 1 5 1 2000 8000 0
2. After creating the tables the next step is to sort the tables. This is done
for all rainbow tables created.
a. rtsort md5_loweralpha#1-5_0_2000x8000_0.rt
3. The next stage is to run rcrack
a. rcrack /usr/share/rainbowcrack/*.rt h
$1$UKoOQUPw$vtrmLJpKLSKoV6LTlbJBD1
I was able to crack the hash of wilbars account. I used this same procedure
on the roots hash, which gave me the root password as well. I am all set to actually
break into the system. On a UNIX system root has power over everything! So
gaining root access from the file traversal and password cracking this vulnerability
would need to be addressed quickly. This vulnerability will be discussed in
reporting, remediating section regarding password policies.
Buffer Overflow:
Since I was able to gain root access to the Linux system I had a look around,
the first order of business was to investigate the web server code. I was able to do
this having root access. I logged on as Wilbur and did a su root using the hashed
root password. The webserver code was found in /usr/local/fhttpd/server and I
see that the webserver is written in C code.
Being a security professional hired by Frozbozz, I know that OWASP
identifies buffer overflows as vulnerabilities, I know I should check the C code that
the webserver is written in to ensure that it is protected from buffer overflow

attacks. A buffer overflow is when the buffer, which is an amount of contiguous

memory set aside for storing information. A program has to remember certain
things, such as what data was imputed prior to the current operation, this
information is stored in a memory buffer.[4]
Buffer Overflow Penetration
My exploit is done directly on the server for this one. I was able to gain
access and peruse the server with the help of Kali, however executing the buffer
overflow was done by crafting my own exploit against the webserver code.
My exploit utilized nc (net cat which is often termed the swiss army knife) I create a
text file that contains a lot of characters, from the webserver C code I was able to
identify the malloc and buffsize in the code. I want to make sure that the code is
protected by bounds checking to prevent buffer overflows.
1. Create payload text file.
2. Open second terminal window and run gdb.
3. Create exploit.sh script to deliver the payload via nc
a. nc localhost 8080 < payload
4. I was able to create a segfault/buffer overflow.
Figure 7: Segmentation Fault

After I successfully demonstrated buffer overflow vulnerability. I use Kali

Linux reverse engineer program edb-debugger to find where the buffer overflow is
happening in which part of the code. I am able to reverse engineer the webserver.c
code to find where the coding error took place, and make recommendations to the
company on remediating the vulnerability. A buffer overflow could be devastating
to a company because by using the jump to address stored in a register technique is
reliable enough to automate an attack with almost a guarantee of success when its

run. For this very reason, this is the common technique for worms to exploit stack
buffer overflow vulnerabilities.
Figure 8: edb-debugger

SQL Injection:
From the vulnerability scan it is shown that the clients server is also subject
to sql injection attacks. Because of the file traversal attack with me being able to
gain root into the system, I go to the directory where the php code is stored, which is
located in /usr/lib/cgi-bin/FCCU.php. I open this file to investigate how well its
written. I can see that the DB user and password are stored in this file, I also notice
that there are no real escape string, which is used to prevent MySQL injections.

Figure 9: php code

for sql
I know I could get into the database from the server, but I had to show the client that
their website was vulnerable to SQL injections as Vega and OSWASP-ZAP had both
reported. The clients in this situation decided to link this server to a test database
so we could demonstrate an sql injection and prove the severity of such an attack. I
also used sqlmap
Figure 10: SQLMap

Web SQL-Injection attack:

I navigated to the following website. http://localhost:8080/cgi-bin/FCCU.php
The credit union page was displayed.
. Issued the following attack, after the url id=2
FCCU.php&submit=Submit&password=letmein

. The page gave the following

SELECT * FROM accounts WHERE id = /FCCU.php AND password = 'letmein'
You have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near '/FCCU.php AND password =
'letmein'' at line 1
. I checked the version of MySQL and it's greater than 5 so I was able to exploit the
information schema
. I was able to determine the number of columns from issuing the order by 1,2,3,4
until I came to an error. 9 columns. x. I was able to see the columns from the
information schema exploit.
I was able to determine the local dba user was FCCU and that user did NOT have
grant access, but had insert, so I did an INSERT query where I gave myself 10 million
dollars. Since I did not have a linked account to the credit union no money was
transferred. The sql injection where I transfer money was done to demonstrate
severity of the vulnerability because we had a solid pre-engagement phase we knew
that the system was just a mirror of production and not actual production, and that
permission was granted to perform this type of attack.
. INSERT INTO `accounts`
(`id`,`bal`,`first`,`last`,`phone`,`ssn`,`bday`,`email`,`password`) VALUES
("1170","10000000","Denise","Mangold","7721","555-555555","32510602","unixgrl","welcome");
I know the columns I should be interested in are id and password in the table of
accounts.
. I know that I need to access 2 tables id and password.
. SELECT * FROM accounts WHERE id = id -- AND password = '$password'
This gave me all the user ID and passwords of the other users.

Post Exploitation Phase:

The purpose of the post exploitation phase is to determine the value of the
machine that was penetration tested. The value of the machine is determined by the
value of the information stored on the machine, and the usefulness of that machine
for gaining further unauthorized access into the network. Our penetration test
showed that this machine is a critical security liability for the company. We
demonstrated using more than one tool to verify the validity and criticality of the
penetration-tested machine.

Reporting Phase:
The reporting phase is the phase in which a detailed document of the
penetration test is documented with recommendations to the client. The report
should be well structured with the following sections as examples.
Summary; Background; Risk Ranking; General Findings/Observations;
Recommendations; Technical Report and a Roadmap for remediating the security
risks. Kali Linux does have reporting features that were not utilized for this paper,
some of the reporting tools that come with Kali Linux are ones for evidence
management, documentation, and Media capture tools, with each section having a
variable number of tools for each purpose.
Example (condensed) Report of Penetration Test:
1. Background: Frozbozz has started a new initiative to have penetration
testing all pre-production systems as part of the quality assurance cycle.
They would like to have it company policy to security test all systems before
they go into production. Their goal is to minimize the possibility of a costly
security breach as well as to protect customer, employee and company data.
2. Systematic issues: The penetration testing was successful in breaching the
OS, web application and the database.
3. Risk Ranking/Profile:
a. EXTREME: SQL Injection of the database; The MySQL database
allows for sql injections and the ability to transfer, grant and
manipulate financial information contained in that database; it also
exposes sensitive information such as employee SS#, phone, address,
and bank information.
b. EXTREME: File traversal within the web application; this
vulnerability exposes the users, and their hashed passwords; this was
easily exploited and elevated privilege was gained at the OS level.
c. HIGH: Buffer Overflow; A buffer overflow vulnerability exposes the
server to malicious code such as worms.
4. General Findings: The OS was behind on critical patches; lack of OS
hardening, there is a lack of application hardening, the credentials were
easily guessed for MySQL as well as the OS users. Lack of quality testing of
application coding; web application design flaws.
5. Recommendation Summary: Patch OS; insert mysql_real_escape_string to
protect against SQL Injection attacks. Redesign the cgi-bin web application
to run in a chroot environment to protect against file traversal attacks
exposing OS file system. The webserver.c code should have memory bounds
checking to prevent buffer overflow attacks.
6. Strategic Roadmap: This usually includes the roadmap to remediate the
security issues found. The frozbozz would have a roadmap stating the OS
would be first to be remediated, the DB and Webserver would have
dependencies on the developers time, as both would have to be re-written,
however, this would be defined in a project plan; probably utilizing the Agile
methodology.

7. Technical Report: This section of the report would focus on technical

details of the test, attack path, parameters used within tools such as Vega or
OSWASP-ZAP, tools used, and outcome.

Conclusion:
No company or individual is immune to security breaches. The past few
years has seen unprecedented breaches costing millions of dollars; security
breaches have a severe impact on the economy as a whole. The financial loss a
company takes from the breach alone, the loss in consumer confidence, and the loss
of a once solid reputation. Once a reputation has been damaged it is exceptionally
hard to overcome negative perceptions. Companies need to incorporate security
testing and governance into their IT infrastructure. Security should not be an after
thought but a continued part of the IT lifecycle. Being proactive with security is
analogist to purchasing car insurance, its not valuable until the need arises, and
however not having it can cause great devastation that can be difficult or even
impossible to recover.

Bibliography:
( a mix of internet research and books)
1. "About DeterLab | DETER." About DeterLab | DETER. N.p., n.d. Web. 16 Dec. 2014.
(http://www.isi.deterlab.net )
2. Alcorn, Wade, Christian Frichot, and
N.p.: n.p., n.d. Print.

The Browser Hacker's Handbook.

3. Ali, S. Kali Linux: Assuring Security by Penetration Testing. S.l.: Packt Limited,
2014. Print.
4. "Behind the App: The Story of Kali Linux." Lifehacker. N.p., n.d. Web. 12 Dec. 2014.
(http://lifehacker.com/behind-the-app-the-story-of-kali-linux-1666168491)
5. Erickson, Jon. Hacking: The Art of Exploitation. San Francisco, CA: No Starch, 2008.
Print.
6. "Infographic: 2014's Top Breaches So Far." - BankInfoSecurity. N.p., n.d. Web. 16
Dec. 2014. (http://www.bankinfosecurity.com/infographic-2014s-top-breachesso-far-a-7408 )
7. "Kali Linux | Rebirth of BackTrack, the Penetration Testing Distribution." Kali Linux.
N.p., n.d. Web. 11 Dec. 2014. (https://www.kali.org )
8. "Kali Linux." BlackMORE Ops. N.p., n.d. Web. 12 Dec. 2014.
9. Kim, Peter. The Hacker Playbook: Practical Guide to Penetration Testing. North
Charleston, SC: Secure Planet, LLC, 2014. Print.
10. "Offensive Security Training and Services." Offensive Security. N.p., n.d. Web. 16
Dec. 2014. (http://www.offensive-security.com )
11. "Survey Shows the Cost of Security Breaches Is on the Rise." CSO Online. N.p., n.d.
Web. 16 Dec. 2014. (http://www.csoonline.com/article/2689346/big-datasecurity/survey-shows-the-cost-of-security-breaches-are-on-the-rise.html )
12. "Main Page." The Penetration Testing Execution Standard. N.p., n.d. Web. 16 Dec.
2014. (http://www.pentest-standard.org/index.php/Main_Page )