Happy Birthday Kali Linux!

Today Kali Linux turned one year old, and we are extremely happy to congratulate the developers and testers on the occasion! :)

Many discussions have been started but are yet to be finished; many questions have been asked but are yet to be answered!

Your point of view is very important: you may know best what has changed in the distribution over the past year, and whether it has matched your expectations.

The following article is another comparison summing up the differences between Kali Linux and BackTrack. It is an expert's overview of the tools' features, written without skepticism.

We encourage you to make your own conclusion after reading and share it with us!

Comparison Of Kali Linux And Previous Backtrack Versions

As penetration testers and information security specialists, we often use various tools to help us secure our systems, infrastructures and networks. One of the most used Swiss-army-knife tools is BackTrack, which has since been renamed Kali. In this article, we will compare the new Kali to its predecessors in various categories, look at the benefits Kali gives us, and review various tools and examples that Kali provides. BackTrack/Kali is a Linux-based OS preconfigured with a large collection of tools and software designed mostly for penetration tests, vulnerability assessments and similar work.
BackTrack/Kali is a bootable, portable and preconfigured Swiss-army knife, meaning that a penetration tester is able to boot the OS from a flash drive or a DVD; any change made while running live is undone and the system is restored to its original state on each boot (unless the USB stick has been prepared with a persistence partition).
BackTrack/Kali also provides the option to install itself locally, which makes changes persistent. BackTrack/Kali provides a menu divided into main categories and sub-categories, with shortcuts to either GUI-based or command-line tools. BackTrack/Kali is suitable for internal as well as external penetration tests thanks to the wide variety of tools it ships with, and it also lets the user install further applications and software, up to a fully customized OS. BackTrack/Kali also provides related tools such as a web browser, office tools, programming tools and so on.
While BackTrack was based on Ubuntu, Kali is based on Debian, meaning that the underlying package base was completely or almost completely replaced, providing what seems to be a better user experience.
Both Kali and BackTrack are free to use and can be downloaded at:

Kali – http://www.kali.org/downloads/
BackTrack – http://www.backtrack-linux.org/downloads/

Backtrack
BackTrack is a Linux-based penetration testing arsenal that aids security professionals in the ability to perform assessments in a purely native environment dedicated to hacking. Regardless of whether you install BackTrack, boot it from a Live DVD or run it from a thumbdrive, the penetration distribution has been customized down to every package, kernel configuration, script and patch solely for the purpose of the penetration tester. (backtrack-linux.org)

Kali
The most advanced and versatile penetration testing distribution ever created. BackTrack has grown far beyond its humble roots as a live CD and has now become a full-fledged operating system. (kali.org)

Reviews of Kali by other penetration testers

BackTrack Linux no more. The popular open source package of penetration testing tools now has a new platform and a new name.
Better than BackTrack? Kali Linux offers new brand of pen-testing tools, by Selena Frye in Linux and Open Source, March 25, 2013, 2:22 PM

BackTrack is intended for all audiences from the most savvy security professionals to early newcomers to the information security field. BackTrack promotes a quick and easy way to find and update the largest database of security tools collection to date. Now, as we know, the BackTrack project is funded by Offensive Security and Informatik Org. The new BackTrack 6 is nothing like the earlier BackTrack: this one has got a revamped interface, new libraries, new Metasploit (yay), and other security tools.
Backtrack 6 “Kali Linux” Review, by Sameer Iqubal Siddiqui, Thursday, March 14, 2013

A popular distro of Linux used for penetration testing has a new version and a new name. Backtrack 6 from Offensive Security is now known as Kali Linux and remains completely free to download and use. What's new? The company says it is a mix between “everything” and “not much”, depending on how one used BackTrack. This page itemizes a few changes. The biggest change is from Ubuntu Linux to Debian Linux.
Kali Linux (BackTrack 6) Now Available, by Robert Vamosi, March 25, 2013

A brief explanation of the categories

Some of the categories in Kali tend to be a little confusing, so I'll provide a list with a brief explanation of the main categories:


Figure 2. Kali’s Main categories

*This section describes the categories in general; specific and preferred tools are reviewed further on in this article.

Top 10 Security Tools

A list of ten tools featured by Kali that were chosen because they are commonly used in most penetration tests.

Information Gathering

A list of sub-categories and tools used in penetration tests for gathering details and information about the target (OS, network and infrastructure).
Normally, we start our penetration tests with information gathering to get a better sense of what we are up against: what types of systems exist (fingerprinting, i.e. identifying the OS and applications), what ports are open (using various scanning tools), and so on.

Vulnerability analysis

Vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a system.
The sub-categories and tools featured in this category are mostly used in white-box scenarios, for risk assessment and vulnerability identification.

Web Applications

Web application scanning helps organizations safeguard web applications, protect critical data and satisfy regulatory compliance.
The sub-categories and tools in this category cover different aspects of web application testing, such as web application fuzzers, web application proxies, database exploitation tools and so on.

Password Attacks

Password attack tools are designed to crack passwords either from a file of some sort, such as a captured hash dump (offline password cracking), or directly against a live system's login interface (online password cracking).

Wireless Attacks

The wireless attacks category provides tools for attacking wireless communication and authentication. These are used mostly where a company or enterprise provides both wired and wireless networks, or only wireless networks but segregated into separate environments (for example, Secure and Guest).

Exploitation Tools

Tools under the exploitation tools category are used for the stage that follows information gathering and vulnerability analysis. They offer mechanisms for attacking (or evaluating) Cisco-based devices, database exploitation, the Social-Engineer Toolkit and the powerful Metasploit, and are used for exploiting vulnerabilities.

Sniffing/Spoofing
This category provides mostly network-based tools used either for passive information gathering (sniffing) or for active man-in-the-middle attacks (spoofing). It also provides means for eavesdropping on VoIP communication and sniffing web traffic.

Maintaining Access

This category provides mostly post-exploitation tools that help the penetration tester keep a foothold inside the network, for example by maintaining a backdoor for later stages of the test. The tools offered are either network/infrastructure backdoors or web backdoors.

Reverse engineering

Reverse engineering is the process of discovering the technological principles of a device, object, or system through analysis of its structure, function, and operation. It often involves taking something (a mechanical device, electronic component, computer program, or biological, chemical, or organic matter) apart and analyzing its workings in detail, either for maintenance or to make a new device or program that does the same thing without using or simply duplicating (without understanding) the original. This category is used mostly by security specialists who specialize in reverse engineering and who dissect Trojans or other malware.
For further reading, regarding the practice of reverse engineering: http://hackeracademy.com/lesson/reverse_engineering.

Stress Testing

Stress testing is a form of deliberately intense or thorough testing used to determine the stability of a given system or entity.
It involves testing beyond normal operational capacity, often to a breaking point, in order to observe the results. Stress testing is mostly used for measuring the robustness of software or a system to help prepare against attacks such as denial of service.

Denial of Service (DoS) – In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.

Hardware Hacking

This category holds tools for Android and Arduino based devices: decompiling, analyzing and rebuilding Android applications, and developing for Android with the Android SDK.

Forensics

Computer forensics is a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media. The goal of computer forensics is to examine digital media in a forensically sound manner with the aim of identifying, preserving, recovering, analyzing and presenting facts and opinions about the information.
Although it is most often associated with the investigation of a wide variety of computer crime, computer forensics may also be used in civil proceedings. The discipline involves similar techniques and principles to data recovery, but with additional guidelines and practices designed to create a legal audit trail.
Evidence from computer forensics investigations is usually subjected to the same guidelines and practices of other digital evidence. It has been used in a number of high-profile cases and is becoming widely accepted as reliable within U.S. and European court systems. Forensics is not normally used during a penetration test, but as a response to a Trojan or malware, data theft and etc.

The benefit that Kali offers in terms of forensics is that it does not need to be installed locally: if a computer was infected by malware that could delete all evidence upon startup, Kali can be booted from live media and the evidence extracted from the disk without ever starting the installed OS. This may not be applicable if the disk was encrypted. Note that Kali's live boot menu includes a dedicated Forensic mode that does not auto-mount internal disks and does not use their swap space, so the act of booting Kali does not itself alter the evidence drive.

Reporting Tools

Tools in this category are used for generating reports and managing the evidence collected, so it can be presented in a form that can later be examined and analyzed.

System Services

Shortcuts for system-related operations, such as starting/stopping the local HTTP server, starting/stopping Metasploit's services, etc.

Installing Kali

Before we install Kali, we need to meet the following prerequisites:
• A minimum of 8 GB disk space for the Kali Linux install.
• For i386 and amd64 architectures, a minimum of 512MB RAM.
• CD-DVD Drive / USB boot support.

Preparing for the installation

• Download Kali Linux and verify the ISO against the checksums published alongside the download before using it.
• Burn the Kali Linux ISO to a DVD, or write the Kali Linux live image to a USB stick.
• Ensure that your computer is set to boot from CD/USB in your BIOS.

Installing Kali
• Upon booting, we are presented with a graphical boot menu where we can choose either Text-Mode Install or Graphical Install (the other options run Kali live without installing). For the sake of this article, we choose the graphical installation.
• At the next screen, we select our preferred language, followed by our country. We are then prompted to choose our preferred keymap.
• The installer does the following:
• Copies the image to the local hard disk.
• Scans the local system for network interfaces.
• Asks us to provide a hostname.
For the sake of this article, we name our system Kali.
• Next, we choose a password for the root account.
• Note that it is important to choose a long, complex and robust password each time we are prompted for one. On Kali 1.x, root is the account you log in with and work from, so this password protects the whole system.

• At the next screen, we are prompted for choosing our time zone.
• Now the installer scans our local hard disks and prompts us to choose one of four partitioning options. In this article, we use the entire disk without configuring LVM (Logical Volume Manager). One of the guided options sets up an encrypted LVM, which is worth considering for a machine that will carry client data. Advanced users can use the “Manual” partitioning method for more granular configuration. The other choices are outside the scope of this article.
• Next, we are shown with a summarized review of our disk configuration.
• Note. After we press continue, the changes become irreversible.
• Now we configure network mirrors. Kali uses a central repository to distribute applications; enter any proxy information if needed. Note: take care when answering, because if we choose NO we will NOT be able to install packages from the Kali repositories.
• Next, we install GRUB
• GRUB – a very powerful multi-boot loader, which can load a wide variety of free operating systems, as well as proprietary operating systems with chain-loading. GRUB is designed to address the complexity of booting a personal computer. One of the important features of GRUB is flexibility: GRUB understands file systems and kernel executable formats, so you can load an arbitrary operating system the way you like, without recording the physical position of your kernel on the disk. Thus you can load the kernel just by specifying its file name and the drive and partition where the kernel resides.
• Please also read the warning message.
• Finally, we reach the end of the installation; after choosing continue, we reboot into the new local Kali installation.

Working with Kali – Basic operation and configuration

After installing Kali and booting into the OS, we are prompted for the username and password (root, with the password set during the installation).
We can now perform the following basic operations:

Configuring network adapters – IP and gateway

• We open a terminal.
• We enter ifconfig to have Kali list our network interfaces.
• We can see whether the interface we want to configure has already been assigned an IP address by a DHCP server.
• If we want to choose a different IP (or set an IP on an interface that has none): for the sake of this explanation, our network interface is called eth0.
• We enter ifconfig eth0 [IP of our choosing] – for example ifconfig eth0 192.168.44.150. Adding netmask 255.255.255.0 (or whatever the subnet mask is) avoids relying on the classful default mask that ifconfig otherwise infers from the address.
If no error occurred, we get no output and are returned to the prompt.
• To verify our changes, we can type ifconfig again. Note that settings made this way are not persistent; to survive a reboot they must be written to /etc/network/interfaces.

Now we might want to configure the gateway for the newly configured network interface.

• We run the command route to list the kernel's IP routing table.
• Now we type: route add default gw [the IP of our gateway] – to add a default gateway.
• For example: route add default gw 192.168.44.1
If no error occurred, we get no output and are returned to the prompt. If the gateway is not inside the interface's subnet, route reports SIOCADDRT: Network is unreachable.
• To verify our changes, we can type route again.
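The two commands above configure the interface only for the running session, and route add default gw fails with SIOCADDRT: Network is unreachable when the gateway is not on the interface's subnet. The Python helper below is an added example (not from the original article): it validates that the gateway is on-link, returns the exact ifconfig and route commands from this section, and also renders the /etc/network/interfaces stanza that makes the configuration persistent under Debian's ifupdown, which Kali uses. The interface name and addresses are assumed values matching the article's 192.168.44.0/24 example.

```python
"""Static IPv4 configuration helper for the ifconfig/route steps above.

Added example, not from the original article. It checks that the gateway is
on-link (otherwise `route add default gw` fails with 'SIOCADDRT: Network is
unreachable'), returns the two runtime commands, and renders the
/etc/network/interfaces stanza that makes the setting persistent under
Debian's ifupdown. Interface name and addresses are assumed values."""
import ipaddress


def static_config(iface, address, netmask, gateway):
    """Return (runtime_commands, interfaces_stanza) or raise ValueError."""
    host = ipaddress.IPv4Interface(f"{address}/{netmask}")
    gw = ipaddress.IPv4Address(gateway)
    if gw not in host.network:
        raise ValueError(f"gateway {gw} is not on-link for {host.network}")
    if gw == host.ip or gw in (host.network.network_address,
                               host.network.broadcast_address):
        raise ValueError(f"{gw} cannot be used as a gateway address")

    # Non-persistent: what the article types by hand. The netmask is passed
    # explicitly because net-tools ifconfig otherwise infers a classful mask.
    runtime = [
        f"ifconfig {iface} {address} netmask {netmask}",
        f"route add default gw {gateway}",
    ]
    # Persistent: read by ifupdown at boot and by `ifdown eth0 && ifup eth0`.
    stanza = "\n".join([
        f"auto {iface}",
        f"iface {iface} inet static",
        f"    address {address}",
        f"    netmask {netmask}",
        f"    gateway {gateway}",
    ])
    return runtime, stanza


if __name__ == "__main__":
    cmds, stanza = static_config("eth0", "192.168.44.150",
                                 "255.255.255.0", "192.168.44.1")
    print("\n".join(cmds))
    print(stanza)
```

Append the printed stanza to /etc/network/interfaces (as root) and run ifdown eth0 && ifup eth0 to apply it; the runtime commands are what you type when you only need the change until the next reboot.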

Installing a feature Kali offers locally – OpenVAS on Kali Linux 1.0.3

OpenVAS – a framework of several services and tools offering a comprehensive and powerful vulnerability scanning and vulnerability management solution.
The most recent dist-upgrade breaks OpenVAS; to fix it you can follow these steps. Below are the steps for a vanilla Kali install.
• If it is not broken yet, update (and break it) with:
• apt-get update
• apt-get upgrade
• apt-get dist-upgrade
• Next, we move to the bleeding-edge repository.
• Note. Items stored there break fast, but also get fixed fast! (This step can be skipped if you prefer.)
• echo deb http://repo.kali.org/kali kali-bleeding-edge main >> /etc/apt/sources.list
• apt-get update
• apt-get upgrade
• We can reboot at this moment.
• We continue and do the following commands:
• apt-get remove --purge greenbone-security-assistant libopenvas6 openvas-administrator openvas-manager openvas-cli openvas-scanner
• mkdir openvasfix
• cd openvasfix
• wget http://repo.kali.org/kali/pool/main/o/openvas-manager/openvas-manager_3.0.4-1kali0_amd64.deb
• wget http://repo.kali.org/kali/pool/main/o/openvas-administrator/openvas-administrator_1.2.1-1kali0_amd64.deb
• wget http://repo.kali.org/kali/pool/main/o/openvas-cli/openvas-cli_1.1.5-1kali0_amd64.deb
• wget http://repo.kali.org/kali/pool/main/o/openvas-scanner/openvas-scanner_3.3.1-1kali1_amd64.deb
• wget http://repo.kali.org/kali/pool/main/o/openvas/openvas_1.1_amd64.deb
• wget http://repo.kali.org/kali/pool/main/g/greenbone-security-assistant/greenbone-security-assistant_3.0.3-1kali0_amd64.deb
• wget http://repo.kali.org/kali/pool/main/libo/libopenvas/libopenvas5_5.0.4-1kali0_amd64.deb
• Now, installing these will require dependencies that aren't installed; the fastest way to progress is to run the following. Note that dpkg -i bypasses the repository signature check that apt-get performs, and the files above were fetched over plain HTTP, so this step trades integrity checking for convenience.
• dpkg -i *
• apt-get -f install
• apt-get remove --purge greenbone-security-assistant libopenvas6 openvas-administrator openvas-manager openvas-cli openvas-scanner
• dpkg -i *
• Run the next two steps:
• apt-get install gsd kali-linux kali-linux-full
The next line instructs wget to skip certificate checking (otherwise we might get an invalid certificate error). Skipping verification means the server is not authenticated, so inspect the downloaded script before executing it.
• wget https://svn.wald.intevation.org/svn/openvas/trunk/tools/openvas-check-setup --no-check-certificate
• At this point we can run the check script with the --v5 switch and follow its advice. But to get moving faster, here is how to set up OpenVAS:
• Generate the server certificate: openvas-mkcert
• We will be prompted with a series of questions to complete the certificate.
• Next, we update the vulnerability database (the NVT feed): openvas-nvt-sync
• Generate a client certificate: openvas-mkcert-client -n om -i
• Start the scanner and rebuild the database:
• openvassd
• openvasmd --rebuild
• Sync the SCAP database (see below).
• Note: this will take some time.

SCAP

The Security Content Automation Protocol (SCAP) is a synthesis of interoperable specifications derived from community ideas and maintained by NIST. Community participation is a great strength for SCAP, because the security automation community ensures the broadest possible range of use cases is reflected in SCAP functionality. NIST's security automation agenda is broader than the vulnerability management application of modern-day SCAP: many different security activities and disciplines can benefit from standardized expression and reporting, with further expansion envisioned in compliance, remediation, and network monitoring. For OpenVAS, the synced SCAP data (CVE and CPE definitions) is what scan results and NVTs are cross-referenced against.
• openvas-scapdata-sync
• Add a user, replacing [username] with your preferred username, and type a password when prompted:
• openvasad -c 'add_user' -n [username] --role=Admin
• Start the OpenVAS daemons:
• openvasmd
• openvasad
• gsad
• Run the installation checker:
• ./openvas-check-setup --v5
• Everything should now be installed correctly.
• We can now log in at https://localhost (https://localhost:9392 if gsad was started on its default port) to reach our new OpenVAS console.

Tools in Kali – List of useful tools and explanations

We will now list several tools, providing some information about each tool, what it is commonly used for and, where possible, basic switches and usage forms.

DNS Analysis

The purpose of dnsenum is to gather as much information as possible about a domain. The program currently performs the following operations:
• Get the host's addresses (A record).
• Get the nameservers (threaded).
• Get the MX records (threaded).
• Perform AXFR queries on nameservers and get BIND versions (threaded).
• Get extra names and subdomains via Google scraping (Google query = “allinurl: -www site:domain”).
• Brute force subdomains from a file; can also recurse on subdomains that have NS records (all threaded).
• Calculate class C network ranges and perform whois queries on them (threaded).
• Perform reverse lookups on netranges (class C and/or whois netranges) (threaded).
• Write the IP blocks to the domain_ips.txt file.
• Basic usage of dnsenum is ./dnsenum.pl (on Kali the script is also on the PATH as dnsenum, so ./dnsenum.pl can be replaced by dnsenum in the commands below).
• To gather DNS information about example.com, type ./dnsenum.pl example.com
• To brute-force subdomains, type ./dnsenum.pl -f dns.txt example.com
• To use dnsenum to scrape the subdomains of a website from Google, type ./dnsenum.pl -p 1 -s 1 example.com
Note that zone transfer attempts and subdomain brute forcing generate a noticeable volume of queries against the target's nameservers, so they are not a quiet form of reconnaissance.
Read more: http://www.hackingloops.com/2013/07/dnsenum-tutorial-dns-information.html

IDS / IPS Identification

WAFW00F allows one to identify and fingerprint WAF products protecting a website. The tool can only detect a limited number of WAF products, listed below.
• Profense
• NetContinuum
• Barracuda
• HyperGuard
• BinarySec
• Teros
• F5 Trafficshield
• F5 ASM
• Airlock
• Citrix NetScaler
• ModSecurity
• DenyALL
• dotDefender
• webApp.secure
• BIG-IP
• URLScan
• WebKnight
• SecureIIS
• Imperva
Usage (on Kali the tool is on the PATH as wafw00f):
• Basic – ./wafw00f.py <url>
• Verbose mode – ./wafw00f.py <url> -v
• Help – ./wafw00f.py -h

SMB Analysis
nbtscan – a quick tool that gives an instant overview of which hosts on the targeted network are currently up and configured to reply to NetBIOS name queries. Basic usage – nbtscan [IP range in CIDR notation] – for example nbtscan 192.168.44.1/24 or nbtscan 192.168.44.1-254. The /24 form denotes the whole 192.168.44.0/24 network, while the dashed form lists hosts .1 to .254 explicitly.
For further information on CIDR: http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation

SSL Analysis

ssldump – ssldump is an SSL/TLS network protocol analyzer. It identifies TCP connections on the chosen network interface and attempts to interpret them as SSL/TLS traffic. When it identifies SSL/TLS traffic, it decodes the records and displays them in textual form on stdout. If provided with the appropriate keying material, it will also decrypt the connections and display the application data traffic.
Basic syntax – ssldump -i interface port portnumber. For example: ssldump -i eth0 port 443. (The same command on port 80 only shows something when -d is used, as explained next.) With -d, ssldump displays the application data traffic; this usually means decrypting it, but -d also makes ssldump decode application data before the SSL session initiates, which lets you see HTTPS CONNECT behaviour as well as SMTP STARTTLS. As a side effect, since ssldump can't tell whether plaintext is traffic before the initiation of an SSL connection or just a regular TCP connection, this allows you to use ssldump to sniff any TCP connection.
ssldump automatically detects ASCII data and displays it directly on the screen; non-ASCII data is displayed as hex dumps.
Decryption requires the server's private key (-k keyfile) and only works for sessions that used RSA key exchange; connections negotiated with forward-secret (DHE/ECDHE) cipher suites cannot be decrypted from a capture even with the server key.
For more information: http://geekyshow.blogspot.co.il/2013/07/how-to-use-ssldump-in-kali-linux.html
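To make concrete what ssldump decodes from a captured record, here is an added Python example (not part of the original article or of ssldump) that builds a TLS 1.2 ClientHello in memory and parses it back: record version, offered cipher suites and the SNI host name, which are the fields ssldump prints for the first handshake message. The host name, cipher list and the constant "random" bytes are constructed for the demo. The parser also reports which offered suites use RSA key exchange, the only ones a capture could later be decrypted with using ssldump -k, and it rejects non-TLS input so plaintext is not misread as a handshake.

```python
"""Decode a TLS ClientHello record (what ssldump shows for the first handshake
message). Added example, not from the original article or from ssldump.
build_client_hello() constructs the input; its host name, suites and
'random' bytes are made up for the demo."""
import struct

# IANA cipher suite codes used in the demo; the first two use RSA key exchange.
CIPHER_NAMES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC014: "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
}
RSA_KEY_EXCHANGE = {0x002F, 0x0035}


def build_client_hello(host, suites):
    """Return one TLS record carrying a TLS 1.2 ClientHello with an SNI extension."""
    name = host.encode("ascii")
    server_name_list = b"\x00" + struct.pack("!H", len(name)) + name   # name type 0 = host_name
    sni_data = struct.pack("!H", len(server_name_list)) + server_name_list
    extensions = struct.pack("!HH", 0x0000, len(sni_data)) + sni_data  # extension type 0 = SNI
    body = (
        b"\x03\x03"                                  # client_version = TLS 1.2
        + bytes(range(32))                           # 'random' (constant for the demo)
        + b"\x00"                                    # empty session id
        + struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
        + b"\x01\x00"                                # one compression method: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Parse a TLS record holding a ClientHello and return its fields.

    Raises ValueError for anything that is not a well-formed ClientHello, so
    arbitrary TCP payload (which ssldump must also cope with) is rejected
    instead of being misread as TLS."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_ver, rec_len = struct.unpack("!HH", record[1:5])
    if rec_len != len(record) - 5:
        raise ValueError("record length mismatch")
    hs = record[5:]
    if hs[0] != 0x01 or int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("not a complete ClientHello")
    body = hs[4:]
    client_ver = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                   # skip version and random
    pos += 1 + body[pos]                           # skip session id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # skip compression methods
    sni = None
    if pos < len(body):                            # extensions are optional
        ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0x0000 and len(data) >= 5 and data[2] == 0:
                name_len = struct.unpack("!H", data[3:5])[0]
                sni = data[5:5 + name_len].decode("ascii")
    return {
        "record_version": rec_ver,
        "client_version": client_ver,
        "cipher_suites": [CIPHER_NAMES.get(s, "0x%04x" % s) for s in suites],
        "sni": sni,
        # Only these could be decrypted from a capture with ssldump -k <server key>;
        # ECDHE/DHE suites are forward secret.
        "rsa_kx_suites": [CIPHER_NAMES[s] for s in suites if s in RSA_KEY_EXCHANGE],
    }


if __name__ == "__main__":
    hello = build_client_hello("www.example.com", [0xC014, 0xC013, 0x0035, 0x002F])
    for key, value in parse_client_hello(hello).items():
        print(key, value)
```

The record version (0x0301) differs from the client version inside the handshake (0x0303) on purpose: clients advertise TLS 1.0 at the record layer for compatibility, which is why ssldump's first line for a connection can look older than the protocol actually negotiated.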

Network Scanners

Nmap – a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine
against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
Basic usage – nmap target-ip/network/DNS name.

Advanced usage – nmap -Pn -sT -vv -n -p1-1000 -T4 -oN NmapTCPConnect.txt 117.X.X.X
-Pn skips host discovery and treats the target as up (useful when ICMP is filtered).
-sT performs a full TCP connect scan; it needs no raw-socket privileges but completes every handshake, so it is slower and more visible in target logs than the SYN scan (-sS) that nmap uses by default when run as root.
-vv increases verbosity; -p1-1000 limits the scan to ports 1 to 1000.
-n does not do reverse DNS, thus saving time.
-T4 is for faster execution of the command.
-oN writes normal (human-readable) output to the named file; -oX writes XML, which is the format to use when the results are to be processed by other tools, and -oA writes all formats at once.

Database assessment

sqlninja – sqlninja's goal is to exploit SQL injection vulnerabilities on web applications that use Microsoft SQL Server as back end. It is released under the GPLv3.
Attack modes are selected with sqlninja -m <mode>:
Test: sqlninja -m t
Fingerprint: sqlninja -m f -p <sa password> (optional)
Bruteforce: sqlninja -m b -w <wordlist> (optional)
Escalation: sqlninja -m e -p <sa password> (optional)
Resurrectxp: sqlninja -m x -p <sa password> (optional)
Upload: sqlninja -m u
For more information: http://sqlninja.sourceforge.net/sqlninja-howto.html
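To see the flaw sqlninja exploits, the added Python example below (not from the original article or from sqlninja) puts a lookup that splices user input into the SQL string next to its parameterized form and feeds both the classic tautology payload. It uses Python's built-in sqlite3 so that it runs offline; sqlninja itself targets Microsoft SQL Server, whose driver also accepts stacked statements (the "; EXEC xp_cmdshell ..." pattern behind sqlninja's escalation and upload modes), which sqlite3's execute() refuses, as the third check shows. The users table and its rows are constructed.

```python
"""String-built SQL versus a bound parameter, with the tautology payload that
sqlninja and similar tools start from. Added example, not from the original
article or from sqlninja; sqlite3 stands in for SQL Server so it runs offline.
The users table is constructed."""
import sqlite3


def make_db():
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def vulnerable_lookup(conn, username):
    """Builds the statement by string formatting: the input becomes SQL."""
    sql = (f"SELECT username, role FROM users WHERE username = '{username}' "
           "ORDER BY username")
    return conn.execute(sql).fetchall()


def safe_lookup(conn, username):
    """Bound parameter: the input is only ever a value, never SQL."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ? ORDER BY username",
        (username,),
    ).fetchall()


def stacked_query_accepted(conn, payload):
    """Whether the driver runs a second, injected statement.

    sqlninja relies on SQL Server executing stacked statements. Python's
    sqlite3 refuses more than one statement per execute() call (Warning on
    older versions, ProgrammingError on 3.12+), so the vulnerable lookup
    here cannot be abused that way even though it is still injectable."""
    try:
        vulnerable_lookup(conn, payload)
        return True
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return False


def demo():
    conn = make_db()
    tautology = "' OR '1'='1"
    stacked = "x'; DELETE FROM users; --"
    return {
        "vulnerable": vulnerable_lookup(conn, tautology),   # every row leaks
        "safe": safe_lookup(conn, tautology),               # no such user
        "stacked_accepted": stacked_query_accepted(conn, stacked),
        "rows_left": conn.execute("SELECT COUNT(*) FROM users").fetchone()[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The payload turns the WHERE clause into username = '' OR '1'='1', which is true for every row; with the bound parameter the same string is compared literally and matches nothing. Against SQL Server the stacked variant would also run, which is exactly what sqlninja builds its shells on.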

Exploitation Tools

Metasploit – The Metasploit Project is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development.
Its best-known sub-project is the open source Metasploit Framework, a tool for developing and executing exploit code against a remote target machine. Other important sub-projects include the Opcode Database, the shellcode archive and related research.
The Metasploit Project is well known for its anti-forensic and evasion tools, some of which are built into the Metasploit Framework.
For more information: http://www.metasploit.com/.
OpenVAS – previously discussed.

Web Scanner

nikto – Nikto is an open source web server scanner which performs multiple tests against web servers, including checks for over 6500 potentially dangerous CGIs or files, for outdated versions of about 1250 servers, and for version-specific problems on about 270 servers. It also checks server configuration items.
This is how to use it:
• To check the scan database for errors, type nikto -dbcheck
• To update the scan database and plugins (not needed right after a fresh Kali install, but necessary in future), type nikto -update
• Before and after updating, you can check the software version with nikto -Version
• To list the available plugins, type nikto -list-plugins
• Now the real thing: a vulnerability check is run with nikto -h <domain name>
• For example: nikto -h www.example.com
Note that a Nikto scan is noisy by design: it sends thousands of requests that are easy to spot in web server logs and by a WAF, so run it only against targets you are authorized to test.

There are many more useful tools that penetration testers can use to get better results in every test.
Lastly, let's make a little comparison between the old BackTrack and the new Kali.


In conclusion

As we've seen throughout the article, the new Kali offers great help and support to a penetration tester, as well as a better visual interface, faster workflows, and much more. I hope it has been informative, and I'd like to thank you for reading.

About the Author


Gilad Ofir has years of experience as a System Administrator and Integrator. He has worked mostly with Windows and Linux, with many AD environments integrated with other Microsoft-related products. He is a computer programmer, best at C#. He is now an Information Security Consultant at Defensia, advising customers on information security issues, pentesting, vulnerability assessment, code review and more. He also works as an instructor for Defensia in many information security areas.

We hope that you already have some comments to add, so don't hesitate to share them with us and the author!

What other useful features of Kali Linux can you tell us about?

Respectfully,

Karina Radzikowska and PenTest Magazine Team

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013