Kali Linux is the best-known Linux distribution in the cybersecurity industry. Kali Linux provides hundreds of useful security tools in different categories, such as vulnerability analysis, wireless attacks, web applications, development tools, stress testing, and forensic tools. Kali Linux is an industry-standard platform for penetration testing by network security personnel. This paper discusses the core components of Kali Linux and its technical advantages over other operating systems.
Keywords: Kali Linux, Vulnerability, Penetration, Unix, Social Engineer, Open-Source
Background
Linux is a family of open-source Unix-like operating systems based on the Linux kernel, which was first released on September 17, 1991, by Linus Torvalds. Linux is typically packaged in a Linux distribution. The Linux OS has the following advantages over other operating systems.
1. High Security
A program cannot change system settings and configuration under Linux unless the user is logged on as root. As a result, the permissions of downloaded files or malware are restricted. And because Linux is open-source, developers around the world can review the code, which means most bugs get found and fixed.
2. High Availability
Linux is very stable. A Linux system can operate for years and still run as fast as it did when first installed, whereas a Windows installation degrades much more in processing speed and performance. Linux has long uptimes and high availability, and in many circumstances updates and fixes do not require users to restart the system.
3. Easy to Maintain
Linux systems are very easy to maintain: users can centrally update the operating system and all installed software. Each distribution has its own software management center that provides timely updates, security fixes, and efficiency.
4. Runs on Any Hardware
Linux makes efficient use of system resources, allowing users to customize a Linux installation for specific hardware requirements. The installation process is flexible, allowing users to choose which modules to install, which also allows them to install Linux on old hardware and make the best use of all hardware resources.
5. Open-source
The biggest feature of Linux is that the source code is available. Developers of free and open-source software (FOSS) are free to view and modify the source code to find and resolve problems in a timely manner.
6. Super Customization
Linux has the flexibility to tailor the system to your needs. With more than 6 desktop environments to choose from, system administrators can also rely on a powerful command-line interface and shell scripts to automate routine maintenance and other tasks. This is extremely important for professionals.
7. Friendly to Research and Development Personnel
The system integrates mainstream development tools and environments, which are inexpensive and flexible to configure. This is extremely convenient for professionals and development communities with research and development needs.
8. Technical Support
Linux has strong community support, and many volunteers respond quickly to any question users ask. Enterprise-class services can also be purchased if required; companies such as Red Hat and Novell provide 24/7 support for critical applications and services.
The definition on Kali Linux’s official website is: “Kali Linux is a Debian-based Linux distribution aimed at advanced Penetration Testing and Security Auditing. Kali contains several hundred tools that are geared towards various information security tasks, such as Penetration Testing, Security research, Computer Forensics, and Reverse Engineering. Kali Linux is developed, funded and maintained by Offensive Security, a leading information security training company” (“Our Most Advanced”, 2019).
Figure 1. Kali Linux Desktop
Kali is a complete rebuild of BackTrack Linux that fully follows Debian’s development standards.
· More than 300 penetration testing tools: after reviewing every tool in BackTrack, a number of tools that no longer worked or duplicated other tools were removed.
· Permanently free: Kali Linux is as free as ever. You never have to pay for Kali Linux.
· Open-source Git tree: Kali is a committed advocate of open-source software, and those who want to adjust or rebuild a package can browse the development tree to get all the source code.
· Follows the FHS: Kali’s development follows the Linux Filesystem Hierarchy Standard, so users can easily find command files, help files, library files, etc.
· Support for a large number of wireless devices: Kali Linux is built to support as many wireless devices as possible, to work on a wide variety of hardware, and to be compatible with a large number of USB and other wireless devices.
· Integrated injection-patched kernel: because penetration testers and development teams often need to perform wireless security assessments, the kernel used contains the latest injection patches.
· Secure development environment: the Kali Linux development team consists of a small group of trusted people who can only submit packages or manage repositories using multiple security protocols.
· GPG-signed packages and repositories: each developer signs Kali’s packages when they are compiled and submitted, and the repository signs them in turn.
· Multi-language: while penetration testing tools tend to be in English, ensuring that Kali has multiple language support is a key feature for cybersecurity professionals.
· Fully customizable: the team fully understands that not everyone agrees with its design decisions, so it is made as easy as possible for more innovative users to customize Kali Linux (even the kernel) to look the way they like.
· ARMEL and ARMHF support: since ARM-based devices have become more common and inexpensive, the ARM support of Kali had to be done well, so ARMEL and ARMHF architecture systems are supported. Kali Linux has a complete mainline ARM repository, which means the ARM versions of the tools are updated at the same time as other versions. Kali can run on the following ARM devices:
- RK3306 mk/ss808
- Raspberry Pi
- ODROID U2/X2
- MK802/MK802 II
- Samsung Chromebook
Kali Linux is designed for professional penetration testing and security audits. As a result, Kali Linux has undergone several core modifications:
Single user, root login by design: due to the nature of security auditing, Kali Linux is designed around a “single user, root permission” scheme.
Network services disabled by default: Kali Linux contains sysvinit hooks that disable network services by default. They allow users to install a variety of services and packages while still ensuring that the default installation is secure. Additional services such as Bluetooth are also blacklisted by default.
Custom kernel: Kali Linux uses upstream kernel sources that have been patched for wireless injection.
Kali Linux is based on Debian and uses a rolling release model, so it uses most of Debian’s software architecture, and Kali modifies some packages to enhance security and fix possible vulnerabilities. For example, the Linux kernel used by Kali is patched to allow wireless injection on a variety of devices; these patches are typically not available in stock kernels. In addition, Kali Linux does not rely on Debian servers and mirrors but builds packages on its own servers.
Kali Linux also changes the usual Linux user model, in which an ordinary user has one account and the root user has a separate account. This is not the case in Kali Linux: Kali uses the root account by default and does not provide a regular user account. This is because almost all of the security tools in Kali require root permissions, and the design avoids having to enter a root password every minute. This brings some potential security risks. Therefore, Kali Linux should only be used as a testing platform, not as a server operating system for a production platform. It is also recommended to run it on a virtual machine platform such as VMware, which is not easily compromised, to reduce additional risk.
Information Gathering: these tools collect DNS, IDS/IPS, network scanning, operating system, routing, SSL, SMB, VPN, VoIP, and SNMP information, as well as e-mail addresses.
Vulnerability Assessment: these tools scan for vulnerabilities on the target system. Some detect defects in Cisco network systems, and some assess security issues in various database systems. Many fuzzing tools are also vulnerability assessment tools.
Web Applications: tools related to web applications, including CMS (content management system) scanners, database exploitation tools, web application fuzzers, web application proxies, web crawlers, and web vulnerability scanners.
Password Attacks: whether for online attacks or offline cracking, any tool that implements a password attack belongs to this category.
Exploitation: these tools exploit vulnerabilities found in the target system. Software that attacks network, web, and database vulnerabilities all counts as exploitation tooling. Some of Kali’s software also targets the human element through social engineering attacks.
Network Listening: these tools are used to listen to network and web traffic. Web sniffing requires network spoofing, so software like Ettercap and Yersinia is also placed in this category.
Maintaining Access: these tools help the tester maintain access to the target host. In some cases, the tester must first obtain the highest privileges on the host before such software can be installed. The category includes programs that install backdoors in web applications and operating systems, as well as tunneling tools.
Reporting Tools: software for writing the penetration test report.
System Services: common services that cybersecurity professionals may use during penetration testing, including the Apache, MySQL, SSH, and Metasploit services.
To make it easier for penetration testers to find the right tool, Kali Linux sets one category of software apart. The top 10 tools are aircrack-ng, burp-suite, hydra, john, maltego, metasploit, nmap, sqlmap, wireshark and zaproxy.
In addition to the various tools that can be used for penetration testing, Kali Linux integrates the following types of tools.
Wireless Attacks: tools that can attack Bluetooth, RFID/NFC, and other wireless devices.
Reverse Engineering: tools for debugging or disassembling programs.
Stress Testing: toolsets for all types of stress tests. They test the load capacity of network, wireless, web, and VoIP systems.
Hardware Hacking: tools for debugging Android and Arduino programs.
Forensics: tools for digital forensics. They can be used to make hard disk images, analyze files, and analyze disk images. To use them, first select Kali Linux Forensics (No Drives or Swap Mount) in the boot menu. With this option, Kali Linux does not automatically mount the hard drive, which protects the integrity of the data on it.
The following describes the use of typical core tools of Kali Linux at each stage of penetration testing.
Dmitry
Dmitry (Deep Magic Information Gathering Tool) is a versatile information gathering tool. The main ways it collects information are:
Querying the whois information of the target host based on its IP address (or domain name);
Mining host information from the Netcraft.com website;
Finding subdomains of the target domain;
Finding e-mail addresses of the target domain;
Probing open, blocked, and closed ports on the target host.
Although many tools in Kali Linux can each perform part of this work, Dmitry is more convenient: it integrates these functions and records all the information that would otherwise come from multiple tools in a single report.
Figure 2. The Scan Process of Dmitry Tool
Figure 3. The Dmitry Scan Result
Nmap
Nmap is a very popular and powerful port scanner. It can also identify the target’s operating system through active OS fingerprinting. To use the operating system detection feature, add the -O option to the nmap command.
Figure 4. The Nmap Scan OS Result
Service enumeration is an information-gathering step used to obtain the target host’s open ports, operating system, network services, and related information. Testers typically first identify which target hosts are online and then enumerate their services. In actual penetration testing, this phase is part of the probing process.
Nmap is a very powerful tool here as well: it can enumerate the services open on a remote server given just the server’s IP address.
Figure 5. The Nmap Scan Services Result
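The service enumeration result above is most useful when it is turned into an inventory that can be compared with what the owner expects to be listening. The following is an added example (not part of the paper, not from the Nmap project) that parses Nmap’s XML output (the -oX format) into a per-host list of open services and the best OS guess, and flags any open port not on an approved baseline; the XML is a constructed sample shaped like real Nmap output, not a real scan.

```python
"""Parse Nmap XML output (-oX) into a service inventory and flag open ports
that are not on an approved baseline. Added example; the XML below is a
constructed sample in the shape of real Nmap output, not a real scan."""
import xml.etree.ElementTree as ET

# Constructed sample in the Nmap XML format (what `nmap -sV -O -oX out.xml` writes).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -O -oX out.xml 10.0.0.0/29">
  <host>
    <status state="up"/>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.9p1"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.38"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="open"/>
        <service name="mysql" product="MySQL"/>
      </port>
    </ports>
    <os><osmatch name="Linux 4.15 - 5.6" accuracy="95"/></os>
  </host>
  <host>
    <status state="down"/>
    <address addr="10.0.0.6" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

def parse_nmap_xml(xml_text):
    """{ip: {"os": best guess or None, "open": [(port, proto, name, product, version)]}}
    for hosts reported up; down hosts and non-open ports are skipped."""
    inventory = {}
    for host in ET.fromstring(xml_text).findall("host"):
        status, addr = host.find("status"), host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        osmatch = host.find("os/osmatch")        # first osmatch is Nmap's best -O guess
        entry = {"os": osmatch.get("name") if osmatch is not None else None, "open": []}
        for port in host.findall("ports/port"):
            state, svc = port.find("state"), port.find("service")
            if state is None or state.get("state") != "open":
                continue
            attr = lambda k: svc.get(k, "") if svc is not None else ""
            entry["open"].append((int(port.get("portid")), port.get("protocol"),
                                  attr("name"), attr("product"), attr("version")))
        inventory[addr.get("addr")] = entry
    return inventory

def unexpected_services(inventory, baseline):
    """baseline: {ip: {(port, proto), ...}} of approved listeners. Returns the open
    ports not on the baseline: exposure the system owner must explain or close."""
    findings = []
    for ip, entry in inventory.items():
        allowed = baseline.get(ip, set())
        for port, proto, name, _product, _version in entry["open"]:
            if (port, proto) not in allowed:
                findings.append((ip, port, proto, name))
    return findings

if __name__ == "__main__":
    inv = parse_nmap_xml(SAMPLE_XML)
    print(inv)
    print(unexpected_services(inv, {"10.0.0.5": {(22, "tcp"), (80, "tcp")}}))
```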
4.4. Vulnerability Assessments
Vulnerability mapping, sometimes referred to as vulnerability assessment, is designed to identify and analyze critical security vulnerabilities in the target environment. It is an analytical method of exploring known weaknesses in the security controls of the IT infrastructure and is a key component of a vulnerability management plan. Once the tester has completed information gathering, target identification, and service enumeration, he can begin to analyze possible security vulnerabilities in the target facility. Security vulnerabilities can result in security incidents on the target system that are detrimental to the confidentiality, integrity, and availability of the business system.
Burp Suite
Burp Suite combines a range of powerful security tools for web applications. These tools demonstrate how attackers penetrate web applications: they can scan, analyze, and exploit security vulnerabilities in web applications, either manually or automatically. Burp Suite integrates its tools so that information can be delivered and shared across them, making it a complete testing platform. This makes Burp Suite a simple and effective web application attack framework.
The steps to check for SQL injection vulnerabilities using Burp Suite are as follows.
1. First, select Proxy -> Options and check the proxy listener settings. In this example, the program’s default is to listen on port 8080. You can also set other options for this interface based on the nature of the evaluation task, such as host redirection, SSL certificates, client request interception, server response interception, page properties, and request header modification.
2. Choose Proxy -> Intercept and check that the tab shows “Intercept is on”.
3. Open your preferred browser (e.g. Firefox) and set its HTTP/HTTPS proxy to the local proxy (127.0.0.1, port 8080). The proxy server is able to intercept, inspect, and modify client requests from the browser to the target web application, and can record all responses sent back by the server. In this setting, Burp Suite functions like a man-in-the-middle proxy server.
4. Browse the target website; in Burp Suite’s Proxy -> Intercept tab you can see the request data sent by the browser (the HTTP request). In this case, we do not modify the browser request and forward it directly. To modify the request, use the Raw, Headers, or Hex tabs. Note that when you visit a page such as an index, the browser sends separate requests for the various resources on the web page, such as images and Flash files.
5. Here it is highly recommended to visit as many pages as possible to help Burp Suite list the available pages for GET and POST requests. You can also use the program’s Spider feature to automate this analysis. To use the Spider crawler, open the Target -> Site map tab, right-click the target URL, and select Spider this host. After that, the program automatically discovers and scans available pages and prompts for human intervention when it encounters a page that needs data submitted, such as a login form. At the end of this operation, you can see the list of accessible pages and their properties (method, URL, parameters, response code, etc.) in the right-hand panel of the Target -> Site map tab.
6. You can select a page that passes parameters via GET or POST and test it with Intruder. The key is to find possible parameter identifiers, obtain useful data, and fuzz those parameters to detect known vulnerabilities. Right-click the selected request and select Send to Intruder.
7. Next, we specify the attack type and the payload positions (Intruder -> Positions) for automated testing. Payload positions are marked with the § symbol. Then we go to Intruder -> Payloads and select a predefined payload from the list of payload types; in this example we select Character blocks. Of course, you can also specify custom payloads. Once set up, select Intruder -> Start attack to run the test. At this point, the program displays all the requests sent to the target application in a pop-up window. After the program has processed all the specified payloads, we can identify unexpected behaviour of the web application by comparing the remote responses. Right-click the selected request and select Send to Comparer to compare responses. Burp Suite allows word-by-word comparison of two (or more) requests or responses. To learn more about the various attack types, visit http://www.portswigger.net/burp/help/intruder_positions. For more information about payload options, visit http://www.portswigger.net/burp/help/intruder_payloads_types.html.
8. While comparing the responses, we found that one of the payload requests exposed a SQL injection vulnerability. To verify it, we reproduce the request with Repeater. Right-click the request, select Send to Repeater, and then click the Go button in the Repeater tab to get the remote response to the specified request immediately. If you notice the following error message on the response page, there is a SQL injection vulnerability: “Error: Unix Column Warning: mysql_fetch_array(): Supplied argument is not a valid MySQL result”.
9. The above message is typical of SQL injection vulnerabilities. In addition to examining this type of security issue, we can also use Burp Suite’s Sequencer to test the randomness of the application’s session tokens and detect predictable sessions.
Figure 6. The Burp Suite Running Interface
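The symptom found in step 8, a database error echoed into the HTTP response, comes from building the query out of the request parameter. The following is an added example (not from the paper or from Burp Suite) that reproduces that pattern against an in-memory SQLite table beside the fixed version, a parameterised query with a generic error page, together with the response check a reviewer would apply to the captured responses; the table, rows and probe value are constructed.

```python
"""Error-based SQL injection symptom from the Burp walkthrough, reproduced with
SQLite, beside the hardened form. Added example; schema and rows are constructed."""
import sqlite3

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return con

def lookup_vulnerable(con, user_id):
    """String-built query, the pattern behind the mysql_fetch_array() warning
    quoted in the paper: the request parameter becomes part of the SQL text."""
    sql = "SELECT name FROM users WHERE id = '%s'" % user_id
    try:
        rows = con.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return 500, "Error: %s" % exc          # database error text leaks to the client
    return 200, ",".join(r[0] for r in rows)

def lookup_hardened(con, user_id):
    """Parameterised query: the value is bound by the driver and never parsed as
    SQL; any remaining error is kept server-side and a generic body is returned."""
    try:
        rows = con.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()
    except sqlite3.Error:
        return 500, "Internal error"           # log the exception here, do not echo it
    return 200, ",".join(r[0] for r in rows)

# Database error fragments that should never appear in a page body; seeing one in
# a response captured by the proxy is the indicator step 8 relies on.
DB_ERROR_MARKERS = ("mysql_fetch_array", "SQL syntax", "syntax error", "unrecognized token")

def response_leaks_db_error(body):
    return any(marker in body for marker in DB_ERROR_MARKERS)

if __name__ == "__main__":
    con = make_db()
    probe = "1'"    # a single stray quote, the simplest Intruder payload that breaks the query
    for handler in (lookup_vulnerable, lookup_hardened):
        status, body = handler(con, probe)
        print(handler.__name__, status, repr(body), "leaks:", response_leaks_db_error(body))
```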
4.5. Social Engineering Attack
The Social Engineering Toolkit (SET) is an advanced, versatile set of computer-aided social engineering tools. Written by the founder of TrustedSec (https://www.trustedsec.com), it can effectively exploit vulnerabilities in client applications to obtain what the attacker is after (e.g. e-mail passwords). SET implements a variety of very effective and useful attack methods. Commonly used ones are targeted phishing e-mails with malicious attachments, Java applet attacks, browser-based exploits, harvesting of website credentials, creation of infected portable media (USB/DVD/CD), mass mailing, and similar attacks. It is a combined platform for carrying out these attack methods, and its convincing techniques can be used to test the human factor in depth.
With this attack method, we first create an e-mail template with a malicious PDF attachment, then select the appropriate PDF exploit payload, then set up the connection between the attack platform and the target host, and finally send the e-mail to the target via Gmail. Note that you can forge the original sender’s e-mail address and IP address through the sendmail program that comes with Kali Linux; its configuration for SET is in /usr/share/set/config/set_config. For more information about the program, refer to the official Social Engineer Toolkit (SET) documentation: http://www.social-engineer.org/framework/Social_Engineering_Framework.
The following are the steps of a targeted phishing attack using SET.
1. Select 1 in the initial menu of the SET program.
2. Choose Spear-Phishing Attack Vectors.
3. From the options shown, select the template for creating the social engineering message, then write the body of the message.
4. Although we wrote the body of the message in the previous step, we did not format it. The template generator uses the formatting template as part of the template that you edit.
5. Next, set the payload type, such as a Windows reverse TCP shell, then set the IP address and port of the attack platform (usually the Kali Linux host) that the target host should connect back to.
6. Then we change the file name to make it stand out, and tell SET how it should handle the connection back to us.
7. Next, we select the e-mail template we created earlier. SET will reuse this template in subsequent social engineering attacks. The quality of the templates you create largely determines the actual effect of the phishing campaign.
8. At this point the attack has been launched against the target, and we wait for the victim to open the malicious PDF file. When he/she opens the attachment, we receive a connection to a shell on the victim’s computer via the reverse shell.
Figure 7. SET Main Interface
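The campaign described above leaves two traces a mail gateway or incident responder can check for: a forged visible sender whose envelope sender and first relay hop do not match the claimed domain, and an executable-bearing attachment such as a PDF. The following is an added triage example (not from the paper or from SET) that parses a raw message and reports these indicators; the message, domains and relay address are constructed.

```python
"""Triage check for the spear-phishing pattern described in the SET walkthrough:
a forged From address carrying a PDF attachment. Added example, not from the
paper or from SET; the message below is constructed."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: the visible From claims the victim's own domain, while the
# envelope sender (Return-Path) and the first relay hop point somewhere else.
RAW_MAIL = b"""Return-Path: <bounce@mail-relay.example.net>
Received: from mail-relay.example.net (203.0.113.7) by mx.corp.example; Mon, 2 Dec 2019 09:00:00 +0000
From: "IT Support" <it-support@corp.example>
To: alice@corp.example
Subject: Updated VPN instructions
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached instructions today.
--b1
Content-Type: application/pdf; name="VPN_Instructions.pdf"
Content-Disposition: attachment; filename="VPN_Instructions.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Attachment types that routinely carry exploit payloads in phishing mail.
RISKY_TYPES = {"application/pdf", "application/zip", "application/x-msdownload"}

def sender_domain(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def first_hop(msg):
    """Host named in the earliest Received header (the last one, since each relay
    prepends its own), i.e. where the message entered the mail path."""
    received = msg.get_all("Received") or []
    match = re.match(r"from\s+(\S+)", str(received[-1])) if received else None
    return match.group(1).lower() if match else ""

def triage(raw_bytes, internal_domain):
    """Return a list of findings (strings); an empty list means no indicator fired."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    from_dom, rp_dom = sender_domain(msg["From"]), sender_domain(msg["Return-Path"])
    if rp_dom and rp_dom != from_dom:
        findings.append("Return-Path domain %s differs from From domain %s" % (rp_dom, from_dom))
    hop = first_hop(msg)
    internal_hop = hop == internal_domain or hop.endswith("." + internal_domain)
    if from_dom == internal_domain and hop and not internal_hop:
        findings.append("From claims internal sender but mail entered from external relay %s" % hop)
    for part in msg.iter_attachments():
        ctype = part.get_content_type()
        if ctype in RISKY_TYPES:
            findings.append("risky attachment %s (%s)" % (part.get_filename(), ctype))
    return findings

if __name__ == "__main__":
    for finding in triage(RAW_MAIL, "corp.example"):
        print("FLAG:", finding)
```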
From the introduction in this paper, we can see that Kali Linux is a highly customized, very powerful and efficient penetration testing platform that integrates hundreds of tools. It has unique technical advantages from the bottom of the operating system to the top. In the field of penetration testing it has gradually become the de facto industry standard, and every technician engaged in information security needs to be proficient in operating it.
References
Allen, L. (2014). Kali Linux – Assuring Security by Penetration Testing. Packt Publishing Ltd.
Hertzog, R., O’Gorman, J., & Aharoni, M. (2017). Kali Linux Revealed: Mastering the Penetration Testing Distribution. Retrieved August 12, 2019, from https://kali.training/downloads/Kali-Linux-Revealed-1st-edition.pdf
Loshin, P. (2019, September 1). Top tips for using the Kali Linux pen testing distribution. Retrieved August 12, 2019, from https://searchsecurity.techtarget.com/feature/Top-tips-for-using-the-Kali-Linux-pen-testing-distribution
Babinceva, I. M., & Vuletic, D. V. (2016). Web application security analysis using the Kali Linux operating system (p. 20). https://doi.org/10.5937/vojtehg64-9231
Our Most Advanced Penetration Testing Distribution, Ever. (2019, November 26). Retrieved December 9, 2019, from https://www.kali.org/
What is Kali Linux? | Kali Linux Documentation. (2019, October 1). Retrieved August 12, 2019, from https://www.kali.org/docs/introduction/what-is-kali-linux/