Preparing Kali linux for penetration testing/vulnerability assessment

24-Nov-2014 2-43-32 PM

We all know what Kali Linux is and what it is used for. What we need is a comprehensive guide, or reminder, on how to install it and set it up from scratch, and then make it more powerful by adding some useful extras such as vulnerability scanners. We don't want to google every step, do we?

Here is what we will cover in this blog post:

1. Preparing our virtual environment
2. Installing and setting up Kali linux
3. Preparing Metasploit framework
4. Setting up Veil Evasion
5. Setting up Nessus
6. Setting up OpenVAS
7. Setting up Nexpose
8. Final thoughts

But before we do, a standard disclaimer: don't do anything you are not authorized to do. And get that authorization in writing!

Ok, let us begin…

 

1. Preparing our virtual environment
First of all, some things may work better in a physical environment, or may not work in a virtual setup at all (some wireless stuff, perhaps). Anyhow, we will do our setup virtualized. This way we can put our virtual machine away, reuse it, share it, and so on. Although I did this installation in both VMware and Hyper-V, this tutorial uses Hyper-V; creating the virtual machine is a minor step anyway. So, let's start Hyper-V Manager, click New in the Actions pane and select Virtual Machine. A wizard pops up.

We give our machine a name and choose a location where we want it to be stored:

11-17-2014 8-23-47 PM

We need “Generation 1” virtual machine:

11-17-2014 8-26-45 PM

Let's give it as much RAM as we can. Kali itself will run with a gig or even less, but we will be adding more stuff later (see the final thoughts: Nexpose would not run with less than 5 GB in my tests):

11-17-2014 8-28-53 PM

Then select the way we will connect our virtual Kali to the external world. This could be wired or wireless connection. In our case, it is wireless:

11-17-2014 8-32-57 PM

When specifying the hard disk size we may be tempted to use, say, 20 to 30 GB. That may be enough for Kali alone, but we will add a lot of stuff later, so let's not limit the disk; Hyper-V creates a dynamically expanding disk by default, so only the space actually used is consumed on the host. After we are done with the installation, the whole virtual machine is around 30 GB:

11-17-2014 8-35-53 PM

We will tweak our VM before powering it on, so we pick to install the OS later:

11-17-2014 8-38-34 PM

Now our VM is almost ready. We click it from Hyper-V Manager and select Settings. Let’s give it at least two vCPUs:

11-17-2014 8-42-24 PM

Under IDE Controller 1 we select the DVD drive and point it at the ISO image containing the Kali installer. The image can be downloaded from https://www.kali.org/downloads/. It is important to verify the checksum of the installation media against the value published with the download, and to check the GPG signature on the published checksum file rather than trusting a hash copied from the same web page; the download page explains how.
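Here is a small shell helper, added as an example and not part of the original post, that does the checksum comparison rather than eyeballing two hex strings. It assumes the checksum file uses the coreutils “HASH  FILENAME” layout that Kali's SHA1SUMS/SHA256SUMS files use, that sha1sum/sha256sum and gpg are installed, and that the Kali archive signing key has been imported before the signature check; the file names are placeholders.

```bash
#!/bin/bash
# Added example (not from the original post): verify a downloaded ISO against
# the hash recorded in the vendor's checksum file before building a VM from it.
# Assumptions: the checksum file has the coreutils "HASH  FILENAME" layout
# (Kali publishes SHA1SUMS / SHA256SUMS in that format with a detached
# GPG signature next to them); sha1sum/sha256sum come from coreutils.

# hash_tool_for SUMSFILE: pick the hashing tool from the checksum file name.
hash_tool_for() {
    case "$(basename "$1")" in
        SHA1SUMS*)   echo sha1sum ;;
        SHA256SUMS*) echo sha256sum ;;
        *)           echo "unknown checksum file: $1" >&2; return 1 ;;
    esac
}

# expected_hash SUMSFILE ISO: print the hash recorded for ISO in SUMSFILE.
# Returns 1 if the ISO is not listed at all, which is itself a red flag.
expected_hash() {
    local sums="$1" iso
    iso="$(basename "$2")"
    awk -v f="$iso" '$2 == f || $2 == ("*" f) { print $1; found = 1 } END { exit !found }' "$sums"
}

# verify_iso SUMSFILE ISO: recompute the hash and compare it with the listing.
# Returns 0 on match, 1 on mismatch or missing entry.
verify_iso() {
    local sums="$1" iso="$2" tool want got
    tool="$(hash_tool_for "$sums")" || return 1
    want="$(expected_hash "$sums" "$iso")" || { echo "$iso not listed in $sums" >&2; return 1; }
    got="$("$tool" "$iso" | awk '{ print $1 }')"
    if [ "$want" = "$got" ]; then
        echo "OK: $iso matches $want"
    else
        echo "MISMATCH: $iso expected $want got $got" >&2
        return 1
    fi
}

# verify_sums_signature SUMSFILE: check the detached signature SUMSFILE.gpg.
# The Kali archive signing key must already be in our keyring, otherwise
# gpg reports the signature as unverifiable.
verify_sums_signature() {
    gpg --verify "$1.gpg" "$1"
}

# Typical use (file names are placeholders):
#   verify_sums_signature SHA256SUMS && verify_iso SHA256SUMS kali-linux-amd64.iso
```

The signature check comes first on purpose: a hash downloaded over the same channel as the ISO only proves the download was not corrupted, while the signature ties the hash list to the Kali signing key.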

From the Hyper-V Manager we click our VM and click Connect. This will open the console to the VM.  Now we click the power on button and we go to the next step…

11-17-2014 8-50-50 PM

 

2. Installing and setting up Kali linux
After initial boot, we scroll down and select Install. Kali version used here is 1.0.9a. Installation of other versions may vary slightly. Installation of additional packages shown in this blog may also be different with other versions.

11-17-2014 8-54-26 PM

Select our language:

11-17-2014 8-56-57 PM

For this installation, we are in Europe, so we need to select Other first:

11-17-2014 8-58-26 PM

Then Europe…

11-17-2014 9-00-15 PM

… and then the country:

11-17-2014 9-01-30 PM

The keyboard layout:

11-17-2014 9-02-40 PM

11-17-2014 9-03-55 PM

If we didn’t have a DHCP or something went wrong with it…

11-17-2014 9-06-15 PM

… we might need setting up our network manually:

11-17-2014 9-06-54 PM

We give our IP address in the x.y.z.w/n form:

11-17-2014 9-09-07 PM

And the default gateway:

11-17-2014 9-11-13 PM

If we had more than one DNS server, we list them one by one separated with <SPACE>:

11-17-2014 9-13-29 PM

And now the hostname and domain name:

11-17-2014 9-15-30 PM

11-17-2014 9-16-49 PM

Before disk partitioning we set a root password and confirm it. For partitioning we can use LVM with encryption. This is a good idea, because we will probably have confidential customer data on this VM. Otherwise we could just go with the “Guided – use entire disk” option:

11-17-2014 9-21-23 PM

If we had more than one disk, for example separate disk for collected data, we could select disk for OS installation. We have only one, so the choice is obvious:

11-17-2014 9-22-45 PM

For simplicity, we keep everything in one partition rather than separating /home, /var and so on:

11-17-2014 9-24-50 PM

We now commit our disk settings:

11-17-2014 9-26-34 PM

Because we want the disk encrypted, the installer now starts overwriting the disk with random data. This hides where old data ends and encrypted data begins, but it is time consuming. On a brand-new virtual disk there is no old data to hide, so we can safely interrupt it by selecting Cancel; on reused or physical media, let it finish:

11-17-2014 9-28-33 PM

Now we give a decryption passphrase. It is needed every time the system boots. If we lose this passphrase, we can say goodbye to our data; there is no recovery:

11-17-2014 9-31-29 PM

Finally, we confirm our settings…

11-17-2014 9-33-43 PM

11-17-2014 9-35-52 PM

… and we are ready for packages installation:

11-17-2014 9-38-10 PM

A time for a coffee 😀

Ok, for additional packages, we will use a mirror and we don’t need a proxy:

11-17-2014 9-51-43 PM

11-17-2014 9-52-47 PM

One more coffee 🙂

After second coffee, we are ready to install our boot loader:

11-17-2014 10-04-04 PM

And we are done:

11-17-2014 10-06-35 PM

Before we click Continue, we need to “unplug” our virtual CD/DVD. From Hyper-V Manager, we select our VM and click Settings. We make sure that no CD/DVD or ISO image is selected:

11-17-2014 10-08-57 PM

After restarting, because our disk is encrypted, we need to provide a pass phrase for decryption:

11-17-2014 10-13-32 PM

After the system has booted, we log in as root and first verify our Internet connectivity. For now we are still working on the Hyper-V Manager console, i.e. directly with keyboard and mouse.

11-17-2014 10-18-02 PM

Before moving on, it is a good idea to update our freshly installed system. We do that with:

apt-get update
apt-get upgrade

(Kali's own documentation recommends apt-get dist-upgrade instead of apt-get upgrade, so that packages whose dependencies changed are not held back.)

This could take a while. After it is done, but before we switch from the Hyper-V console to SSH, we need to tweak the SSH server a bit: replace the existing host keys with fresh ones. If this VM is ever cloned or shared, every copy would otherwise present the same host key, and anyone holding a copy could impersonate our box to us. Regenerating only helps against man-in-the-middle attacks if we also note the new fingerprints from the console and compare them on the first SSH connection. Imagine being hacked while hacking 🙂

mkdir /etc/ssh/backup_keys
mv /etc/ssh/ssh_host_* /etc/ssh/backup_keys
dpkg-reconfigure openssh-server
service ssh restart
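As an added example (not from the original post), here is the same procedure as a script that also prints the fingerprints we should write down before the first SSH login. The directory is a parameter so the functions can be exercised on a scratch copy; the key types assume OpenSSH 6.x as shipped with Kali 1.x (RSA and ECDSA), and ssh-keygen must be installed.

```bash
#!/bin/bash
# Added example (not from the original post): replace the SSH host keys in a
# given directory and print the fingerprints of the new ones, so they can be
# noted from the console and compared on the first SSH connection.
# Assumptions: ssh-keygen from OpenSSH is installed; rsa and ecdsa are the
# key types OpenSSH 6.x on Kali 1.x generates by default.

# backup_host_keys DIR: move every existing ssh_host_* file into DIR/backup_keys.
backup_host_keys() {
    local dir="$1" f
    mkdir -p "$dir/backup_keys"
    for f in "$dir"/ssh_host_*; do
        [ -e "$f" ] && mv "$f" "$dir/backup_keys/"
    done
    return 0
}

# regen_host_keys DIR [TYPE...]: generate fresh, passphrase-less host keys
# (ssh-keygen refuses to overwrite, which is why the backup runs first).
regen_host_keys() {
    local dir="$1"; shift
    local types="${*:-rsa ecdsa}" t
    for t in $types; do
        ssh-keygen -q -t "$t" -N '' -f "$dir/ssh_host_${t}_key" || return 1
    done
}

# host_key_fingerprints DIR: one line per public key, as ssh-keygen prints it.
host_key_fingerprints() {
    local dir="$1" pub
    for pub in "$dir"/ssh_host_*_key.pub; do
        [ -e "$pub" ] || continue
        ssh-keygen -l -f "$pub"
    done
}

# replace_host_keys DIR: the whole procedure; prints the new fingerprints.
replace_host_keys() {
    local dir="${1:-/etc/ssh}"
    backup_host_keys "$dir" && regen_host_keys "$dir" && host_key_fingerprints "$dir"
}

# Real use, on the Hyper-V console rather than over SSH:
#   replace_host_keys /etc/ssh && service ssh restart
```

The printed fingerprints are what the SSH client shows on the first connection; if they differ, stop and find out why before typing the root password.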

Now we can connect to the Kali box with SSH and continue our setup from there.

If we received our IP parameters via DHCP during installation and want to switch to static ones (not every customer we test for has a DHCP server), we edit the file “/etc/network/interfaces”, which now looks like this:

allow-hotplug eth0
iface eth0 inet dhcp

And change it to something like this (the network and broadcast lines must match the address and netmask; the values below are for 192.168.0.0/24):

allow-hotplug eth0
iface eth0 inet static
address 192.168.0.1
netmask 255.255.255.0
network 192.168.0.0
broadcast 192.168.0.255
gateway 192.168.0.254
dns-nameservers 8.8.8.8 4.2.2.2   # honoured only if the resolvconf package is installed
dns-search popravak.local         # otherwise edit /etc/resolv.conf by hand

Finally, we restart networking. Debian wheezy, on which Kali 1.x is based, warns that restarting the whole networking service is deprecated, so bringing just eth0 down and up again with ifdown and ifup is the cleaner option. Either way the change drops an SSH session, so do this from the Hyper-V console:

service networking restart
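The network and broadcast lines are easy to get wrong by hand. This added example (not part of the original post) derives them from the address and netmask and prints a complete stanza, refusing a gateway that is not on the same subnet. It is bash; eth0, 192.168.0.1/24, the .254 gateway and the resolvers are the values used in this post, everything else is illustrative.

```bash
#!/bin/bash
# Added example (not from the original post): compute the network and
# broadcast addresses that belong with an address/netmask pair and emit a
# consistent /etc/network/interfaces stanza. Interface eth0, 192.168.0.0/24,
# gateway .254 and the resolvers are the post's values; other inputs are
# illustrative.

# ip2int / int2ip: dotted quad <-> 32-bit integer (bash arithmetic is 64-bit,
# so the bitwise operations below never overflow).
ip2int() {
    local IFS=. a b c d
    read -r a b c d <<< "$1"
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}
int2ip() {
    local n="$1"
    echo "$(( (n >> 24) & 255 )).$(( (n >> 16) & 255 )).$(( (n >> 8) & 255 )).$(( n & 255 ))"
}

# network_of ADDR MASK: address AND mask.
network_of() {
    int2ip $(( $(ip2int "$1") & $(ip2int "$2") ))
}
# broadcast_of ADDR MASK: network OR the inverted mask (masked to 32 bits).
broadcast_of() {
    int2ip $(( ( $(ip2int "$1") & $(ip2int "$2") ) | ( ~$(ip2int "$2") & 0xFFFFFFFF ) ))
}

# same_subnet ADDR1 ADDR2 MASK: 0 if both addresses fall in the same network.
same_subnet() {
    [ "$(network_of "$1" "$3")" = "$(network_of "$2" "$3")" ]
}

# interfaces_stanza IFACE ADDR MASK GATEWAY [DNS...]: print a static stanza
# whose network/broadcast lines are derived rather than typed, refusing a
# gateway that is not on the link (the most common typo in these files).
interfaces_stanza() {
    local iface="$1" addr="$2" mask="$3" gw="$4"; shift 4
    same_subnet "$addr" "$gw" "$mask" || {
        echo "gateway $gw is not in $(network_of "$addr" "$mask")" >&2
        return 1
    }
    printf 'allow-hotplug %s\n' "$iface"
    printf 'iface %s inet static\n' "$iface"
    printf '    address %s\n    netmask %s\n' "$addr" "$mask"
    printf '    network %s\n    broadcast %s\n' \
        "$(network_of "$addr" "$mask")" "$(broadcast_of "$addr" "$mask")"
    printf '    gateway %s\n' "$gw"
    # dns-nameservers is only honoured when resolvconf is installed
    [ $# -gt 0 ] && printf '    dns-nameservers %s\n' "$*"
    return 0
}

# Example run (the post's values):
#   interfaces_stanza eth0 192.168.0.1 255.255.255.0 192.168.0.254 8.8.8.8 4.2.2.2
```

Redirect the output into /etc/network/interfaces only after reading it; a wrong mask here locks us out of the SSH session, which is why the post does this from the console.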

 

3. Preparing Metasploit framework
In order to use the Metasploit framework we need to start the PostgreSQL and Metasploit services. Both are already present on a Kali system. We also want them to start on every boot. Let's first start the services:

root@PENTEST-L:~#
root@PENTEST-L:~# service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.
root@PENTEST-L:~#
root@PENTEST-L:~# service metasploit start
Configuring Metasploit…
Creating metasploit database user 'msf3'...
Creating metasploit database 'msf3'...
insserv: warning: current start runlevel(s) (empty) of script `metasploit' overrides LSB defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (0 1 2 3 4 5 6) of script `metasploit' overrides LSB defaults (0 1 6).
[ ok ] Starting Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.
root@PENTEST-L:~#

We can now start the Metasploit console with the msfconsole command. On its first run it connects to PostgreSQL and creates the database schema (tables, indexes and so on), which can take some time. Once we get the msf > prompt, we issue db_status to verify the database connection:

root@PENTEST-L:~#
root@PENTEST-L:~# msfconsole
msf > db_status
[*] postgresql connected to msf3
msf >

We exit the console with exit and update the framework:

root@PENTEST-L:~#
root@PENTEST-L:~# msfupdate
[*]
[*] Attempting to update the Metasploit Framework…
[*]

[*] Checking for updates via the APT repository
[*] Note: expect weekly(ish) updates using this method
[*] No updates available
root@PENTEST-L:~#

We don't have any updates, because the framework was already updated as part of the Kali update we did earlier. Had we skipped that, msfupdate would be the way to go.

Let’s now make sure that the framework is available to us upon system reboot:

root@PENTEST-L:~#
root@PENTEST-L:~# update-rc.d postgresql enable
update-rc.d: using dependency based boot sequencing
root@PENTEST-L:~#
root@PENTEST-L:~# update-rc.d metasploit enable
update-rc.d: using dependency based boot sequencing
root@PENTEST-L:~#

Our Metasploit framework is now ready.

 

4. Setting up Veil Evasion
Veil-Evasion is used to hide our payloads from AV software. msfpayload piped into msfencode worked some time ago, but these days we would have a lot of trouble evading modern antivirus with just those two. This is where Veil comes into play. With our browser we go to https://github.com/Veil-Framework/Veil-Evasion and copy the clone URL from the right-hand side of the page:

24-Nov-2014 10-54-47 AM

Then from our Kali SSH console, we issue:

git clone https://github.com/Veil-Framework/Veil-Evasion.git

where the URL is the one we copied from our browser in previous step. Now we wait …

/root# git clone https://github.com/Veil-Framework/Veil-Evasion.git
Cloning into 'Veil-Evasion'...
remote: Counting objects: 2003, done.
remote: Total 2003 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (2003/2003), 33.74 MiB | 153 KiB/s, done.
Resolving deltas: 100% (1027/1027), done.
/root#

After the clone has completed, we change into the Veil setup directory and run setup.sh. We want to do this step from the GUI, for example the Hyper-V Manager console, because the setup opens a few dialog boxes (Windows installers running under Wine) during installation:

 cd Veil-Evasion/setup
./setup.sh

We confirm that we want to continue with the setup and then wait again… After a while, we need to answer to several dialog boxes presented to us during the setup process. We mostly accept the defaults. These are snaps of those dialog boxes:

[Screenshots 26-Nov-2014 9-41-11 AM through 9-51-35 AM: the thirteen installer dialog boxes shown by setup.sh; the defaults were accepted in each.]

 

Another way of installing the Veil Evasion is from the Kali repo:

apt-get update
apt-get install veil

cd /usr/share/veil-evasion/setup
./setup.sh

After a while, our Veil framework is ready. We invoke it with “/usr/share/veil-evasion/Veil-Evasion.py” (repository install) or “/root/Veil-Evasion/Veil-Evasion.py” (git clone). The usage is very similar to that of the Social-Engineer Toolkit (SET). One caveat on the checkvt command listed below: it only looks up the hashes of generated payloads on VirusTotal; never upload the payload binary itself, as that hands the sample to every AV vendor and defeats the point of evasion:

=========================================================================
Veil-Evasion | [Version]: 2.13.4
=========================================================================
[Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework
=========================================================================

Main Menu

35 payloads loaded

Available commands:

use             use a specific payload
info            information on a specific payload
list            list available payloads
update          update Veil to the latest version
clean           clean out payload folders
checkvt         check payload hashes vs. VirusTotal
exit            exit Veil

[>] Please enter a command:

 

5. Setting up Nessus
Nessus is a very powerful vulnerability scanner. The Home edition is free for personal, non-commercial use and is limited to 16 IP addresses in private address space, such as 10.0.0.0/8. To install Nessus we need an activation code and the matching installation package. The activation code can be obtained from http://www.tenable.com/products/nessus/nessus-plugins/obtain-an-activation-code by clicking “Register Now” under “Nessus Home”, or we can go directly to http://www.tenable.com/products/nessus-home and fill in the registration form. The activation code is sent to the e-mail address we provide. After submitting the form we click Download and select the appropriate package; for Kali Linux that is “Debian (64 bits)”. At the time of writing, the package we need is Nessus-6.1.0-debian6_amd64.deb. We download it from Tenable over HTTPS only, transfer it to the Kali box and start the installation:

/tmp#
/tmp# dpkg -i Nessus-6.1.0-debian6_amd64.deb
Selecting previously unselected package nessus.
(Reading database … 316809 files and directories currently installed.)
Unpacking nessus (from Nessus-6.1.0-debian6_amd64.deb) …
Setting up nessus (6.1.0) …
Unpacking Nessus Core Components…
nessusd (Nessus) 6.1.0 [build M20005] for Linux
Copyright (C) 1998 – 2014 Tenable Network Security, Inc

Processing the Nessus plugins…
[##################################################]

All plugins loaded

– You can start nessusd by typing /etc/init.d/nessusd start
– Then go to https://PENTEST-L:8834/ to configure your scanner

/tmp#

We can now point our browser at https://PENTEST-L:8834 to continue the Nessus setup (the browser will warn about the self-signed certificate Nessus generates on first start; on this first connection to our own box that is expected). But before we do, we need to start the service and make sure it starts every time Kali boots:

/etc/init.d/nessusd start
update-rc.d nessusd enable

Once the Nessus page loads, we begin configuration by clicking “Continue”. We then create an admin account and give it a password:

24-Nov-2014 9-49-19 AM

Now we type our activation code in. This code is one-time only, for community edition:

24-Nov-2014 9-51-06 AM

Finally, we wait for plugins to download:

24-Nov-2014 9-55-44 AM

After plugins are downloaded, the Nessus is ready for our first scan:

24-Nov-2014 10-37-25 AM

 

6. Setting up OpenVAS
The installation of OpenVAS is straightforward. We log in to the Hyper-V Kali console and select “Applications->Kali Linux->Vulnerability Analysis->OpenVAS->openvas initial setup”:

11-18-2014 7-39-23 PM

This step could take a while, so let’s grab yet another cup of coffee… Wait a sec. I drink a lot of this stuff 🙂

After a very, very long wait, the installation completes with the line:

User created with password ‘1e6c4515-d827-4940-9d1c-9facd6c06e28’.

Still from the Hyper-V console, we start Iceweasel, go to

https://localhost:9392

and log in with the username admin and the password listed above (without the single quotes, of course).

Once logged in, we should create a separate user under “Administration->Users”: give it a name, a password and the Admin role. The generated password of the built-in admin account was printed to the terminal in clear text and now sits in the scrollback, so change it as well:

26-Nov-2014 1-55-31 PM

11-18-2014 9-02-50 PM

Now, there is one more thing to take care of. By default we can only log in to OpenVAS from the machine it was installed on, that is, via “https://localhost:9392”. We would like to reach OpenVAS from a remote PC as well. This proved tricky with some of my installations; this is one way to solve it. We create a startup script such as this:

#!/bin/bash
# Start/stop/update OpenVAS with the web front end (gsad) reachable remotely.
function start {
       /usr/sbin/openvassd
       sleep 120   # give the scanner time to load its NVTs before the manager connects
       /usr/sbin/openvasmd --listen=127.0.0.1 --port=9393
       /usr/sbin/gsad --listen=0.0.0.0 --port=9392 --mlisten=127.0.0.1 --mport=9393
}
function stop {
       killall gsad
       killall openvasmd
       killall openvassd
}
case "$1" in
       start)
               start
               ;;
       stop)
               stop
               ;;
       restart)
               stop
               sleep 5
               start
               ;;
       update)
               /usr/sbin/openvas-nvt-sync       # plugin (NVT) feed
               /usr/sbin/openvas-scapdata-sync
               /usr/sbin/openvas-certdata-sync
               ;;
       *)
               echo "Usage: $0 {start|stop|restart|update}" >&2
               exit 1
               ;;
esac

We save it in “/etc/init.d” folder, name it “openvas-mystart” and give it an execute permission:

chmod +x /etc/init.d/openvas-mystart

The key part of this file is the line:

/usr/sbin/gsad --listen=0.0.0.0 --port=9392

which makes the OpenVAS front end listen on all IP addresses, port 9392. Note what that means: the Greenbone web UI, and the admin credentials behind it, become reachable from every network the Kali box is plugged into, including the customer's network during a test. Bind to the address of our management interface instead of 0.0.0.0, or restrict port 9392 with iptables to our own workstation.

We utilize this script to start, stop, restart and update OpenVAS by issuing:

service openvas-mystart start|stop|restart|update
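The fixed sleep 120 in the start function is a guess: too short on a slow box, wasted time on a fast one. This added example (not part of the original post) polls the daemons' TCP ports instead, so each daemon is started only once the previous one actually listens, and the script fails loudly if one never comes up. It assumes openvassd listens on 127.0.0.1:9391, the OpenVAS 6 default; the manager and gsad ports are the ones from the script above. Bash is required for /dev/tcp.

```bash
#!/bin/bash
# Added example, not from the original post: start the OpenVAS daemons in
# order and wait on each TCP port instead of sleeping a fixed 120 seconds.
# Assumption: openvassd listens on 127.0.0.1:9391 (OpenVAS 6 default);
# 9393 and 9392 are the manager and gsad ports used in the wrapper script.
OPENVASSD_PORT=9391
OPENVASMD_PORT=9393
GSAD_PORT=9392

# port_open HOST PORT: 0 if a TCP connection to HOST:PORT succeeds.
# Uses bash's /dev/tcp so it works without nc or nmap installed.
port_open() {
    (exec 3<>"/dev/tcp/$1/$2") 2>/dev/null
}

# wait_for_port HOST PORT TIMEOUT: poll once a second until the port accepts
# a connection; return 1 (with a message) if TIMEOUT seconds pass first.
wait_for_port() {
    local host="$1" port="$2" timeout="${3:-120}" waited=0
    until port_open "$host" "$port"; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "timed out after ${timeout}s waiting for $host:$port" >&2
            return 1
        fi
        sleep 1
        waited=$(( waited + 1 ))
    done
    return 0
}

# start_openvas: the same daemons and flags as the wrapper's start function,
# each started only once the one before it is actually listening. Loading
# the NVTs can take minutes on first start, hence the long scanner timeout.
start_openvas() {
    /usr/sbin/openvassd || return 1
    wait_for_port 127.0.0.1 "$OPENVASSD_PORT" 600 || return 1
    /usr/sbin/openvasmd --listen=127.0.0.1 --port="$OPENVASMD_PORT" || return 1
    wait_for_port 127.0.0.1 "$OPENVASMD_PORT" 120 || return 1
    /usr/sbin/gsad --listen=0.0.0.0 --port="$GSAD_PORT" \
        --mlisten=127.0.0.1 --mport="$OPENVASMD_PORT"
}
```

Drop start_openvas in place of the start function in the wrapper script; the stop, restart and update cases stay as they are.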

Now we can reach OpenVAS from anywhere by going to “https://PENTEST-L:9392”, if PENTEST-L is the name of our Kali box and that name is resolvable by some means.

Before we begin a vulnerability assessment we should update the OpenVAS feeds, either by going to “Applications->Kali Linux->Vulnerability Analysis->OpenVAS->openvas feed update” or by running the script above with the update switch:

service openvas-mystart update

either manually or automatically from cron.

Finally, we can edit file “/etc/rc.local” and add a line:

service openvas-mystart start

to make OpenVAS start when Kali powers on.

There is another way to make OpenVAS start automatically and listen remotely. We open the file “/etc/default/greenbone-security-assistant” and change these two settings:

GSA_ADDRESS=0.0.0.0    # the default is 127.0.0.1
GSA_PORT=9392          # this is the default

Then we insert these lines into “/etc/rc.local”:

service openvas-scanner start
sleep 120
service openvas-manager start
service greenbone-security-assistant start

 

7. Setting up Nexpose
First we need to register, obtain our community key and download the Nexpose Community edition from http://www.rapid7.com/products/nexpose/nexpose-community.jsp. This edition has some limitations, but for basic vulnerability assessment it will do.

We transfer the installation file to our Kali box to /tmp folder. Then we begin our setup by going to /tmp folder and executing:

chmod +x NeXposeSetup-Linux64.bin
./NeXposeSetup-Linux64.bin -c

The most important step during the installation is changing the port number of the bundled PostgreSQL database instance. The installer proposes the PostgreSQL default, 5432, but on this box the PostgreSQL instance used by Metasploit already listens there, and other products we add in the future may too:

….. many, many lines omitted ….
Database port
Enter the number for the port that the database will listen on:
[5432] <– This is the default port
54322 <– This is what we typed in

The port number is valid.
….. many, many lines omitted ….

All other questions of the installation procedure we can answer by hitting <ENTER> or typing in the answers. After all questions are answered, the installation begins; when it is done, we just hit <ENTER>. Nexpose is already configured to start on system boot, so we don't need to take care of that. We do, however, need to start it up for the first time:

cd /opt/rapid7/nexpose/nsc/
./nsc.sh

This will make needed system changes such as creating database structures, tables, indexes, download updates, … This also could take a while …

After all is done, we can log in to Nexpose by going to:

https://PENTEST-L:3780

It could take a few minutes for the console to initialize. Once it’s done, we are presented with the login screen:

11-22-2014 12-50-42 PM

After successful logon, we need to type in our community key, and activate the product:

11-22-2014 12-53-08 PM

If the activation is successful, we are ready to make our first scan.

 

8. Final thoughts
After completing all the steps above we have a very powerful tool for penetration testing and/or vulnerability assessment. We should use it wisely, and always with written permission! This Kali setup has a bunch of tools built in, and we made it even better by adding some stuff and tweaking it a bit. There is of course room to make it better still and to customize it to everybody's needs. As a final step, we can back up this VM and use it in two ways: bring it along on our laptops when going to perform tests, and/or import it into our data center for day-to-day security analysis in our company.

When it comes to choosing a platform, physical or virtual, Hyper-V or VMware, … I did this blog with Hyper-V on Windows 8.1 with no issues. I also made a successful setup on VMware Workstation 10 on Windows 8.1. However, I had some minor glitches with VMware ESX 5.1. Although the Kali version was the same, some things on VMware I had to do differently, and some did not work at all, such as the installation of Nexpose. This is something that I will deal with some time in the future, as well as installation on a physical laptop. Although 4GB or less of RAM seems to be enough, my experiments showed that below 5GB Nexpose won't work. So, let's start with 5GB and see if we need more.

 

Thanks for reading!

 

 

 
