Penetration testing using Kali Linux - Network Discovery

Transcription

1 Penetration testing using Kali Linux - Network Discovery by Riazul H. Rozen Sept. 14, minute read Table of Contents Importance of penetration testing Kali Linux in penetration testing Network Discovery using Kali Nmap Usage Host discovery Netdiscover Importance of penetration testing We have experienced a lot of security breaches in recent times. These breaches have caused a focus shift, from cyber security prevention measures to detection and problem solving methods. This new approach is beneficial to organizations that are heavily invested in information. It is important to state the necessity for constant and continuous improvement on cyber security systems through penetration testing, to strengthen and take care of the security flaws. Pen testing or penetration testing, is a procedure which focuses on organizations and how they can be attacked by hackers. This includes security assessments and compliance audits, but does far more than these two security checks. Penetration testing works this way - It carries out real-time attacks, to determine the ways that a real attack would affect the company s sensitive data, financial assets, employees and business systems. It also exposes weaknesses It also discovers how strong the organizations security system is, by determining its ability to detect internal and external breaches. Kali Linux in penetration testing

2 Kali Linux is known for its immense contribution to premium security auditing and penetration testing. Kali is created and maintained by one of the top information security companies, called offensive security. This Debian-based Linux distribution encompasses a number of tools designed to carry out varying security affairs such as security research, computer forensics, reverse engineering and penetration testing. Kali is mostly designed to be run in real time, so as to ensure an efficient attack scheme on the organizations network structure and local storage. This is not to say it cannot be installed. Kali is fitted with windows and Linux tools. Kali is an open source application, which means you don t have to pay to install the app on your system. It has more than 200 built in tools for penetration testing. Figure 1 - Kali Linux tools So you can call Kali Linux a Swiss army knife. You don t need to be a hardcore Linux expert to use Kali Linux. That is the significance of using Kali Linux.

3 Network Discovery using Kali Network discovery is highly necessary in information gathering, and it carries out the tasks of discovering live hosts on the network architecture. You may ask, Why should I discover my own network? The answer is simple. The very first step of securing your system is to secure your network. Firstly you need to identify what are devices on your network and secondly to identify how secure those devices are. Network discovery works by comprehending the logical position of vulnerabilities and targets inside network architecture. This is similar to mapping and is ultimately useful for organizations. As I have already mentioned, several penetration tools are already installed in Kali. Since Kali is Debian based, you can install additional tools by using - apt-get install *TOOL_NAME* command. However, in this article I will discuss on the use of Nmap and NetDiscover tool. In this article a test scenario is created using virtual box. Nmap Nmap is used for scanning and discovering networks. The application covers a wide range of task completion procedure. Nmap comes as an additional feature to kali-linux. It is already installed in Kali. Still you can double check by using apt-get install nmap command from terminal. Figure 2 - Installing Nmap Usage Nmap can be launched from the application menu by clicking application, next information gathering and finally click Nmap.

4 Figure 3 - Launching Nmap However, if you are comfortable with the Linux terminal then you can launch Namp by entering nmap from terminal. All the usage and commands will be shown at screen. You can also check all the commands by using nmap h command.

5 figure 4 -Launching nmap from terminal A lot of structures are available within Nmap to carry out many tasks which are: For host discovery - Port scanning Firewall/IDS evasion and spoofing Running scripts with Nmap Scripting Engine (NSE) Service/version detection * OS detection Host discovery Host discovery methods are a salient point that will be addressed in this article. Nmap can scan the network for a single host or multiple hosts or even a subnet. For example the command nmap /24 will search the whole subnet of /24

6 Figure 5 - NMAP Scanning a subnet The Nmap scan identifies 6 hosts from /24 subnet. It also provides the list of open ports of all the discovered hosts. This way a security expert can easily identify the opened or closed port of the hosts also. There several other filter in Nmap which can be used for different purpose. To find the mac address of all the hosts in a network use -sn with Nmap commands. Note that Nmap commands are case sensitive. This -sn switch sends requests for Address Resolution Protocol (ARP). ARP is a layer 2 protocol and as such cannot identify remote systems. This causes Nmap switches on default to ICMP requests. ICMP are layer 3 protocol. Hosts on the local subnet can be made more efficient by using the ARP discovery

7 Figure 6 - Finding MAC Address On describing networks with a range , seven hosts (including the Wi-Fi router) responded to the ARP requests. All the hosts found were recounted by its Media Access Control (MAC) address. To identify further details about each host including OS name, Host name, user name etc -A switch can be used Figure 7 - Finding host information using Nmap

8 From the host discovery the following can be discovered - Number of Closes post closed ports Open ports MAC Address: 08:00:27:E2:7B:50 (Cadmus Computer Systems) Device type: general purpose OS: Microsoft Windows XP Computer name: user-13e366075d Workgroup: WORKGROUP Account name: guest Authentication level: user There are several other advanced Nmap switches that can be used to gather in detailed information on the ports. Some of the advanced switches are -ss TCP SYN port scan -st TCP connect port scan -su UDP port scan -sa TCP ACK port scan - sw TCP Window port scan -sm TCP Maimon port scan Netdiscover Netdiscover is commonly used to discover local networks. The app is popular for its efficiency, quick action, and options template for both dynamic and inactive ARP inspection. This tool is pre-installed in the latest Kali Linux. Like NMAP, netdiscover can be launched both from applications and terminal. To learn about the switch and flags of netdiscover enter netdiscover -h.

9 Figure 8 - netdiscover usage Netdiscover is capable of scanning all the hosts in the network. The significance of this tool is that it uses simple ICMP packets to identify the active hosts and their MAC address even if hosts firewalls are enabled. For example I want to scan /24 network. To scan the network enter netdiscover i eth0 r /24. The following screenshot shows the result Figure 9 - netdiscover scan result

10 The primary objective of network discovery is to explore any network and identify any potential exploit. This article discussed on network discovery using Kali Linux. Nmap and Netdiscover can be used to identify live hosts in a network. Nmap is proven to be a better tool for scanning and service detection than netdiscovery. -- Riazul H. Rozen is a network and security expert with more than 8 years of experience in the field of InfoSec. Digital forensic, penetration testing, cloud, risk management, compliance, security strategy etc. are some of his area of interest. He holds an MS in CSE and an MBA in Marketing. He has been working in banking sector (core network, system and security team) from the beginning of his career. He has hands on experience in deploying Data Center and DR Sites. He holds several vendor certifications on network, system and security. Other than being an InfoSec addict, his passion is writing on Security field. Published with the express permission of the author.