We will use Kali Linux and its tools to introduce some vulnerability and penetration tests. All participants are required to download the Kali live ISO from [https://cdimage.kali.org/kali-2021.2/kali-linux-2021.2-live-amd64.iso here] and import it into your VirtualBox (use at least 4GB of RAM).

Change the bridged interface to your connected physical interface.

After that, switch on the VM and log in to the GUI.

The default username and password are root and toor.

Once logged in, open your terminal and issue a '''sudo apt-get update''' command.

== Using OpenVAS as a Vulnerability Scanner ==

The Open Vulnerability Assessment System (OpenVAS) is a framework of several services and tools. The core of this SSL-secured service-oriented architecture is the OpenVAS Scanner. The scanner very efficiently executes the actual Network Vulnerability Tests (NVTs), which are served via the OpenVAS NVT Feed or via a commercial feed service. (more: www.openvas.org)

OpenVAS has tens of thousands of signatures, and if you do not give your system enough resources when installing, particularly RAM, you will find yourself in a world of misery. For our purpose, the Kali VM only has 2GB RAM, and that will be more than enough to scan small websites. But if you need to scan websites like the main web of a university, then you might consider increasing RAM and CPU.

=== Installation ===

- To install OpenVAS on Kali:
{{{
apt-get install openvas
}}}

- Once the installation is finished, type '''openvas-setup''' on the terminal to do the initial setup. At the end of the setup, it will give you a long password for the default user 'admin'. '''Please note it somewhere'''.

- When the OpenVAS setup process is finished, the OpenVAS manager, scanner and services are listening on ports 9390, 9391 and 9392, and on port 80. You can use the following netstat command to check whether these services are listening:
{{{
netstat -antp
}}}

- The netstat -antp command explained:
{{{
-a all sockets
-n show IP addresses instead of hostnames
-t show only TCP connections
-p show process id/name
}}}

- If the OpenVAS services are not running, use the following command to start them:
{{{
openvas-start
}}}

- Open '''https://127.0.0.1:9392''' using your default browser.

- Log in to '''Greenbone Security Assistant''' using the username admin and the password from the previous step.

The default dashboard will show you a collection of scans, hosts, etc.

=== Scanning ===

Let's start a scan.

- Go to '''Scans -> Tasks'''

- Click on the purple wizard icon.

[[Image(https://ws.learn.ac.lk/raw-attachment/wiki/netsec2018pentest/image.png)]]

- Enter your target host (in this case the IP of your test VM) and start scanning.

Please be patient, as the scan may take some time. Do not try this on your actual live systems at this moment, as it will create high traffic/slowness and may slow down everyone else in the lab as well.

- Once the scan is completed, go to '''Scans -> Results''' and see what has been detected.

OpenVAS is a whole set of tools for detecting vulnerabilities, reporting, and scheduling tasks. Due to our limited environment, you may refer to YouTube and Google for further usage.

- Use '''openvas-stop''' to terminate the OpenVAS services.

=== Port Scanner – Zenmap ===

Zenmap is an nmap-based port scanner. It has a basic GUI and helps testers find open, blocked or filtered ports of a target easily. In addition to showing Nmap's normal output, Zenmap can arrange its display to show all ports on a host or all hosts running a particular service. It summarizes details about a single host or a complete scan in a convenient display. Zenmap can even draw a topology map of discovered networks. The results of several scans may be combined and viewed at once.

- Open Zenmap from Applications -> Information Gathering -> zenmap.

- Specify your target, select the required profile and click Scan.

- The '''Intense scan''' in the profile list is just one of several scan profiles that come with Zenmap. Choose a profile by selecting it from the '''Profile''' combo box. Profiles exist for several common scans. After selecting a profile, the Nmap command line associated with it is displayed on the screen. Of course, it is possible to edit these profiles or create new ones.

- Once a scan is finished you can check the results in the following tabs:
{{{
Nmap Output – the default view of all results
Ports/Hosts – all port statuses presented in a user-friendly way
Topology – shows your target(s) and the traceroutes
Host Details – all details on the target device
Scans – lists the previous scans
}}}

On a controlled system, if you find any unknown open ports, they may indicate a potential risk or a vulnerability on the target.
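One way to act on that observation, as an added example rather than code from the lab: the script below parses an nmap XML result (the format Zenmap stores for each scan; the sample document and the expected-port baseline here are constructed) and reports every open port that is not in the baseline.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap's -oX format: one host, three open ports, one closed.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
      <port protocol="tcp" portid="4444"><state state="open"/><service name="krb524"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Baseline of ports the controlled system is supposed to expose (assumed policy).
EXPECTED_OPEN = {"192.0.2.10": {("tcp", 22), ("tcp", 80)}}


def open_ports(xml_text):
    """Return {host_ip: {(proto, port): service_name}} for every port reported open."""
    result = {}
    for host in ET.fromstring(xml_text).findall("host"):
        ip = host.find("address[@addrtype='ipv4']").get("addr")
        found = {}
        for port in host.findall("ports/port"):
            if port.find("state").get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            found[(port.get("protocol"), int(port.get("portid")))] = name
        result[ip] = found
    return result


def unexpected_open_ports(xml_text, expected=EXPECTED_OPEN):
    """Open ports that are not in the baseline: the ones worth investigating."""
    findings = {}
    for ip, ports in open_ports(xml_text).items():
        extra = {k: v for k, v in ports.items() if k not in expected.get(ip, set())}
        if extra:
            findings[ip] = extra
    return findings


if __name__ == "__main__":
    for ip, extra in unexpected_open_ports(SAMPLE_NMAP_XML).items():
        for (proto, port), svc in sorted(extra.items()):
            print(f"{ip}: unexpected open {proto}/{port} ({svc})")
```

Run Zenmap's own scan, save it as XML and point `unexpected_open_ports` at that file to compare a real result against your baseline.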

=== Distributed Denial of Service Pentest ===

From Wikipedia:

A denial-of-service attack (DoS attack) is a cyber-attack where the attacker looks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is usually accomplished by flooding the targeted machine or resource with excessive requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

In a distributed denial-of-service attack (DDoS attack), the incoming traffic flooding the victim originates from many different sources. A DoS or DDoS attack is analogous to a group of people crowding the entry door or gate to a shop or business, and not letting legitimate parties enter into the shop or business, disrupting normal operations.

Before proceeding, make sure you do these tests in your own environment. DO NOT try this on your neighbour's VMs; otherwise it will damage the whole lab network.

- As all our VMs run HTTP servers, use the following to do the testing:
{{{
hping3 -F --flood -p 80 <your vm address>
}}}

- While hping3 is running, try to access your web server through a browser.

To detect these kinds of attacks you should use an IDS or a packet analyzer like Wireshark. (We will have a Wireshark session in the latter part of the workshop.)

There are several ways of generating high traffic to servers and checking their capability to survive it. Depending on your results, you can change application-specific parameters to support your service.

'''A few example attacks:'''

- UDP flood
{{{
hping3 --udp --flood -p 80 <your vm address>
}}}

- SYN-FIN flood
{{{
hping3 -SF --flood -p 80 <your vm address>
}}}

- PUSH-ACK flood
{{{
hping3 -PA --flood -p 80 <your vm address>
}}}

- Reset flood
{{{
hping3 -R --flood -p 80 <your vm address>
}}}

- FIN flood
{{{
hping3 -F --flood -p 80 <your vm address>
}}}

What are SYN, ACK, FIN and PUSH? Check them at https://en.wikipedia.org/wiki/Transmission_Control_Protocol
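As an added example (not part of the lab's own material), the following Python script shows the kind of detection logic an IDS applies to the floods listed above: it reads a constructed packet summary of the form "seconds src dst proto flags" (the fields Wireshark or tshark can export), counts packets per source, destination and flag pattern in each one-second window, and alerts on rates above an assumed threshold and on the SYN+FIN combination, which never occurs in legitimate TCP.

```python
from collections import Counter

# Packet kinds from the lab's hping3 examples, keyed by (proto, TCP flag letters).
FLOOD_KINDS = {
    ("tcp", "F"): "FIN flood", ("tcp", "SF"): "SYN-FIN flood",
    ("tcp", "PA"): "PUSH-ACK flood", ("tcp", "R"): "RST flood",
    ("udp", "-"): "UDP flood",
}
RATE_THRESHOLD = 100  # packets/second per (src, dst, kind); assumed, tune to your baseline


def constructed_sample():
    """Constructed packet summary: a normal HTTP visit, then two one-second floods."""
    normal = [
        "0.010 192.0.2.20 192.0.2.10 tcp S", "0.020 192.0.2.20 192.0.2.10 tcp A",
        "0.050 192.0.2.20 192.0.2.10 tcp PA", "0.900 192.0.2.20 192.0.2.10 tcp FA",
    ]
    fin_flood = [f"{1 + i / 1000:.3f} 192.0.2.30 192.0.2.10 tcp F" for i in range(400)]
    udp_flood = [f"{2 + i / 1000:.3f} 192.0.2.30 192.0.2.10 udp -" for i in range(250)]
    return normal + fin_flood + udp_flood


def parse(line):
    """'seconds src dst proto flags' -> (whole second, src, dst, proto, flags)."""
    t, src, dst, proto, flags = line.split()
    return int(float(t)), src, dst, proto, flags


def detect_floods(lines, threshold=RATE_THRESHOLD):
    """Return a sorted list of (second, src, dst, description) alerts."""
    counts = Counter()
    invalid = set()
    for line in lines:
        sec, src, dst, proto, flags = parse(line)
        # SYN and FIN together never occur in legitimate TCP: alert on first sight.
        if proto == "tcp" and "S" in flags and "F" in flags:
            invalid.add((sec, src, dst, f"invalid TCP flags {flags}"))
        counts[(sec, src, dst, proto, flags)] += 1
    alerts = set(invalid)
    for (sec, src, dst, proto, flags), n in counts.items():
        if n >= threshold:
            kind = FLOOD_KINDS.get((proto, flags), f"{proto}/{flags} flood")
            alerts.add((sec, src, dst, f"{kind}: {n} packets in one second"))
    return sorted(alerts)


if __name__ == "__main__":
    for sec, src, dst, desc in detect_floods(constructed_sample()):
        print(f"t={sec}s {src} -> {dst}: {desc}")
```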