Showing posts with label Penetrations. Show all posts

Mastering the Penetration Testing Distribution

by Raphaël Hertzog, Jim O’Gorman, and Mati Aharoni


e-books shop
e-books shop
Purchase Now !
Just with Paypal



Book Details
 Price
 2.00 USD
 Pages
 341 p
 File Size
 10,095 KB
 File Type
 PDF format
 ISBN
 978-0-9976156-0-9 (paperback)
 Copyright   
 2017 Raphaël Hertzog,
 Jim O’Gorman, and Mati Aharoni   

Acknowledgments of Raphaël Hertzog
I would like to thank Mati Aharoni: in 2012, he got in touch with me because I was one out of
dozens of Debian consultants and he wanted to build a successor to BackTrack that would be based
on Debian. That is how I started to work on Kali Linux, and ever since I have enjoyed my journey
in the Kali world.
Over the years, Kali Linux got closer to Debian GNU/Linux, notably with the switch to Kali Rolling,
based on Debian Testing. Now most of my work, be it on Kali or on Debian, provides benefits to the
entire Debian ecosystem. And this is exactly what keeps me so motivated to continue, day after
day, month after month, year after year.
Working on this book is also a great opportunity that Mati offered me. It is not the same kind
of work but it is equally rewarding to be able to help people and share with them my expertise
of the Debian/Kali operating system. Building on my experience with the Debian Administrator’s
Handbook, I hope that my explanations will help you to get started in the fast-moving world of
computer security.
I would also like to thank all the Offensive Security persons who were involved in the book: Jim
O’Gorman (co-author of some chapters), Devon Kearns (reviewer), Ron Henry (technical editor),
Joe Steinbach and Tony Cruse (project managers). And thank you to Johnny Long who joined to
write the preface but ended up reviewing the whole book.

Acknowledgments of Jim O’Gorman
I would like to thank everyone involved in this project for their contributions, of which mine were
only a small part. This book, much like Kali Linux itself was a collaborative project of many hands
making light work. Special thanks to Raphaël, Devon, Mati, Johnny, and Ron for taking on the
lion’s share of the effort. Without them, this book would not have come together.

Acknowledgments of Mati Aharoni
It has been a few years since Kali Linux was first released, and since day one, I have always dreamt
of publishing an official book which covers the Kali operating system as a whole. It is therefore
a great privilege for me to finally see such a book making it out to the public. I would like to
sincerely thank everyone involved in the creation of this project—including Jim, Devon, Johnny,
and Ron. A very special thanks goes to Raphaël for doing most of the heavy lifting in this book,
and bringing in his extensive expertise to our group.

Foreword
The sixteen high-end laptops ordered for your pentesting team just arrived, and you have been
tasked to set them up—for tomorrow’s offsite engagement. You install Kali and boot up one of the
laptops only to find that it is barely usable. Despite Kali’s cutting-edge kernel, the network cards
and mouse aren’t working, and the hefty NVIDIA graphics card and GPU are staring at you blankly,
because they lack properly installed drivers. You sigh.
In Kali Live mode, you quickly type lspci into a console, then squint. You scroll through the
hardware listing: “PCI bridge, USB controller, SATA controller. Aha! Ethernet and Network controllers.”
A quick Google search for their respective model numbers, cross referenced with the
Kali kernel version, reveals that these cutting-edge drivers haven’t reached the mainline kernel yet.
But all is not lost. A plan is slowly formulating in your head, and you thank the heavens for the
Kali Linux Revealed book that you picked up a couple of weeks ago. You could use the Kali Live-
Build system to create a custom Kali ISO, which would have the needed drivers baked into the
installation media. In addition, you could include the NVIDIA graphics drivers as well as the CUDA
libraries needed to get that beast of a GPU to talk nicely to hashcat, and have it purr while cracking
password hashes at blistering speeds. Heck, you could even throw in a custom wallpaper with a
Microsoft Logo on it, to taunt your team at work.
Since the hardware profiles for your installations are identical, you add a preseeded boot option to
the ISO, so that your team can boot off a USB stick and have Kali installed with no user interaction—
the installation takes care of itself, full disk encryption and all.
Perfect! You can now generate an updated version of Kali on demand, specifically designed and
optimized for your hardware. You saved the day. Mission complete!
With the deluge of hardware hitting the market, this scenario is becoming more common for
those of us who venture away from mainstream operating systems, in search of something leaner,
meaner, or more suitable to our work and style.
This is especially applicable to those attracted to the security field, whether it be an alluring hobby,
fascination, or line of work. As newcomers, they often find themselves stumped by the environment
or the operating system. For many newcomers Kali is their first introduction to Linux.
We recognized this shift in our user base a couple of years back, and figured that we could help
our community by creating a structured, introductory book that would guide users into the world
of security, while giving them all the Linux sophistication they would need to get started. And so,
the Kali book was born—now available free over the Internet for the benefit of anyone interested
in entering the field of security through Kali Linux.
As the book started taking shape, however, we quickly realized that there was untapped potential.
This would be a great opportunity to go further than an introductory Kali Linux book and explore
some of the more interesting and little-known features. Hence, the name of the book: 
Kali Linux Revealed.
By the end, we were chuffed with the result. The book answered all our requirements and I’m
proud to say it exceeded our expectations. We came to the realization that we had inadvertently
enlarged the book’s potential user base. It was no longer intended only for newcomers to the
security field, but also included great information for experienced penetration testers who needed
to improve and polish their control of Kali Linux—allowing them to unlock the full potential of
our distribution. Whether they were fielding a single machine or thousands across an enterprise,
making minor configuration changes or completely customizing down to the kernel level, building
their own repositories, touching the surface or delving deep into the amazing Debian package
management system, Kali Linux Revealed provides the roadmap.
With your map in hand, on behalf of myself and the entire Kali Linux team, I wish you an exciting,
fun, fruitful, and “revealing” journey!
Muts, February 2017


Table of Contents
1. About Kali Linux 1
1.1 A Bit of History . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
1.2 Relationship with Debian . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2.1 The Flow of Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.2.2 Managing the Difference with Debian . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.3 Purpose and Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.4 Main Kali Linux Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
1.4.1 A Live System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.4.2 Forensics Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.4.3 A Custom Linux Kernel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
1.4.4 Completely Customizable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.4.5 A Trustable Operating System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.4.6 Usable on a Wide Range of ARM Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.5 Kali Linux Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
1.5.1 Single Root User by Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.5.2 Network Services Disabled by Default . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.5.3 A Curated Collection of Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
1.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2. Getting Started with Kali Linux 13
2.1 Downloading a Kali ISO Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.1.1 Where to Download . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.1.2 What to Download . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
2.1.3 Verifying Integrity and Authenticity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Relying on the TLS-Protected Website . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Relying on PGP’s Web of Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
2.1.4 Copying the Image on a DVD-ROM or USB Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Creating a Bootable Kali USB Drive on Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Creating a Bootable Kali USB Drive on Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Creating a Bootable Kali USB Drive on OS X/macOS . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
2.2 Booting a Kali ISO Image in Live Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.2.1 On a Real Computer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
2.2.2 In a Virtual Machine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Preliminary Remarks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
VirtualBox . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
VMware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
2.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
3. Linux Fundamentals 47
3.1 What Is Linux and What Is It Doing? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.1.1 Driving Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 48
3.1.2 Unifying File Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49
3.1.3 Managing Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
3.1.4 Rights Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.2 The Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.2.1 How To Get a Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.2.2 Command Line Basics: Browsing the Directory Tree and Managing Files . . . . . . . . . . . . . . . . . . 52
3.3 The File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.3.1 The Filesystem Hierarchy Standard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
3.3.2 The User’s Home Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
3.4 Useful Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
3.4.1 Displaying and Modifying Text Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
3.4.2 Searching for Files and within Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
3.4.3 Managing Processes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
3.4.4 Managing Rights . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
3.4.5 Getting System Information and Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60
3.4.6 Discovering the Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61
3.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
4. Installing Kali Linux 65
4.1 Minimal Installation Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
4.2 Step by Step Installation on a Hard Drive . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
4.2.1 Plain Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Booting and Starting the Installer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Selecting the Language . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Selecting the Country . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Selecting the Keyboard Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Detecting Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Loading Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Detecting Network Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Configuring the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Root Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Configuring the Clock . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 73
Detecting Disks and Other Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Partitioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
Copying the Live Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 80
Configuring the Package Manager (apt) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 81
Installing the GRUB Boot Loader . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
Finishing the Installation and Rebooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
4.2.2 Installation on a Fully Encrypted File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Introduction to LVM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Introduction to LUKS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Setting Up Encrypted Partitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
End of the Guided Partitioning with Encrypted LVM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
4.3 Unattended Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
4.3.1 Preseeding Answers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
With Boot Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
With a Preseed File in the Initrd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
With a Preseed File in the Boot Media . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
With a Preseed File Loaded from the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
4.3.2 Creating a Preseed File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
4.4 ARM Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 94
4.5 Troubleshooting Installations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
4.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
5. Configuring Kali Linux 103
5.1 Configuring the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
5.1.1 On the Desktop with NetworkManager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
5.1.2 On the Command Line with Ifupdown . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
5.1.3 On the Command Line with systemd-networkd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
5.2 Managing Unix Users and Unix Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
5.2.1 Creating User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
5.2.2 Modifying an Existing Account or Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
5.2.3 Disabling an Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
5.2.4 Managing Unix Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
5.3 Configuring Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
5.3.1 Configuring a Specific Program . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
5.3.2 Configuring SSH for Remote Logins . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 110
5.3.3 Configuring PostgreSQL Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Connection Type and Client Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
Creating Users and Databases . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
Managing PostgreSQL Clusters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
5.3.4 Configuring Apache . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
Configuring Virtual Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114
Common Directives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115
5.4 Managing Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
5.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119
6. Helping Yourself and Getting Help 123
6.1 Documentation Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
6.1.1 Manual Pages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
6.1.2 Info Documents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
6.1.3 Package-Specific Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
6.1.4 Websites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
6.1.5 Kali Documentation at docs.kali.org . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
6.2 Kali Linux Communities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
6.2.1 Web Forums on forums.kali.org . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
6.2.2 #kali-linux IRC Channel on Freenode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
6.3 Filing a Good Bug Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
6.3.1 Generic Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
How to Communicate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
What to Put in the Bug Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Miscellaneous Tips . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
6.3.2 Where to File a Bug Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132
6.3.3 How to File a Bug Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Filing a Bug Report in Kali . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
Filing a Bug Report in Debian . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
Filing a Bug Report in another Free Software Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
6.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
7. Securing and Monitoring Kali Linux 149
7.1 Defining a Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
7.2 Possible Security Measures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
7.2.1 On a Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
7.2.2 On a Laptop . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
7.3 Securing Network Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
7.4 Firewall or Packet Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
7.4.1 Netfilter Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
7.4.2 Syntax of iptables and ip6tables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
7.4.3 Creating Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 159
7.4.4 Installing the Rules at Each Boot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 160
7.5 Monitoring and Logging . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
7.5.1 Monitoring Logs with logcheck . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 161
7.5.2 Monitoring Activity in Real Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
7.5.3 Detecting Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Auditing Packages with dpkg --verify . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Monitoring Files: AIDE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 163
7.6 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 164
8. Debian Package Management 169
8.1 Introduction to APT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
8.1.1 Relationship between APT and dpkg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 170
8.1.2 Understanding the sources.list File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 172
8.1.3 Kali Repositories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
The Kali-Rolling Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173
The Kali-Dev Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
The Kali-Bleeding-Edge Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
The Kali Linux Mirrors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
8.2 Basic Package Interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 175
8.2.1 Initializing APT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
8.2.2 Installing Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Installing Packages with dpkg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 176
Installing Packages with APT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 177
8.2.3 Upgrading Kali Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
8.2.4 Removing and Purging Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
8.2.5 Inspecting Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Querying dpkg’s Database and Inspecting .deb Files . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181
Querying the Database of Available Packages with apt-cache and apt . . . . . . . . . . . . . . . . . . . . 185
8.2.6 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Handling Problems after an Upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
The dpkg Log File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 188
Reinstalling Packages with apt --reinstall and aptitude reinstall . . . . . . . . . . . . . . . . . . . 189
Leveraging --force-* to Repair Broken Dependencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . 189
8.2.7 Frontends: aptitude and synaptic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Aptitude . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 190
Synaptic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
8.3 Advanced APT Configuration and Usage . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
8.3.1 Configuring APT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 195
8.3.2 Managing Package Priorities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 196
8.3.3 Working with Several Distributions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
8.3.4 Tracking Automatically Installed Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 199
8.3.5 Leveraging Multi-Arch Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Enabling Multi-Arch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 200
Multi-Arch Related Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 201
8.3.6 Validating Package Authenticity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 202
8.4 Package Reference: Digging Deeper into the Debian Package System . . . . . . . . . . . . . . . . 204
8.4.1 The control File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206
Dependencies: the Depends Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Pre-Depends, a More Demanding Depends . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207
Recommends, Suggests, and Enhances Fields . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Conflicts: the Conflicts Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
Incompatibilities: the Breaks Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Provided Items: the Provides Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209
Replacing Files: The Replaces Field . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
8.4.2 Configuration Scripts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
Installation and Upgrade Script Sequence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 213
Package Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
8.4.3 Checksums, Conffiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 214
8.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
9. Advanced Usage 221
9.1 Modifying Kali Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
9.1.1 Getting the Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
9.1.2 Installing Build Dependencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
9.1.3 Making Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
Applying a Patch . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
Tweaking Build Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
Packaging a New Upstream Version . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
9.1.4 Starting the Build . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
9.2 Recompiling the Linux Kernel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
9.2.1 Introduction and Prerequisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233
9.2.2 Getting the Sources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
9.2.3 Configuring the Kernel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
9.2.4 Compiling and Building the Package . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
9.3 Building Custom Kali Live ISO Images . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
9.3.1 Installing Pre-Requisites . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
9.3.2 Building Live Images with Different Desktop Environments . . . . . . . . . . . . . . . . . . . . . . . . . 238
9.3.3 Changing the Set of Installed Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
9.3.4 Using Hooks to Tweak the Contents of the Image . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 239
9.3.5 Adding Files in the ISO Image or in the Live Filesystem . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
9.4 Adding Persistence to the Live ISO with a USB Key . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
9.4.1 The Persistence Feature: Explanations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 240
9.4.2 Setting Up Unencrypted Persistence on a USB Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242
9.4.3 Setting Up Encrypted Persistence on a USB Key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 243
9.4.4 Using Multiple Persistence Stores . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 244
9.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
9.5.1 Summary Tips for Modifying Kali Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246
9.5.2 Summary Tips for Recompiling the Linux Kernel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 247
9.5.3 Summary Tips for Building Custom Kali Live ISO Images . . . . . . . . . . . . . . . . . . . . . . . . . . 248
10. Kali Linux in the Enterprise 251
10.1 Installing Kali Linux Over the Network (PXE Boot) . . . . . . . . . . . . . . . . . . . . . . . . . . 252
10.2 Leveraging Configuration Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
10.2.1 Setting Up SaltStack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
10.2.2 Executing Commands on Minions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 256
10.2.3 Salt States and Other Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 258
10.3 Extending and Customizing Kali Linux . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
10.3.1 Forking Kali Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
10.3.2 Creating Configuration Packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
10.3.3 Creating a Package Repository for APT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
10.4 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
11. Introduction to Security Assessments 279
11.1 Kali Linux in an Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 281
11.2 Types of Assessments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 283
11.2.1 Vulnerability Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284
Likelihood of Occurrence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Impact . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
Overall Risk . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 287
In Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
11.2.2 Compliance Penetration Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288
11.2.3 Traditional Penetration Test . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
11.2.4 Application Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 291
11.3 Formalization of the Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
11.4 Types of Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 294
11.4.1 Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
11.4.2 Memory Corruption . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 295
11.4.3 Web Vulnerabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
11.4.4 Password Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
11.4.5 Client-Side Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
11.5 Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 297
12. Conclusion: The Road Ahead 301
12.1 Keeping Up with Changes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
12.2 Showing Off Your Newly Gained Knowledge . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
12.3 Going Further . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 302
12.3.1 Towards System Administration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
12.3.2 Towards Penetration Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 303
Index 304


Bookscreen
e-books shop

Introduction
.Kali Linux is the world’s most powerful and popular penetration testing platform, used by security
professionals in a wide range of specializations, including penetration testing, forensics, reverse
engineering, and vulnerability assessment. It is the culmination of years of refinement and the
result of a continuous evolution of the platform, from WHoppiX to WHAX, to BackTrack, and now
to a complete penetration testing framework leveraging many features of Debian GNU/Linux and
the vibrant open source community worldwide.
Kali Linux has not been built to be a simple collection of tools, but rather a flexible framework
that professional penetration testers, security enthusiasts, students, and amateurs can customize
to fit their specific needs.

Why This Book?
Kali Linux is not merely a collection of various information security tools that are installed on a
standard Debian base and preconfigured to get you up and running right away. To get the most
out of Kali, it is important to have a thorough understanding of its powerful Debian GNU/Linux
underpinnings (which support all those great tools) and learning how you can put them to use in
your environment.
Although Kali is decidedly multi-purpose, it is primarily designed to aid in penetration testing.
The objective of this book is not only to help you feel at home when you use Kali Linux, but also to
help improve your understanding and streamline your experience so that when you are engaged
in a penetration test and time is of the essence, you won’t need to worry about losing precious
minutes to install new software or enable a new network service. In this book, we will introduce
you first to Linux, then we will dive deeper as we introduce you to the nuances specific to Kali
Linux so you know exactly what is going on under the hood.
This is invaluable knowledge to have, particularly when you are trying to work under tight time
constraints. It is not uncommon to require this depth of knowledge when you are getting set up,
troubleshooting a problem, struggling to bend a tool to your will, parsing output from a tool, or
leveraging Kali in a larger-scale environment.

Is This Book for You?
If you are eager to dive into the intellectually rich and incredibly fascinating field of information
security, and have rightfully selected Kali Linux as a primary platform, then this book will help
you in that journey. This book is written to help first-time Linux users, as well as current Kali
users seeking to deepen their knowledge about the underpinnings of Kali, as well as those who
have used Kali for years but who are looking to formalize their learning, expand their use of Kali,
and fill in gaps in their knowledge.
In addition, this book can serve as a roadmap, technical reference, and study guide for those pursuing
the Kali Linux Certified Professional certification.

Exam PT0-001

Mike Chapple & David Seidl

Penetration Testing
Planning and Scoping Penetration Tests
Information Gathering
Vulnerability Scanning
Analyzing Vulnerability Scans 
Exploit and Pivot
Exploiting Network Vulnerabilities
Exploiting Physical and Social Vulnerabilities
Exploiting Application Vulnerabilities
Exploiting Host Vulnerabilities
Scripting for Penetration Testing
Reporting and Communication

e-books shop
e-books shop
Purchase Now !
Just with Paypal



Book Details
 Price
 3.00 USD
 Pages
 521 p
 File Size
 34,054 KB
 File Type
 PDF format
 ISBN
 978-1-119-50422-1
 978-1-119-50425-2 (ebk.)
 978-1-119-50424-5 (ebk.)
 Copyright   
 2019 by John Wiley & Sons, Inc  

About the Author
Mike Chapple, PhD, Security+, CISSP, CISA, PenTest+,
CySA+, is an associate teaching professor of IT, analytics, and
operations at the University of Notre Dame. He is also the
academic director of the University’s master’s program in
business analytics.
Mike is a cybersecurity professional with over 20 years of
experience in the field. Prior to his current role, Mike served
as senior director for IT service delivery at Notre Dame, where
he oversaw the University’s cybersecurity program, cloud computing
efforts, and other areas. Mike also previously served as
chief information officer of Brand Institute and an information security researcher with the
National Security Agency and the U.S. Air Force.
Mike is a frequent contributor to several magazines and websites and is the author or
coauthor of more than 25 books, including CISSP Official (ISC)2 Study Guide, CISSP
Official (ISC)2 Practice Tests, CompTIA CySA+ Study Guide: Exam CS0-001, and
CompTIA CySA+ Practice Tests: Exam CS0-001, all from Wiley, and Cyberwarfare:
Information Operations in a Connected World (Jones and Bartlett, 2014).
Mike offers free study groups for the PenTest+, CySA+, Security+, CISSP, and SSCP certifications
at his website, certmike.com.

David Seidl, CISSP, PenTest+, CySA+, GCIH, GPEN, is
the senior director for campus technology services at the
University of Notre Dame. As the senior director for CTS,
David is responsible for Amazon AWS cloud operations, virtualization,
enterprise storage, platform and operating system
support, database and ERP administration and services, identity
and access management, application services, enterprise
content management, digital signage, labs, lecterns, and academic
printing and a variety of other services and systems.
During his over 22 years in information technology, David
has served in a variety of leadership, technical, and information security roles, including
leading Notre Dame’s information security team as director of information security. He has
written books on security certification and cyberwarfare, including coauthoring CompTIA
CySA+ Study Guide: Exam CS0-001, CompTIA CySA+ Practice Tests: Exam CS0-001,
and CISSP (ISC)2 Official Practice Tests from Wiley and Cyberwarfare: Information
Operations in a Connected World (Jones and Bartlett, 2014).
David holds a bachelor’s degree in communication technology and a master’s degree in
information security from Eastern Michigan University.

Acknowledgments
Books like this involve work from many people, and as authors, we truly appreciate the
hard work and dedication that the team at Wiley shows. We would especially like to thank
Senior Acquisitions Editor Kenyon Brown. We have worked with Ken on multiple projects
and consistently enjoy our work with him.
We also greatly appreciated the editing and production team for the book, including
Jim Compton, our developmental editor, whose prompt and consistent oversight got this
book out the door, and Christine O’Connor, our production editor, who guided us through
layouts, formatting, and final cleanup to produce a great book. We’d also like to thank our
technical editor, Jeff Parker, who provided us with thought-provoking questions and technical
insight throughout the process. We would also like to thank the many behind-thescenes
contributors, including the graphics, production, and technical teams who make the
book and companion materials into a finished product.
Our agent, Carole Jelen of Waterside Productions, continues to provide us with wonderful
opportunities, advice, and assistance throughout our writing careers.
Finally, we would like to thank our families, friends, and significant others who support
us through the late evenings, busy weekends, and long hours that a book like this requires
to write, edit, and get to press.

Table of Contents
Introduction xxv
Assessment Test lvi
Chapter 1 Penetration Testing 1
What Is Penetration Testing? 2
Cybersecurity Goals 2
Adopting the Hacker Mind-Set 4
Reasons for Penetration Testing 5
Benefits of Penetration Testing 5
Regulatory Requirements for Penetration Testing 6
Who Performs Penetration Tests? 8
Internal Penetration Testing Teams 8
External Penetration Testing Teams 9
Selecting Penetration Testing Teams 9
The CompTIA Penetration Testing Process 10
Planning and Scoping 11
Information Gathering and Vulnerability Identification 11
Attacking and Exploiting 12
Reporting and Communicating Results 13
The Cyber Kill Chain 13
Reconnaissance 15
Weaponization 15
Delivery 16
Exploitation 16
Installation 16
Command and Control 16
Actions on Objectives 17
Tools of the Trade 17
Reconnaissance 19
Vulnerability Scanners 20
Social Engineering 21
Credential-Testing Tools 21
Debuggers 21
Software Assurance 22
Network Testing 22
Remote Access 23
Exploitation 23
Summary 23
Exam Essentials 24
Lab Exercises 25
Activity 1.1: Adopting the Hacker Mind-Set 25
Activity 1.2: Using the Cyber Kill Chain 25
Review Questions 26
Chapter 2 Planning and Scoping Penetration Tests 31
Scoping and Planning Engagements 35
Assessment Types 36
White Box, Black Box, or Gray Box? 36
The Rules of Engagement 38
Scoping Considerations: A Deeper Dive 40
Support Resources for Penetration Tests 42
Key Legal Concepts for Penetration Tests 45
Contracts 45
Data Ownership and Retention 46
Authorization 46
Environmental Differences 46
Understanding Compliance-Based Assessments 48
Summary 50
Exam Essentials 51
Lab Exercises 52
Review Questions 53
Chapter 3 Information Gathering 57
Footprinting and Enumeration 60
OSINT 61
Location and Organizational Data 64
Infrastructure and Networks 67
Security Search Engines 72
Active Reconnaissance and Enumeration 74
Hosts 75
Services 75
Networks, Topologies, and Network Traffic 81
Packet Crafting and Inspection 83
Enumeration 84
Information Gathering and Code 88
Information Gathering and Defenses 89
Defenses Against Active Reconnaissance 90
Preventing Passive Information Gathering 90
Summary 90
Exam Essentials 91
Lab Exercises 92
Activity 3.1: Manual OSINT Gathering 92
Activity 3.2: Exploring Shodan 93
Activity 3.3: Running a Nessus Scan 93
Review Questions 94
Chapter 4 Vulnerability Scanning 99
Identifying Vulnerability Management Requirements 102
Regulatory Environment 102
Corporate Policy 106
Support for Penetration Testing 106
Identifying Scan Targets 106
Determining Scan Frequency 107
Configuring and Executing Vulnerability Scans 109
Scoping Vulnerability Scans 110
Configuring Vulnerability Scans 111
Scanner Maintenance 117
Software Security Testing 119
Analyzing and Testing Code 120
Web Application Vulnerability Scanning 121
Developing a Remediation Workflow 125
Prioritizing Remediation 126
Testing and Implementing Fixes 127
Overcoming Barriers to Vulnerability Scanning 127
Summary 129
Exam Essentials 129
Lab Exercises 130
Activity 4.1: Installing a Vulnerability Scanner 130
Activity 4.2: Running a Vulnerability Scan 130
Activity 4.3: Developing a Penetration Test
Vulnerability Scanning Plan 131
Review Questions 132
Chapter 5 Analyzing Vulnerability Scans 137
Reviewing and Interpreting Scan Reports 138
Understanding CVSS 142
Validating Scan Results 147
False Positives 147
Documented Exceptions 147
Understanding Informational Results 148
Reconciling Scan Results with Other Data Sources 149
Trend Analysis 149
Common Vulnerabilities 150
Server and Endpoint Vulnerabilities 151
Network Vulnerabilities 161
Virtualization Vulnerabilities 167
Internet of Things (IoT) 169
Web Application Vulnerabilities 170
Summary 172
Exam Essentials 173
Lab Exercises 174
Activity 5.1: Interpreting a Vulnerability Scan 174
Activity 5.2: Analyzing a CVSS Vector 174
Activity 5.3: Developing a Penetration Testing Plan 175
Review Questions 176
Chapter 6 Exploit and Pivot 181
Exploits and Attacks 184
Choosing Targets 184
Identifying the Right Exploit 185
Exploit Resources 188
Developing Exploits 189
Exploitation Toolkits 191
Metasploit 192
PowerSploit 198
Exploit Specifics 199
RPC/DCOM 199
PsExec 199
PS Remoting/WinRM 199
WMI 200
Scheduled Tasks and cron Jobs 200
SMB 201
RDP 202
Apple Remote Desktop 203
VNC 203
X-Server Forwarding 203
Telnet 203
SSH 204
Leveraging Exploits 204
Common Post-Exploit Attacks 204
Privilege Escalation 207
Social Engineering 208
Persistence and Evasion 209
Scheduled Jobs and Scheduled Tasks 209
Inetd Modification 210
Daemons and Services 210
Back Doors and Trojans 210
New Users 211
Pivoting 211
Covering Your Tracks 212
Summary 213
Exam Essentials 214
Lab Exercises 215
Activity 6.1: Exploit 215
Activity 6.2: Discovery 215
Activity 6.3: Pivot 216
Review Questions 217
Chapter 7 Exploiting Network Vulnerabilities 223
Conducting Network Exploits 226
VLAN Hopping 226
Network Proxies 228
DNS Cache Poisoning 228
Man-in-the-Middle 229
NAC Bypass 233
DoS Attacks and Stress Testing 234
Exploiting Windows Services 236
NetBIOS Name Resolution Exploits 236
SMB Exploits 240
Exploiting Common Services 240
SNMP Exploits 241
SMTP Exploits 242
FTP Exploits 243
Samba Exploits 244
Wireless Exploits 245
Evil Twins and Wireless MITM 245
Other Wireless Protocols and Systems 247
RFID Cloning 248
Jamming 249
Repeating 249
Summary 250
Exam Essentials 251
Lab Exercises 251
Activity 7.1: Capturing Hashes 251
Activity 7.2: Brute-Forcing Services 252
Activity 7.3: Wireless Testing 253
Review Questions 254
Chapter 8 Exploiting Physical and Social Vulnerabilities 259
Physical Facility Penetration Testing 262
Entering Facilities 262
Information Gathering 266
Social Engineering 266
In-Person Social Engineering 267
Phishing Attacks 269
Website-Based Attacks 270
Using Social Engineering Tools 270
Summary 273
Exam Essentials 274
Lab Exercises 275
Activity 8.1: Designing a Physical Penetration Test 275
Activity 8.2: Brute-Forcing Services 276
Activity 8.3: Using BeEF 276
Review Questions 278
Chapter 9 Exploiting Application Vulnerabilities 283
Exploiting Injection Vulnerabilities 287
Input Validation 287
Web Application Firewalls 288
SQL Injection Attacks 289
Code Injection Attacks 292
Command Injection Attacks 293
Exploiting Authentication Vulnerabilities 293
Password Authentication 294
Session Attacks 295
Kerberos Exploits 298
Exploiting Authorization Vulnerabilities 299
Insecure Direct Object References 299
Directory Traversal 300
File Inclusion 301
Exploiting Web Application Vulnerabilities 302
Cross-Site Scripting (XSS) 302
Cross-Site Request Forgery (CSRF/XSRF) 305
Clickjacking 305
Unsecure Coding Practices 306
Source Code Comments 306
Error Handling 306
Hard-Coded Credentials 307
Race Conditions 308
Unprotected APIs 308
Unsigned Code 308
Application Testing Tools 308
Static Application Security Testing (SAST) 309
Dynamic Application Security Testing (DAST) 310
Mobile Tools 313
Summary 313
Exam Essentials 313
Lab Exercises 314
Activity 9.1: Application Security Testing Techniques 314
Activity 9.2: Using the ZAP Proxy 314
Activity 9.3: Creating a Cross-Site Scripting Vulnerability 315
Review Questions 316
Chapter 10 Exploiting Host Vulnerabilities 321
Attacking Hosts 325
Linux 325
Windows 331
Cross-Platform Exploits 338
Remote Access 340
SSH 340
Netcat and Ncat 341
Proxies and Proxychains 341
Metasploit and Remote Access 342
Attacking Virtual Machines and Containers 342
Virtual Machine Attacks 343
Container Attacks 344
Physical Device Security 345
Cold-Boot Attacks 345
Serial Consoles 345
JTAG Debug Pins and Ports 346
Attacking Mobile Devices 347
Credential Attacks 348
Credential Acquisition 348
Offline Password Cracking 349
Credential Testing and Brute-Forcing Tools 350
Wordlists and Dictionaries 351
Summary 352
Exam Essentials 353
Lab Exercises 354
Activity 10.1: Dumping and Cracking the Windows SAM
and Other Credentials 354
Activity 10.2: Cracking Passwords Using Hashcat 355
Activity 10.3: Setting Up a Reverse Shell
and a Bind Shell 356
Review Questions 358
Chapter 11 Scripting for Penetration Testing 363
Scripting and Penetration Testing 364
Bash 365
PowerShell 366
Ruby 367
Python 368
Variables, Arrays, and Substitutions 368
Bash 370
PowerShell 371
Ruby 371
Python 372
Comparison Operations 372
String Operations 373
Bash 375
PowerShell 376
Ruby 377
Python 378
Flow Control 378
Conditional Execution 379
For Loops 384
While Loops 389
Input and Output (I/O) 394
Redirecting Standard Input and Output 394
Error Handling 395
Bash 395
PowerShell 396
Ruby 396
Python 396
Summary 397
Exam Essentials 397
Lab Exercises 398
Activity 11.1: Reverse DNS Lookups 398
Activity 11.2: Nmap Scan 398
Review Questions 399
Chapter 12 Reporting and Communication 405
The Importance of Communication 408
Defining a Communication Path 408
Communication Triggers 408
Goal Reprioritization 409
Recommending Mitigation Strategies 409
Finding: Shared Local Administrator Credentials 411
Finding: Weak Password Complexity 411
Finding: Plain Text Passwords 413
Finding: No Multifactor Authentication 413
Finding: SQL Injection 414
Finding: Unnecessary Open Services 415
Writing a Penetration Testing Report 415
Structuring the Written Report 415
Secure Handling and Disposition of Reports 417
Wrapping Up the Engagement 418
Post-Engagement Cleanup 418
Client Acceptance 419
Lessons Learned 419
Follow-Up Actions/Retesting 419
Attestation of Findings 419
Summary 420
Exam Essentials 420
Lab Exercises 421
Activity 12.1: Remediation Strategies 421
Activity 12.2: Report Writing 421
Review Questions 422
Appendix Answers to Review Questions 425
Chapter 1: Penetration Testing 426
Chapter 2: Planning and Scoping Penetration Tests 427
Chapter 3: Information Gathering 429
Chapter 4: Vulnerability Scanning 431
Chapter 5: Analyzing Vulnerability Scans 433
Chapter 6: Exploit and Pivot 434
Chapter 7: Exploiting Network Vulnerabilities 436
Chapter 8: Exploiting Physical and Social Vulnerabilities 438
Chapter 9: Exploiting Application Vulnerabilities 440
Chapter 10: Exploiting Host Vulnerabilities 442
Chapter 11: Script for Penetration Testing 444
Chapter 12: Reporting and Communication 445
Index 447


Bookscreen
e-books shop

Introduction
The CompTIA PenTest+ Study Guide: Exam PT0-001 provides accessible explanations
and real-world knowledge about the exam objectives that make up the PenTest+ certification.
This book will help you to assess your knowledge before taking the exam, as well as
provide a stepping stone to further learning in areas where you may want to expand your
skill set or expertise.
Before you tackle the PenTest+ exam, you should already be a security practitioner.
CompTIA suggests that test-takers should have intermediate-level skills based on their
cybersecurity pathway. You should also be familiar with at least some of the tools and techniques
described in this book. You don’t need to know every tool, but understanding how
to use existing experience to approach a new scenario, tool, or technology that you may not
know is critical to passing the PenTest+ exam.

CompTIA
CompTIA is a nonprofit trade organization that offers certification in a variety of IT areas,
ranging from the skills that a PC support technician needs, which are covered in the A+
exam, to advanced certifications like the CompTIA Advanced Security Practitioner, or
CASP, certification. CompTIA divides its exams into three categories based on the skill
level required for the exam and what topics it covers, as shown in the following table:
 Beginner/Novice   Intermediate   Advanced 
 IT Fundamentals
 A+
 Network+
 Security+
 CySA+
 PenTest+
 CASP
CompTIA recommends that practitioners follow a cybersecurity career path that begins
with the IT fundamentals and A+ exam and proceeds to include the Network+ and Security+
credentials to complete the foundation. From there, cybersecurity professionals may choose
the PenTest+ and/or Cybersecurity Analyst+ (CySA+) certifications before attempting the
CompTIA Advanced Security Practitioner (CASP) certification as a capstone credential.
The CySA+ and PenTest+ exams are more advanced exams, intended for professionals
with hands-on experience who also possess the knowledge covered by the prior exams.
CompTIA certifications are ISO and ANSI accredited, and they are used throughout
multiple industries as a measure of technical skill and knowledge. In addition, CompTIA
certifications, including the Security+ and the CASP, have been approved by the U.S. government
as Information Assurance baseline certifications and are included in the State
Department’s Skills Incentive Program.

The PenTest+ Exam
The PenTest+ exam is designed to be a vendor-neutral certification for penetration testers. It
is designed to assess current penetration testing, vulnerability assessment, and vulnerability
management skills with a focus on network resiliency testing. Successful test-takers will
prove their ability plan and scope assessments, handle legal and compliance requirements,
and perform vulnerability scanning and penetration testing activities using a variety of
tools and techniques, and then analyze the results of those activities.
It covers five major domains:
1. Planning and Scoping
2. Information Gathering and Vulnerability Identification
3. Attacks and Exploits
4. Penetration Testing Tools
5. Reporting and Communication
These five areas include a range of subtopics, from scoping penetration tests to performing
host enumeration and exploits, while focusing heavily on scenario-based learning.
The PenTest+ exam fits between the entry-level Security+ exam and the CompTIA
Advanced Security Practitioner (CASP) certification, providing a mid-career certification
for those who are seeking the next step in their certification and career path while specializing
in penetration testing or vulnerability management.
The PenTest+ exam is conducted in a format that CompTIA calls “performance-based
assessment.” This means that the exam uses hands-on simulations using actual security
tools and scenarios to perform tasks that match those found in the daily work of a security
practitioner. There may be multiple types of exam questions, such as multiple-choice, fillin-
the-blank, multiple-response, drag-and-drop, and image-based problems.
CompTIA recommends that test-takers have three or four years of information security–
related experience before taking this exam and that they have taken the Security+ exam or
have equivalent experience, including technical, hands-on expertise. The exam costs $346
in the United States, with roughly equivalent prices in other locations around the globe.
More details about the PenTest+ exam and how to take it can be found at

Study and Exam Preparation Tips
A test preparation book like this cannot teach you every possible security software package,
scenario, and specific technology that may appear on the exam. Instead, you should
focus on whether you are familiar with the type or category of technology, tool, process, or
scenario presented as you read the book. If you identify a gap, you may want to find additional
tools to help you learn more about those topics
Additional resources for hands-on exercises include the following:
■■ Exploit-Exercises.com provides virtual machines, documentation, and challenges covering
a wide range of security issues at https://exploit-exercises.com/.
■■ Hacking-Lab provides capture-the-flag (CTF) exercises in a variety of fields at
■■ The OWASP Hacking Lab provides excellent web application–focused exercises at
■■ PentesterLab provides a subscription-based access to penetration testing exercises at
■■ The InfoSec Institute provides online capture-the-flag activities with bounties for written
explanations of successful hacks at http://ctf.infosecinstitute.com/.
Since the exam uses scenario-based learning, expect the questions to involve analysis
and thought rather than relying on simple memorization. As you might expect, it is impossible
to replicate that experience in a book, so the questions here are intended to help you
be confident that you know the topic well enough to think through hands-on exercises.

Taking the Exam
Once you are fully prepared to take the exam, you can visit the CompTIA website to purchase
your exam voucher:
CompTIA partners with Pearson VUE’s testing centers, so your next step will be to
locate a testing center near you. In the United States, you can do this based on your address
or your zip code, while non-U.S. test-takers may find it easier to enter their city and country.
You can search for a test center near you at
Now that you know where you’d like to take the exam, simply set up a Pearson VUE
testing account and schedule an exam:
On the day of the test, take two forms of identification, and make sure to show up with
plenty of time before the exam starts. Remember that you will not be able to take your notes,
electronic devices (including smartphones and watches), or other materials in with you.

After the PenTest+ Exam
Once you have taken the exam, you will be notified of your score immediately, so you’ll
know if you passed the test right away. You should keep track of your score report with
your exam registration records and the email address you used to register for the exam. If
you’ve passed, you’ll receive a handsome certificate, similar to the one shown here:
Loading...
DMCA.com Protection Status