TUTORIAL - Information gathering
Information gathering is the first and most important phase in penetration testing.
In this phase, the attacker gains information about aspects such as the target network, open ports, live hosts and services running on each port.
This creates an organizational profile of the target, along with the systems and networks in use.
Zenmap is the Kali information gathering and network analysis tool. Its intense scan mode provides target information such as the services running on each port, their versions, the target operating system, network hop distance, workgroups and user accounts.
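As an added example (not code from the original tutorial), the following Python parser reads the XML report that an Nmap/Zenmap scan writes (the -oX output) and pulls out the same fields the paragraph above lists: live hosts, open ports with service and version, the OS guess and the hop distance. The embedded report is constructed for this example, with invented addresses and versions, so it runs offline; in practice you would point it at the XML file saved from Zenmap.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed Nmap XML report of the kind Zenmap's intense
# scan (nmap -T4 -A -v) saves. Hosts, ports and versions are invented.
SAMPLE_NMAP_XML = """<nmaprun scanner="nmap" args="nmap -T4 -A -v 192.0.2.0/30">
<host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
<hostnames><hostname name="web01.example.test" type="PTR"/></hostnames>
<ports>
<port protocol="tcp" portid="22"><state state="open"/>
<service name="ssh" product="OpenSSH" version="7.4"/></port>
<port protocol="tcp" portid="80"><state state="open"/>
<service name="http" product="Apache httpd" version="2.4.6"/></port>
<port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
</ports>
<os><osmatch name="Linux 3.10 - 4.11" accuracy="96"/></os>
<distance value="3"/>
</host>
<host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
</nmaprun>"""

def parse_nmap_xml(xml_text):
    """Return one dict per live host: address, hostname, OS guess, hop distance
    and the open ports with service/product/version (closed ports are skipped)."""
    hosts = []
    for host in ET.fromstring(xml_text).iter("host"):
        if host.find("status").get("state") != "up":
            continue  # down hosts carry no port data worth inventorying
        hn = host.find("hostnames/hostname")
        osm = host.find("os/osmatch")      # first (best) OS match, if any
        dist = host.find("distance")
        open_ports = []
        for port in host.iter("port"):
            if port.find("state").get("state") != "open":
                continue  # skip closed/filtered ports
            svc = port.find("service")
            fields = svc.attrib if svc is not None else {}
            open_ports.append({"port": int(port.get("portid")), "proto": port.get("protocol"),
                               "service": fields.get("name"), "product": fields.get("product"),
                               "version": fields.get("version")})
        hosts.append({
            "addr": host.find("address").get("addr"),
            "hostname": hn.get("name") if hn is not None else None,
            "os": osm.get("name") if osm is not None else None,
            "distance": int(dist.get("value")) if dist is not None else None,
            "open_ports": open_ports,
        })
    return hosts

if __name__ == "__main__":
    for h in parse_nmap_xml(SAMPLE_NMAP_XML):
        print(h["addr"], h["hostname"], h["os"], "hops:", h["distance"], [p["port"] for p in h["open_ports"]])
```

The resulting list is a convenient starting point for an asset and service inventory, which is what the version strings are then checked against during vulnerability assessment.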
Other Kali information gathering tools of interest are CMS identification and IDS/IPS identification for web application analysis. CMS identification reveals the underlying CMS, which can then be used to research vulnerabilities in that CMS and gather all the available exploits to test the target system. The joomscan tool (for the Joomla CMS) is covered later in this tutorial.
Another interesting and powerful tool is Maltego, generally used for SMTP analysis. The Palette in Maltego shows entities such as the DNS name, domain, location, URL and email of the website. Maltego applies various transformations to these entities to give the pen tester the necessary details about the target. Views such as the mining view and the edge weighted view provide a graphical representation of the data obtained about a particular target.
The second phase in pen testing is vulnerability assessment. After gaining initial information and an organizational profile of the target through conclusive footprinting, we assess the weak spots, or vulnerabilities, in the system. There are a number of vulnerability databases available online for ready use, but this tutorial focuses on what Kali has to offer.
Web application scanners are used to assess website vulnerabilities. Joomscan is meant for Joomla-based websites and reports vulnerabilities that are pre-stored in its repository.
Joomscan can be run with the following command:
joomscan -u <string> -x proxy:port
Here <string> is the URL of the target Joomla website, and -x sets an optional proxy. Joomscan also has options for version detection, server checks, firewall activity, etc.
OpenVAS (Open Vulnerability Assessment System) on Kali:
OpenVAS is a powerful tool for performing vulnerability assessments on a target. Before doing the assessment, it is advisable to set up a certificate using the OpenVAS MkCert option. After that, we add a new user from the menu.
The user can be restricted by applying rules, or given an empty rule set by pressing Ctrl+D. Once a new user has been added with a login and other credentials, we can go ahead with the assessment part of this tutorial.
OpenVAS follows a client/server model for the assessment process. You should update its vulnerability test feed regularly so that the assessments stay effective.
OpenVAS vs Nessus Scanner.
Nessus is another vulnerability assessment tool for carrying out automated assessments. Let's take a look at the differences between the two. Nessus has two versions, free and paid, while OpenVAS is completely free. Recent observations have shown that the plug-in feeds of the two scanners differ considerably, and depending on only one tool is not recommended, as automated scanners can throw up lots of false positives.
Combining manual testing with automated scanners and other tools is recommended for a comprehensive assessment of the target. Kali also offers other tools in this category, including Cisco tools, which are meant for Cisco-based networking hardware. Fuzzers are also available, categorized as network fuzzers and VoIP fuzzers.
It's evident from the above tutorial that Kali has a lot to offer in terms of information gathering and vulnerability assessment. In this tutorial, I have made an effort to show the one or two tools which I felt would be most useful to readers. It's best to try out all the tools so that you have first-hand experience of Kali and the power it brings to a pen tester's arsenal. In subsequent tutorials, we shall see how Kali facilitates exploitation of a target.