New Book: Advanced Security Testing with Kali Linux!

My new book and the last in the “Security Testing with Kali Linux” series is out!

This learn by doing book picks up right where my Basic Kali Linux book leaves off and covers the more intermediate and advanced uses of the Kali Linux pentesting distribution.

In Advanced Security Testing with Kali Linux you will learn topics like:

  • The MITRE ATT@CK Framework
  • Command & Control (C2) Frameworks
  • Indepth Network Scanning
  • Web App Pentesting
  • Advanced Techniques like “Living off the Land”
  • AV Bypass Tools
  • Using IoT Devices in Security
  • and much, much more!!

Learning attacker Tactics, Techniques and Procedures (TTPs) are imperative in defending modern networks. This hands on guide will help guide you through these with step by step tutorials using numerous pictures for clarity.

Want to step your security game up to the next level? Check out “Advanced Security Testing with Kali Linux” on Amazon.com.

Advertisement

Initial Access with Evil Calendar Files and GoPhish

Almost every time you sign up for an online event, you get one of those wonderful calendar reminders to set an appointment reminder. In this article we will take a look at using “evil” calendar .ics files in a pentesting or Red Team credential grabbing attack.

Crafting the E-Mail

The first thing we need to do is craft a Social Engineering e-mail to entice our corporate targets. Some may use cute puppy pics, or cat videos are always popular. As our pentesting target is a corporate environment, we will use what is near and dear to every worker – bonuses!

When I created this for a book chapter in my upcoming book, “Advanced Security Testing with Kali Linux”, I used GoPhish for the phishing management campaign. If you haven’t used it before, Gophish is a phishing framework that gives security professionals and pentesters the ability to perform live, real-time phishing attack simulations.

GoPhish is not necessary for our “evil calendar” test, but it is a perfect solution if you wanted to roll the test out to a large number of users. Honestly, you don’t need the calendar .ics file either, you could just used boobytrapped links or attachments in GoPhish for the same effect, but what is the fun in that?  

Installing GoPhish

Installing and using GoPhish is very easy. Though I just used it in a local lab, in a corporate test you would need to install GoPhish on a Cloud, VPS or other system with access to an e-mail server.

Download the latest release of GoPhish, extract it, and make the main gophish file executable. Once you run gophish, you need to open a browser to connect to the Web GUI.  

When you create a new phishing campaign, you first will create an e-mail template, target users & groups and a landing page, or the fake website that you will use to monitor who fell for the Phishing e-mail and who did not. Then setup your sending mail server in Sending Profiles. Lastly, start the e-mail campaign using the campaign menu.

E-Mail Template

Creating the e-mail template is where you will put your social engineering skills to the test. You want an e-mail that looks believable and have the greatest chance to have your target click on it. Some internal security testing teams may prefer to put a small hint in the e-mail that it is fake.

For the most part though, you want to make the e-mail as real looking as possible for a true test. Gophish allows you to import an e-mail to use as a template or you can use the HTML WYSIWYG editor included.

Good start, now we just need to add our evil calendar event. We can take a .ics calendar file and add a link to a non-existing server, as seen below:

As with any social engineering request, you would use wording that would entice the user to click on the link. I went with the totally innocuous “Evil Calendar Event”. Nobody would ever click on that. On second thought, trust me, yes, they would.

Now just add the Calendar File as an attachment to our E-mail in GoPhish. Again, you don’t need Gophish for this, it just makes it easier for sending large amounts of e-mails during a real test.  

When we kick off the GoPhish campaign, our targets get an e-mail that looks something like this:

Now the trap is set, we just need to have something to respond to the bogus “corporate_server\join_now” link when people click on it. Responder will work perfectly!

Starting Responder

Responder is an LLMNR, NBT-NS and MDNS poisoner, that will answer service requests for multiple services. What’s nice about it is you can set it to prompt users for a login prompt, when they try to surf to a non-existent network resource. This is exactly what we are using in our evil calendar file.

In real life, Responder would have to be running on an internal system, one already connected to the target network – say running on a drop box.

  • sudo responder -I eth0 -wb

This starts the responder service and it begins looking for service requests to poison. In our case, we want it to respond to any server request, where the server doesn’t exist, and prompt the user for “login credentials”.

Creds from Calendar Files

Now, back on the target desktop. When the calendar file is opened in Outlook, it looks like this:

When they click on the “Join Now” link, they will be given a Responder login prompt:

If they enter the credentials, we get them in plain text!

As seen below:

And that’s it! Our job here is done.

Conclusion

As mentioned, you do not need to use GoPhish for this, and you don’t really have to use a calendar event to do it. You could use any link, even one to the Browser Exploitation Framework (BeEF) if you wished.

And prompt them for their Facebook Creds, using the BeEF Social Engineering attack:

Though using the Calendar technique is a nice way to get creds if you know you will be onsite or have onsite access on a certain day.

For a lot more information on using Kali Linux as a security testing platform, check out my “Basic Security Testing with Kali Linux” book. For more advanced techniques, keep an eye out for my upcoming book, “Advanced Security Testing with Kali Linux”, available soon!

Installing Kali Linux on Raspberry Pi – Partial Book Chapter

This is a partial sample chapter from my latest “Security Testing with Raspberry Pi” book – The full chapter (chapter 4) is over 20 pages long and includes how to use several of the installed Kali Linux tools.

In this chapter we will cover installing Kali Linux on a Raspberry Pi 3b+. We will also see how to run several Kali tools on this platform. As I assume the reader has used Kali Linux before, the goal is to show how to get up and running quickly on a Raspberry Pi, not necessarily to show how to run each individual tool. Most of the tools work just like they would in a full PC install of Kali. Though some of the tools, like Hashcat, apparently don’t have ARM compatible binaries and are not included in the Kali Pi version.

Surf to the Offensive Security Website:

https://www.offensive-security.com/kali-linux-arm-images/

Navigate to the Kali ARM images and then select the Raspberry Pi branch. Download the version of Raspberry Pi for the Pi that you have. I used a Pi3b+ for this chapter, so I downloaded the Kali Linux Raspberry Pi 3 64-bit image. If you have a Pi 4, you must download the Pi 4 version of Kali.

Once the image is downloaded, all you need to do is write it you your SD Ram card.

Etcher works great:

Insert your memory card into the Pi, attach keyboard, mouse, network line, and video cable. Lastly, plug in the power cord. The Pi will boot up and give you a graphical login screen.

  • Login with User: root, Password: toor

At the “Welcome to the first start of the panel” message, click on “Use default config”. You will then be presented with the Kali Desktop. Take a second and familiarize yourself with it. You will notice it is slightly different looking than the regular Kali Desktop, as it is using a different desktop environment. Xfce is used as the default Pi interface as it is a lightweight and fast desktop. But it is the same Kali underneath that you know and love.

Click the “Applications” button to see the tools menu. They are pretty sparse at the moment; we will fix that soon. There are a couple house keeping things we need to do first.

Setting up SSH

The first thing we will want to do is regenerate the SSH security keys.

  • Open a Terminal
  • cd /etc/ssh/
  • mkdir default_keys
  • mv ssh_host_* default_keys/
  • dpkg-reconfigure openssh-server

In a couple seconds we should have new SSH security keys.

In the current version of Kali for the Pi, root login is permitted by default. This is fine for our lab, but this is something you would want to change in “/etc/ssh/sshd_config” if you were going to use this for regular purposes. You will also want to change the root password using the “passwd” command.

The SSH server is already started by default in the Kali Pi install, so all we need is the IP address of Kali. If you are an old time Linux user like me you will probably still use Ifconfig, the old “deprecated” commands are easier to use and look nicer in my opinion, (have to love change, lol) though you are supposed to use the “ip” command now.

  • Enter, “ip a” to see all the network addresses or “ip -4 a” to only see the ip 4 address.

Now you can just SSH or use Putty like we did in the previous chapter to connect remotely to the Kali system.

Metapackages

The Kali-Pi image comes pre-installed with some tools already installed. They were called the “top 10” in an earlier release of Kali and include Metasploit, nmap, Recon-NG, etc.  The rest of the Kali tools can be downloaded via Kali “Metapackages”. Metapackages are security tool packages grouped by function. If you have a 16 GB or greater SDRam card, and a lot of patience, you can install the full Kali Linux install. If you didn’t need all of these tools, you could install just the Wireless tools (kali-linux-wireless) or the Web Application Assessment tools (kali-linux-web), depending on your needs.

All the available Metapackages are listed on the Kali Metapackages website:

Installation is simple, in a terminal just enter, “apt install” along with the metapackage that you want. You basically have 2 options; you can install the full package or individual tool packages. The only drawback to option 2 is that some of the necessary “helper” tools may not be installed and you may need to install them manually.

Option 1

If you want the full Kali install:

  • apt install kali-linux-full

This includes all the tools from a normal Kali Linux install. This will take a very long time to install, so be patient.

Option 2

If you want to install a specific category of tools:

Depending on what you want to do with your Kali install, a good choice is the Wireless tools. The wireless package includes numerous tools including ones for Wi-Fi, Bluetooth & SDR. You can see what packages are included by using the following command:

  • apt-cache show kali-linux-wireless |grep Depends

If these are the tools that you want, then proceed with the install:

  • apt install kali-linux-wireless

Whichever option you pick, the new tools will show up in the Kali menu after the install:

Either install option seems to take hours, be patient, and reboot when it is finished.

The downloaded tools are the SAME tools that you would receive on the regular Kali install. These aren’t watered down versions or anything like that. I have run into a couple tools that didn’t work, or seemed to be missing, but it is a rare occurrence. If it works in the regular Kali install, chances are you can do the same thing, the same way, in the Raspberry Pi version. So, after that long install, let’s play!


If you liked this sample and want to learn a lot more about using the Raspberry Pi for Ethical Hacking, check out my new book, “Security Testing with Raspberry Pi“!

Basic Security Testing with Kali Linux Giveaway Contest

Want a chance to get a signed copy of my latest Kali Linux book? I am giving away a total of 10 signed copies of “Basic Security Testing with Kali Linux, 3rd Edition”!

Simply follow, like and share this article, or my official Twitter or Instagram announcement, for a chance to win a signed copy of my new book!

10 lucky winners will be randomly selected on October 31st.

The Contest is for those living in the United States only. I may do another one for international readers in the future.

Liking this article & sharing the Official Contest announcements on Twitter and Instagram will increase your chances of winning.  Winners will be notified on October 31st. If a winner cannot be notified or does not respond by the end of the first week of November, another winner will be picked.

Good luck!