Kali Linux 2.0 : The new release has arrived

Kali Linux ,is a well known Penetration testing distro and also contains a plethora for digital forensics, is widely used by ethical hacker community across the globe and is maintained and developed by the organization known as “Offensive Security”. It comes with over 650 tools pre-installed that help  perform tasks like network analysis, ethical hacking, load & crash testing etc. It is powered by Linux kernel 4.0 and has enhanced support for different graphics cards and desktop environments.The most recent version of Kali has just been released few days back and here I bring you the installation step by step screen shot being installed in Virtual Box.

 Choose Install above

The desktop boots to the following screen...thats it... You are ready to go....

Career in CYBER SECURITY : Where to start ?

1.  I get a lot of queries on my blog posts related to cyber security courses and any time I am in some forum or discussion from all range age  groups regarding serious career scope in India in the field of Cyber Security.Is it worth taking a plunge in a field which currently only has more of a keen interest value rather then offering  lucrative pay packet job?The younger age group which generally has young engineering graduates look little restless of taking the risk but the field is pretty exciting for those who are passionately interested in it.

2.  The field is immense and huge to start with.For a fresher it would be pretty cumbersome to find where to start from.The moment any typical search is made for a cyber security course on google,the results are too huge and confusing to get started on.For a novice guy who doesn’t  have any background in this field but keen to start a career in this field, I would submit few first steps to start before ways and career road automatically starts guiding ahead.

3.   Firstly,make it very clear in your mind that this field is very dynamic...you have to be continuously on your toes to be updated around what’s happening in this field.Millions of cyber incidents are happening,thousands of zero days are being discovered,thousands of case studies are being released about various cyber incidents and as you start understanding you need to prioritize of what all to grasp in detail .....follow up good tweets of cyber security experts.The courses you do in this field will not be like the typical graduation certification that you do once and will make you a B.Tech for the rest of your life without ever some one asking about the syllaabi.Most of the course and certification have a shelf life of 2-3 years after which you need to renew them to continue your professional standing in the market.

4.   The best thing about this field is that you can build your career and get your basics clear by putting in you hard-work along with the world of open-source that’s your window to knowledge bank.Be it the white papers or applications or Operating systems etc most of the entire gambit of tools is free....yes...for last about 8-9 years of my association with the field I have not bought or purchased any software or OS or toolkit to practice basic hacks and penetration tests.

5.   For a start in respect of courses....I would submit that most of the courses valued globally like CEH,CISSP etc by EC-COUNCIL are pretty costly and just doing them does not guarantee anything with respect to job.You have to be aware of lots besides these courses.For a start for a typical Indian novice fresher I would recommend to start with CCCSP,CCCS etc...links given below :

http://cdac.in/index.aspx?id=cyber_security for courses offered by CDAC on cyber security and forensics.

http://esikshak.in/eSikshak/help/English/eSikshak/cccs.htm for CCCS by CDAC

http://esikshak.in/eSikshak/help/English/eSikshak/CCCSP.html for CCCSP by CDAC

more listed at http://anupriti.blogspot.in/2012/12/cyber-security-courses-in-india.html ....though slightly old post...but everything holds good today...

6. Besides these courses which only give a very basic over view of the field,you should start getting conversant with LINUX flavors available viz UBUNTU, Fedora, OpenSuse, Linux MInt etc to mention a few....besides a horde of excellent security distros are available with all possible youtube videos and manuals on the net for helping from scratch.Get conversant and start playing with maximum tools available in these.Few of the distros that I would recommend are listed  below :

- ARCHASSAULT at https://archassault.org/

- Kali Linux at

- BackBox at

- BackTrack R3 at

- Knoppix STD

- Pentoo

- DEFT

- Parrot

- Caine

- Samurai Web Testing framework

- Matriux Krypton

- Bugtraq

- Node zero

- Cyb org

- Helix

- Network SEcurity Toolkit

- Wireshark(not an OS)

- GRML

- Chaos

- Katana

-  Damn Vulnerable Linux

- Auditor

and I must tell you these are only few to test before you start getting basic idea of what’s happening around.

7.   You have to be passionate enough to carry yourself successfully in this field.The moment you are out of touch for whatever reasons you have a lot to catch.Every thing is available on the net..be it the study material...be it any software to start.....you actually do not straight away enrol for a course..prepare yourself with the basics as available vide these distros...basic linux and then do some course to start building your documented profile.If you have reached reading here and you have queries you can get back to me here ....post a comment.

Being PGDIS : Post Graduate Diploma in Information Security@IGNOU

1.   In my endeavour to gain skill sets in Cyber Security,I have been stuffing my profile in past few years with professional Qualifications in the IT security field...though I personally feel simply loading with qualifications is not an authority to you being an expert but what matters more in this field is hands on practical training and knowledge...but still some gut feeling from inside makes me always enroll for some good course in addition to continuous hands on attempts with pracs.So in past as I qualified CCCSP@CDAC,CEH@EC-Council, and few qualifications from ASCL,Alison,Rackspace etc I got myself enrolled for a longer version course(One year)...PGDIS@IGNOU...and passed out last week with 81.13 percentage marks.Here I bring you out basic features of this course...

- Stands for Post Graduate Diploma in Information Security

- This programme emphasizes specifically on the User’s Security Awareness and needs as follows:

    - Securing one’s own desktop.
    - Securing one’s own data.
    - Securing one’s connectivity.
    - Secure browsing. (E-mail, Internet application)
    - Secure Internet transaction.
    - W3C Compliance.
    - Employee perspective of ISO 27000
    - Securing Web servers/ services.
    - Cyber Forensics.
    - Securing in the mobile world
    - Govt. rules in IT Security

- Subjects covered in this course vide two semesters are as seen below :

Click to Enlarge

- Course fee is Rs 9000/- per semester

AMAZING PROMPT STAFF

3.  I would like to bring out another good thing about this course...the staff involved is surprisingly amazing and prompt.I always had this view about IGNOU being a sarkari university with slow staff,slow procedures,slow communications and so on...but the kind of dedicated staff that is available for this course deserves accolades and loads of appreciation...the study center staff with Mr Santosh,Mr Niranjan @ Delhi Center , Dr Anup Girdhar as the conducting instructor and guide for course/project and Ms Urshla Kant,coordinating staff from the Faculty of SOVET......all working together to bring out this relatively good course that involves...contact programmes,theory and practicals....I found it much contentful then CEH,CISSP etc.Wish them al d best....

4.   More details at http://www.ignou.ac.in/upload/Announcement/Programme_Guide_and_Prospectus_PGDIS_ACISE.pdf and http://www.ignou.ac.in/ignou/aboutignou/school/sovet/faculty/detail/Ms_Urshla_Kant-599

BACKTRACK 5 R3 : ReverseRaider

1.   This post will brief on a tool known as Reverse Raider available in the information gathering menu drop down in Backtrack 5

About the Tool 

2.   ReverseRaider is a domain scanner that uses various techniques, such as wordlist scanning to find target's subdomains or reverse resolution for a range of ip.It's fully multi-threaded and supports permutation on wordlist, IPv6 and various DNS options (e.g. no-recursion).

3. Developed by  Acri Emanuele at crossbower@gmail.com

Usage: reverseraider -d domain | -r range [options]
 

Options:

  -r    range of ipv4 or ipv6 addresses, for reverse scanning
        examples: 208.67.1.1-254 or 2001:0DB8::1428:57ab-6344
  -f    file containing lists of ip addresses, for reverse scanning
  -d    domain, for wordlist scanning (example google.com)
  -w    wordlist file (see wordlists directory...)
 

Extra options:
  

  -t    requests timeout in seconds
  -P    enable numeric permutation on wordlist (default off)
  -D    nameserver to use (default: resolv.conf)
  -T    use TCP queries instead of UDP queries
  -R    don't set the recursion bit on queries

4.   Most of the  DNS enumeration scripts available in backtrack focus on typical DNS but reverseraider does what it sounds like it might do which is enumerate reverse DNS names. Enumerating reverse DNS on an IP or set of IP’s can sometimes reveal information you did not previously have. It is possible to be targeting a web server that has a bunch of virtual hosts and you prefer to track down primary web site on the web server which is where reverseraider may provide the results necessary as it is more likely that the most important site on the virtual web server has reverse DNS configured on the host itself. 

5.   I found out this very useful and exhaustive post at http://www.question-defense.com/2012/04/01/backtrack-5-information-gathering-network-analysis-dns-analysis-reverseraider

This post gives an excellent description with details of three methods of using reverseraider.

BACKTRACK 5 R3 : LBD [ Load Balancing Detector ]

1.   Before we start working on this tool,we need to first get clear of what exactly is Load Balancing?

2.    Load balancing is a method to distribute workload over multiple computers , network links, central processing units, disk drives, or other resources, to achieve optimal resource utilization, maximize throughput, minimize response time, and avoid overload. So before any one performs a penetration test, some recon work needs to be done on the target domain to make sure it does not have the ability to misdirect any probes and attacks.

About the Tool : LBD

3.   LBD (Load Balancing Detector) is a small script that tells if a given domain uses DNS and/or HTTP Load-Balancing (via Server: and Date: header and diffs between server answers). The main purpose of the tool is to check if the given domain uses load balancing.In other words when a server uses load balancing to distribute its work load over multiple systems, it should not get clogged up with excessive requests that prevents disruptions. This will mostly be applicable to renowned websites to reduce their system workload and to prevent malicious DOS attacks.

Usage : ./lbd [Domain]

4.    I could not find any switch option that can be used with the command ....so the usage is simple....I have tried this on two sites : certifiedhacker.com and dvwa.co.uk.Screen shots of the results obtained are seen below :

BACKTRACK 5 R3 : FIERCE

1.  What's in a name ? But here when the name of the tool is FIERCE...it has the potential to grab eyeballs....about FIERCE first....Fierce is a perl script written by RSnake and helps at the first steps of a pentesting ie the reconnaissance. The focus of any pentester  is to gather as much info as possible about the target before starting the attack.Exactly like earlier tools discussed in the Information Gathering drop down of Backtrack 5 R3,FIERCE is used for DNS Enumeration and is a great tool for discovering non-contiguous IP address for a certain company. It is difficult to discover and gather information about a company network which is non-contiguous using traditional tools. Though we can use a normal scanner against an IP range, but if the IP ranges are nowhere near one another there may be chance of missing chunks of networks. For this type of situation FIERCE is used.The following is the working process of FIERCE.

First it asks DNS for the DNS servers of the target. If DNS server of target is misconfigured then fierce attempts to dump the SOA records for the domain. If it fails then it attempts to "guess" names that are common amongst different companies using bruteforce.

2.   The info gained from this tool FIERCE can be used by subsequent tools to be used like nmap, unicornscan, nessus, nikto, etc, since all of those require that you already know what IP space you are looking for.  This does not perform exploitation and does not scan the whole internet indiscriminately.  It is meant specifically to locate likely targets both inside and outside a corporate network.  Because it uses DNS primarily you will often find mis-configured networks that leak internal address space. That's especially useful in targeted malware.

SYNTAX :  perl fierce.pl [-dns example.com] [OPTIONS]  

3.  The switches that can be used with this command are shown in the screen shot below :

(Click on the Image to enlarge)

4.    So I tried running the tool on certifiedhacker.com & dvwa.co.uk and the output is shown below vide a screen shot :

certifiedhacker.com

(Click on the Image to enlarge)

dvwa.co.uk

(Click on the Image to enlarge)

 

(Click on the Image to enlarge)

This info will be good enough to march ahead from a pen tester point of view!!!!!!

BACKTRACK 5 R3 : dnswalk

1.   In this post I am going to show how the dnswalk works.Before you use this tool...there is a small twist to the tale...almost all users who use this command will invariably get the message " You will have to enable the component called 'universe'"....and for this..so to resolve refer my immediate earlier post here.First lets see what are the features of this tool...what actually it does and what is the syntax ?

Main Features :

 

2.    Dnswalk is a DNS debugger. It performs zone transfers of specified domains, and checks the database in numerous ways for internal consistency, as well as accuracy. Dnswalk should NOT be used without a firm knowledge of the DNS RFC's. The warnings and errors must be interpreted within the context they are being used. Something may be flagged as a warning, but in reality it is a really bad error. Conversely dnswalk will flag things as warnings and possibly even errors, but they may actually be perfectly "legal" or normal in your specific situation. Dnswalk is not an AI engine. It just provides useful information which you need to interpret.

3.   Another important thing about the tool is w.r.t the syntax.The domain name specified on the command line MUST end with a '.' ie a dot.If u simply type in man dnswalk at the terminal,you will most of the info than I have bought here...The syntax and the switch functions are briefly bought out here :

SYNTAX : dnswalk [ -adilrfFm ] domain.

-r = Recursively descend sub-domains of the specified domain. Use with care.
-a = Turn on warning of duplicate A records. (see below)
-d = Print debugging and ‘status’ information to stderr. (Use only if redirecting stdout) See DIAGNOSTICS section.
-m = Perform checks only if the zone has been modified since the previous run.
-F = perform “forced” checking. When checking an A record, compare the PTR name for each IP address with the forward name and report mismatches.
-i = Suppress check for invalid characters in a domain name. (see below)
-l = Perform “lame delegation” checking. For every NS record, check to see that the listed host is indeed returning authoritative answers for this domain.

Below I have bought out few screen shots on how the command may be used and what it brings out.I have used two domains for practise here.One is certifiedhacker.com and iitk.ac.in.The former does not bring out much but the latter brings out more info that I find amazing......so the first command tries to find zone transfer records of the target domain.

Command : dnswalk -r iitk.ac.in.

(Click on the Image to Enlarge)

(Click on the Image to Enlarge)

This command with other switches can be used in the same manner as shown above with the following switch combinations :

dnswalk -i iitk.ac.in.

Turns on warning of duplicate A records

dnswalk -a iitk.ac.in.

Performs debugging on the site

dnswalk -d iitk.ac.in.

Checks whether the domains are been modified are not

dnswalk -m iitk.ac.in.

If you wish to perform all the above things through single command line argument you can type the following.The same is shown in the screen shot subsequently

dnswalk -riadmfl iitk.ac.in.

(Click on the Image to Enlarge)

(Click on the Image to Enlarge)

....and for a website that shows no result like certifiedhacker.com.....the screen shows the answer

(Click on the Image to Enlarge)

BACKTRACK 5 R3 : dnstracer

1.  Dnstracer is another in the line of information gathering tool in Backtrack 5 R3 that determines where a given Domain Name Server (DNS) gets its information from, and follows the chain of DNS servers back to the servers which know the data. It basically works by sending the specified name-server a non-recursive request for the name. If the name server does returns an authoritative answer for the name, the next server is queried. If it returns an non-authoritative answer for the name, the name servers in the authority records will be queried. The program stops if all name-servers are queried.

(Click on the image to enlarge)

The switches available with the command line are :

(Click on the image to enlarge)

As can be made out from the screen shhot above,the option switches have variety to offer and thus a whole lot of basic info on the specific DNS can be churned out.The syntax of the command is :

dnstracer [options] [host]

-c:    disable local caching, default enabled
-C:   enable negative caching, default disabled
-o:    enable overview of received answers, default disabled
-q     : query-type to use for the DNS requests, default A
-r     : amount of retries for DNS requests, default 3
-s      : use this server for the initial request
-t      : Limit time to wait per try
-v     : verbose
-S      : use this source address.
-4     : don't query IPv6 servers

In the screen shots below I have taken example of the dvwa.co.uk for running the command on.....the command run is

dnstracer certifiedhacker.com

dnstracer -q soa -o certifiedhacker.com

(Click on the image to enlarge)

(Click on the image to enlarge)

Running the command with and without switches effects the final output of info as seen in the info....

BACKTRACK 5 R3 : dnsrecon

1.   Dnsrecon is another nice easy to use tool for pen testers for enumeration. The kinds of things dnsrecon can do are as follows:

    - Reverse Lookup against IP range
    - Perform general DNS query for NS,SOA and MX records
    - Cache snooping against Name Servers
    - Google Scanning for Sub Domains and Host

 2.   The command line usage and the few imp switch execution details are briefed here down :

   -h       --help                 Show this help message and exit
   -d       --domain            Domain to Target for enumeration.
   -c       --cidr                  CIDR for reverse look-up brute force (range/bitmask).
   -r       --range               IP Range for reverse look-up brute force
   -n      --name_server    Domain server to use, if none is given the SOA of the
                                      target will be used
   -D     --dictionary         Dictionary file of sub-domain and hostnames to use for
                                       brute force.
    -t     --type                  Specify the type of enumeration to perform:

Available through :
                           
Backtrack -> Information Gathering -> Network Analysis -> DNS Analysis -> dnsrecon

In this blog post,I  will be covering 3 enumeration techniques. These being:

    SRV records Enumeration
    Top Level Enumeration
    Standard Enumeration

(Click on image to Enlarge)

(Click on image to Enlarge)

 

 

To perform an SRV records enumeration against a domain the following input command will be run:

Code:

./dnsrecon.py -t srv -d

As an example if we wanted to do this to certifiedhacker.com, our command would be as follows:

Code:
./dnsrecon.py -t srv -d google.com

(Click on image to Enlarge)

Top Level Enumeration

For performing a top level enumeration the following command will be used :

Code:
./dnsrecon.py -t tld -d

If the same command is run for google.com,the following command will be used

Code:
./dnsrecon.py -t tld -d google.com
 

(Click on image to Enlarge)

(Click on image to Enlarge)

and similarly,to perform an STD (standard) enumeration,the following command is used :

Code:

./dnsrecon.py -t std -d


Using Google as an example again, our command would be:

Code:

./dnsrecon.py -t std -d google.com

The result as seen below in a standard enumeration :

(Click on image to Enlarge)

(Click on image to Enlarge)