Mastering Kali Linux for Advanced Penetration Testing

By: Robert Beggs

Overview of this book

This book provides an overview of the kill chain approach to penetration testing, and then focuses on using Kali Linux to provide examples of how this methodology is applied in the real world. After describing the underlying concepts, step-by-step examples are provided that use selected tools to demonstrate the techniques.

If you are an IT professional or a security consultant who wants to maximize the success of your network testing using some of the advanced features of Kali Linux, then this book is for you. This book will teach you how to become an expert in the pre-engagement, management, and documentation of penetration testing by building on your understanding of Kali Linux and wireless concepts.
Table of Contents (5 chapters)

Preface

This book is dedicated to the use of Kali Linux in performing penetration tests against networks. A penetration test simulates an attack against a network or a system by a malicious outsider or insider. Unlike a vulnerability assessment, penetration testing is designed to include the exploitation phase. Therefore, it proves that the exploit is present, and that it is accompanied by the very real risk of being compromised if not acted upon.

Note

Throughout this book, we will refer to "penetration testers," "attackers," and "hackers" interchangeably as they use the same techniques and tools to assess the security of networks and data systems. The only difference between them is their end objective—a secure data network, or a data breach.

Most testers and attackers follow an informal, open source, or proprietary-defined testing methodology that guides the testing process. There are certain advantages of following a methodology:

  • A methodology identifies parts of the testing process that can be automated (for example, a tester may always use a ping sweep to identify potential targets; therefore, this can be scripted), allowing the tester to focus on creative techniques to find and exploit vulnerabilities
  • The results are repeatable, allowing them to be compared over time, cross-validated between one tester and another, or used to determine how the security of the target has improved (or not!) over time
  • A defined methodology is predictable in terms of time and personnel requirements, allowing costs to be controlled and minimized
  • A methodology that has been preapproved by the client protects the tester against liability in the event there is any damage to the network or data

Formal methodologies include the following well-known examples:

  • Kevin Orrey's penetration testing framework: This methodology walks the tester through the sequenced steps of a penetration test, providing hyperlinks to tools and relevant commands. More information can be found at www.vulnerabilityassessment.co.uk.
  • Information Systems Security Assessment Framework (ISSAF): This comprehensive guide aims to be the single source for testing a network. More information on this can be found at www.oissg.org.
  • NIST SP 800-115, Technical Guide to Information Security Testing and Assessment: Written in 2008, the four-step methodology is somewhat outdated. However, it does provide a good overview of the basic steps in penetration testing. You can get more information at http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf.
  • Open Source Security Testing Methodology Manual (OSSTMM): This is one of the older methodologies, and the latest version attempts to quantify identified risks. More details can be found at www.osstmm.org.
  • Open Web Application Security Project (OWASP): This is focused on the 10 most common vulnerabilities in web-based applications. More information on this can be found at www.owasp.org.
  • Penetration Testing Execution Standard (PTES): Actively maintained, this methodology is complete and accurately reflects the activities of a malicious person. You can get more information at www.pentest-standard.org.
  • Offensive (Web) Testing Framework (OWTF): Introduced in 2012, this is a very promising direction in combining the OWASP approach with the more complete and rigorous PTES methodology. More details can be found at https://github.com/7a/owtf.

Unfortunately, the use of a structured methodology can introduce weaknesses into the testing process:

  • Methodologies rarely consider why a penetration test is being undertaken, or which data is critical to the business and needs to be protected. In the absence of this vital first step, penetration tests lose focus.
  • Many penetration testers are reluctant to follow a defined methodology, fearing that it will hinder their creativity in exploiting a network.
  • Penetration testing fails to reflect the actual activities of a malicious attacker. Frequently, the client wants to see if you can gain administrative access on a particular system ("Can you root the box?"). However, the attacker may be focused on copying critical data in a manner that does not require root access, or on causing a denial of service.

To address the limitations inherent in formal testing methodologies, they must be integrated in a framework that views the network from the perspective of an attacker, the "kill chain."
