Kali Linux (Kali) is the successor to the BackTrack penetration testing platform which is generally regarded as the de facto standard package of tools used to facilitate penetration testing to secure data and voice networks. This chapter provides an introduction to Kali, and focuses on customizing Kali to support some advanced aspects of penetration testing. By the end of this chapter, you will have learned:

Reconnaissance is the first step of the kill chain when conducting a penetration test or an attack against a network or server target. An attacker will typically dedicate up to seventy-five percent of the overall work effort for a penetration test to reconnaissance, as it is this phase that allows the target to be defined, mapped, and explored for the vulnerabilities that will eventually lead to exploitation.

There are two types of reconnaissance: passive reconnaissance, and active reconnaissance.

Generally, passive reconnaissance is concerned with analyzing information that is openly available, usually from the target itself or public sources online. On accessing this information, the tester or attacker does not interact with the target in an unusual manner—requests and activities will not be logged, or will not be traced directly to the tester. Therefore, passive reconnaissance is conducted first to minimize...

The objective of the reconnaissance phase is to gather as much information about the target as possible in order to facilitate the exploitation phase of the kill chain.

We have seen how passive reconnaissance, which is almost undetectable, can yield a significant amount of information about the target organization and its users.

Active reconnaissance builds on the results of open-source intelligence and passive reconnaissance, and focuses on using probes to identify the path to the target and the exposed attack surface of the target. In general, complex systems have a greater attack surface, and each surface may be exploited and then leveraged to support additional attacks.

Although active reconnaissance produces more information, and more useful information, interactions with the target system may be logged, triggering alarms by protective devices, such as firewalls and intrusion detection systems. As the usefulness of...

The goal of passive and active reconnaissance is to identify the exploitable security flaws that are most likely to support the tester's or attacker's objective (denial of service, theft, or modification of data). The exploit phase of the kill chain focuses on creating the access to achieve the objective—either stopping the access to a target by creating a denial of service or the more common approach of establishing persistent access to the target from the attacker.

The penetration tester must be concerned with the following aspects of the exploit phase:

In the modern world of hacking and system attacks, attackers are not as concerned with exploitation as they are with what can be done with that access. This is the part of the kill chain where the attacker achieves the full value of the attack.

Once a system has been compromised, the attacker generally performs the following activities:

The final stage of the attacker's kill chain is the "command, control, and communicate" phase, where the attacker relies on a persistent connection with the compromised system to ensure that they can continue to maintain their control.

To be effective, the attacker must be able to maintain interactive persistence—they must have a two-way communication channel with the exploited system (interactive) that remains on the compromised system for a long period of time without being discovered (persistence). This type of connectivity is a requirement because of the following reasons: