In one of my recent post I explained and easy and safe way to set up your own Digital Forensics Lab and I mentioned a Linux based operating system by the name of Kali Linux. But what is it? and why would you use it in your virtual hacking lab?
Kali Linux is a Debian based operating system that uses the Gnome desktop environment, but unlike Ubuntu and Gnome Kali is packed full of usefully tools and applications for cyber security and digital forensics. Meaning that it is pretty much a one stop shop for just about any tools you could need, this makes things very convenient as you do not have to search around and download multiple applications they are already there in one place. It makes use of the Gnome menu system and groups all of the tools into named folders with the type of tool it is. This again means there is no hunting around when you have installed all of your tools.
There are a number off different use cases for a package such as Kali and the could be from a general curiosity to using it in industry as a professional. I personally use it along side my degree as is part of my course. But with it being free you can start using it when ever you want and with the many tutorial online it is really simple to get started and learn how to use it.
Because it uses the Gnome desktop it feels nice to use just like Ubuntu or Gnome, and it doesn’t feel like a tool your using. Granted a lot of people would be very unfamiliar with either of these Linux system but after a little bit it feels natural or like using any other graphical operating system. It also means that you could use it as a daily operating system if you were that way inclined. And don’t worry about requiring the latest computer hardware to run it because due to it being Linux based it doesn’t require all to much. Granted for certain task an application a little extra power wouldn’t go amiss but if you where to run it on 1 or 2 cores with 1 or 2 GB or ram it wouldn’t feel sluggish. And better yet you can run it live from a USB stick so you don’t even have to install it to benefit from it tools and features.
I tend to run it through a virtual machine, this is due to the safe lab that I mentioned before, and again it runs just like any other system within a VM. One benefit of doing this is that you can play around with the hardware the VM will supply it with. So if you have the hardware to spare you can build a beefy Kali System.
Tools Included in Kali
- AirCrack is a WEP and WPA (Router Password) cracking tool, meaning that if you where preforming a penetration test on a company you may be able to gain access to there network through the WiFi.
- Burp Suite
- This package allows you to test the security of web applications, it does this by canning the application the searches for possible vulnerability. This is a very helpful tool for developers who wish to make there product as secrecy as possible.
- Hydra is a brute force password cracking application that on the surface looks limited and outdated. But in reality is a powerful tool allowing you to attack one or many users with either a single password or from a list of passwords.
- John the Ripper
- John the Ripper is another password cracking application that is command line based, although you can use a graphical version in the form of Jonny the ripper. It has been know for its speed at being able to crack passwords.
- This is one that you are very unlikely to have used or heard of and it is Maltego, this application is an effective relationship tracker that can work on social media platforms, Computer networks and websites. Once it scans the target location it produces a map using graphics making it clear and easy to understand.
- Megasploit Framework
- This is another application that works well for developers or system admin, Megasplot Framework runs simulated attacks on your network trying to find vulnerabilities. This allows you to patch or alter the vulnerability and make your system as secure as possible. And because it is all simulated there is no negative effects on the network its self.
- Is another command line application that has a graphical front end application as well this time its in the form of Zenamp. The purpose of this tool is to preform network discover scan and also security auditing.
- Zed Attack Proxy
- The Zed Atatck Proxy or ZAP is another penetration testing tool targeting web applications, It supports the Open Web Application Security Project or OWASP and is pack to the brim with functionality and features.
- Sqlmap is again a penetration testing tool but this time it is targeting SQL databases and looks for weakness in SQL injection, In some cases SQL injection can compromise an entire database. This could potentially leave the target in a whole heap of trouble.
- Wireshark is a network protocol analyser, it boast some features such as being able to scan hundreds of protocols and preform offline analysis.
Other Similar Operating Systems
All of the above are aimed to provide a similar services to Kali Linux, and although I have limited hands on experience with each of them. I do know from others that they are good at what they do and that they should be considered as an alternative to Kali. Some of them are more tailored towards anonymity online while other are again forensics packages.
Earlier this week it came to light that the NSA (National Security Agency) had created a GitHub account, and realises some programs on the platform. This bring up a number of questions, firstly are they really trying to be that transparent or is it a novel way to try and win back the trust of the public.
Thankfully the source code for all of the application is available so it is possible to see what is going on within them, as a major concern of mine would be the potential back doors or snooping application like this could do to e user if they where not able to actually see what was going on…
But this does still beg the question as to why they have realised it, now it is not uncommon for application and other such items to trickle down the pipe line to the more “consumer” market eventually but after the vault 7 leaks a few month ago it is possible to see that they have so many more application with much more malicious uses than the few that eye have realised for the public. So there is the potential they they have realsed stuff that is out dated to them or that they don’t feel will be to compromising to all if their activitys.
Recently you might have read that a computer virus by the name of WannaCry has been extorting money from people and organizations all over the world. But what is WannaCry and should you be worried?
WannaCry (or WannaCrypt, WanaCrypt0r 2.0, Wanna Decryptor) is a computer worm that has been effecting Windows computers over the past week. It is rumored to have been enabled and aided by some of the recent Vault 7 vulnerabilitys including EternalBlue that the NSA (National Security Agency) had been collecting and storing over the past few years. This has lead to one of the most widespread and effective ransomware’s that has been seen to date. Not just targeting your average user but also going after large corporations and organization such as the NHS (National Health Services)
But what does it all mean, this ransomware could have sat dormant for month (It very likely has) just trying to spread the infection to as many vulnerable machines as possible. Until it is then activated by either the creator or by s spesific time and date. Once the infection is triggered the malicious package then encrypts the users PC and demands the user to pay the “Ransom” in this case the amount was $300 or £231.59. This is a rather large amount of money and on the scale of the attack would have made it a very profitable venture if all of the effected users pay the money to gain access back to there device.
In the case of WannaCry effecting the NHS it could have potentially cost human lives as well, because it was effecting hospitals and GP surgery’s. Without having access to the patient information the medical practitioner might have been unable to proceed with a user treatment or potential be unable to access the patients personal information. But WannaCry made a few fatal error is the design and execution of the virus. Firstly the ransom payment was required in bitcoins (Bit coins are a digital currency with no central regulation making it hard to track) but because there what only 4 addresses to pay the bit coins too and because they where hard-coded into application it means that the possibility of tracking them is a whole lot easier. And then there is the built in “Kill Switch” that was again hard coded into the application. This meant that to deactivate the ransomware, a website address needed reached. Meaning that researchers were able to find the target URL and register it meaning they then had the ability to deactivate the program.
For such an effective and wide spread virus it looks as if corners where cut, for example if the URL that was required for the “Kill Switch” had been coded to be random it would have made the pressure of finding the target URL much greater as there would not have been a clear target. And the next blunder was in the form of having only used 4 Bitcoin payment addresses, because of this it will make the authority’s job of tracking the Bitcoins slightly easier as they will just have to monitor bitcoins public transaction ledger know as the blockchain. It has also been found by Cisco researchers that the “Check payment” button did not actually do anything other than display one of 4 possible out come, meaning that the decryption of the devices was most likely done manually. But there is also speculation that the creator may just have send out a random handful of decryption keys to make it appear as if the payment has gained the user access to there machine again. If that is the cases then this virus should not really be called ransomware at all, as there is a strong possibility that even after the ransom has been paid the user will not just be given access back to their files, making this more Theftware.
But there has been further speculation from other security researches that this attack might have been made to look as if it was ransomware. This could mean that the creators had alternate motives. This could have been for a number of things, but when you consider the sort of things that where effected and completely parallelized (Hospital equipment, Trains and ATM’s) could it be possible that the ransomware side of this attack was merely a cover up? And when you consider that researchers at Kaspersky Lab have been finding evidence linking WannaCry to North Korea. This was in the form of similar code that had been used in a previous attack this year. A number of other big names in cyber security have also backed up these claims as they too have noticed drastic similarity within the code that has been used in both attacks. And when you look at the raising tensions between the USA and North Korea and acknowledge the fact that “cyber space” is the new battle field this could have just been a test run for bigger things to come, but of course this is all merely speculation.
But what do you do if your computer if effected by Ransomware and are there any procotions that you can take to make it less damaging.
Precautions to take
- Always keep regular backups of any documentation and files that you need or do not wish to lose. You could back them up to an external devices such as a USB stick or an external HDD. The other option would be to back up your files and documents to one of the many cloud services such as GoogleDrive or Microsoft’s OneDrive.
- Make sure you download and install regular updates on your operating system, this should hopeful help to prevent the vulnerability being present on your computer.
- If you machine does get infected by ransomware the first thing you should do is disconnect your devices from the internet, this could possibility prevent the virus from encrypting all of your data.
- Install an anti-virus program, there are a number of different ones out there from paid options to free ones; Paid VS Free Anti-Virus Software