Security Testing for entities hosted in cloud

Applications that are being migrated to the cloud, or are planned to be hosted there, need additional security considerations. Failure to ensure proper security protection when using cloud services may result in higher costs and loss to business. Organizations must consider security controls for the different service models, viz. Infrastructure as a Service (IaaS), Software as a Service (SaaS) or Platform as a Service.

Which applications should be moved to cloud?

·         Low to Medium Risk

What are the key security risks while hosting in cloud?

·         Isolation Failure – Multi-tenancy is a key thing in cloud. Failure in the controls that separate storage, memory, identity and access control, and routing between tenants is a huge risk.
·         Authentication and Authorization
·...

Installing and configuring Kali Linux


Hi Folks,

This being the 1st post, I thought let’s get started with the installation and configuration of the latest release of Kali Linux. After all, this is what we will use as our Ground Zero for the Fu.
For the sake of this post I will describe installation and customization on a VM. The official Kali Linux documentation has extensive details for native installs and other options.
This build and customization will use mostly open source tools and a few non-commercial versions of security tools.

We will use the 64bit image for obvious reasons.

Here we go:

1] Download the official image from here: http://www.kali.org/downloads/
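
Before booting the image it is worth checking it against the SHA-256 digest published alongside the download. The function below is an added example, not part of the original post; it assumes a checksum list in `sha256sum` format, and the function name and file arguments are illustrative.

```shell
#!/bin/sh
# Added example (not from the original post): check a downloaded image
# against a checksum list in sha256sum format: "<hex digest>  <file name>".
# File names passed in are the caller's; nothing here is Kali-specific.

# verify_download FILE SUMS_FILE
# Returns 0 = digest matches, 1 = mismatch, 2 = could not verify.
verify_download() {
    vd_file=$1
    vd_sums=$2
    if [ ! -r "$vd_file" ] || [ ! -r "$vd_sums" ]; then
        echo "cannot read image or checksum list" >&2
        return 2
    fi
    vd_name=$(basename -- "$vd_file")

    # Exact match on the file-name column; a leading "*" marks binary mode.
    vd_want=$(awk -v n="$vd_name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print tolower($1); exit }' "$vd_sums")

    # No entry, or an entry that is not 64 hex digits, means "unverified",
    # which must never be treated as a pass.
    case "$vd_want" in
        "" | *[!0-9a-f]*) echo "no usable SHA-256 entry for $vd_name" >&2; return 2 ;;
    esac
    [ "${#vd_want}" -eq 64 ] || { echo "digest has wrong length" >&2; return 2; }

    vd_got=$(sha256sum -- "$vd_file" | awk '{ print $1 }')
    if [ "$vd_got" = "$vd_want" ]; then
        echo "OK: $vd_name matches the published digest"
        return 0
    fi
    echo "MISMATCH for $vd_name: expected $vd_want, got $vd_got" >&2
    return 1
}

# Script usage: sh verify.sh <image.iso> <checksum-list>
if [ "$#" -eq 2 ]; then
    verify_download "$1" "$2"
fi
```

A checksum list only proves integrity if it is itself authentic: fetch it over HTTPS from the vendor's site and, where a detached signature is published for it, check that signature first.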


2] Installation and configuration

Start your virtualization software, e.g. VMware Player / Workstation, VirtualBox etc. (I chose VMware Workstation), and select create new virtual machine.
Use Typical.
Provide the path for the image file we downloaded.
Give a name for the machine.
Customize the hardware to suit the requirements. I am using 4GB RAM, 60 GB HDD, 2 processors with 2 cores.
Check all settings before proceeding.
As you hit finish the VM will fire up.
Select Install.
Select country, language, date, time etc. and proceed.
Most importantly, use a strong password for the root account.
Follow the prompts for partitioning.
Now wait and watch while the installation is going on.
Configure the mirror.
Configure APT.
GRUB boot loader.
Finishing installation.
At this stage remove the media and hit continue.
This will complete the last steps and reboot the VM.
Beautiful – we now have the dragon asking us to log in.
Enter username.
Enter password.
And we have the base Kali Linux up and running.
However, there is a lot of work to be done before it is usable.
The screen size is very small at this point; to improve this and to make certain other useful features available we will install the VMware tools.
Select the option to install VMware tools from the VMware Workstation menu.
Do the following:

echo cups enabled >> /usr/sbin/update-rc.d
echo vmware-tools enabled >> /usr/sbin/update-rc.d
apt-get install gcc make linux-headers-$(uname -r)
ln -s /usr/src/linux-headers-$(uname -r)/include/generated/uapi/linux/version.h /usr/src/linux-headers-$(uname -r)/include/linux/

mkdir /mnt/vmware
mount /dev/cdrom /mnt/vmware/
cp -rf /mnt/vmware/VMwareTools* /tmp/

cd /tmp/
tar zxpf VMwareTools-*.tar.gz
cd vmware-tools-distrib/
./vmware-install.pl

Follow the on-screen prompts.
Once installation of the tools is complete you may see a message on screen.
Although not mandatory, I recommend rebooting your VM once at this stage. You will notice the difference after reboot.
While rebooting, in VMware Workstation select view > auto size > auto fit guest.
Awesome. Now we have the screen sorted and added functionality like copy-paste, drag and drop etc. between guest and host.
I would change the networking of the Kali box to Bridged instead of the default NAT option.

3] Further configuration and fine tuning

UPDATE REPOSITORIES
#apt-get update && apt-get upgrade
Follow the prompts.
This might take a while.
Now that we have updated the repositories, before proceeding further let’s see what we have got.
uname -a
cat /etc/issue

INSTALL ADOBE FLASH PLUGIN

#apt-get install flashplugin-nonfree
#update-flashplugin-nonfree --install
INSTALL FILEZILLA FTP CLIENT

#apt-get install filezilla filezilla-common

Well, at this point Kali Linux should be good enough for you to start with. Considering that many penetration testers use Nessus for vulnerability assessment, I will go ahead and install / configure Nessus with the Home feed.
INSTALL NESSUS

Register with Tenable for a home feed code: http://www.tenable.com/products/nessus-home
Download Nessus.
Once the download is complete, open a terminal, navigate to the download directory and issue the following command:

dpkg -i Nessus-5.2.7-debian6_amd64.deb

Start the Nessus service:

service nessusd start

Then open a browser and go to https://127.0.0.1:8834
Add a security exception in the browser.
Click Get Started.
Set up a user and password.
Click Next.
Enter the registration code.
Done.

(There is an entry at the Tenable blog: http://www.tenable.com/blog/installing-and-using-nessus-on-kali-linux)

Next, Nessus will download the plugins and this may take some time. Once done, your machine gun is ready. Be careful while using it.

That’s all for this post. Hope this was useful and you enjoyed reading it.
For any questions / comments kindly post in the comments or drop me an email.
