It has been a long time since our last interview. That's why we prepared something special for you. Wolf Halton and Bo Weaver are the authors of the new book Kali Linux 2: Windows Penetration Testing. Together they told us about the process of writing the book, what you can learn from it, and why Linux is so important.
[Hakin9 Magazine]: Hello Bo and Wolf, we’re very happy you could talk with us! Could you please introduce yourselves to our readers?
[Wolf Halton]: Hi, I am Wolf Halton. The first time I tried to penetrate a Windows system was in 1993, and I have been using Linux since about 2002. I have been pen-testing for about 15 years, and never stop learning new ways to attack networks. I have taught college students how to approach pen-testing, as well as other security topics, and am now working on getting a PhD in Information Assurance. This is the second book on which I have collaborated. The first book was designed as a textbook, but this one is more of a technical manual for the trade.
[Bo Weaver]: Hi, I'm Bo Weaver. In 1971 when I was in the US Navy going to school, I worked on a little DARPA project called ARPANET. At the time, I never thought what I was working on would grow into what we have today. Even then I never liked the idea that a machine could outthink me, so even back then I used to figure out ways to “outsmart” the machine. Back then, systems ran UNIX so I became a command line cowboy. I also worked for a while as a private investigator and in executive protection. I've always liked gathering data, analyzing a situation, forming a plan and executing that plan. When the commercial Internet came about, I worked with a lot of BBS services in the Atlanta area setting up Internet gateways for these services and securing these services. From there I've held about every job there is in IT, from Customer Support to designing and securing major data centers. I've been using Linux since the 90's and run Linux on all my personal machines. Hacking is my passion.
[H9]: You have recently co-authored a book on Windows Penetration Testing with Kali Linux 2. Can you tell us more about the project?
[WH]: When Hemal Desai at Packt Publishing sent me an email requesting I consider writing a book about Kali Linux that they wanted developed, I was on the brink of turning them down. I was busy, and I couldn't see how I could put in the time. I wanted to write the book, so I asked my friend Bo Weaver if he had time to help me. He was also quite busy, but said he would work on the project with me. We broke the book into 10 individual projects, and took them as they fit what we were working on and the available time. The idea was to produce a book that didn't leave anything out in the examples of working exploits. Some books have incomplete or poorly explained exploits. We wanted to have a book that answered the questions of the novice and intermediate pen-testers, but also might be interesting to other advanced pen-testers.
[BW]: In the past, I had worked with Wolf on several of his writing projects on the technical aspects of the project. When this project came up, he asked if I would co-author the book with him and be more involved with the actual writing. I liked the idea of the book and I have seen the need for this book in the industry. There have been a lot of times Windows Sysadmins have asked me “How do you run a pen test?” wanting to run their own tests to test their networks. This is never a short answer, but this book does cover all those answers on how a pen test works and how a real bad guy can breach your network. The exploits in this book have been used in real-world major breaches you have read about in the news.
[H9]: Who should read your book?
[WH]: Windows administrators who are looking at getting into penetration testing are our most natural audience. We expect them to be well-rounded Windows admins, who will not need a lot of coaching in that area. We have noticed that not all Windows experts know a lot about Linux, so we built in lots of tips and warnings to help our readers learn some shortcuts and features of Kali Linux, and most Linuxes.
[BW]: Windows Sysadmins and anyone that deals directly with the security certification process for a network like PCI DSS or HIPAA. The testing process in the book follows all the industry standards and processes for testing secure networks. We didn't invent anything here, this is just how it works. I also see it has a chance to introduce Windows Sysadmins to a better and more secure operating system. Fear not the Penguin.
[H9]: You talk a lot about aiming this book at Windows administrators rather than people primarily interested in cybersecurity. Was there something you wrote without thinking about it, only to be told later on “no admin is going to know what you mean, you have to explain”?
[WH]: I never had an intent to leave out people whose primary interest is security. I am, myself, a person whose primary interest is network security. In my opinion, most system and network administrators also have a primary interest in keeping their networks and systems safe and secure, as well as maintaining availability and data integrity. I want to give the administrators more ammunition to help them do their jobs. Most of us did not get to a security-focused career in a straight line, and most of us got where we are by self-study. The biggest drawback to self-study is there is not always a strong systematic framework to it. In formal study, with outlines, textbooks and good mentoring, there will be fewer little pieces of the education that are left out.
Cybersecurity is an interesting subject and there are a lot of ways to get part of the story, though this book cannot be much more than an introduction to a few of the tools available in and out of Kali Linux. Our intention was to make it an exhaustive and detailed introduction, upon which an interested reader could build a more systematic study and practice of the discipline. We also wanted the exercises to be fun. One of the drawbacks of getting a college degree in cybersecurity or anything else is that the fun may be leached out of the subject. The depth of the explanations in the book arises from my experience with working with computer security engineers. There is so much to know that sometimes we get a handle on a topic without a full understanding of the basics. I don’t know about you, but I am always happier if somebody explains where the information came from, so I can go back into the literature privately, rather than hoping that the presenter has the time to explain everything in depth.
The worst feeling in the world is having to say you will return deliverables when you are not sure of the basics, and I have been on 3:00 AM emergency mitigation or repair gigs where there was no way to go find an expert or even adequate documentation when something is going unexpectedly wrong with the solution in the book. This book has the most likely errors you might face, and the cause, cure, and workarounds for them.
[BW]: Not really. Wolf and I both have worked as Systems Administrators in the past and we worked really hard to explain things as two Sysadmins talking to each other. We both have worked with mixed networks (Windows, Linux and UNIX) and try also to explain the workings of Linux compared to the workings of Windows. A short example would be comparing Linux daemons to Windows services. They’re really basically the same things but using different terms, or the “ls” in Linux. It might be that someone who hasn't worked as a Sysadmin might have a harder time understanding the book.
[H9]: What was the biggest challenge when writing the book?
[WH]: Finding the time to work on the book was the first challenge, followed by setting up the labs so that we could choose the best examples of exploits for each chapter. We had to be sure that we had real value for the reader in every one of the scenarios, so they were useful in developing a method or approach.
[BW]: Yes, finding the time. I work full time doing this 40 hours a week. Three to four nights a week I am actually “doing” everything in the book. The other nights I am writing reports on these tests. It will make your brain a bit toasty sometimes. Doing this all the time, things become automatic, and having to slow down and think about the actual step by step and explain the “whys” about the steps was a challenge.
[H9]: Once the book was written, was there anything in the reviewing or editing process that surprised you?
[WH]: The editing and review process was painless at Packt. Since it was ongoing, as we finished chapters, there were never that many things to fix at once. My biggest problems were related to changing the files as they went from Apache Open Office, to Libre Office to Microsoft Office (various versions). Embedded images occasionally multiplied to the point that there were 17,000 copies of a given image, all completely overlapped. We have to embed the images, so we have an idea how many pages we are getting to. The problem with having 17,000 images in a document was that they slowed the loading of the document. This was easier to fix in open document format source-code, but it was tremendously time-consuming. All on me to do it, as that was not in anybody else's job description. The process makes me want to finally learn TeX, and never write another word in any word-processing format at all.
[BW]: I was surprised at the level of cross checking material and the level of detail in the reviewing process. I think it went really well, and the people at Packt doing the backend work on the book did a great job and brought a great level of experience to making the book happen. It was a lot more painless than expected.
[H9]: Is there any part of the book, a chapter or a section maybe, which you are particularly proud of?
[WH]: I am rather proud of the section “Weaseling in with Weevely” in Chapter 7. It started out as an afterthought, but became a useful example of how to stack exploits on an already vulnerable system. Weevely is designed to attack PHP on a web server. Popular web frameworks such as WordPress and Drupal are built in PHP code, but as long as the server is running PHP, the site you breach doesn't have to be built with PHP.
[BW]: Chapter 8 “Maintaining Remote Access”. The pivoting around the world and into a backend private network is real. I rented VMs in various parts of the world and pivoted through them just like an attacker would do with breached systems through two firewalls and into a private network with no Internet access. This shows how knowing the attacking IP address doesn't tell you where your attacker is. Hearing that an attack is coming from China tells you nothing. In this chapter, I attack myself from China but I am sitting in North Georgia running the attack.
[H9]: Why is the first chapter titled “SHARPENING THE SAW”? Whose idea was that?
[WH]: “Sharpening the saw” comes from an old country saying. The difference between a beginning wood-cutter and a master wood-cutter is that the master spends more time sharpening the saw before they begin the job (and periodically through the life of the job). A dull saw makes it harder to cut wood. A beginner wants to get directly to cutting, and so wastes a lot of energy pushing the dull saw through the wood. Even though it would look like the beginner is getting more work done at first, they will be entirely worn out by lunch. The master who prepares the tools to get optimal performance from them every time will get more work done, with less effort and better results. So sharpening the saw here means preparing your installation of Kali 2 so that it is properly configured for the job at hand.
[BW]: My grandpa was a Machinist and taught me “A craftsman is only as good as his tools and he takes care of his tools because without his tools he's just a talking head.” Planning and preparing or “Sharpening the Saw” is the most important part of any project. Without it, a fun and simple project can turn into a nightmare.
[H9]: Do you think that there is still place for textbooks in the world of online tutorials?
[WH]: Is there a place for traditionally published technical books of any kind, one might ask. Professionally written and produced books are more likely to be reviewed for accuracy, and vetted by an editor for readability. I think a tutorial by a talented person may be as good as a section in a good book on the same subject, but there are hundreds (or thousands) of online tutorials that are poorly written and often have errors that can harm the user or the machines they are testing. Quality control is one of the main jobs publishers perform.
[BW]: Very much so. A book doesn't have a battery to run down nor an OS that needs to be rebooted. You can write in the margins and attach sticky notes to the pages. Books work by solar power and even candle light. All kidding aside there is so much trash on the Internet today but by getting material from a known good source, such as a traditional publisher, you know the information is correct. Why did I decide to write for Packt? I have about 20 books of theirs I have bought over the years and still use these books today. Packt produces a quality product. When I see a book from Packt, No Starch Press, or Sams, to mention a few, I know I'm going to get good information for my money that is well written and well thought out.
[H9]: Do you see any challenges for penetration testers in the near future, or is it a smooth ride for the next few years?
[WH]: The more the rules of engagement for pen-testing are codified, and the more the discipline attracts people whose primary interest is the paycheck rather than the puzzle-solving aspects of the discipline, the more we will need a specified licensure to help the customers understand who are “genuine penetration testing experts” and who are test-taking experts. I can easily see a time, very soon, when there will have to be such legal licensure for pen-testers to protect the discipline and the buying public.
[BW]: Being considered a “Weapon of Mass Destruction” by governments. A lot of pen testing tools that were once freely available now fall under the Munitions Act. Lately I have had to produce ID in order to obtain tools and take some classes that in the past there would not have been a background check.
[H9]: On the other hand, some tools that were once hidden rather well are now on the loose - I’m of course alluding to the recent NSA leak. What are your thoughts on that?
[WH]: In 2001, there were all sorts of consultants trying to interest the military and intelligence communities in the idea of cyber-warfare. They either had solutions or wanted to be involved in making tools to wage cyber-warfare. There was a lot of buzz about the threat of cyber-war, which at the time, the military was not all that interested in pursuing. Now there have been cyber-warfare operations in all parts of the world, and it is a standard feature of international diplomacy. Russia ran constant denial of service (DoS) attacks on Georgia's civilian opposition groups during the military operation in South Ossetia in 2008. The Russian government is also considered to be the organizing factor in cyber-skirmishes for propaganda advantage in Ukraine, disrupting telephone and Internet access for government and news sites. The U.S. and Israel created the Stuxnet family of malware that was intended to attack the specific Siemens control system that ran the Iranian nuclear program's centrifuges, designed to do damage to set their program back. All of this well-funded government attack code has to be stored someplace, and it is not surprising that other threat actors have been looking for the code.
[BW]: I got a good laugh out of that. You can't go around hacking the world or sooner or later someone will hack you back. It also clearly shows that any backdoor to a system will sooner or later be found and exploited. The problems with SSL and Man in the Middle attacks are also another good example of government backdoors weakening public security. The NSA may have some smart people working for them, but one thing I have learned is no matter how smart you are, there is always someone smarter than you.
[H9]: If you had to single out a threat that we’ll be hearing about most often for the next few months, what would it be?
[WH]: I think that the most likely threat in the next few months will be phishing and drive-by downloads leading to Advanced Persistent Threats (APT). Plainly, there is a lot of this happening, and infected is the new normal.
[BW]: Choosing a single one is hard, but I would have to say surveillance. You can't have surveillance and security at the same time. I'm not just talking about government surveillance but also surveillance by companies like Facebook, Google and Microsoft. The information that is gathered on an individual without their knowledge or consent is scary. What a person with the right tools and skills can do with that information is even scarier. What these companies do with this data is even scarier than that. I have seen lives ruined by information gathered from the Internet. I don't think it will be long before I or someone like me figures out how to exploit Windows 10 telemetry data then all your data will be mine. As a pen tester, when I hear the word “surveillance” I think “attack vector”.
[H9]: Do you have any advice you would like to share with our readers?
[WH]: Patch quickly – Most successful exploits are run against known vulnerabilities – some of these vulnerabilities are decades old! It is great to be all up on the newest Zero-Day exploit, but if you are not removing known vulnerabilities from your network, you will be taken apart sooner or later, if you aren't already Pwned.
Include security configurations in your patching process. When SSL was cracked, it became tremendously easy to read out usernames and passwords from sessions on supposedly secure hosts. Use your log files to gauge the impact of the changes required. If you are managing operations, you need to know if the change will break anything, and exactly what will break.
Plan to sunset your obsolete software and hardware. Build it into the project cost and the lifecycle plans. Network devices, such as routers, firewalls and switches, have longer usable lifespans than servers, but there are useful exploits against almost all of them. The farther past current the devices become, the more expensive they are to keep supporting properly. If you choose to short-cut and use the obsolete devices without security patches and support, you will fail your compliance assessments.
Turn off crusty old NetBIOS. Microsoft suggested that network engineers turn off NetBIOS and stop authenticating with NTLM or even the LM hashes that followed around the year 2000. NTLM is still very prevalent on many enterprise networks, and is susceptible to hash-stealing and Pass the Hash (PTH) attacks. If we have your Domain Administrators' passwords, we do not need to break in. We can just use the key.
[BW]: “Patch Your Sh_t.” Most of the time when I have burned a network to the ground it was because of a lack of system updates or that Windows 2003 Server you still have on the network. Properly segment and firewall your internal networks. I have seen in so many cases, like, five subnets on an internal network yet all ports are open between these networks. They might as well all be on the same network.
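The closing advice on NTLM, LM hashes and NetBIOS, as an added example that is not part of the interview or of the book: an audit script for a single Windows host, run from an elevated PowerShell session, that reports the relevant settings and, only with -Fix, applies the hardened values. The registry locations are Microsoft's documented ones for these security options; the target values (LmCompatibilityLevel 5, NoLMHash 1, NetbiosOptions 2) are the hardened settings chosen here, not OS defaults.

```powershell
<#
Added example, not code from the book or the interview: audit (and, with -Fix,
harden) the settings the closing advice targets on a Windows host: LM/NTLM
authentication level, LM hash storage, outgoing NTLM, and NetBIOS over TCP/IP.
Run from an elevated PowerShell session. Registry paths are Microsoft's
documented locations; the target values are the hardened choices of this script.
#>
[CmdletBinding()]
param(
    [switch]$Fix   # report only unless -Fix is given
)

$Lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$NetBT = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'

function Get-RegValue([string]$Path, [string]$Name) {
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }   # value absent: the OS default applies
    return $p.$Name
}

function Set-RegDword([string]$Path, [string]$Name, [int]$Value) {
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

$findings = @()

# LmCompatibilityLevel 5: send NTLMv2 only and refuse LM and NTLM from clients
# (security option "Network security: LAN Manager authentication level").
$lm = Get-RegValue $Lsa 'LmCompatibilityLevel'
if ($lm -ne 5) {
    $findings += "LmCompatibilityLevel is '$lm' (want 5: NTLMv2 only, refuse LM and NTLM)"
    if ($Fix) { Set-RegDword $Lsa 'LmCompatibilityLevel' 5 }
}

# NoLMHash 1: stop storing the weak LM hash at the next password change.
$noLm = Get-RegValue $Lsa 'NoLMHash'
if ($noLm -ne 1) {
    $findings += "NoLMHash is '$noLm' (want 1: do not store LM hashes)"
    if ($Fix) { Set-RegDword $Lsa 'NoLMHash' 1 }
}

# RestrictSendingNTLMTraffic: 0 = allow, 1 = audit, 2 = deny outgoing NTLM.
# Reported but never changed here: set it to 1 (audit) and read the NTLM
# operational log first, because legacy hosts and appliances still need NTLM.
$ntlmOut = Get-RegValue $Msv 'RestrictSendingNTLMTraffic'
if ($ntlmOut -ne 2) {
    $findings += "RestrictSendingNTLMTraffic is '$ntlmOut' (0=allow, 1=audit, 2=deny); not changed, audit first"
}

# NetbiosOptions per interface: 0 = follow DHCP, 1 = enabled, 2 = disabled.
Get-ChildItem -Path $NetBT -ErrorAction SilentlyContinue | ForEach-Object {
    $nb = Get-RegValue $_.PSPath 'NetbiosOptions'
    if ($nb -ne 2) {
        $findings += "NetBIOS over TCP/IP not disabled on $($_.PSChildName) (NetbiosOptions=$nb, want 2)"
        if ($Fix) { Set-RegDword $_.PSPath 'NetbiosOptions' 2 }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: NTLMv2 only, no LM hashes, NetBIOS over TCP/IP disabled on every interface.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
    if ($Fix) { Write-Output 'Applied hardened values; reboot for the NetBT changes to take effect.' }
}
```

Run it without -Fix first and keep the output with your change record. On a domain-joined host these options are normally enforced through Group Policy (Security Options), and a local registry edit is overwritten at the next policy refresh, so the lasting change belongs in the GPO. The -Fix switch alters authentication behaviour, which is exactly the kind of change the advice above says to measure from your logs before rolling out: a host that can only send NTLMv2 stops talking to anything that only accepts LM or NTLMv1.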
Kali Linux 2: Windows Penetration Testing
Microsoft Windows is one of the two most common operating systems, and managing its security has spawned the discipline of IT security. Kali Linux is the premier platform for testing and maintaining Windows security. Kali is built on the Debian distribution of Linux and shares the legendary stability of that OS. This lets you focus on using the network penetration, password cracking and forensics tools, and not on the OS.
This book has the most advanced tools and techniques to reproduce the methods used by sophisticated hackers to make you an expert in Kali Linux penetration testing. First, you are introduced to Kali's top ten tools and other useful reporting tools. Then, you will find your way around your target network and determine known vulnerabilities to be able to exploit a system remotely. Next, you will prove that the vulnerabilities you have found are real and exploitable. You will learn to use tools in seven categories of exploitation tools. Further, you perform web access exploits using tools like websploit and more. Security is only as strong as the weakest link in the chain. Passwords are often that weak link. Thus, you learn about password attacks that can be used in concert with other approaches to break into and own a network. Moreover, you come to terms with network sniffing, which helps you understand which users are using services you can exploit, and IP spoofing, which can be used to poison a system's DNS cache. Once you gain access to a machine or network, maintaining access is important.
Thus, you not only learn how to penetrate a machine, you also learn Windows privilege escalation. With easy-to-follow step-by-step instructions and supporting images, you will be able to quickly pen test your system and network.
Book website: http://bit.ly/H92016N
About the Authors:
Wolf Halton is a widely recognized authority on computer and internet security, an Amazon best-selling author on computer security, and the CEO of Atlanta Cloud Technology. He specializes in business continuity, security engineering, open source consulting, marketing automation, virtualization and datacenter restructuring, and Linux evangelism. Wolf started hacking Windows in 1993 and loaded Linux for the first time in 2002. Wolf attributes whatever successes he has had to his darling bride, Helen, without whose tireless encouragement he would have never come so far so fast.
To contact Wolf, e-mail him at [email protected]
Bo Weaver is an old-school ponytailed geek who misses the old days of black screens and green text, when mice were only found under the subflooring and monitors only had eight colors. His first involvement with networks was in 1972, while working on an R&D project called ARPANET in the US Navy. Here, he also learned the power of Unix and how to "outsmart" the operating system. In the early days of BBS systems, he helped set up, secure, and maintain these systems in the South. He later worked with many in the industry to set up Internet providers and secured these environments. Bo has been working with and using Linux daily since the 1990s, and he is a promoter of open source (yes, Bo runs on Linux). He has also worked in physical security fields as a private investigator and in executive protection. Bo is now the senior penetration tester for Compliancepoint, an Atlanta-based security consulting company, where he works remotely from under a tree in the North Georgia mountains. Bo is Cherokee and works with Native American youth to help keep their traditions alive and strong. He is also the father of a geek son, Ross, a hacker in his own right, and the grandfather of two grandchildren, Rachel and Austin, who at their young age can Nmap a network.
To contact Bo, e-mail him at [email protected]
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques, defensive and offensive. This knowledge will help you understand how the most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cyber security world. We collaborate with many individuals, universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.