On the Review and Setup of Security Audit Using Kali Linux

ABSTRACT


INTRODUCTION
Nowadays, the computer is considered essential to everyone, from young to old and from students to corporations. The number of computers grows rapidly every year, and this rapid growth raises security concerns. Computer security is vital because adversaries are always looking for opportunities and vulnerabilities with which to challenge it. According to [1], security is not just the notion of being free from danger, as it is commonly conceived, but is associated with the presence of an adversary. The presence of an adversary who is always seeking to obtain sensitive and private personal information, to threaten the system, and to use it against its legitimate purpose makes computer security paramount. The Operating System (OS) is a program comprising millions of lines of code that acts as an intermediary between the user of a computer and the computer hardware. There are many OSs running on computers, but only three of them are widely used: Windows OS, Mac OS and Linux OS. Based on Figure 1(a), it can be seen that Windows OS dominates computer operating systems at 83.93%, Mac OS comes second with 10.29% and Linux OS third with 3.76%. This means that Windows OS is exposed to many vulnerabilities because it is so widely used. In [2], the author stated that operating systems with a vast number of users, like Microsoft Windows or Linux, are exposed to malicious code attacks that come from man-in-the-middle attacks (MITM).
For mobile operating systems, Android and iOS dominate the smartphone operating systems. Figure 1(b) shows that, with 69.68%, Android is currently leading the race, leaving iOS second with 19.35%. In the case of smartphones, Android is an open-source platform where there is no royalty fee to develop for the platform. The source code is available on the internet, and everybody can use it freely without violating any copyright act. As mentioned in [3], the whole source code of the Android Operating System is free to use under the General Public License version 2 (GPLv2), where any improvement to the source code by third-party developers must remain under the open-source licensing terms. Likewise, the Android framework, which is distributed under the Apache Software License (ASL/Apache2), permits both open and closed code derived from the original source code [3].
Because of these open-source practices and its widespread use, Android is exposed to numerous malicious threats. In the Cisco 2014 Annual Security Report, it is reported that the rapid growth in the number of Android users makes it a favourable target of malware attacks [4].
Computer security can be perceived from two different perspectives: computers that are connected to a network and those that are not. The primary concern is the computer connected to a network, since most computers in this era are networked. Secure computing means achieving the goals of security in an information environment in the face of threats; the goals are confidentiality, integrity, availability and resilience [1]. Confidentiality is about keeping personal or organizational data exclusive. Integrity is preserving the system or the data from being altered or changed illegally by unauthorized users [5]. Availability means being able to use the system as anticipated. Resilience is what allows a system to endure security threats instead of failing critically.
Kali Linux is the most popular software package for penetration testing and security audit, and many books have been written on this topic [6][7][8][9][10]. The objective of this paper is to provide a comprehensive review of security penetration testing and security audit using Kali Linux. Section 2 describes penetration testing, while Section 3 explains the role of the security analyst. Section 4 describes security audit, while Section 5 describes the setup of Kali Linux. The last section concludes this paper.

PENETRATION TESTING
Penetration testing is a legitimate exercise of exploiting a system under a real-life attacker scenario, including illegal access and the practice of malicious activities. The process of penetration testing starts from identifying the system's vulnerabilities, then staging an exploitation, discovering and reporting vulnerabilities, and resolving the vulnerabilities that can cause harm to the system. According to [11], the process of penetration testing can illustrate the level of severity that could be inflicted on the system during a real-life attack, thus helping the organization to prevent it before it is too late. There are numerous attacks that can damage an organization's system. According to the Open Web Application Security Project (OWASP), there are ten vulnerabilities that have been leaving a severe impact on web applications, four of which are SQL injection, Cross Site Scripting (XSS), Local File Inclusion (LFI), and Remote File Inclusion (RFI), as mentioned by [11].

SQL Injections (SQLi)
Structured Query Language (SQL) is normally used as the intermediary between web applications and the database. SQL is responsible for handling the requests for and retrieval of data from the client side to the database and back. According to [12], SQL plays a significant role in the Relational Database Management System (RDBMS) due to its simplicity and straightforwardness. SQL injection occurs when an attacker injects SQL queries with new parameters into the input values in order to gain unauthorized access to the database. The attack occurs when keywords or operators obtained from the user are executed by the application server as part of the compromised, modified SQL query.
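The mechanism described above, as an added example that is not part of the paper or of DVWA: a login check that concatenates user input into its SQL text, placed beside the parameterised form that treats the same input as data. The user table and passwords are constructed for the example and the database is an in-memory SQLite instance.

```python
# Added example (not from the paper): the SQL injection described above,
# reproduced against an in-memory SQLite database. The vulnerable login
# builds its query by string concatenation; the hardened login uses a
# parameterised query so user input can never change the query structure.
import sqlite3

def make_db():
    """Constructed sample data: one user table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn, name, password):
    """Returns True if the concatenated query matches any row.
    User input becomes part of the SQL text, so quote characters and
    operators supplied by the user are executed as SQL keywords."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0

def login_hardened(conn, name, password):
    """Same check with bound parameters: the input is passed as data,
    never parsed as SQL, so a quote in the input is just a quote."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()[0] > 0

if __name__ == "__main__":
    db = make_db()
    # The classic tautology payload, supplied in the password field, turns
    # the WHERE clause into (... AND password='') OR '1'='1', which is always true.
    payload = "' OR '1'='1"
    print("vulnerable login accepts payload:", login_vulnerable(db, "alice", payload))  # True
    print("hardened login accepts payload:  ", login_hardened(db, "alice", payload))    # False
    print("hardened login, real password:   ", login_hardened(db, "alice", "s3cret"))   # True
```

The same contrast is what separates DVWA's "low" and "impossible" SQL injection levels: the data in the table is identical, only the way the query is assembled differs.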

Cross Site Scripting (XSS)
XSS is a technique where JavaScript, VBScript, ActiveX, Flash or HTML is planted along with a malicious XSS link. When the infected link is executed or loaded, the attacker obtains root privilege and all sensitive data and information are left exposed to the attacker. In [13], the authors stated that there are a number of distinct approaches used by attackers, such as hijacking the session, taking advantage of the user's privileges by stealing data, posting ads in hidden IFRAMEs, and using pop-ups that encode the malicious code so as to preserve the appearance of the infected code and avoid detection by users. XSS can be initiated through sending email, stealing the user's cookies, sending an unauthorized request, and XSS attacks in comment fields.

Local File Inclusion (LFI) and Remote File Inclusion (RFI)
Local File Inclusion (LFI) is an attack where the attacker executes commands in files located on the web server after exploiting the web application. The word "Local" refers to the location of the executed file, which is inside the web server. The exploitation occurs due to misuse of prebuilt programming functions/methods rather than an invalid parameter chosen by the user [14]. A dynamic file inclusion mechanism is proposed to counter this vulnerability.
Remote File Inclusion (RFI) occurs when any type of user input is accepted remotely without going through proper validation and sanitization by the server. RFI and LFI are not very different, where RFI includes writable directories, i.e. the path of a certain file included as input received by the webpage is not comprehensively inspected [14]. An RFI attack is severely dangerous, as personal and sensitive data could be stolen and manipulated and the web server operation could be paralyzed.
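One way to implement the validation and sanitization the paragraph calls for, as an added example that is not part of the paper or of DVWA: an include resolver that refuses remote URLs (the RFI case) and paths escaping the include directory (the LFI case). The function names, the directory layout and the sample page names are assumptions constructed for the example.

```python
# Added example (not from the paper): an include resolver that blocks the
# LFI and RFI cases described above. A page parameter is resolved only inside
# an allow-listed directory; remote URLs and path traversal are rejected
# before any file is opened. All paths are constructed for the example.
import os
import tempfile
from urllib.parse import urlsplit

class IncludeError(ValueError):
    pass

def resolve_include(page, base_dir):
    """Return the absolute path of an includable file, or raise IncludeError.

    - RFI: anything with a URL scheme (http://, ftp://, php://, ...) is refused.
    - LFI: the path is made absolute and must stay under base_dir, so
      '../../etc/passwd' style traversal is refused even through symlinks.
    - Only a small allow-list of extensions is served.
    """
    if not page or "\x00" in page:
        raise IncludeError("empty or NUL-containing page name")
    if urlsplit(page).scheme:
        raise IncludeError("remote include refused: " + page)
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, page))
    # commonpath guards against prefix tricks such as /var/www vs /var/www2
    if os.path.commonpath([root, target]) != root:
        raise IncludeError("path escapes base directory: " + page)
    if not target.endswith((".php", ".html")):
        raise IncludeError("extension not allowed: " + page)
    if not os.path.isfile(target):
        raise IncludeError("no such include: " + page)
    return target

def demo():
    """Builds a throwaway include directory and classifies sample inputs."""
    base = tempfile.mkdtemp()
    with open(os.path.join(base, "include.php"), "w") as fh:
        fh.write("<?php echo 'ok'; ?>")
    results = {}
    for page in ["include.php", "../../../etc/passwd",
                 "http://evil.example/shell.txt", "php://filter/resource=x",
                 "missing.php"]:
        try:
            resolve_include(page, base)
            results[page] = "allowed"
        except IncludeError as exc:
            results[page] = "refused: " + str(exc).split(":")[0]
    return results

if __name__ == "__main__":
    for page, verdict in demo().items():
        print(page, "->", verdict)
```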

Distributed-Denial-of-Service (DDoS)
Distributed Denial of Service (DDoS) attacks are fatal. In this type of attack, legitimate users cannot access a specific network resource because the network and services have been flooded with false service requests. According to [15,16], DDoS attacks can be launched either by disturbing a legitimate user's connectivity or by disturbing the legitimate user's services.

Man-in-the-Middle (MITM)
A MITM attack is a type of attack that violates two of the security goals discussed earlier: confidentiality and integrity. In this attack, the attacker eavesdrops on the data flowing over the communication link between endpoints. As mentioned in [17], in a common MITM attack three parties are involved: two victims who are communicating with each other and an attacker, where the attacker exploits the communication channel between the two victims and has the ability to manipulate the information exchanged. In [18], the authors stated that MITM attacks include intercepting emails, logins and chat messages, cutting a victim's internet connection, and many others.

Zero-Day Vulnerabilities
Zero-day vulnerabilities refer to security risks which can be exploited by hackers but are not yet known to the software vendor [19]. Once the vendor learns of the vulnerability, it will usually create patches to mitigate it. One of the most notorious examples of a zero-day attack is Stuxnet [20], which used four Windows operating system zero-day exploits. Stuxnet commanded the PLCs to speed up and slow down the spinning centrifuges, destroying some of them, while sending false data to plant operators to make it appear that the centrifuges were behaving normally. Based on this Stuxnet attack, it is very significant to keep integrity at all costs.

SECURITY ANALYST
A security analyst does comprehensive analysis based on the data gathered in the event of an attack or attempted attack, or for an annual report, to identify the vulnerabilities and holes in the systems. A comprehensive analysis means that every piece of information gathered must be inspected, evaluated, investigated, and studied profoundly. Not only that, a security analyst must be able to research past cyber-attack events and relate them to current cyber-attacks. However, these methods are no longer enough to stop the attacks and are considered obsolete. According to [21], a new age of war between attackers/hackers and security analysts has emerged, where both parties employ new and complicated schemes to disorient each other. Hence, new strategies are adopted to prepare a comprehensive forecast of imminent threats to important utilities, known as Predictive Cyber Situational Awareness (SA). These approaches involve deep knowledge of system weaknesses and how they could be used to abuse the system. Security analyst is considered a demanding job nowadays. The need for secure systems, for both individual and organizational use, makes the security analyst one of the most important jobs in these fast-evolving technologies. The security analyst or cyber defense analyst role dominates the operational aspects of preserving the security of the organization. The capability of the security analyst to examine current and incoming threats to the organization makes the list of advantages of a security analyst go on and on. Having said that, there are seven questions that a security analyst needs to answer regarding the security level of an organization with respect to the Cyber Situational Awareness framework, as described in [21] and shown in Table 1.

Table 1 (partial). Questions of the Cyber Situational Awareness framework [21]

No.  Aspect        Question
     Behaviour     What is the expected behaviour of the attackers? What are their strategies in attacking the system?
5    Forensic      What is the objective of the attack? How was the attack deployed on the system?
6    Prediction    Can future attacks be predicted based on the current situation?
7    Information   What sort of information sources can be relied on? What is the quality of the information?

SECURITY AUDIT
In the auditing process, the system security objectives and their implementation are screened and then verified. In [2], the author established that security audits are responsible for evaluating the vulnerabilities found in the systems and finding alternatives to reduce the area of vulnerability exposure. The audit process involves log file analysis, where the log files are useful for recording the events and timelines of running processes. Screening big and long log files is very time-consuming. Thus, the aid of a tool such as general audit software (GAS) is significant in helping with such time-consuming tasks involving the retrieval and analysis of very large data [22]. There are numerous popular tools used in security auditing, and one of them is Lynis, which can be downloaded at https://cisofy.com/lynis/. Lynis is an open-source tool for Unix-based systems that aims at scanning security aspects rather than scanning for vulnerabilities. Figure 2 illustrates the interface of the Lynis auditing tool.
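The time-consuming part of an audit is reading the output, so the added example below (not from the paper and not part of Lynis) reduces a Lynis run to its findings. It assumes the key=value report file that Lynis writes after `lynis audit system` (by default /var/log/lynis-report.dat), with `hardening_index=` and `warning[]=ID|message|...` / `suggestion[]=ID|message|...` lines; the sample report, its test identifiers and the threshold of 70 are constructed for the example.

```python
# Added example (not from the paper or from Lynis): parse the key=value
# report Lynis writes so a long audit output is reduced to the findings
# that matter. SAMPLE_REPORT is constructed; its line format follows the
# Lynis report file as assumed above, but the test ids and text are made up.
import re

SAMPLE_REPORT = """\
# Lynis Report (constructed sample)
lynis_version=3.0.0
hardening_index=62
warning[]=TEST-0001|Example warning: service reachable from network|-|-|
suggestion[]=TEST-0002|Example suggestion: enable logging for service|-|-|
suggestion[]=TEST-0003|Example suggestion: set a stricter umask|-|-|
warning[]=TEST-0004|Example warning: kernel update pending|-|-|
"""

# kind, test id and message are the first three pipe-separated fields
FINDING = re.compile(r"^(warning|suggestion)\[\]=([^|]+)\|([^|]*)\|")

def parse_report(text):
    """Return (hardening_index, warnings, suggestions) from report text.

    Each finding is a (test_id, message) tuple; other keys are ignored.
    """
    index = None
    warnings, suggestions = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("hardening_index="):
            index = int(line.split("=", 1)[1])
            continue
        m = FINDING.match(line)
        if m:
            kind, test_id, message = m.groups()
            (warnings if kind == "warning" else suggestions).append((test_id, message))
    return index, warnings, suggestions

def summarise(text, minimum_index=70):
    """Audit verdict: the run passes only if the hardening index reaches the
    auditor's threshold (70 is an assumed policy value) and no warning exists."""
    index, warnings, suggestions = parse_report(text)
    ok = index is not None and index >= minimum_index and not warnings
    return {"hardening_index": index, "warnings": len(warnings),
            "suggestions": len(suggestions), "passed": ok}

if __name__ == "__main__":
    index, warnings, suggestions = parse_report(SAMPLE_REPORT)
    print("hardening index:", index)
    for test_id, msg in warnings:
        print("WARNING", test_id, msg)
    print(summarise(SAMPLE_REPORT))
```

On a real host, read the report file into `text` instead of using SAMPLE_REPORT; the verdict dictionary is what a scheduled audit job would record for each machine.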

KALI LINUX SETUP
This section describes the brief history of Kali Linux, the installation and setup of Kali Linux on a virtual machine, and the installation of a vulnerable server.

History of Kali Linux
Kali Linux is a Debian-derived Linux distribution; it is freeware and can be downloaded for free at http://www.kali.org, as illustrated in Figure 3. Previously, Kali Linux was known as BackTrack, which merged three different Linux distributions: IWHAX, WHOPPIX, and Auditor [6]. Kali Linux version 1.0 was released in March 2013. As of March 2018, the latest version is 2018.1 and it is compatible with the i386, amd64, armel and armhf machine architectures, even on the Raspberry Pi [23]. Kali Linux now has more than 600 penetration testing tools, is free, is Filesystem Hierarchy Standard (FHS) compliant, and has wide-ranging wireless device support [24]. Kali Linux is the most popular penetration testing platform, as stated in [19]. The installation of Kali Linux requires a minimum of 20GB of disk space and 1GB of RAM. Kali Linux can be installed in two ways: from a bootable USB drive or from a DVD drive. In this paper, we boot Kali Linux on a virtual machine and attack the main machine (Windows 10). As of February 2018, Kali Linux can be installed and used on Windows 10 directly as part of the Windows Subsystem for Linux (WSL), as shown in Figure 4.

Installing Kali Linux on Virtual Machine
In our research, Kali Linux is installed on a VMware virtual machine. VMware is software which allows a virtual machine (which uses some of the CPUs, RAM and storage of the main machine) to operate like a normal computer. That means two operating systems run simultaneously on one machine. Therefore, in this research two operating systems (the Windows 10 host and the Kali Linux virtual machine) will run at the same time, as shown in Figure . Kali Linux consists of hundreds of pre-built tools. The tools are divided into sections according to their functionality and utility. Each section carries out a different task but with the same objective: penetration testing. The following are the sections into which the tools are divided [6]:

- Information gathering: important tools to collect information about the target
- Vulnerability analysis: tools for scanning for weaknesses in the system
- Wireless attacks: tools that carry out attacks on wireless protocols
- Web applications: used to attack web sites, web servers and web applications
- Sniffing and spoofing: tools used to monitor and capture network traffic and manipulate it
- Exploitation tools: tools used to identify the vulnerabilities in a system
- Forensic tools: focused on monitoring and analyzing a system's network traffic and programs
- Stress testing: tools used to measure how heavy a load of network traffic and information a system can handle (DDoS attack)
- Password attacks: deal with brute force on a system; identifying, finding and cracking the passwords of a system
- Maintaining access: used to keep access to a system that has been exploited, i.e. a backdoor
- Reverse engineering: identify how a system is produced so that it might be duplicated or changed
- Hardware hacking: focused on gaining access to small electronic devices like Android and Arduino
- Reporting tools: used after penetration testing; gather information and provide proper documentation to report to the organization

However, there are still many open-source tools available online that can be downloaded and installed on the Kali Linux system. Most of them are accessible on GitHub. The command git clone, executed in the Kali Linux terminal, is used to download the tools from GitHub.

Installing a Vulnerable Server
To experiment with penetration testing following the ethical hacking guidelines, we must perform all penetration testing in our own environment. That being said, we must not perform penetration testing on a private web server or a private firewall machine. Hence, we need to set up a simple web server for the purpose of penetration testing. Software called XAMPP server, which is simple and useful, is installed on the main machine (Windows 10). XAMPP stands for X - cross platform, A - Apache server, M - MariaDB, P - PHP, and P - Perl, as shown in Figure 6. Having completed the installation of the XAMPP server, we can now proceed to create our own website to be attacked. However, there is a tool called Damn Vulnerable Web Application (DVWA) that saves us from spending time creating a real website and web server. XAMPP is compulsory for DVWA to work. DVWA is an open-source tool which can be easily downloaded from http://www.dvwa.co.uk/. DVWA provides an environment for penetration testing of the most popular web attacks, such as SQL injection, XSS and brute force. The most interesting part of DVWA is that the security level of the website and web server can be modified based on the intended experiment. It can be set to four levels of security: low, medium, high and impossible, as illustrated in Figure 7(b). In this research, we set the security level to low, in which it is completely vulnerable and has no security measures at all.

CONCLUSIONS AND FUTURE WORKS
This paper has presented a review of penetration testing, security analysis, and security audit. On penetration testing, we reviewed the most popular techniques, including SQLi, XSS, LFI, RFI, DDoS, MITM, and zero-day vulnerabilities. Kali Linux is the most popular penetration testing and security audit platform, with advanced tools to detect any vulnerabilities uncovered in the target machine. A brief history of Kali Linux has been presented, along with its setup and installation. For testing purposes, we have installed and configured a vulnerable server. Further research will include simulated attacks on the vulnerable server on both the web and firewall systems.