5. Exploit the Victim

Goals of Exploiting the Server

- Gaining access
- Escalating privileges
- Executing applications
- Hiding files
- Clearing tracks

Gaining Access

The goal here is to collect enough information to gain access to the target.

Password cracking: There are a few basic methods of password cracking:
- Brute force: trying all possible combinations until the password is cracked.
- Dictionary attack: a compiled list of meaningful words is compared against the password field until a match is found.
- Rule-based attack: if some details about the target are known, rules can be created based on that information.
- Rainbow table: instead of comparing passwords directly, the hash value of the password is compared against a list of pre-computed hash values until a match is found.

The rainbow table method gives the attacker an advantage, since no account lockout is triggered by wrong hash comparisons against the password. To prevent rainbow table attacks, salting can be used. Salting is the process of adding a random value to the password before hashing, so the attacker cannot crack the hash without knowing the salt that was added.

Types of Password Attacks

Passive online attacks: A passive attack is an attack on a system that does not result in any change to the system. The attack purely monitors or records data.
- Wire sniffing
- Man in the middle
- Replay attack

Active online attacks: An active online attack is the easiest way to gain unauthorized administrator-level access to the system.
- Password guessing
- Trojan/spyware/keyloggers
- Hash injection
- Phishing

Offline attacks: Offline attacks occur when the intruder checks the validity of the passwords offline. Offline attacks are often time-consuming.
- Pre-computed hashes
- Distributed network
- Rainbow table

Non-electronic attacks: Non-electronic attacks are also known as non-technical attacks. This kind of attack doesn't require any technical knowledge about the methods of intruding into another system.
- Social engineering
- Shoulder surfing
- Dumpster diving

How to defend against password cracking:
- Don't share your password with anyone.
- Do not reuse the same passwords when changing passwords.
- Enable security auditing to help monitor and track password attacks.
- Do not use cleartext protocols or protocols with weak encryption.
- Set the password change policy to 30 days.
- Monitor the server's logs for brute-force attacks on user accounts.
- Avoid storing passwords in an unsecured location.
- Never use passwords such as a date of birth or a spouse's, child's or pet's name.
- Enable SYSKEY with a strong password to encrypt and protect the SAM database.
- Lock out an account subjected to too many incorrect password guesses.

Privilege Escalation

An attacker can gain access to the network using a non-admin user account; the next step would be to gain administrative privileges.

Escalation of privileges: There are two types of privilege escalation:
- Horizontal privilege escalation occurs when a malicious user attempts to access resources and functions that belong to peer users who have similar access permissions.
- Vertical privilege escalation occurs when a malicious user attempts to access resources and functions that belong to a user with higher privileges, such as application or site administrators.

Executing Applications

The intruder executes malicious applications after gaining administrative privileges so they can run malicious programs remotely to capture sensitive data, crack passwords, capture screenshots or install a backdoor.
Tools: RemoteExec, PDQ Deploy, DameWare NT Utilities

Keylogger

Keystroke loggers are programs or hardware devices that monitor each keystroke a user types on a keyboard, log them to a file, or transmit them to a remote location.
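Returning to the password cracking notes above, this added example (not code from the original page) shows why the salting countermeasure defeats a precomputed hash table: the same password is stored unsalted and salted, and only the unsalted hash can be recovered by table lookup. The word list and hash values are constructed for the demo.

```python
"""Why salting defeats precomputed (rainbow-table style) lookups.

Added example for the password-cracking notes; not code from the original page.
All passwords and the 'precomputed table' below are constructed for the demo.
"""
import hashlib
import hmac
import os

# A tiny stand-in for an attacker's precomputed table: sha256 of common words.
# Real tables hold millions of entries, but the lookup principle is the same.
COMMON_WORDS = ["password", "letmein", "qwerty", "summer2019", "welcome1"]
PRECOMPUTED = {hashlib.sha256(w.encode()).hexdigest(): w for w in COMMON_WORDS}


def unsalted_hash(password: str) -> str:
    """The weak scheme: a hash of the bare password, identical for every user."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_precomputed(digest: str):
    """One table lookup recovers the password if it is in the table (no lockout)."""
    return PRECOMPUTED.get(digest)


def make_salted_record(password: str, iterations: int = 50_000) -> dict:
    """Stronger scheme: per-user random salt plus PBKDF2-HMAC-SHA256 stretching."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo() -> dict:
    """Same password under both schemes: the table lookup only works against the unsalted one."""
    pw = "summer2019"
    weak = unsalted_hash(pw)
    strong = make_salted_record(pw)
    return {
        "unsalted_recovered": lookup_precomputed(weak),            # 'summer2019'
        "salted_recovered": lookup_precomputed(strong["hash"]),    # None
        # Two users with the same password get different stored hashes.
        "same_pw_same_hash": make_salted_record(pw)["hash"] == strong["hash"],  # False
        "verify_ok": verify_salted(strong, pw),                    # True
        "verify_wrong": verify_salted(strong, "Summer2019"),       # False
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```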
Keyloggers are placed between the keyboard hardware and the OS. A keylogger can:
- Record each keystroke.
- Capture screenshots at regular intervals of time, showing user activity such as when the user types a character or clicks a mouse button.
- Track the activities of users by logging window titles, names of launched applications and other information.
- Monitor the online activity of users by recording the addresses of the websites they have visited and the keywords they entered.
- Record all login names, bank and credit card numbers and passwords, including hidden passwords or data shown as asterisks or blank spaces.
- Record online chat conversations.

Types of keylogger:
- Hardware keylogger
- Software keylogger

Spyware: Spyware is stealthy computer monitoring software that allows someone to secretly record all activities of a computer user.

Hiding Files

Rootkits: Rootkits are programs that hackers use in order to evade detection while trying to gain unauthorized access to a computer. Once installed on a computer, rootkits are invisible to the user and also take steps to avoid being detected by security software. A rootkit is a set of binaries, scripts and configuration files that allows someone to covertly maintain access to a computer so that he can issue commands and scavenge data without alerting the system's owner. Depending on where they are installed, there are various types of rootkits:
- Kernel-level rootkits
- Hardware/firmware rootkits
- Hypervisor (virtualized) level rootkits
- Boot loader level rootkits (bootkits)

NTFS data streams: Alternate Data Stream support was added to NTFS (Windows NT, Windows 2000 and Windows XP) to support the Macintosh Hierarchical File System (HFS), which uses resource forks to store icons and other information for a file. Using alternate data streams, a user can easily hide files that go undetected without close inspection.

Steganography: The art of hiding data inside other data or a medium is called steganography.
For example: hiding data within an image file. The secret message is called the overt file and the covering file is called the covert file.

Types of steganography:
- Image steganography
- Document steganography
- Folder steganography
- Video steganography
- Audio steganography
- White space steganography

Covering Tracks

Once an attacker finishes his work, he wants to erase all tracks that could lead investigators back to him. This can be done by:
- Disabling auditing.
- Clearing logs.
- Modifying logs and registry files.
- Removing all files and folders created.

Sniffing and its Types

What is sniffing? Sniffing is the process of monitoring and capturing all data packets passing through a given network. Sniffers are used by network/system administrators to monitor and troubleshoot network traffic. Attackers use sniffers to capture data packets containing sensitive information such as passwords, account information, etc. Sniffers can be hardware or software installed in the system. By placing a packet sniffer on a network in promiscuous mode, a malicious intruder can capture and analyze all of the network traffic. There are two types:

Active sniffing: Sniffing on a switch is active sniffing. A switch is a point-to-point network device. The switch regulates the flow of data between its ports by actively monitoring the MAC address on each port, which helps it pass data only to its intended target. In order to capture the traffic between targets, the sniffer has to actively inject traffic into the LAN to enable sniffing of the traffic. This can be done in various ways.

Passive sniffing: This is the process of sniffing through a hub. Any traffic passing through a non-switched or unbridged network segment can be seen by all machines on that segment. Sniffers operate at the data link layer of the network. Any data sent across the LAN is actually sent to each and every machine connected to the LAN.
This is called passive since the sniffers placed by the attackers passively wait for data to be sent and capture it.

ARP and CAM Table

ARP table: Address Resolution Protocol (ARP) is a protocol for mapping an Internet Protocol address (IP address) to a physical machine address that is recognized in the local network. A table is used to maintain the correlation between each MAC address and its corresponding IP address. ARP provides the protocol rules for making this correlation and providing address conversion in both directions.

CAM table: The Content Addressable Memory (CAM) table is a system memory construct used by Ethernet switch logic which stores information such as the MAC addresses available on physical ports with their associated VLAN parameters. The CAM table is present in all switches for layer 2 switching. This allows switches to facilitate communication between connected stations at high speed and in full duplex, regardless of how many devices are connected to the switch. Switches learn MAC addresses from the source address of Ethernet frames on their ports, such as Address Resolution Protocol (ARP) response packets.

Protocols vulnerable to sniffing:
- Telnet and Rlogin: keystrokes, including usernames and passwords.
- HTTP: data sent in clear text.
- SMTP: passwords and data sent in clear text.
- NNTP: passwords and data sent in clear text.
- POP: passwords and data sent in clear text.
- FTP: passwords and data sent in clear text.
- IMAP: passwords and data sent in clear text.

Active Sniffing Attacks

MAC attacks: MAC flooding is an attack where the CAM table is flooded with fake MAC-IP pairs so that the CAM table overflows, causing traffic to be flooded to all ports on the switch, i.e. making the switch behave like a hub.

ARP spoofing: In this case, an attacker can spoof the MAC address of a trusted host and forge ARP requests/replies to overload the switch. Once the switch is set in "forward mode", the attacker can sniff the packets in the traffic.
ARP poisoning: The attacker chooses targets and floods their ARP caches with forged entries, thus replacing the MAC address of the targets with the MAC address of the attacker. ARP poisoning is used in man-in-the-middle attacks.

DHCP Poisoning

Introduction: Dynamic Host Configuration Protocol (DHCP) is used to assign IPs to DHCP-enabled clients. The server holds valid TCP/IP configuration parameters, valid IP addresses and the time period of the lease offer. When a client needs an IP, it sends a request to the DHCP server. The DHCP server asks the client to send the required parameters, and once it receives them, the DHCP server sends the acknowledgement which contains the IP address of the client.

The DHCP client requests an IP address by broadcasting a DHCP Discover message to the local subnet. The client is offered an address when a DHCP server responds with a DHCP Offer message containing an IP address and configuration information for lease to the client. The client indicates acceptance of the offer by selecting the offered address and broadcasting a DHCP Request message in response. The client is assigned the address when the DHCP server broadcasts a DHCP Ack message in response, finalizing the terms of the lease. When the client receives the acknowledgement, it configures its TCP/IP properties using the DHCP option information in the reply and completes its initialization of TCP/IP.

DHCP starvation attack: This is a denial-of-service attack. An attacker sends forged DHCP requests to the server and leases all the available IPs, so legitimate clients will not get an IP assigned; or the attacker may send bogus requests/replies luring the client to connect to the attacker's machine instead of the valid DHCP server.

DNS poisoning attack: Here the attacker sends fake DNS packets to the server, causing fake entries in the DNS table for the target website.
So when a client sends a request for the website, the DNS server resolves the domain to an IP using the injected DNS records and redirects the user to a fake or malicious website intended by the attacker.

Countermeasures:
- Enable port security.
- DHCP snooping binding must be enforced.
- Use HTTPS instead of HTTP.
- Use SFTP instead of FTP.
- Use SSH instead of Telnet.
- Avoid using clear text protocols.
- Always encrypt wireless traffic using WPA2.
- Check whether NICs are running in promiscuous mode.
- Implement DNSSEC.
- Use a firewall.

Some tools: Cain and Abel; Yersinia for DHCP starvation; Wireshark.

Session Hijacking and its Types

Introduction: Session hijacking is defined as taking over an active TCP/IP communication session without the user's permission. When implemented successfully, attackers assume the identity of the compromised user, enjoying the same access to resources as the compromised user. Identity theft, information theft and stealing sensitive data are some of the common impacts of session hijacking.

Types of session hijacking attacks: There are two types of session hijacking, depending on how they are done. If the attacker directly gets involved with the target, it is called active hijacking; if the attacker just passively monitors the traffic, it is passive hijacking.

Active: The attacker will silence one of the machines, usually the client computer, and take over the client's position in the communication exchange between the workstation and the server. The active attack also allows the attacker to issue commands on the network, making it possible to create new user accounts on the network, which can later be used to gain access to the network without having to perform the session hijack attack again.

Passive: In a passive session hijacking attack, the attacker monitors the traffic between the workstation and the server. The primary motivation for the passive attack is to monitor network traffic and potentially discover valuable data or passwords.
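The ARP spoofing and poisoning attacks described above leave a footprint that an IDS or a monitoring script can catch: one IP answering from two MACs, or one MAC claiming several IPs. This added example (not code from the original page) runs that detection over a constructed list of observed ARP replies; the addresses and the trusted binding table are placeholders, and in practice the records would come from a capture tool or a DHCP snooping table.

```python
"""Spotting ARP spoofing/poisoning from observed ARP replies.

Added example for the ARP spoofing/poisoning notes; not code from the original page.
The reply records, addresses and trusted bindings are constructed for the demo.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

Reply = Tuple[float, str, str]   # (timestamp, sender IP, sender MAC) from an ARP reply

# Constructed observations: the gateway 192.168.1.1 answers from aa:...:01, then a
# second MAC starts claiming both the gateway and a client address (MITM pattern).
ARP_REPLIES: List[Reply] = [
    (1.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),
    (1.5, "192.168.1.20", "aa:aa:aa:aa:aa:20"),
    (2.0, "192.168.1.1",  "aa:aa:aa:aa:aa:01"),
    (2.2, "192.168.1.1",  "bb:bb:bb:bb:bb:99"),   # gateway IP now claimed by another MAC
    (2.3, "192.168.1.20", "bb:bb:bb:bb:bb:99"),   # same MAC also claims the client IP
    (2.4, "192.168.1.30", "aa:aa:aa:aa:aa:30"),
]

# Static IP-to-MAC bindings an administrator trusts (constructed placeholder).
TRUSTED_BINDINGS: Dict[str, str] = {"192.168.1.1": "aa:aa:aa:aa:aa:01"}


def detect_arp_spoof(replies: List[Reply],
                     trusted: Optional[Dict[str, str]] = None) -> List[dict]:
    """Return alerts, in time order, for three poisoning indicators:
    - a reply contradicting a trusted binding,
    - an IP whose MAC differs from the first reply seen for it (cache conflict),
    - one MAC claiming more than one IP (typical when an attacker impersonates both
      a gateway and a victim; a legitimate router can also hold several IPs, so
      treat this one as a lead rather than proof)."""
    trusted = trusted or {}
    ip_to_mac: Dict[str, str] = {}               # first-seen MAC per IP, like an ARP cache
    mac_to_ips: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[dict] = []
    for ts, ip, mac in sorted(replies):
        if ip in trusted and trusted[ip] != mac:
            alerts.append({"time": ts, "type": "trusted_binding_violation",
                           "ip": ip, "mac": mac, "expected": trusted[ip]})
        known = ip_to_mac.setdefault(ip, mac)
        if known != mac:
            alerts.append({"time": ts, "type": "ip_mac_conflict",
                           "ip": ip, "mac": mac, "previous": known})
        before = len(mac_to_ips[mac])
        mac_to_ips[mac].add(ip)
        if len(mac_to_ips[mac]) > max(before, 1):   # fires only when a new IP is added
            alerts.append({"time": ts, "type": "mac_claims_multiple_ips",
                           "mac": mac, "ips": sorted(mac_to_ips[mac])})
    return alerts


def suspect_macs(alerts: List[dict]) -> Set[str]:
    """MACs named in any alert: candidates for port shutdown or a closer capture."""
    return {a["mac"] for a in alerts}


if __name__ == "__main__":
    found = detect_arp_spoof(ARP_REPLIES, TRUSTED_BINDINGS)
    for alert in found:
        print(alert)
    print("suspect MACs:", suspect_macs(found))
```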
Session Hijacking Process

The first step in the session hijack attack is locating a target user. Attackers look for two things prior to their attack. First, they look for networks that have a high level of utilization; high-volume networks help attackers remain anonymous and also provide a healthy supply of users to choose from, which also helps the attack. Second, users who use insecure network protocols such as Telnet, rlogin (remote login) and FTP (file transfer protocol) are easy targets due to their inherently insecure design. Packet sniffing software can be used to sniff network traffic for the purpose of locating vulnerable protocols like FTP, Telnet and rlogin. Port scanning software can also be used to identify servers that have FTP, Telnet or rlogin ports open.

1. Sniffing into an active session: The attacker then finds an active session between the target and another machine and places himself between them. Using a sniffer like Wireshark, he captures the traffic and tries to gather information about the session.

2. Monitor: He then monitors the traffic for vulnerable protocols like HTTP, Telnet, rlogin, etc., and tries to find any valid authentication packets passing through.

3. Session ID retrieval: The attacker tries to predict the session ID using the available information. Now that a target has been chosen, the next step in the session hijacking process is sequence number prediction. Sequence number prediction is a critical step because failing to predict the correct sequence number will result in the server sending reset packets and terminating the connection attempt. If the attacker guesses the sequence numbers wrong repeatedly, the likelihood of detecting the attack increases.

4. Stealing: In application-level hijacking, active attacks are pursued to steal the session ID. Man-in-the-middle attacks, cross-site scripting and sniffing are used to steal the session ID. Brute forcing: This is a time-consuming process.
While sequence number guessing can be done manually by skilled attackers, software tools are available to automate the process.

5. Take one of the parties offline: Once a session is chosen and sequence numbers predicted, one of the targets has to be silenced. This is generally done with a denial-of-service attack. The attacker must ensure that the client computer remains offline for the duration of the attack, or the client computer will begin transmitting data on the network, causing the workstation and the server to repeatedly attempt to synchronize their connections, resulting in a condition known as an ACK storm.

6. Take over the session and maintain the connection: The final phase of the session hijack attack entails taking over the communication session between the workstation and the server. The attacker will spoof the client's IP address to avoid detection and include the sequence number that was predicted earlier. If the server accepts this information, the attacker has successfully attacked the communication session.

Session Hijacking Levels

Session hijacking can be done at two levels:
- Network level
- Application level

Network-level hijacking includes TCP and UDP sessions. Application-level hijacking occurs with HTTP sessions.

Application-level hijacking: Here the valid session token is stolen or predicted to take over the session. The various attacks involved here are:

Man-in-the-middle attack: By using automated tools/spoofing methods, the attacker splits the connection between the targets into two: one connection between the client and the attacker, and another between the attacker and the server. Since the attacker becomes the man in the middle, all the traffic goes through him, hence he can capture the session ID.

Cross-site scripting: Client-side vulnerabilities like XSS allow an attacker to craft a malicious script to get the session ID from the application.
Using a proxy: By setting up a proxy and causing the traffic to flow through it, one can capture the session ID details.

Man-in-the-browser: Installing a Trojan in the victim's browser will notify the attacker of the session ID.

Session replay: Capturing the authentication packets by sniffing the traffic and replaying those packets after a time interval may allow the attacker to successfully log in to the session of the authorized user.

Network or TCP Session Hijacking

TCP guarantees delivery of data, and also guarantees that packets will be delivered in the same order in which they were sent. In order to guarantee that packets are delivered in the right order, TCP uses acknowledgement (ACK) packets and sequence numbers to create a "full duplex reliable stream connection between two endpoints", with the endpoints referring to the communicating hosts. The connection between the client and the server begins with a 3-way handshake. After the handshake, it is just a matter of sending packets and incrementing the sequence number to verify that the packets are getting sent and received. The goal of the TCP session hijacker is to create a state where the client and server are unable to exchange data, enabling him/her to forge acceptable packets for both ends which mimic the real packets. Thus, the attacker is able to gain control of the session.

IP spoofing: IP spoofing is a technique used to gain unauthorized access to computers, where the intruder sends a message to a computer with an IP address indicating that the message is coming from a trusted host.

Man-in-the-middle attack: The attacker tries to get the session ID by doing ARP spoofing and a man-in-the-middle attack.

Blind hijacking: In cases where source routing is disabled, the session hijacker can also use blind hijacking, where he injects his malicious data into intercepted communications in the TCP session.
It is called blind because he cannot see the response; though the hijacker can send data or commands, he is basically guessing the responses of the client and server.

UDP session hijacking: UDP is a connectionless protocol. UDP/IP provides very few error recovery services, offering instead a direct way to send and receive datagrams over an IP network. Therefore, delivery integrity, non-duplication and ordering are not guaranteed. UDP doesn't use sequence numbers like TCP; it is mainly used for broadcasting messages across the network or for doing DNS queries.

Countermeasures:
- Use secure protocols instead of clear text protocols like HTTP, FTP, Telnet, Rlogin, etc.
- Encrypting the session ID will increase the complexity of session ID prediction.
- Send the session ID over SSL.
- Use long random numbers for the session ID.
- Implement a timeout for the session when the session is logged out or the session ID expires.
- Use a different session ID for each page.
- Use switches rather than hubs.
- Ensure server-side and client-side protection software.
- Use an IDS for detecting ARP spoofing/poisoning.
- Do not click on suspicious links.
- Check the web application for all errors.
- Using IPsec is a valid defence mechanism.

Web Application and its Types of Attacks

Introduction: A web application provides an interface for the web server and the client to communicate. Web pages are generated at the server, and browsers present them on the client side. Data is passed between client and server in the form of HTML pages over the HTTP protocol. There are client-side vulnerabilities and server-side vulnerabilities which lead to web application attacks.

Attacks:

Parameter tampering: This involves modifying parameters exchanged between client and server, which may lead to XSS and SQL injection attacks. Usually, HTML data goes as name-value pairs; if the attacker is able to modify the values of the parameters during transfer, it may lead to many other attacks.
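Several of the session hijacking countermeasures listed above (long random session IDs, a timeout, a fresh ID per page) fit together in one small server-side session store. This added example (not code from the original page) shows that arrangement: IDs come from the OS random generator so prediction fails, an HMAC tag rejects edited tokens before any lookup, and expiry, rotation and logout limit how long a captured token stays useful. SECRET_KEY and SESSION_TTL are constructed placeholders.

```python
"""Unpredictable session IDs with server-side expiry, rotation and logout.

Added example for the session hijacking countermeasures; not code from the original
page. SECRET_KEY and SESSION_TTL are constructed placeholders.
"""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

SECRET_KEY = b"constructed-placeholder-secret"   # real deployments load this from secure config
SESSION_TTL = 900                                 # seconds of inactivity before expiry

_sessions: Dict[str, dict] = {}                   # server-side store: sid -> {user, expires}


def _tag(sid: str) -> str:
    """HMAC over the id: a guessed or edited token fails before any store lookup."""
    return hmac.new(SECRET_KEY, sid.encode(), hashlib.sha256).hexdigest()[:32]


def create_session(user: str, now: Optional[float] = None) -> str:
    """128 random bits from the OS CSPRNG, so sequential guessing is hopeless."""
    now = time.time() if now is None else now
    sid = secrets.token_urlsafe(16)
    _sessions[sid] = {"user": user, "expires": now + SESSION_TTL}
    return f"{sid}.{_tag(sid)}"


def validate_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user for a valid, unexpired token; None otherwise."""
    now = time.time() if now is None else now
    sid, _, tag = token.partition(".")
    if not sid or not hmac.compare_digest(tag.encode(), _tag(sid).encode()):
        return None                              # forged or tampered token
    entry = _sessions.get(sid)
    if entry is None:
        return None                              # unknown, rotated or logged-out session
    if now > entry["expires"]:
        del _sessions[sid]                       # timeout: a captured token dies with it
        return None
    entry["expires"] = now + SESSION_TTL         # sliding expiry while the user is active
    return entry["user"]


def rotate_session(token: str, now: Optional[float] = None) -> Optional[str]:
    """Issue a new id (per page, or after login) and invalidate the old one."""
    user = validate_token(token, now)
    if user is None:
        return None
    logout(token)
    return create_session(user, now)


def logout(token: str) -> None:
    """Drop the server-side entry so the token cannot be replayed later."""
    _sessions.pop(token.partition(".")[0], None)


if __name__ == "__main__":
    tok = create_session("alice")
    print("valid:", validate_token(tok))
    new_tok = rotate_session(tok)
    print("old after rotate:", validate_token(tok), "| new:", validate_token(new_tok))
```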
Unvalidated inputs: Web applications accept user inputs, and queries are constructed based on dynamic user input. If these inputs are not properly sanitised, they open a way for the attacker to launch attacks like XSS, SQL injection, directory traversal, etc. Identity theft and data theft are dangerous outcomes of these attacks.

Directory traversal attack: This is a type of vulnerability where an attacker is able to access beyond the web root directory, into restricted directories on the web server. An attacker will then be able to access system files, run OS commands, access configuration information, etc.

Injection flaws:

SQL injection: User login screens, URLs and search boxes are points of interest to an attacker, since they are dynamic inputs based on which web application requests are constructed. If an attacker is successful in making the browser construct a malicious query and getting it executed by the back-end database, it is called SQL injection. An attacker may modify, delete or even do a DoS attack on the database.

Command injection: If a user is able to inject operating system commands into any user input field, it may lead to the attacker injecting malicious commands to get sensitive information from the web server.

LDAP injection: Lightweight Directory Access Protocol is an active directory over IP, where the information is arranged in a hierarchical manner based on user attributes. LDAP injection works the same as SQL injection, where the attacker tries to enter arbitrary data to craft malicious queries to be executed by the LDAP server.

Web Server and its Types of Attacks

Introduction: Websites are hosted on web servers. Web servers are themselves computers running an operating system, connected to a back-end database and running various applications. Any vulnerability in the applications, database, operating system or network will lead to an attack on the web server.
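For the SQL injection flaw described above, the difference between a login query built by string concatenation and one built with placeholders is easiest to see side by side. This added example (not code from the original page) runs both against a constructed in-memory SQLite table: the concatenated version is bypassed by quote-laden input and leaks a verbose error on a stray apostrophe, while the parameterised version treats the same input as plain data. The table rows and the "hash" strings are placeholders.

```python
"""String-built SQL versus parameterised SQL, side by side.

Added example for the SQL injection notes; not code from the original page.
The users table and its pw_hash values are constructed placeholders.
"""
import sqlite3
from typing import Optional, Tuple

Row = Optional[Tuple[str, str]]


def make_db() -> sqlite3.Connection:
    """Constructed sample database with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("admin", "hash-of-admin-pw", "admin"),
        ("alice", "hash-of-alice-pw", "user"),
    ])
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, pw_hash: str) -> Row:
    """The flaw: user input is pasted into the query text, so quotes change the SQL."""
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND pw_hash = '{pw_hash}'")
    return conn.execute(sql).fetchone()


def login_parameterised(conn: sqlite3.Connection, username: str, pw_hash: str) -> Row:
    """The fix: placeholders keep the input as data; it can never become SQL syntax."""
    sql = "SELECT username, role FROM users WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash)).fetchone()


def compare(username: str, pw_hash: str) -> dict:
    """Run the same input through both versions; report the raw DB error the
    vulnerable one produces (the kind of verbose error a misconfigured server leaks)."""
    conn = make_db()
    try:
        vuln = login_vulnerable(conn, username, pw_hash)
    except sqlite3.Error as exc:
        vuln = f"query error: {exc}"
    return {"vulnerable": vuln, "parameterised": login_parameterised(conn, username, pw_hash)}


if __name__ == "__main__":
    print(compare("alice", "hash-of-alice-pw"))       # both succeed for a real user
    print(compare("x' OR '1'='1", "x' OR '1'='1"))    # vulnerable: first row, i.e. admin
    print(compare("o'brien", "whatever"))              # vulnerable: syntax error leaks
```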
The vulnerability stack of a web server is given below (source: WhiteHat Security). [Figure not reproduced in this text.]

Web server attack types:

DoS attack: An attacker may cause a denial of service by sending numerous service request packets, overwhelming the servicing capability of the web server, or he may try to exploit a programming error in the application, causing a DoS.

Website defacement: SQL injection attacks are used to deface websites. When an attacker finds out that input fields are not sanitized properly, he can add SQL strings to maliciously craft a query which is executed by the web browser. He may store malicious/unrelated data in the database; when the website is requested, it will show irrelevant data, thus displaying a defaced website.

Directory traversal: This is a vulnerability where an attacker is able to access beyond the web root directory from the application. If he is able to access beyond the web root directory, he might execute OS commands and get sensitive information or access restricted directories.

Misconfiguration attacks: If unnecessary services are enabled, default configuration files are used, or verbose/error information is not masked, an attacker can compromise the web server through various attacks like password cracking, error-based SQL injection, command injection, etc.

Phishing attack: An attacker may redirect the victim to malicious websites by sending him/her a malicious link by email which looks authentic but redirects him/her to a malicious web page, thereby stealing their data.

There are a lot of other web application attacks which can lead to a web server attack: parameter/form tampering, cookie tampering, unvalidated inputs, SQL injection and buffer overflow attacks.

Methodology:

Information gathering: Information related to the target server is collected from various sources like:
- Websites
- WHOIS information
- Netcraft information
- Banner grabbing
- Port scanning with Nmap
- Mirroring a website using HTTrack
Vulnerability scanning: There are automated tools for scanning a web server and the applications running on it. The results may show various threats and vulnerabilities on the target web server; these vulnerabilities may later be exploited using tools or manually. Tools: Acunetix, Nikto, Vega, etc.

Password attacks:
- Guessing/default passwords
- Brute forcing
- Dictionary attacks

Countermeasures:
- Update and patch web servers regularly.
- Do not use the default configuration.
- Store configuration files securely.
- Scan the applications running on the web server for all vulnerabilities.
- Use an IDS and firewall with updated signatures.
- Block all unnecessary protocols and services.
- Use secure protocols.
- Disable default accounts and follow a strict access control policy.
- Install anti-virus software and update it regularly.
- All OS and software used should be the latest versions and fully updated.

Cross-Site Scripting

XSS enables attackers to inject client-side scripts into web pages by exploiting vulnerabilities in dynamically generated web pages. An attacker can inject malicious scripts (also commonly referred to as a malicious payload) into a legitimate website or web application and cause various damage, including data theft, session hijacking, redirecting the web page to another website, etc.

Reflected XSS: Here the attacker sends a script as input, and the attacker's content is reflected back to the victim. He can craft malicious scripts to get session cookies, redirect to a malicious web page, inject data, execute system commands and much more.

Stored XSS: Here the input entered by the attacker is stored in the database, e.g. on a blog. Anyone visiting the page will have this script run, thus affecting everyone who visits that page.

Denial of service attack: An attacker, with or without the help of bots, can flood the target system and reduce, restrict or prevent the target system from providing service to authorised clients.
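Both reflected and stored XSS above come down to untrusted text being written into a page without encoding for the context it lands in. This added example (not code from the original page) renders a constructed blog comment two ways: pasted in raw, and with HTML escaping for text and attribute positions plus a scheme allowlist for the link, which is what the "use input/output encoding" countermeasure means in practice. The comment, author and link values are constructed samples.

```python
"""Output encoding as the defence against reflected and stored XSS.

Added example for the cross-site scripting notes; not code from the original page.
The comment values are constructed samples.
"""
import html
from urllib.parse import urlsplit


def render_unsafe(author: str, body: str, site: str) -> str:
    """The flaw: stored or reflected strings are pasted straight into the page."""
    return f'<div class="comment"><a href="{site}">{author}</a>: {body}</div>'


def safe_href(url: str) -> str:
    """Allow only http(s) links; any other scheme becomes an inert fragment link."""
    if urlsplit(url.strip()).scheme.lower() not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_safe(author: str, body: str, site: str) -> str:
    """The fix: escape for the HTML text and attribute contexts, validate the URL."""
    return (f'<div class="comment"><a href="{safe_href(site)}">'
            f'{html.escape(author, quote=True)}</a>: '
            f'{html.escape(body, quote=True)}</div>')


def demo() -> dict:
    """Constructed stored-comment sample: a script tag in the body, a quote that
    would break out of the author attribute, and a link with a non-http scheme."""
    author = 'Mallory" title="x'
    body = "<script>void 0</script> nice post"
    site = "javascript:void(0)"
    return {"unsafe": render_unsafe(author, body, site),
            "safe": render_safe(author, body, site)}


if __name__ == "__main__":
    for label, markup in demo().items():
        print(f"{label}: {markup}")
```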
Web services attacks: The vulnerabilities in web service protocols like SOAP, WSDL and UDDI can be exploited to do various kinds of attacks like SQL injection, XML poisoning, etc.

File uploads: This attack happens when a user is able to upload files of any extension even though the upload is intended only for a few extensions. Due to improper validation of the type of files being uploaded, an attacker will be able to upload malicious files.

DNS hijacking/poisoning: If an attacker is able to get access to the DNS files, he can modify the contents of the DNS records so that he can redirect the victim to a malicious web page even though they are requesting a legitimate web page. The DNS server does the domain-to-IP resolving; so when DNS poisoning is executed to modify the IP corresponding to a domain to some other IP, the attacker can trick the victim into browsing the pages he intended instead of the original ones. Poisoning can be done at the cache/DNS server, or an attacker can modify the IP on the fly by intercepting the traffic.

Hacking Methodology

Web footprinting: Gathering information related to the web application, like:
- Whois information
- Netcraft information
- Firewall information
- Ports and services running
- Server and OS discovery
- Hidden contents

Vulnerability scanners: Scanners like Nikto, Nessus, URLscan and Acunetix can be used to find vulnerabilities in a web application.

Identify entry points and attack surface: The next step is to identify the entry points, like login screens, URLs and cookies, and the output points, like display screens, reports, etc. We need to find vulnerabilities to bypass the access controls and break into the application. All the attacks discussed above should be tested for.

Countermeasures:
- Always validate the input fields.
- Limit the entry in the input fields.
- Check for arbitrary inputs like scripts, SQL injection code, etc.
- Use a web application firewall.
- Run database accounts with minimal access rights.
- Use input/output encoding.
- Use prepared statements and parameterised SQL queries to avoid SQL injection.
- Configure the firewall with strict rules.
- Use secure protocols.
- Encrypt cookies.
- Use random numbers for cookies and proper session expiry.

Firewall

A firewall is a wall of separation between the insecure internet and the secure internal network. A firewall monitors incoming and outgoing connections against various rules and patterns, and filters the connections passing through it.

Types of firewall:

Packet filtering firewall: This type of firewall inspects the TCP packet header at the TCP level and looks at the source address, destination address, source port, destination port and the protocol used. Depending on these details, it either allows or disallows the packets according to the rules written. For example, the rule "Any Any Any 80 Allow" tells the firewall to allow any packet coming from any source and going to any destination on port 80.

Circuit-level firewall: These operate at the session layer and filter at the connection level. Even before the packets are transmitted, they look for trusted connections and filter based on those trusted connections.

Application firewalls: Otherwise called proxy firewalls; they act at the application layer, filtering application-level packets. At the proxy, different rules can be given to filter the data. The web servers which are usually accessed by internet users are placed outside the internal network as proxy servers, and all connections can be directed to the proxy, thus protecting the internal network from outside connections. [Figure: application firewall]

Stateful firewall: This is the combination of all three firewalls. It operates at the network layer, filtering transport-level packets, session-level connections and application data as well. It has a state table which maintains the status of various connections, and a rules table.
It also keeps track of sequence numbers to protect against related attacks. [Figure: stateful firewall]

Evading firewalls:
- Using fragmented packets.
- Using firewalking to scan beyond the firewall for open ports.
- Using source routing, avoiding the route through the firewall.
- HTTP tunnelling and ICMP tunnelling.

IDS: Intrusion Detection System

IDSs are security systems which monitor traffic and alert or notify the administrator about traffic of concern. They do not prevent the attack; they just alert the administrator.

Types:

Network-based IDS: An IDS can be installed at the perimeter of the network, on the LAN, on subnets, on important servers, etc. The organisation can be centralised, where agents are installed at all major entry points and all these agents send their logs/reports to a centralised manager which takes the decision; or it can be in distributed mode, where each agent has some decision-making capability and the centralised manager takes the complex decisions.

Host-based IDS: It is a tedious process to install an IDS on all host machines.

Ways of detecting attacks:

Signature-based: A database containing all known patterns is matched against incoming packets. When a match is found, the IDS alerts the administrator.

Behaviour-based: The present traffic is compared to a baseline version, and the administrator is notified of any significant differences.

Protocol anomaly based: If there are any deviations in the way a protocol is functioning at the entry points, the administrators are notified.

Evasion techniques:

Insertion attacks: Sending more packets to the IDS and fewer packets to the internal network or target, thus causing the IDS to miss the pattern.

Evasion technique: Sending fewer packets to the IDS and more packets to the target; the IDS may accidentally drop a few packets, so it may not be able to recognise the attack pattern, but when the packets enter the target they become an attack.
Encryption: Encrypted text cannot be recognised by the IDS.

Encoding: Using various encoding techniques like ASCII encoding, hexadecimal encoding, etc.

Using obfuscated code.

Taking advantage of the reassembly timeouts of the IDS: Sending a large number of fragmented packets to the IDS may cause a DoS-like condition on the IDS, thus bypassing it.

Honeypot: It's a trap to research and understand the attacker's behaviour on the network. The honeypot can either be designed as a high-interaction one, allowing the attacker to completely compromise all services, thus studying the attack patterns and methods, or as a low-interaction one, where only limited services are opened for attackers to compromise. The basic need is to study the attack pattern and update the signature database with new signatures and patterns.

Alrighty, that is all the textbook answers, plus some of my previous writings. Now let's get down to the real business and I will explain how this really works.

First thing after you boot Kali or your preferred OS, you have to update and upgrade Kali's repository. Every day there are updates and new code added to Kali, and you want the fresh, newest updated Kali to take care of business with; don't get caught slipping with some tools not working correctly because you failed to update.

When you're on Kali's home page, right-click anywhere in the center of the screen and select "Open Terminal Here". Type.....

sudo su

then hit enter, then enter your password, and your command line interface (CLI) should be red. Type the following sequence of commands line by line. You can put them together, but I have had some issues trying to string them together.

sudo apt-get update    // if you didn't sudo su and use the root command line
apt-get update         // for everyone that is root
apt-get upgrade
apt-get autoremove
apt clean

If some packages refuse to install, you have to read right above the line when Kali finishes upgrading; it will say something like "120 apps upgraded, 100 installed, 40 not installed". You will have to use:

apt full-upgrade -y    // -y tells Kali to go ahead and install, don't ask me if I want to update
apt -f install -y      // is another version to try
apt-get dist-upgrade   // if some apps fail to install