Lab with Kali, CentOS, Windows, Security Onion

Discussion in 'Kali Linux' started by JIB, May 10, 2019.

  1. JIB

    JIB New Member

    Joined:
    May 10, 2019
    Messages:
    4
    Likes Received:
    0
    Hello,

    I am working with a penetration testing lab environment that uses Kali Linux 2018 VM (as an attacker), CentOS 7 (as a target), Windows Server 2016 (as a target), and Security Onion 2019 (as the Intrusion Detection system). All VMs are in VirtualBox and are on the same local network (I've attached a screenshot of the network to this message).

    I am looking to test out some footprinting commands like "whois", "nslookup", and "traceroute". For example, I am using Kali to issue a command like "nslookup www.google.com" and "traceroute www.google.com". My goal is to receive alerts in Security Onion tools (like Sguil, Squert, Kibana) to detect those footprinting commands from Kali. I am not sure why I am unable to do that. I believe it is because Security Onion cannot see the commands being issued because they are gathering information from websites.




    In VirtualBox, I am using a NAT adapter for both Kali and Security Onion. I am able to successfully perform the attacks in Kali but cannot detect them in Security Onion (attacks like nslookup and traceroute, just to name a couple of them).

    I would appreciate any suggestions/help with this problem. I am stuck as to how to solve it.

    Thank you in advance!

    Jacob
     


  2. atanere

    atanere Moderator
    Gold Supporter

    Joined:
    Apr 6, 2017
    Messages:
    1,835
    Likes Received:
    1,938
    Hi @JIB, and welcome. Kali is way over my head so I won't be any help... sorry. I deleted your duplicate thread, however, as it is bad practice to try to carry on two conversations on the same topic. This forum is more appropriate to your problem. Good luck!

    Cheers
     
  3. CptCharis

    CptCharis Well-Known Member

    Joined:
    Feb 27, 2018
    Messages:
    342
    Likes Received:
    323
    Dear @JIB, I am very far from hacking, but as far as I know a NAT virtual machine does not have its own IP address on the external network. A virtual machine gets an address on this private network from the virtual DHCP server. The virtual machine and the host system share a single network identity that is not visible on the external network, whereas bridged networking connects a virtual machine to a network by using the network adapter on the host system.

    So from the above I understand that using a NAT connection does not make your virtual machine accessible from the network; it would be better if you used a bridged connection.

    I don't know, I hope this to be helpful.
     
  4. Rob

    Rob Administrator
    Staff Member

    Joined:
    Oct 27, 2011
    Messages:
    444
    Likes Received:
    943
    I'm trying to wrap my head around how you have things set up..

    You have Kali set up as the attacker..
    CentOS and Windows as targets..
    Security Onion as a 4th system on the network as a detection system..

    I've never used Security Onion before..

    So - where's Kibana? Do you have an ELK stack set up somewhere as well? Are logs from CentOS/Windows getting fed into it? Does Security Onion have some kind of monitors set up in CentOS/Windows?

    A whois command from Kali won't query any of the machines on your network.. it'll head out to the internet. Same with 'nslookup' unless one of your machines (CentOS?) is the DNS server for the Kali machine.

    Edit: Looking at Security Onion now.. I see it comes set up with an ELK stack, etc.. looks pretty interesting. I'll set it up this weekend :)
     
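Added example (not part of the thread, and not Security Onion's own code). Rob's point is the key one: the nslookup and whois traffic leaves for the internet, but the DNS request still crosses the lab segment on its way out. With a VirtualBox NAT adapter each VM sits on its own private network behind the host, so the sensor's sniffing interface never sees it; once Kali and the Security Onion sniffing adapter share one internal or host-only network (with the sniffing adapter's promiscuous mode set to "Allow All"), Zeek (formerly Bro) on the sensor records every query in dns.log. The script below parses constructed dns.log lines in Zeek's TSV format and flags hosts resolving names outside the lab. The attacker address 172.16.2.10, the resolver 172.16.2.1, the internal zone lab.local and the reduced column set are assumptions; only the 172.16.2.0/24 network and the 172.16.2.20 target come from the thread.

```python
"""Detect DNS footprinting in a Zeek dns.log. Added illustration, not from
the thread or from Security Onion. Assumed: attacker 172.16.2.10, resolver
172.16.2.1, internal zone lab.local, subset of dns.log columns."""
import ipaddress
from collections import defaultdict

LAB_NET = ipaddress.ip_network("172.16.2.0/24")   # from the thread
LAB_ZONE = "lab.local"                            # assumed internal DNS suffix

# Constructed sample in Zeek's TSV log format; header lines start with '#'.
SAMPLE_DNS_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tdns
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\trcode_name\tanswers
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tstring\tstring\tvector[string]
1557500000.101\tCAbcd1\t172.16.2.10\t54321\t172.16.2.1\t53\tudp\twww.google.com\tA\tNOERROR\t172.217.3.100
1557500000.204\tCAbcd2\t172.16.2.10\t54322\t172.16.2.1\t53\tudp\twww.google.com\tAAAA\tNOERROR\t2607:f8b0:4005:80b::2004
1557500000.330\tCAbcd3\t172.16.2.10\t54323\t172.16.2.1\t53\tudp\t100.3.217.172.in-addr.arpa\tPTR\tNOERROR\tlax17s01-in-f4.1e100.net
1557500001.012\tCAbcd4\t172.16.2.20\t61000\t172.16.2.1\t53\tudp\tdc01.lab.local\tA\tNOERROR\t172.16.2.20
1557500001.500\tCAbcd5\t172.16.2.20\t61001\t172.16.2.1\t53\tudp\t20.2.16.172.in-addr.arpa\tPTR\tNOERROR\tdc01.lab.local
#close\t2019-05-10-12-00-00
"""


def parse_zeek_log(text):
    """Yield one dict per record, naming columns from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data row before #fields header")
        yield dict(zip(fields, line.split("\t")))


def reverse_name_to_ip(name):
    """Turn a PTR name (in-addr.arpa / ip6.arpa) back into an address, or None."""
    labels = name.lower().rstrip(".").split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2][::-1]
        if len(octets) == 4:
            try:
                return ipaddress.IPv4Address(".".join(octets))
            except ValueError:
                return None
    elif labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2][::-1]
        if len(nibbles) == 32 and all(len(n) == 1 for n in nibbles):
            try:
                return ipaddress.IPv6Address(int("".join(nibbles), 16))
            except ValueError:
                return None
    return None


def is_external_name(query):
    """True when a lookup targets something outside the lab: a forward name
    not under LAB_ZONE, or a reverse lookup of an address outside LAB_NET."""
    q = query.lower().rstrip(".")
    if q.endswith(".in-addr.arpa") or q.endswith(".ip6.arpa"):
        addr = reverse_name_to_ip(q)
        return addr is None or addr not in LAB_NET
    return not (q == LAB_ZONE or q.endswith("." + LAB_ZONE))


def footprinting_summary(log_text):
    """Map each source host to the external names it resolved; PTR lookups of
    outside addresses (what traceroute and 'nslookup <ip>' produce) are counted
    separately. Hosts that only resolved lab names do not appear."""
    per_host = defaultdict(lambda: {"external_queries": [], "reverse_lookups": 0})
    for rec in parse_zeek_log(log_text):
        query = rec.get("query", "-")
        if query == "-" or not is_external_name(query):
            continue
        entry = per_host[rec["id.orig_h"]]
        entry["external_queries"].append((rec["qtype_name"], query))
        if rec["qtype_name"] == "PTR":
            entry["reverse_lookups"] += 1
    return dict(per_host)


if __name__ == "__main__":
    for host, info in footprinting_summary(SAMPLE_DNS_LOG).items():
        print(host, info)
```

Run against a real sensor, the same function works on the output of `cat /nsm/bro/logs/current/dns.log` only if that path exists on your Security Onion build; the sample here is embedded so the script runs offline. The in-lab DNS traffic from 172.16.2.20 is deliberately left out of the result, so the report shows only the footprinting host.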
  5. JIB

    JIB New Member

    Joined:
    May 10, 2019
    Messages:
    4
    Likes Received:
    0
    Hi CptCharis, Thank you for this suggestion. I will look into it. Will using bridged networking in VirtualBox work if I am using a wireless internet connection on my host computer?

    Thank you again for your time.
     
  6. JIB

    JIB New Member

    Joined:
    May 10, 2019
    Messages:
    4
    Likes Received:
    0
    Hi Rob, Thank you. I ran whois and nslookup in Kali and those attacks work. The problem I'm having is detecting them in Security Onion. I installed ELK on CentOS 7 and for another lab (ARP poisoning), I passed the logs from CentOS 7 to Security Onion. I am unsure how I would use an IDS (i.e. Security Onion) to detect a footprinting attack against a website (like nslookup www.google.com for example).

    Thank you again for your time.
     
  7. JIB

    JIB New Member

    Joined:
    May 10, 2019
    Messages:
    4
    Likes Received:
    0
    Hello,

    I am having trouble performing a man-in-the-middle attack with Kali (as the attacker) and Windows Server 2016 (as the target). Both are VMs in VirtualBox and they are on the same local network (172.16.2.0/24). The instructions of the lab I am following specify opening three separate terminal windows in Kali: the first window: driftnet -i eth0; the second window: webspy -i eth0 172.16.2.20; and the third window: urlsnarf -i eth0. While those three windows are running, I open an internet browser (like Internet Explorer) on the Windows Server 2016 VM and browse a couple of websites. I am supposed to see output in the three Kali terminal windows, but am not seeing anything. When I have tried these steps, I am able to connect to the internet on the Windows VM and open a site like www.google.com.

    Does anyone have any suggestions of something I can try to fix the lab? My goal is to successfully complete the attack so I can work on detecting the Man-in-the-middle attack with an IDS.

    Thank you in advance for any help. I would greatly appreciate it.

    Jacob
     
  8. arochester

    arochester Moderator
    Staff Member Gold Supporter

    Joined:
    Apr 25, 2017
    Messages:
    549
    Likes Received:
    575
  9. Drizzit89

    Drizzit89 New Member

    Joined:
    Friday
    Messages:
    1
    Likes Received:
    0
    Firstly, are you routing all the traffic within VirtualBox through your Security Onion? From what I have read, Security Onion has no way of detecting traffic from Kali to the internet because Kali is connecting directly to it through the VirtualBox NIC to the physical NIC to the internet. You could also add a virtual firewall to pass all the virtual network traffic through before it leaves the virtual environment.

    Secondly, I would re-attempt your ARP poisoning and make sure your Kali takes the place of your router in your virtual environment. The whole point of the poisoning is to make all the devices believe Kali is the network device, then feeding the actual network device the packets you want it to see and how you want it to see them, and then returning the packets you want back to the original requester in the format you want them in.
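Added example (not from the thread and not any IDS's own code). Drizzit89's advice is that Kali has to take the router's place first; driftnet, webspy and urlsnarf only sniff, so without the poisoning there is nothing in the path to see. On the wire that poisoning looks like unsolicited ARP replies that remap the gateway's IP address to Kali's MAC, which is also the signal an IDS can alert on once the sensor sees the segment. The script below parses a constructed sample of `tcpdump -eni eth0 arp` output and raises alerts when an IP changes MAC, when one MAC claims several IPs, or when the Ethernet source of a reply differs from the MAC it advertises. The MAC addresses and the gateway 172.16.2.1 are assumptions; only the 172.16.2.20 Windows target and the 172.16.2.0/24 network come from the thread.

```python
"""Detect ARP poisoning from ARP replies. Added illustration, not from the
thread or from an IDS. MACs and the gateway 172.16.2.1 are assumed."""
import re
from collections import defaultdict

# Constructed sample of `tcpdump -eni eth0 arp` output: a legitimate reply
# from the gateway, then an attacker (..:ee:ee:ee) claiming both the gateway
# and the Windows target 172.16.2.20, then a repeat of the spoofed reply.
SAMPLE_ARP = """\
12:00:00.000100 08:00:27:0a:0a:0a > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 172.16.2.1 tell 172.16.2.20, length 28
12:00:00.000400 08:00:27:01:01:01 > 08:00:27:0a:0a:0a, ethertype ARP (0x0806), length 42: Reply 172.16.2.1 is-at 08:00:27:01:01:01, length 28
12:00:05.100000 08:00:27:ee:ee:ee > 08:00:27:0a:0a:0a, ethertype ARP (0x0806), length 42: Reply 172.16.2.1 is-at 08:00:27:ee:ee:ee, length 28
12:00:05.100300 08:00:27:ee:ee:ee > 08:00:27:01:01:01, ethertype ARP (0x0806), length 42: Reply 172.16.2.20 is-at 08:00:27:ee:ee:ee, length 28
12:00:07.100000 08:00:27:ee:ee:ee > 08:00:27:0a:0a:0a, ethertype ARP (0x0806), length 42: Reply 172.16.2.1 is-at 08:00:27:ee:ee:ee, length 28
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
ARP_REPLY = re.compile(
    rf"^(?P<ts>\S+) (?P<eth_src>{MAC}) > (?P<eth_dst>{MAC}), "
    rf"ethertype ARP \(0x0806\), length \d+: Reply (?P<ip>\d+(?:\.\d+){{3}}) is-at (?P<mac>{MAC})"
)


def parse_arp_replies(text):
    """Yield a dict per ARP reply line; requests and other lines are skipped."""
    for line in text.splitlines():
        m = ARP_REPLY.match(line)
        if m:
            yield m.groupdict()


def detect_arp_spoofing(text, baseline=None):
    """Return (alerts, ip_to_mac). `baseline` is an optional trusted ip->mac map
    taken from a clean capture; without it the first reply seen is trusted,
    so the detector only catches changes after it started watching."""
    table = dict(baseline or {})
    claimed = defaultdict(set)      # mac -> set of IPs that MAC has advertised
    alerts = []
    for r in parse_arp_replies(text):
        ip, mac = r["ip"], r["mac"]
        # A normal stack sends replies from the MAC it advertises.
        if r["eth_src"] != mac:
            alerts.append({"ts": r["ts"], "kind": "ETH_SRC_MISMATCH",
                           "ip": ip, "eth_src": r["eth_src"], "mac": mac})
        prev = table.get(ip)
        if prev is None:
            table[ip] = mac
        elif prev != mac:
            alerts.append({"ts": r["ts"], "kind": "IP_MAC_CHANGE",
                           "ip": ip, "old": prev, "new": mac})
            table[ip] = mac         # accept the new claim so repeats stay quiet
        if ip not in claimed[mac]:
            claimed[mac].add(ip)
            if len(claimed[mac]) > 1:   # one NIC answering for several hosts
                alerts.append({"ts": r["ts"], "kind": "MAC_CLAIMS_MULTIPLE_IPS",
                               "mac": mac, "ips": sorted(claimed[mac])})
    return alerts, table


if __name__ == "__main__":
    for alert in detect_arp_spoofing(SAMPLE_ARP)[0]:
        print(alert)
```

With no baseline the detector still catches the gateway flip at 12:00:05 because it saw the real gateway answer first; supply a baseline captured before the lab starts if the sensor may come up after the attacker, otherwise the spoofed mapping would be the one it trusts.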
     
