Tuesday, March 11, 2014

To Be (In)Secure on Kali Linux?

Kali Linux is developed based on Debian 7 (Wheezy). Kali is designed for Penetration Testing and it is running in root privilege. However, almost all the Kali Linux users will also use it as a primary operating system.

When it is using as a Penetration Testing toolkit, the root privilege is in use. When it is using as a primary operating system, the non-root privilege is a good practice. Therefore, a sudoer will be a good choice. However, be keep in mind that sudoer will not guarantee your sudoer account will not be compromised if it equipped with a weak password and easy guess user name.

Penetration Testers or Information Security Researchers will use their browser most of the time as same as other general users. Kali Linux equipped with Iceweasel, which is based on Firefox, and it can use Firefox add-ons. In the BackTrack's old days, we will use "NoScript" Firefox add-on. However, almost all the web sites nowadays are using javascript. It is impossible to disable the javascript or the web broswing experience will be difference. Therefore, "NoScript" is not the solution. However, "NoScript" is blocking XSS attacks by default even the "NoScript" is set to globally allowed.

Kali Linux and tools developers cannot guarantee that their products are free from vulnerabilities. How about if we are being intruded when we are doing pentesting? So embarrassing, right?

If we enable firewall when we are doing pentesting, you will shooting on our toes. If we do not enable the firewall when we are using Kali Linux as primary operating system, we will worrying if anyone can attack our box or not.

Now, we know that what we are facing at the moment. Surfing internet with "NoScript" is not a good solution and we maybe facing vulnerabilites. I think that the best solution for Debian based Linux system is Apparmor.

"AppArmor is an effective and easy-to-use Linux application security system. AppArmor proactively protects the operating system and applications from external or internal threats, even zero-day attacks, by enforcing good behavior and preventing even unknown application flaws from being exploited. AppArmor security policies completely define what system resources individual applications can access, and with what privileges. A number of default policies are included with AppArmor, and using a combination of advanced static analysis and learning-based tools, AppArmor policies for even very complex applications can be deployed successfully in a matter of hours." -- Quoted from Apparmor WiKi.

It is very easy to enable Apparmor on Kali Linux. Just passing some kernel parameters when boot and install related packages.

We can enable (or enforce) all the Apparmor profiles (which includes log systems and some services) as well as we can create our own profiles for Iceweasel and any internet connectivity applications, such as HexChat and VirtualBox. If we have Iceweasel Apparmor profile in action, there is no javascript/java malware can successfully attack the browser. For details, We can refer to the documention of Apparmor at here.

Meanwhile, Kali Linux does not equipped with firewall or firewall is not enabled. There is almost no running service by default setting unless you enable it. Therefore, there is no opening port leaving at the Kali Linux box. In general speaking, firewall is not required in this situation.

In conclusion, if we applying Apparmor to Kali Linux, we will not shooting on our toes when doing pentesting. Meanwhile, Apparmor will also give us some protestion on using Kali Linux as Penetration Testing toolkit and as primary operating system. So, we have the balance.

In case you need to disable Javascript, I would recommend to use Firefox Add-ons - QuickJS. One click to disable and enable Javascript on the toolbar.

Reference

HOWTO : Kali Linux 1.0.6 for All Purpose
HOWTO : Perfect Dual Boot Kali Linux 1.0.6 on MacBook Air (Mid 2013) with rEFInd 0.7.7

That's all! See you.