Adjusting the source IP stack and tool identification settings

Before a penetration tester (or an attacker) begins testing, they must ensure that all unnecessary services on Kali are disabled or turned off.

For example, if the local DHCP daemon is enabled but is not required, it is possible for the DHCP to interact with the target system, which could be logged and send alarms to the target's administrators.

Some commercial and open source tools (for example, the Metasploit framework) tag their packets with an identifying sequence. Although this can be useful in the post-test analysis of a system's event logs (where events initiated by a particular testing tool can be directly compared to a system's event logs to determine how the network detected and responded to the attack), it can also trigger certain intrusion detection systems. Test your tools against a lab system to determine the packets that are tagged, and either change the tag, or use the tool with caution.

The easiest way to identify tagging is to apply the tool against a newly-created virtual image as the target, and review system logs for the tool's name. In addition, use Wireshark to capture traffic between the attacker's and target's virtual machines, and then search the packet capture (pcap) files for any keywords that can be attributed to the testing tool (the name of the tool, the vendor, the license number, and so on).

The useragent in the Metasploit framework can be changed by modifying the http_form_field option. From the msfconsole prompt, select the option to use auxiliary/fuzzers/http/http_form_field, and then set a new useragent, as shown in the following screenshot:

In this example, useragent was set as Google's indexing spider, Googlebot. This is a common automated application that visits and indexes websites, and rarely attracts attention from website owners.