
Cyber Security Auditing Software

Improve your Firewall Auditing

As a penetration tester you have to be an expert in multiple technologies. Typically you are auditing systems installed and maintained by experienced people, often protective of their own methods and technologies. On any particular assessment testers may have to perform an analysis of Windows systems, UNIX systems, web applications, databases, wireless networking and a variety of network protocols and firewall devices. Any security issues identified within those technologies will then have to be explained in a way that both management and system maintainers can understand.

The network scanning phase of a penetration assessment will quickly identify a number of security weaknesses and services running on the scanned systems. This enables a tester to quickly focus on potentially vulnerable systems and services using a variety of tools that are designed to probe and examine them in more detail, e.g. web service query tools. However, this is only part of the picture, and a more thorough analysis of most systems will involve having administrative access in order to examine in detail how they have been configured. In the case of firewalls, switches, routers and other infrastructure devices this could mean manually reviewing the configuration files saved from a wide variety of devices. Although various tools exist that can examine some elements of a configuration, the assessment would typically end up being a largely manual process. Nipper Studio is a tool that enables penetration testers, and non-security professionals, to quickly perform a detailed analysis of network infrastructure devices. Nipper Studio does this by examining the actual configuration of the device, enabling a much more comprehensive and precise audit than a scanner could ever achieve.
www.titania.com

With Nipper Studio penetration testers can be experts in every device that the software supports, giving them the ability to identify device, version and configuration specific issues without having to manually reference multiple sources of information. With support for around 100 firewalls, routers, switches and other infrastructure devices, you can speed up the audit process without compromising the detail.

You can customize the audit policy for your customer's specific requirements (e.g. password policy), audit the device against that policy and then create the report detailing the issues identified. The reports can include device-specific mitigation actions and be customized with your own company's styling. Each report can then be saved in a variety of formats for management of the issues.

Why not see for yourself? Evaluate for free at titania.com

Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade.

He has been accredited by CESG for his security and team-leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve. Today Titania's products are used in over 40 countries by government and military agencies, financial institutions, telecommunications companies, national infrastructure organizations and auditing companies, to help them secure critical systems.
www.titania.com

KALI LINUX
THE ULTIMATE GUIDE
Copyright 2014 Hakin9 Media Sp. z o.o. SK

Table of Contents
What is Kali? 8
Comparison Of Kali Linux And Previous BackTrack Versions 19
Top 5 Kali Linux Tools You Absolutely Must Use 34
Kali Linux 41
The Ultimate Installation Guide for Kali Linux 55
The Password Attacks 70
Pentesting Wireless with Kali Linux 81
Kali Linux on a Raspberry Pi 85
In Depth Review of the Kali Linux: A Hacker's Bliss 88
Kali Linux The BackTrack Successor 95
Kali Linux WiFi Testing 105
Web Applications with Kali Linux 118
Penetration Testing with Linux 134
Bypassing new generation Firewalls with Meterpreter and SSH Tunnels 142
The Top 10 Kali Linux Security Tools 153
Interview with Demóstenes Zegarra Rodríguez 176
Case Study: Analysis of Security and Penetration Tests for Wireless Networks with Kali Linux 179
Mapping Kali Usage to NIST800-115 182
Interview with Jeff Weekes 195
How to Install Kali Linux 199
How to Login as a User in Kali linux 215
How to Add or Create a New User in Kali Linux 216
How to Change Host Name in Kali Linux 218
How to Create an Instant Chat Session with ncat Between Kali and BackTrack 222
How to Remove Users in Kali Linux 224
How to Delete Users in Kali Linux 225
How to Extract a RAR File 226
How to Use Dnmap in Kali Linux 228
How to Find Files in Kali Linux 236
How to Use Detect_sniffer6 238
How to Use DNSenum in Kali Linux 241
How to Use Dnsdict6 and Get the IPv6/IPv4 Address of a Domain 245
How to Use Dnsmap in Kali Linux 248
How to Use DNSRecon in Kali Linux 253
How to Use DNSRevenum6 258
How to Use Dnstracer 260

How to use Dnswalk 265
How to Use Hping3 270
How to Use Fcrackzip in Kali Linux 272
How to Use Fierce 276
How to Use Fping 279
How to Use Arping in Kali Linux 282
How to Use Hash-identifier 284
How to Use Jigsaw 287
How to Use Joomscan 291
How to Use Nbtscan 294
How to Use Ncat 297
How to Use Dmitry in Kali Linux 302
How to Create Bootable Kali Linux USB 310
How to Gain Access to Windows XP/Linux by ncat 321
How to Install DVWA on Kali Linux 325
How to Install Flash Player in Kali Linux 332
How to Use Arachni_web in Kali Linux 334


Dear PenTest Readers,

We are happy to bring to you the Ultimate Kali Compendium. This issue is a collection of our previous Kali Linux issues: Kali Linux, Kali Linux 2, and Kali Tutorial. Now, all the knowledge from these three magazines we have decided to put into one.

You will encounter simple articles like an overview of Kali, installation guide, and its comparison to previous BackTrack versions, as well as advanced ones, such as Wi-Fi testing or bypassing new generation firewalls with Meterpreter and SSH tunnels.

Also, you will be able to read a few fascinating interviews with Dan Dieterle, Demóstenes Zegarra Rodríguez, and Jeff Weekes.

You will also get to know about almost every tool available in the OS, their advantages and disadvantages, as well as how to use them and for what.

We sincerely hope that this compendium will achieve its goal, which is: if you have a problem in Kali, you can find the solution in one place - the Ultimate Kali Compendium. Enjoy the issue and improve your pentesting knowledge.

The PenTest Team

Editor in Chief: Ewa Duranc
ewa.duranc@pentestmag.com
Managing Editor: Milena Bobrowska
milena.bobrowska@pentestmag.com
Editorial Advisory Board: Jeff Weaver, Rebecca Wynn
Betatesters & Proofreaders: Rodrigo Comegno, David Jardin, Varun Nair, Greg Rossel, John Webb, Laszlo Acs, Abhiraj, Gilles Lami, José Luis Herrera, Ivan Gutierrez Agramont, Phil Patrick, Dallas Moore, Marouan Bellioum, Alexander Groisman, Mbella Ekoume, Arnoud Tijssen, Abhishek Koserwal
Special Thanks to the Beta testers and Proofreaders who helped us with this issue. Without their assistance there would not be a PenTest magazine.
Senior Consultant/Publisher: Paweł Marciniak
CEO: Ewa Dudzic
ewa.dudzic@software.com.pl


Production Director: Andrzej Kuca
andrzej.kuca@software.com.pl
Art Director: Ireneusz Pogroszewski
ireneusz.pogroszewski@software.com.pl
DTP: Ireneusz Pogroszewski
Publisher: Hakin9 Media SK
02-676 Warsaw, Poland
Postępu 17D
Phone: 1 917 338 3631
www.pentestmag.com

Whilst every effort has been made to ensure the high quality of the magazine, the editors make no warranty, express or implied, concerning the results of content usage.
All trade marks presented in the magazine were used only for informative purposes.
All rights to trade marks presented in the magazine are reserved by the companies which own them.

DISCLAIMER!

The techniques described in our articles may only be used in private, local networks. The editors hold no responsibility for misuse of the presented techniques or consequent data loss.

You can talk the talk. Can you walk the walk?

[ IT'S IN YOUR DNA ]


LEARN:
Advancing Computer Science
Artificial Life Programming
Digital Media
Digital Video
Enterprise Software Development
Game Art and Animation
Game Design
Game Programming
Human-Computer Interaction
Network Engineering
Network Security
Open Source Technologies
Robotics and Embedded Systems
Serious Game and Simulation
Strategic Technology Development
Technology Forensics
Technology Product Design
Technology Studies
Virtual Modeling and Design
Web and Social Media Technologies

www.uat.edu > 877.UAT.GEEK


Please see www.uat.edu/fastfacts for the latest information about
degree program performance, placement and costs.


What is Kali?
by Albert López (newlog)

It's a fact that in recent years the BackTrack distribution has been the one most used by security professionals and enthusiasts. Its path started in 2006 and for seven years it was improved while earning its place in the security community. Therefore, nowadays it's hard to find someone interested in computer security who has not heard of BackTrack.

In March 2013 the Offensive Security people went one step further and published the definitive BackTrack evolution. Its name: Kali.

Coming from a team called Offensive Security, even if they deny it, what an appropriate name Kali is! The Hindu goddess of time, change and destruction, or perhaps the Filipino martial art. Pretty offensive, isn't it? Leaving aside its name, we can assure you that Kali is a powerful tool that any security professional can use for free.

The Good and The Bad

Trying to list the possible drawbacks of Kali is a hard task, so we will start by enumerating several of its advantages. Talking about Kali's advantages is talking about the changes between BackTrack and Kali. We will assume that the reader already knows what BackTrack is and what its capabilities are.

Briefly, for those who don't know anything about it, BackTrack is a Linux distribution, based on Ubuntu, with plenty of security tools cleverly classified and ready to use.

Then, why did BackTrack have to evolve into Kali? These are some of the changes in Kali and, therefore, some of its advantages.

Kali is based on Debian

This implies many advantages. The first is that the repositories are synchronized with the Debian repositories, so you can easily obtain security patches and package updates. Keeping your pentesting system updated is a key requirement.

Another advantage is that every tool in Kali is packaged in compliance with the Debian packaging policy. This may seem trivial, but it assures more robustness and clarity in the overall system structure and tools, and also gives you an easy way to obtain a tool's source code (apt-get source) to review or modify it.

Architecture compatibility

A key feature of Kali is its improved ARM support. Since Kali appeared, many impressive builds have been created. What do you think about running Kali on a Raspberry Pi or on a Samsung Galaxy Note? Pretty amazing, don't you think?

Advanced wireless support

One of the focuses of the Kali developers has been to support a broad range of wireless devices, whether internal hardware or USB dongles. This effort goes together with a custom patched kernel that includes the latest patches for packet injection through wireless interfaces, a basic requirement when a security professional has to perform a wireless assessment.


Full customization

Kali is very flexible when it comes to the visual interface or system customization. As for the visual interface, the user can now choose between several desktops such as GNOME, KDE or Xfce, among others. Regarding system customization, you are now able to easily create fully customized ISO images thanks to the Debian live-build scripts.

Business aware

All the Kali customizations and the Debian features mentioned earlier give companies the capability to deploy Kali on multiple systems and to perform network installs of Kali from local or remote repositories.

Easy upgrades between future versions

This is a key feature for every system administrator who has to maintain Kali systems or, actually, for anyone using Kali. With BackTrack, each new version required a complete reinstall of the system. Now, with Kali, thanks to the move to Debian, your system can be upgraded in place when new versions come out.

Great documentation

Another point worth noting is that Kali comes with a lot of online documentation to guide you in all your tasks.

As you can see, Kali is not only a new version of BackTrack but a whole new infrastructure, and with this effort a lot of new and powerful features have come.

Regarding the disadvantages, it's embarrassing to say that the writer has not found any relevant drawback of using Kali for security assessment purposes. As for the system architecture, the migration to Debian has brought a lot of powerful features. This, combined with all the provided tools and the Kali developers' commitment to maintaining them and providing the latest updates as soon as possible, makes Kali the best choice for anyone looking for a security distribution.

Included Tools

Kali puts more than 200 tools at your disposal. If these tools were not well organized and classified, the usability of the penetration testing framework would not be good. But, as with BackTrack, all the tools are consistently classified by category. We will now explain what each category is and which tools are most representative.


Figure 1. Classification of tools


The first category is Information Gathering. It groups the tools focused on obtaining information about the target. There is a huge number of tools in this category, subdivided by the kind of reconnaissance they perform: OS Fingerprinting, Network Scanners, SSL Analysis, VoIP Analysis and many more.

From all these tools we can highlight the old, well-known Nmap, a really powerful network scanner. Besides telling you which ports are open, filtered or closed, Nmap identifies the services behind them and performs operating system detection. Furthermore, recent versions let you write scripts for the Nmap Scripting Engine (NSE); as of today the official Nmap site hosts more than 400 scripts that make Nmap more powerful than ever.

Another tool worth mentioning is theHarvester. It queries many sources such as Google, Google Profiles, Bing, LinkedIn or Shodan to find information about, for example, a company: e-mail addresses, host names and much more.

The next category is Vulnerability Analysis, focused on discovering vulnerabilities, so here you have tools such as vulnerability scanners and fuzzers. In this category you find sqlmap, a great tool that helps you find and exploit SQL injection vulnerabilities. You specify the web application and the parameters you want to check and it sends a huge battery of tests, sparing you the repetitive task of trying every payload for a great number of database engines. Another important tool is OpenVAS, a complete vulnerability-discovery framework born as a fork of Nessus when Nessus became closed source.
In the Web Applications category you find tools that identify web applications and their vulnerabilities. To this end you have at your disposal tools such as Burp Suite. One of the main, basic features of Burp is its capacity to intercept all the requests sent to a web application so you can modify and resend them. But Burp is not only an intercepting proxy; it is one of the best tools for performing web application analyses, automated or manual. For example, with Burp you can load many payloads from a file and substitute them into the parameters sent to the web application. This lets you brute-force authentication forms or send customized payloads to find SQL injection or cross-site scripting vectors. Its UI is intuitive enough that any user will quickly become familiar with all the features. You also have tools such as XSSer that, in a similar way to sqlmap, launch a bunch of payloads to find cross-site scripting vulnerabilities.
Then you have the Password Attacks category, which is quite self-explanatory. You find tools that crack password hashes offline or launch attacks against online services. Notable tools are John the Ripper, oclHashcat-plus, Medusa and THC-Hydra. The first is an old but well-maintained password cracker. One of the main features of the second is that it uses the power of GPUs to attack hashes, and with Medusa and THC-Hydra you can launch brute-force attacks against network services. THC-Hydra made a clear statement of intent (http://www.thc.org/thchydra/network_password_cracker_comparison.html) comparing its features against other tools such as Medusa, and in that comparison, published by THC itself, THC-Hydra is clearly the winner.
The next category is Wireless Attacks. In this section you find tools to analyze and attack wireless protocols such as IEEE 802.11, RFID/NFC or Bluetooth. The quintessential tool for analyzing IEEE 802.11 (Wi-Fi) is aircrack-ng, a complete suite that lets you perform many attacks against the different authentication and encryption mechanisms of Wi-Fi networks.
In the Exploitation Tools category you find tools designed to attack different kinds of systems, or to attack systems in different ways. One of the best tools we have for exploiting the vulnerabilities present in a system is Metasploit, a complete framework with a huge number of exploits ready to be launched against the target. It is more or less a point-and-click tool that gives you everything pre-built, so you don't have to worry about the technicalities of the vulnerability being exploited. Another interesting tool is SET, the Social-Engineer Toolkit, a framework that helps you take control of systems using social engineering. For example, with SET you can easily build phishing websites to deceive users into installing malicious software, such as PDF files carrying malware, which SET also generates for you.
The Sniffing/Spoofing category holds the tools used to intercept network, web or VoIP traffic. One of the best sniffers out there is Wireshark. With Wireshark you can capture network traffic, and the tool will, where possible, identify the protocol in use and highlight the important data. You can also apply advanced filters to the captured data, either after the capture or live while capturing. Another interesting tool is dsniff, a complete suite of small applications that let you intercept and extract interesting data such as passwords and e-mails, or intercept SSL traffic by man-in-the-middle where weak configurations (or users who accept a bogus certificate) allow it.
The following category is Maintaining Access, which unifies the tools that help you keep access to the target and retrieve the critical information stored on it. For example, there are many operating system and web backdoors, as well as tools to tunnel outgoing traffic inside protocols that are not normally filtered. Here you also find the old, well-known netcat (and Nmap's reimplementation, ncat). Netcat is a really flexible tool for client-server communication, a basic building block that, depending on your imagination, can become something you use every day for many different things, such as quickly retrieving HTTP banners, transferring files from one machine to another and much more.



Figure 2. Netcat tool


The Reverse Engineering section unifies the tools with which you can debug or disassemble binaries. To debug binaries you have OllyDbg or edb-debugger. The first is a quite powerful debugger but has to be run through Wine, since it is only available for Microsoft Windows. For that reason you also have edb-debugger, which, despite being quite new, is already useful. Then you have a complete reverse engineering framework, radare2 (r2), the Swiss army knife of every reverse engineer who works on a Unix workstation. radare2 is not an easy tool to use; it has a steep learning curve, but once you get it, it becomes a really powerful tool. The framework is formed by many small tools such as r2, rabin2, rasm2 or rax2, each of which lets you do many different things. For example, with radare2 you can inspect shellcode, reverse engineer binaries for different platforms (PE, ELF, Mach-O, DEX or Java classes), analyze disk images for forensic work, find gadgets to build a ROP (Return Oriented Programming) payload, debug binaries, diff binaries (bindiffing) or patch them. All this can be extended with plugins that you can write in Python, Go, Perl, JavaScript, etc.
In the Stress Testing section you find tools to check how well your network, web application, WLAN or VoIP service handles huge amounts of traffic; with them you can simulate denial of service attacks.

With the tools in the Hardware Hacking category you can program sketches for Arduino devices, and you also find tools to develop for Android with the Android SDK and to analyze Android applications, such as APKTool and dex2jar.
In Kali, the Forensics category is amazing: plenty of tools covering several forensic fields, for example network forensics, PDF forensics, RAM forensics and much more. One tool that is hitting hard these days is Volatility, which analyzes memory dumps. Give Volatility an image of RAM captured at a given point in time and it will extract a lot of interesting information: the processes running at that moment, open sockets and network connections, LM/NTLM hashes and LSA secrets, among much else. If you want to start playing with it, the Volatility people provide (http://code.google.com/p/volatility/wiki/PublicMemoryImages) many prepared RAM images with interesting data to extract.
Finally, you have the last two categories, Reporting Tools and System Services. In the reporting tools section, as its name suggests, you find tools to help you when reporting the vulnerabilities you have found. For example, there is recordmydesktop, simply a tool to record videos of your activity on the computer. Another important tool is TrueCrypt. Even though it is not directly related to the documentation task, as a security professional you always have to be really careful about where you store the results of your work. TrueCrypt lets you store your pentesting results encrypted so nobody but you can read them. (Note that TrueCrypt's developers abandoned the project in May 2014, so for new work a maintained alternative such as LUKS/dm-crypt, which Kali also supports, is the safer choice.)

In the System Services category you have different services you can launch to help with your tasks; for example, you can start an Apache HTTP server or a MySQL server.



As you have seen, Kali has everything a pentester might need. And thanks to its flexibility, if the tool you need is not in your arsenal, you can still easily install it in your distribution.

Web application pentesting process


A penetration test is usually divided into two kinds of tasks: those that are automated and those that are manual. The manual tasks are the ones that add value to your reports as a pentester, and they are guided by your experience and intuition. These manual tasks make the difference between a report that is genuinely insightful and one that looks factory-made. If you do not put real effort into them, you will end up with a report that anyone could produce, because all your findings will have been discovered by automated tools and anyone clicking a button would get the same results.

Another important issue for a pentester is the time factor. When you are hired to perform a penetration test your time is limited and, normally, the final outcome of the analysis is directly related to the time available to carry it out. It is therefore of great importance to be organized and to follow some kind of methodology. In this chapter we explain the steps for carrying out a penetration test of a web application, assuming you work alone. If you were part of a team the methodology explained here would not be enough, since we do not cover how you would communicate with the team to share your results so they could use them in their own tasks.
In this chapter we won't cover in depth what kind of vulnerabilities you should search for. Instead, we explain a methodical way of working that will let you find them easily once you know what to look for.
If you are carrying out a complete penetration test against, for example, a company's network, we suggest following the OSSTMM (Open Source Security Testing Methodology Manual, http://www.isecom.org/research/osstmm.html). It is an open methodology, so you don't have to pay to obtain and follow it. Broadly speaking, it is a guide to when and which elements should be tested during a penetration test.
Talking about web application security, if you want something more specific that also tells you what kind of vulnerabilities you have to search for and what those vulnerabilities are, we highly recommend reading the OWASP Testing Guide (https://www.owasp.org/index.php/OWASP_Testing_Guide_v3_Table_of_Contents).

From its website, OWASP (Open Web Application Security Project) is an open community dedicated to enabling organizations to conceive, develop, acquire, operate, and maintain applications that can be trusted. To accomplish this, OWASP has developed many different methodologies for many different problems, such as pentesting web applications, reviewing source code, etc.

The OWASP Testing Guide is a great resource for knowing what to look for when conducting a web application penetration test. It explains all the kinds of vulnerabilities you may find, what they are and how you can find them. Of course, the explanations are not in depth, but once you have read it you will have a good starting point from which to go on and search for more information about the vulnerabilities and how to exploit them.
Now that the concepts are clear, let's get to the process. As we said, the manual tasks are the key to a good outcome, but given our limited time we need to rely to some extent on automated tools that work in the background while we manually examine the target.

So the first step is to prepare the tools that will perform the automated scans. Here you have many possibilities; some are in the Kali distribution and some are not. If you are a security professional, meaning that you earn money from this work, we advise you to buy one or more automated scanners. Here we list two tools that get the job done at a reasonable price. Note that they are more focused on system vulnerabilities, but they can also detect web vulnerabilities.
Nessus Vulnerability Scanner
QualysGuard



Nessus is a tool you install on your local machine, whereas QualysGuard is a cloud service. In our experience QualysGuard does a pretty good job and, compared with Nessus, probably produces fewer false positives. Both can export reports as XML files, so you can easily integrate their results into your own report.

What we strongly advise is to run more than one automated scanner so you can compare their results, and, of critical importance, you must always verify the vulnerabilities they report!

If you don't have the resources or don't want to buy a tool, you can always use w3af or the newer Arachni web scanner from your Kali distribution to perform web application scans. w3af is a great tool and is already a pretty mature project.

Once you have launched your automated web scanners, hopefully from a different machine so you keep plenty of memory and CPU for yourself, the manual part can start.
The following steps are specific to a web application penetration test. Nowadays web applications are a critical component of the business model of enterprises. The fact that many web applications are developed from scratch to fulfil the company's needs, and that web vulnerabilities are easier to exploit than system vulnerabilities, means that attackers focus their efforts on exploiting them. So, as pentesters, we should also focus our efforts on securing them.
The first step is to launch Burp Suite. With Burp Suite you configure a localhost proxy in your browser so that all requests go through Burp. Then you configure the scope in Burp's settings so that only requests whose destination is your target are logged. This prevents a lot of junk requests from showing up.

Figure 3. Requests
The next step is to navigate through the entire target website while watching the request history in Burp. This way, once you find an interesting page on the target, you will know which request and response were sent and received, and you can highlight or even comment on them in Burp. Let's define what may be interesting.



Requests with GET parameters
Requests with POST parameters
Requests whose responses set cookies (Set-Cookie header)
And everything your intuition tells you might be important

You will end up with something similar to the next image: Figure 3.
At this point you will have visited the entire website and will have an idea of where the critical sections are.

The third step is to analyze all the requests (or the most important ones) that might matter. Now is when your experience comes into play. You will have to apply all your knowledge to identify every kind of vulnerability. For example, if you are looking at a request that sends POST parameters, those parameters will probably be used in a database query, so you should try different inputs to check whether a SQL injection vulnerability exists.

If you are certain that those parameters hit a database, or might be vulnerable to cross-site scripting, you might want to combine your personal skills with the help of tools such as sqlmap or XSSer. This way the tedious work is done by automated tools and you are free to do the clever work.

You should proceed this way until you have checked all the important requests.
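The triage the three criteria above describe can be scripted so that nothing in a long proxy history is overlooked. The following is an added example, not code from the article or from Burp: it applies those criteria (GET parameters, POST parameters, Set-Cookie in the response) to raw request/response pairs. The HISTORY entries and the target.example host name are constructed for the example; in practice you would export the HTTP history from Burp and feed the raw messages in.

```python
from urllib.parse import parse_qsl, urlsplit

# Constructed proxy history: (request, response) pairs in the shape Burp's
# HTTP history shows them. Not captured from a real target.
HISTORY = [
    (b"GET /index.html HTTP/1.1\r\nHost: target.example\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>home</html>"),
    (b"GET /search?q=kali&page=2 HTTP/1.1\r\nHost: target.example\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>results</html>"),
    (b"POST /login HTTP/1.1\r\nHost: target.example\r\n"
     b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
     b"user=admin&pass=secret&next=%2F",
     b"HTTP/1.1 302 Found\r\nSet-Cookie: PHPSESSID=3f1c2a; HttpOnly\r\n"
     b"Location: /\r\n\r\n"),
    (b"GET /static/logo.png HTTP/1.1\r\nHost: target.example\r\n\r\n",
     b"HTTP/1.1 200 OK\r\nContent-Type: image/png\r\n\r\n"),
]


def parse_message(raw):
    """Split a raw HTTP message into (start line, [(name, value), ...], body).
    Headers are kept as a list so repeated Set-Cookie headers survive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body.decode("iso-8859-1")


def triage(request, response):
    """Apply the three criteria from the text: GET parameters in the query
    string, POST parameters in a form body, and Set-Cookie in the response."""
    req_line, req_headers, req_body = parse_message(request)
    method, target, _version = req_line.split(" ", 2)
    url = urlsplit(target)
    content_type = dict(req_headers).get("content-type", "")
    finding = {
        "method": method,
        "path": url.path,
        "query_params": [k for k, _ in parse_qsl(url.query, keep_blank_values=True)],
        "body_params": [],
        "cookies_set": [],
    }
    if req_body and content_type.startswith("application/x-www-form-urlencoded"):
        finding["body_params"] = [k for k, _ in parse_qsl(req_body, keep_blank_values=True)]
    _status, resp_headers, _ = parse_message(response)
    # Keep only the cookie name; the value is a secret and has no place in notes.
    finding["cookies_set"] = [
        value.split(";", 1)[0].split("=", 1)[0]
        for name, value in resp_headers if name == "set-cookie"
    ]
    finding["interesting"] = bool(
        finding["query_params"] or finding["body_params"] or finding["cookies_set"]
    )
    return finding


def interesting_requests(history):
    """Return the findings worth a manual look, in history order."""
    return [f for f in (triage(q, r) for q, r in history) if f["interesting"]]


if __name__ == "__main__":
    for f in interesting_requests(HISTORY):
        print(f"{f['method']} {f['path']}: query={f['query_params']} "
              f"body={f['body_params']} cookies={f['cookies_set']}")
```

The fourth criterion in the list, your intuition, is deliberately not encoded: the script narrows the history down to the requests that carry user-controlled input or establish a session, and the manual review starts from there.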
The next step is to identify software weaknesses. Nowadays the use of a CMS is very widespread, so tools that identify which CMS is in use help. You can use, for example, WPScan if you think the CMS is WordPress. It identifies the WordPress version and the plugins installed so you can check whether the core or the plugin versions in use are outdated and, consequently, have published vulnerabilities.

Finally, you try to find configuration weaknesses. Here you look for things such as outdated server software, bad SSL/TLS configuration, etc. With Qualys SSL Labs you obtain a colour-coded report showing the strengths and weaknesses of the target website's certificate and TLS configuration, as shown in the next image: Figure 4.

Figure 4. The strengths and weaknesses of the target website's certificate and TLS configuration


As you can see in the first image, the target website has an SSL certificate that does not have the correct
domain associated with it. And in the second image you can see an overall score generated by SSLLabs that
shows that the ciphers supported by the certificate in use are vulnerable to known weaknesses.
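The article notes that the checks SSLLabs performs can be scripted locally. The following is an added example (my own code, not from the article or from SSLLabs) of two such checks with the openssl command-line tool: flagging weak cipher suites in a list, and verifying that a server's certificate covers the host name. The weak-suite pattern, the function names and the sample suite list are my own assumptions; the sample is constructed.

```shell
# Added example (my own code, not from the article or from SSLLabs): two of
# the SSLLabs checks scripted locally with the openssl CLI. The weak-suite
# pattern, function names and the sample suite list are my assumptions;
# the sample is constructed.

# Suite-name fragments that mark a cipher suite as weak: export grade, no
# encryption, anonymous key exchange, DES/3DES, RC4 and MD5-based MACs.
WEAK_CIPHER_RE='EXP|NULL|ADH|AECDH|DES-CBC|RC4|MD5'

# Filter: keep only the weak suites from a list of one suite name per line.
weak_ciphers() { grep -E "$WEAK_CIPHER_RE"; }

# Constructed sample of what a scanner or "openssl ciphers" might list.
SAMPLE_SUITES='ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-SHA
RC4-SHA
DES-CBC3-SHA
AES128-SHA'

sample_weak() { printf '%s\n' "$SAMPLE_SUITES" | weak_ciphers; }

# Live check (network; not run in tests): offer every suite openssl knows to
# host:port one at a time; a completed handshake means the server accepts it.
weak_ciphers_accepted_by() {
    host=$1; port=${2:-443}
    openssl ciphers 'ALL:COMPLEMENTOFALL' | tr ':' '\n' | while read -r suite; do
        if printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
                -cipher "$suite" >/dev/null 2>&1; then
            echo "$suite"
        fi
    done | weak_ciphers
}

# Live check (network; not run in tests): does the presented certificate
# cover the host name? Relies on "openssl x509 -checkhost" (OpenSSL 1.0.2+).
cert_matches_host() {
    host=$1; port=${2:-443}
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null \
        | openssl x509 -noout -checkhost "$host" | grep -q ' does match '
}
```

Run `weak_ciphers_accepted_by www.example.com` against a server you operate to see which weak suites it still negotiates, and `cert_matches_host www.example.com` to reproduce the name-mismatch finding from the first image. The fix on the server side is to restrict the configured cipher list to modern suites and to issue a certificate whose Subject Alternative Names include every host name the site is served under.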
Needless to say, the same tasks that SSLLabs carries out can be programmed by you in your own scripts,
so you don't have to depend on external services. On the other hand, one good approach to check server
technologies is to check the HTTP headers. This can be done in different ways; for example, you could use
Burp, but given that it is something really easy to check, it is as simple as sending a GET request with netcat as
shown in the following image:

Figure 5. GET request


As you can see, we can obtain some valuable information, such as the fact that they are using the Apache web
server (although the Apache version is hidden) and, thanks to the X-Powered-By header, which should have been
removed, we can infer that they are using Parallels Plesk Panel. Then we can try to find published exploits
for that software.
If that was not clear enough, sending a malformed request (one without the Host header) using the HTTP/1.1
protocol will generate an error that will give you information about the hosting service in use. Look at the
following image:

Figure 6. An error generated


From the server's response, you can infer that the website is hosted by (or at least related to) the
pracait.com service.
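The two probes described above (a plain GET sent with netcat, and an HTTP/1.1 request without a Host header) and the header review can be scripted. The following is an added example, my own code and not code from the article: it builds the exact request bytes with printf, optionally sends them with nc, and extracts the technology-disclosing headers from a response. Function names and the sample response are my own; the sample is constructed to resemble the situation the article describes (Apache with the version hidden, X-Powered-By left in place).

```shell
# Added example (my own code, not from the article): the two netcat probes
# described above and a filter for technology-disclosing response headers.
# Function names and the sample response are my own; the sample is constructed.

# Raw request bytes. "1.0" is the ordinary GET; "1.1-nohost" is the
# HTTP/1.1 request without a Host header (a compliant server answers 400,
# and the error page often names the hosting platform).
probe_request() {
    case "$1" in
        1.0)        printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$2" ;;
        1.1-nohost) printf 'GET / HTTP/1.1\r\n\r\n' ;;
        *)          echo "unknown probe type: $1" >&2; return 1 ;;
    esac
}

# Send a probe with netcat and keep the status line and headers only.
# Usage: fetch_headers host port 1.0|1.1-nohost   (network; not run in tests)
fetch_headers() {
    probe_request "$3" "$1" | nc -w 5 "$1" "$2" | tr -d '\r' | sed '/^$/q'
}

# Read a raw HTTP response on stdin; print the headers that name server-side
# software, one "name: value" per line with the name lower-cased.
disclosing_headers() {
    tr -d '\r' | awk '
        /^$/ { exit }                       # end of the header block
        {
            i = index($0, ":")
            if (i == 0) next                # status line or junk
            name = tolower(substr($0, 1, i - 1))
            val = substr($0, i + 1); sub(/^ +/, "", val)
            if (name == "server" || name == "x-powered-by" ||
                name == "x-aspnet-version" || name == "x-generator")
                print name ": " val
        }'
}

# Constructed response modelled on the article's case: Apache with the
# version hidden, but X-Powered-By still present (PleskLin is what Plesk sets).
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Date: Mon, 01 Jul 2013 10:00:00 GMT
Server: Apache
X-Powered-By: PleskLin
Content-Type: text/html

<html>...</html>'

sample_findings() { printf '%s\n' "$SAMPLE_RESPONSE" | disclosing_headers; }
```

On a live host, `fetch_headers www.example.com 80 1.0 | disclosing_headers` reproduces the manual netcat step. On the server side the equivalent findings are closed in Apache with `ServerTokens Prod` and `ServerSignature Off`, by removing the X-Powered-By header with mod_headers (`Header unset X-Powered-By`), and, where PHP sets it, with `expose_php = Off` in php.ini.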
Once you have finished all the manual review of the web application, it will be the time to merge the results
you have found with the results that the automatic scanners have found.
Explaining how a good-looking report should be written would be a subject for another full article, so this
time we will leave it out of scope.
Following all these steps, you will be able to carry out a good penetration test. Of course, the results
obtained will depend on your experience and the time you have to perform the task.



Here we only have outlined some of the steps and methodical techniques that will help you to optimize your
time and efforts.

Learning from hacking


In the previous chapter we have mentioned many times that the resulting outcome of your work will depend,
in part, on the experience and intuition you have.
It's hard to define where the line between experience and intuition is, given that, in most cases, your
supposed intuition really arises from past experiences. Therefore, the key to being a good pentester is
experience.
It is common practice that when companies hire security professionals, they always require them to have
some prior proven experience, but, of course, if you have not worked in the security field before you will not
have that experience. It is an infinite loop. What is the solution? Wargames!
Wargames are a kind of challenge designed for you to learn and have fun at the same time. Of course, you will
only have fun if you are geek enough! There are several kinds of wargames. You can divide them by their
architecture but also by their subject.
Regarding architecture, there are wargames that are meant to be downloaded to your local machine
so you can solve them offline. Other wargames are meant to be played online, so there are
communities that provide online machines on which the challenge is hosted so you can access it.
You can even download some wargames that are provided to you as virtual machines, so you have a complete
laboratory with all the tools you will need.
There are so many wargames that they cover practically the whole field of security knowledge. You can find wargames
to improve your system administration skills, and others about software exploitation, cryptography, protocol assessment
and, of course, web application security. Given that this article has covered many web security concepts, we
will talk about a wargame focused on web security.
Again, the amazing people from OWASP provide us with a wonderful project. Its name: OWASP Broken
Web Applications Project.
For this wargame we have to download a virtual machine that contains several vulnerable applications.
These vulnerable applications are quite different from each other.
On one hand, we have the training applications, which are designed so that any user can learn what
web vulnerabilities are in a friendly way. In this category you have applications such as Damn Vulnerable Web
Application and OWASP WebGoat. On the other hand, we have applications that have been left vulnerable on
purpose, but which are more realistic than the ones presented in the previous paragraph. From this category
we highlight a Google project called Gruyere. Gruyere addresses a lot of concepts related to web security,
such as the different types of XSS, CSRF, XSSI, Ajax vulnerabilities and much more.
Finally, the virtual machine comes with a very interesting kind of vulnerable application. It gives us many
real applications, such as WordPress or Joomla, that are outdated, and given that their software is not updated they
contain real vulnerabilities that were found in the wild some time ago.
So with this wargame you can go from 0 to an acceptable level thanks to the all-in-one wargame and its
incremental difficulty approach.
If you want to get a grasp of all the wargames out there, you can find a really good resource in this site:
http://www.amanhardikar.com/mindmaps/Practice.html.


Farewell
I'm glad you are still here! As you can deduce, we have only scratched the surface of the topics covered.
No one will be outraged if you affirm that the Kali distribution is the best security-focused distro out there.
Regarding pentesting, I hope you could grasp the idea behind it. It's not an easy topic and it largely
depends on your abilities, but being methodical is a big step toward being successful.
For this reason, we encourage you to train yourself with the wargames mentioned, because unlike other
careers, in the information security field you have plenty of opportunities to learn relevant subjects by
yourself.
Keep Hacking!

Bibliography

Chapter 1
http://en.wikipedia.org/wiki/BackTrack
http://en.wikipedia.org/wiki/Kali_Linux
http://en.wikipedia.org/wiki/Kali
http://www.kali.org/about-us/

Chapter 2
http://www.kali.org/news/kali-linux-whats-new/
http://docs.kali.org/category/armel-armhf
http://docs.kali.org/category/live-build
http://docs.kali.org/network-install/kali-linux-network-pxe-install
http://docs.kali.org/

Chapter 3
http://nmap.org/nsedoc/index.html
https://www.volatilesystems.com/default/volatility

Chapter 4
https://www.owasp.org/index.php/About_OWASP

Chapter 6
https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

About the Author

A computer engineer who, although he finished his degree only last year, has worked for two years
developing system security software and performing source code reviews at a company from Barcelona
called Vntegris. He now works happily for Internet Security Auditors as a security analyst, where
he has to perform security analyses of all kinds of targets. However, his passion is exploiting software
and everything related to low-level software development. For this reason, in 2009 he founded the
Overflowed Minds community with the idea of spreading information about such an amazing subject.


The Ultimate Installation Guide for Kali Linux
by Aamir Lakhani
The Offensive Security team has released a new penetration testing Linux distribution named
Kali Linux. BackTrack 5 RC3 was the last version of the BackTrack distributions. The project
contributors have decided that to move forward with the challenges of cyber security and
modern testing, a new platform was needed. Kali Linux was born and released March 13th
2013. Kali Linux is based on Debian and an FHS-Compliant file system.
Kali has several advantages over the BackTrack distributions. Kali Linux comes with many more updated
tools. Many of the outdated or redundant tools in BackTrack have been removed from Kali. The tools are
streamlined with Debian repositories and synchronized four times a day. That means users have the latest
software updates and security fixes and patches. The FHS-compliant file system translates into running most
tools from anywhere on the system. There is no need to go into the pentest directory or any other specific directory.
Kali has also made customization, unattended installation, and flexible desktop environments strong features of Kali Linux.
Kali Linux is available for download at http://www.kali.org/.

Kali System Setup


Kali Linux can be downloaded in a few different ways from http://www.kali.org/downloads/. One of the
most popular ways to get Kali Linux is to download the ISO image. The ISO image is available in 32-bit and
64-bit images and comes preloaded with the GNOME desktop environment.
If you plan on using Kali Linux on a virtual machine such as Oracle's VirtualBox or VMWare, there is a
prebuilt VM image. The advantage of downloading the VM image is that it comes preloaded with open
source VM tools. If you do plan on using it specifically on VMWare, we will discuss how to update the open
source VM tools to VMWare Tools later in this article.

Running Kali Linux From External Media


Kali Linux can be run without installing software on a host hard drive by accessing it from a media source such
as memory card or DVD. This is a great method to test Kali Linux with minimum hassle.
Although it is a great way to test Kali Linux, you will most likely not want to run it off external media
for long periods of time, because it does have some negative performance impact on the system. Some
applications require and expect Kali Linux to be installed and do not work well when used over external
media sources. Furthermore, using read-only storage media does not permit saving settings that may be
required to make Kali Linux operate correctly. It's highly recommended to install Kali Linux on a host
hard drive or on a virtual machine.

Installing Kali Linux


Installing Kali Linux on your computer is straightforward and similar to installing other operating systems.
First, you'll need compatible computer hardware. Kali is supported on i386, amd64, and ARM platforms.
At the time of writing, Kali Linux can be installed on Galaxy Note 10.1, Raspberry Pi, Chromebooks, in
addition to standard i386 and amd64 platforms.
The hardware requirements are listed below, although I suggest exceeding the minimum amount by at least
3 times. The better hardware Kali Linux runs on, the better the performance and user experience will be.


Download Kali Linux and either burn the ISO to DVD, or prepare a USB stick with Kali Linux Live as the
installation medium. If you do not have a DVD drive or USB port on your computer, check out the Kali
Linux Network Install.

Installation Minimum Requirements

A minimum of 8 GB disk space for the Kali Linux install.
For i386 and amd64 architectures, a minimum of 512MB RAM.
CD-DVD drive / USB boot support.
You will also need an active Internet connection before installation. This is very important or you will not
be able to configure the repositories during installation.
When you start Kali you will be presented with a Boot Install screen (see Figure 1). You may choose which
type of installation (GUI based or Text Based) you would like to perform.

Figure 1. Kali Linux Boot Screen


Select the local language preference, country, and keyboard preferences (see Figure 2).

Figure 2. Language Preference




Select a hostname for the Kali Linux host (see Figure 3). The default hostname is Kali.

Figure 3. Selecting a hostname for Kali


Select a password (see Figure 4). Simple passwords may not work, so choose something that has some
degree of complexity.

Figure 4. Creating a root password


The next prompt asks for your time zone. Modify accordingly and select Continue. Figure 5 shows selecting
Eastern Standard time.
The installer will ask you to set up your partitions (see Figure 6). If you are installing Kali on a virtual image,
select Guided Install Whole Disk. This will destroy all data on the disk and install Kali Linux. Keep in
mind that on a virtual machine, only the virtual disk is destroyed.

Figure 5. Setting time zones

Figure 6. Partitioning your system

Figure 7. Partition Details


Advanced users can select manual configurations to customize partitions.
Kali also offers the option of using LVM, logical volume manager. LVM allows you to manage and resize
partitions after installation. In theory, it is supposed to allow flexibility when storage needs change from
initial installation. However, unless your Kali Linux needs are extremely complex, you most likely will not
need to use it.
The last window displays a review of the installation settings. If everything looks correct, select yes to
continue the process as shown in Figure 7.


Kali Linux uses central repositories to distribute application packages. If you would like to install these
packages, you need to use a network mirror. The packages are downloaded via the HTTP protocol. If your
network uses a proxy server, you will also need to configure the proxy settings for your network (see Figure
8). Kali will then prompt you to install GRUB (see Figure 9). GRUB is a multi-bootloader that gives the user the
ability to pick and boot into one of multiple operating systems. In almost all cases, you should select to install
GRUB. If you are configuring your system to dual boot, you will want to make sure GRUB recognizes the
other operating systems in order for it to give users the option to boot into an alternative operating system.
If it does not detect any other operating systems, the machine will automatically boot into Kali Linux.
Congratulations! You have finished installing Kali Linux. You will want to remove all media (physical or
virtual) and select continue to reboot your system (see Figure 10).

Figure 8. Configuring a Network Mirror

Figure 9. Installing GRUB

Figure 10. Finish Installation

Kali Linux and VM Image first run


On some Kali installation methods, you will be asked to set the root password. When Kali Linux boots up,
enter the root username and the password you selected (see Figure 11). If you downloaded a VM image of
Kali, you will need the root password. The default user name is root and password is: toor.


Figure 11. Booting Kali for the first time

Figure 12. Prepping Kali for VMWare Tools

Figure 13. Prepping Kali for VMWare Tools (cont)

Kali VMWare Tools Installation


The first thing you need to do on Kali Linux is prep the system for VMWare Tools (see Figure 12). You only
need to install VMWare tools if you are installing Kali on VMWare. If you are installing Kali on other virtual
platforms you do not need this step.
To install VMWare VM Tools issue the following commands (Note: all commands are typed as one line in
the terminal):



echo cups enabled >> /usr/sbin/update-rc.d
echo vmware-tools enabled >> /usr/sbin/update-rc.d
apt-get install gcc make linux-headers-$(uname -r)

Note: this is typed as one line (see Figure 13).

ln -s /usr/src/linux-headers-$(uname -r)/include/generated/uapi/linux/version.h /usr/src/linux-headers-$(uname -r)/include/linux

Now you are ready to mount the VM Tools CD. Simply go to the menu in VMWare and install VM Tools
(see Figure 14). NOTE: I did this from VMWare Fusion, but the process will be the same regardless of
VMWare platform.
Now go back to Kali Linux and use the following commands:
mkdir /mnt/vmware
mount /dev/cdrom /mnt/vmware/
cp -rf /mnt/vmware/VMwareTools* /tmp/

Figure 14. Loading VMWare Tools

Figure 15. Copying VMWare tools to temporary folder

Figure 16. Unpacking VMWare Tools


Figure 17. VirtualBox Guest Additions

Figure 18. VirtualBox Guest Additions


Next, you will change to the /tmp directory and unpack the VM Tools installation script.
cd /tmp/
tar zxpf VMwareTools-*.tar.gz
cd vmware-tools-distrib/

Lastly type: ./vmware-install.pl to run the VM Tools installation script. Follow the on-screen
instructions when you run the script.

Installing Kali Linux Virtual Box


You can also install Kali Linux on Oracle's VirtualBox virtualization platform. VirtualBox is a popular
platform because it is distributed free under the GNU General Public License. In order to install Kali
Linux, you must be using version 4.22 or higher of VirtualBox.


Go through the steps described above to download the ISO image of Kali Linux and install it in VirtualBox. When
Kali Linux boots up, you will need to install additional software to get full keyboard and mouse support, along
with other VirtualBox features.
As described in the official Kali Linux documentation (source: http://docs.kali.org/general-use/kali-linux-virtual-box-guest),
once you have booted into your Kali Linux within VirtualBox, open a terminal window
and issue the following command to install the Linux kernel headers.
apt-get update && apt-get install -y linux-headers-$(uname -r)

Once this is complete you can attach the VirtualBox Guest Additions tools CD. Selecting Devices
from the VirtualBox menu and then Install Guest Additions accomplishes this. This will mount the
Guest Additions ISO to the virtual DVD drive in your Kali Linux virtual machine. When prompted to
autorun the DVD, click the Cancel button (see Figure 17).
From the terminal window, copy the VBoxLinuxAdditions.run file from the Guest Additions CD-ROM to a
path on your local system. Ensure it is executable and run the file to begin installation.
cp /media/cd-rom/VBoxLinuxAdditions.run /root/
chmod 755 /root/VBoxLinuxAdditions.run
cd /root
./VBoxLinuxAdditions.run

Reboot the Kali Linux VM to complete the Guest Additions installation (see Figure 18). You should now
have full mouse and screen integration as well as the ability to share folders with the host system.

Creating Shared Folders with Kali Linux and Virtual Box


In order to share folders on your host system with your Kali Linux VM, there are a few short steps that need
to be completed.
From the VirtualBox Manager, select your Kali Linux VM instance and click on the Shared Folders link in the
right window pane. This will launch a pop up window for adding shared folders. Within this window click the
icon to add a folder (see Figure 19).

Figure 19. VirtualBox Shared Folders Host Configuration




In the Folder Path text box, provide the path to the folder you would like to share, or click the drop-down
arrow to browse your host system for the path. Select the check boxes that allow for Auto-mount and Make
Permanent and click the OK button both times when prompted.
Your shared folders will now be available in the media directory. You can create a bookmark or a link for easier
access to the directory (see Figure 20).

Figure 20. VirtualBox Shared Folders

Figure 21. Alfa Wireless Card


Installing a Wireless Adapter on Kali Linux


Kali Linux has numerous wireless testing tools. Installing a wireless card to be used for wireless testing with Kali
Linux is a straightforward task as long as you are using a card that is supported by Kali Linux.
My favourite adapters are the Alfa brand of cards (see Figure 21). I am using the Alfa AWUS051NH adapter.
Almost any Alfa wireless adapter will work. I am a big fan of the AWUS051NH adapter because it's a dual-band
adapter. However, this card is very difficult to find since it is no longer made, but you should have luck
on eBay and other places.

Figure 22. iwconfig command


The iwconfig command will show any wireless cards in the system. I am using a RealTek wireless card.
Linux ships with the RealTek drivers, making it a Linux plug and play wireless card.
The operating system recognizes a wireless interface named wlan0.
My next step will be to enable the wireless interface. This is accomplished by issuing the following ifconfig
command (see Figure 23).

ifconfig wlan0 up

Figure 23. ifconfig wlan command


I need to understand which wireless networks my wireless card sees. I issue the following iwlist
command (see Figure 24).

iwlist wlan0 scanning

Figure 24. iwlist scanning command


This command forces the wireless card to scan and report on all wireless networks in the vicinity (see Figure 25).
As you can see from the example above, the command found my target network: Wireless Lab. It has also
found the MAC address of my access point: 0E:18:1A:36:D6:22. This is important to note because I want to limit
my attack to this specific access point (to ensure we are not attacking or breaking anyone else's password).
Secondly, we see the AP is transmitting on channel 36. This is important because it allows us to be specific
about which wireless channel we will want our wireless card to monitor and capture traffic from.
The next step is to change the wireless card to monitoring mode. This will allow the wireless card to
examine all the packets in the air. We do this by creating a monitor interface using airmon-ng (see Figure 26).
Issue the airmon-ng command to verify that airmon-ng sees your wireless card. From that point, create the
monitor interface by issuing the command: airmon-ng start wlan0.
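The scan output above is read by eye in the article; it can also be parsed so that the networks the card sees are listed one per line and filtered. The following is an added example, my own code and not from the article: it turns `iwlist wlan0 scanning` output into ESSID, BSSID, channel and encryption columns, looks up the access point you have been authorised to test, and lists open networks (on your own premises an open AP is usually a rogue or a misconfiguration). Function names are my own; the sample output is constructed around the values the article reports, with a second, invented network added.

```shell
# Added example, not part of the original article: turn "iwlist wlan0
# scanning" output into one line per access point so the networks the card
# sees can be listed and filtered. Function names are my own; the sample
# output is constructed around the values the article reports.

# Input: iwlist scan output on stdin. Output: ESSID|BSSID|channel|encryption.
parse_scan() {
    awk '
        function flush() {
            if (bssid != "") printf "%s|%s|%s|%s\n", essid, bssid, channel, enc
            essid = bssid = channel = enc = ""
        }
        /Cell [0-9]+ - Address:/ { flush(); bssid = $NF }
        /^ *Channel:/            { sub(/.*Channel:/, ""); channel = $0 }
        /^ *Encryption key:/     { enc = ($0 ~ /:on/) ? "encrypted" : "open" }
        /^ *ESSID:/              { sub(/.*ESSID:"/, ""); sub(/"$/, ""); essid = $0 }
        END { flush() }'
}

# BSSID and channel of one named network, e.g. to confirm the access point
# and channel of the network you are authorised to test.
find_network() {
    parse_scan | awk -F'|' -v want="$1" '$1 == want { print $2 "|" $3 }'
}

# Networks that accept clients without encryption.
open_networks() {
    parse_scan | awk -F'|' '$4 == "open" { print $1 " (" $2 ", ch " $3 ")" }'
}

# Constructed sample: the article's network plus an invented open one.
SAMPLE_SCAN='wlan0     Scan completed :
          Cell 01 - Address: 0E:18:1A:36:D6:22
                    Channel:36
                    Frequency:5.18 GHz (Channel 36)
                    Quality=70/70  Signal level=-30 dBm
                    Encryption key:on
                    ESSID:"Wireless Lab"
          Cell 02 - Address: 00:11:22:33:44:55
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=40/70  Signal level=-60 dBm
                    Encryption key:off
                    ESSID:"Coffee Guest"'

# Convenience wrappers over the sample; on a real host pipe the live scan
# instead: iwlist wlan0 scanning | parse_scan
sample_networks() { printf '%s\n' "$SAMPLE_SCAN" | parse_scan; }
sample_target()   { printf '%s\n' "$SAMPLE_SCAN" | find_network 'Wireless Lab'; }
sample_open()     { printf '%s\n' "$SAMPLE_SCAN" | open_networks; }
```

`iwlist` prints several more fields per cell (signal level, supported rates, IE blocks); the parser keeps only the four the article acts on, so a new cell header always starts a new line of output.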


Figure 25. iwlist results

Figure 26. Creating a wireless promiscuous interface

Figure 27. Ifconfig


Next, run the ifconfig command to verify the monitor interface is created (see Figure 27). We can see
mon0 is created.
Now verify that the interface mon0 has been created (see Figure 28).

Figure 28. mon0 Wireless Promiscuous Interface


Kali Linux now has a wireless interface in monitor mode. You should be able to use most of the wireless
tools found in Kali.

Kali Toolset Overview


Kali Linux offers a number of customized tools designed for penetration testing. Tools are categorized in the
following groups as seen in dropdown menu shown in Figure 29.
Information Gathering

These are reconnaissance tools used to gather data on your target network and devices. Tools range from
identifying devices to protocols used.

Vulnerability Analysis

Tools from this section focus on evaluating systems for vulnerabilities. Typically, these are run against
systems found using the Information Gathering reconnaissance tools.

Web Applications

These are tools used to audit and exploit vulnerabilities in web servers. Many of the audit tools we will
refer to in this book come directly from this category. Although web applications do not always refer to
attacks against web servers, they can simply be web-based tools for networking services. For example, web
proxies will be found under this section.

Password Attacks

This section of tools primarily deals with brute force or the offline computation of passwords or shared keys
used for authentication.

Figure 29. Kali Menu


Wireless Attacks

These are tools used to exploit vulnerabilities found in wireless protocols. 802.11 tools will be found here,
including tools such as aircrack, airmon, and wireless password cracking tools. In addition, this section has
tools related to RFID and Bluetooth vulnerabilities as well. In many cases, the tools in this section will need
to be used with a wireless adapter that can be configured by Kali to be put in promiscuous mode.
Exploitation Tools

These are tools used to exploit vulnerabilities found in systems. Usually a vulnerability is identified during a
vulnerability assessment of a target.
Sniffing and Spoofing

These are tools used for network packet captures, network packet manipulators, packet crafting applications,
and web spoofing. There are also a few VoIP reconstruction applications.
Maintaining Access

Maintaining access tools are used once a foothold is established into a target system or a network. It is
common to find compromised systems having multiple hooks back to the attacker to provide alternative
routes in the event a vulnerability that is used by the attacker is found and remediated.



Reverse Engineering

These tools are used to disassemble executables and debug programs. The purpose of reverse engineering is
analyzing how a program was developed so it can be copied, modified, or lead to the development of other
programs. Reverse engineering is also used for malware analysis to determine what an executable does, or
by researchers to attempt to find vulnerabilities in software applications.
Stress Testing

Stress testing tools are used to evaluate how much data a system can handle. Undesired outcomes could be
obtained from overloading systems, such as causing a device controlling network communication to open all
communication channels or a system shutting down (also known as a Denial of Service attack).
Hardware Hacking

This section contains Android tools, which could be classified as mobile, and Arduino tools that are used for
programming and controlling other small electronic devices.
Forensics

Forensics tools are used to monitor and analyze computer network traffic and applications.
Reporting Tools

Reporting tools are methods to deliver information found during a penetration exercise.
System Services

This is where you can enable and disable Kali services. Services are grouped into BeEF, Dradis, HTTP,
Metasploit, MySQL, and SSH.
NOTE: There are other tools included in the Kali Linux build such as web browsers, quick links to tune how
the Kali Linux build is seen on the network, search tools, and other useful applications.

Updating Kali Linux


After you have Kali Linux setup, you will want to update the packages. You do so by issuing the apt-get
update command (see Figure 30). Next, issue the apt-get upgrade command. You may be asked to confirm
disk space and other warning messages. Type Y to continue (see Figure 31).

Figure 30. apt-get update command

Figure 31. apt-get upgrade command



Figure 32. updatedb command


Finally, run the updatedb command from a terminal window (see Figure 32). This command updates the file
index so that the applications can be found when a user executes the locate command.

Summary
Congratulations, you have successfully installed and updated Kali Linux. Kali is a powerful penetration
platform. I recommend that you play around with Kali. You will find some key differences between
BackTrack and Kali, and some of these differences take time to learn. However, I am sure you will
appreciate the power and flexibility of the platform. Happy hacking!

About the Author

Aamir Lakhani is a leading Cyber Security architect. Lakhani is responsible for providing IT
security solutions to major commercial and federal enterprise organizations around the world.
Lakhani leads projects that implement security postures for Fortune 500 companies, the US
Department of Defense, major healthcare providers, educational institutions, and financial and
media organizations. Lakhani has designed offensive counter defense measures for defense and
intelligence agencies, and has assisted organizations in defending themselves from active strike
back attacks perpetrated by underground cyber groups. Lakhani is considered an industry leader in support of
detailed architectural engagements and projects on topics related to cyber defense, mobile application threats,
malware and Advanced Persistent Threat (APT) research, and Dark Security. Lakhani is the author of the soon
to be released book Web Penetration Testing with Kali Linux, in conjunction with Packt Publishing. Writing
under the pseudonym Dr. Chaos, Lakhani also operates the DrChaos.com blog. In its recent list of 46 Federal
Technology Experts to Follow on Twitter, FedTech magazine described Aamir Lakhani as a blogger, infosec
specialist, super hero...and all around good guy. World Wide Technology, Inc. (WWT) is a leading Systems
Integrator providing technology products, services, and supply chain solutions to customers around the globe.
WWT understands today's advanced technologies, including Unified Communications, Security, Data Center,
Wireless Mobility, and eCommerce. When properly planned, procured, and deployed, these business solutions
reduce costs, increase profitability and ultimately improve a company's ability to effectively serve their customers.
Founded in 1990, WWT has grown from a small startup to a world-class organization exceeding $5 billion in
revenue and over 2,200 highly trained employees. WWT continues to achieve consistent financial growth and
provide our partners with uncommon strength and stability.


How to Find Files in Kali Linux


by Rajesh Kumar
In this tutorial I will show how you can find a file or tool path. I will not make it more
complicated than necessary, so I will just show you some useful and easy commands which will help you in
your Linux work.

Step 1. find

Find one or more files assuming that you know their approximate filenames (Figure 1).

Syntax: find / -name filename
Example: find / -name mrquiety.txt

Figure 1. FIND command


In the above example, the system will search for any file named mrquiety.txt on the root and all
subdirectories from the root.
Step 2. locate

Lists files in databases that match a pattern (Figure 2).

Syntax: locate name
Example: locate dnsenum

Figure 2. Locate command




In the above example, the system will locate dnsenum on the local machine.

Step 3. whereis

Locates the binary, source, and manual page files for a command (Figure 3).

Syntax: whereis name
Example: whereis dnsenum

Figure 3. Whereis command
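The three lookups above, exercised on a constructed directory tree so they can be run anywhere, plus two audit-style searches that use the same find command. This is an added example, my own code and not part of the tutorial; all function names are my own, and the files it creates are constructed sample data in a temporary directory.

```shell
# Added example, not part of the original tutorial: the lookups above run on a
# constructed directory tree, plus two audit searches that build on "find".
# All function names here are my own.

# Build a throw-away tree and print its path (constructed sample data).
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/tools/dns" "$root/notes"
    printf 'x\n' > "$root/tools/dns/dnsenum"
    printf 'y\n' > "$root/notes/mrquiety.txt"
    printf 'z\n' > "$root/notes/MrQuiety.bak"
    printf 'w\n' > "$root/tools/scratch.log"
    chmod 755 "$root/tools/dns/dnsenum"          # executable
    chmod 644 "$root/notes/mrquiety.txt" "$root/notes/MrQuiety.bak"
    chmod 666 "$root/tools/scratch.log"          # world-writable on purpose
    echo "$root"
}

# The tutorial's lookup: exact name anywhere below $1.
find_named()  { find "$1" -type f -name "$2" | sort; }
# Same, ignoring case (catches MrQuiety.bak as well).
find_inamed() { find "$1" -type f -iname "$2" | sort; }

# Two searches an auditor runs with the same command: files anyone can
# modify, and files with the execute bit set for everyone.
find_world_writable() { find "$1" -type f -perm -002 | sort; }
find_executables()    { find "$1" -type f -perm -111 | sort; }

# locate reads a database, normally built by "updatedb". This variant builds a
# private mlocate database for one tree (mlocate/plocate flags assumed;
# needs the tool installed, so it is not exercised in the tests).
locate_in_tree() {
    db=$(mktemp)
    updatedb -l 0 -o "$db" -U "$1"
    locate -d "$db" "$2"
    rm -f "$db"
}

# Demonstration run over the sample tree.
demo() {
    root=$(make_sample_tree)
    echo "by name:";        find_named "$root" mrquiety.txt
    echo "ignoring case:";  find_inamed "$root" 'mrquiety*'
    echo "world-writable:"; find_world_writable "$root"
    echo "executables:";    find_executables "$root"
    rm -rf "$root"
}
```

For the whereis step there is no portable equivalent; `command -v dnsenum` gives the executable path only, and `man -w dnsenum` (man-db) the manual page path. The world-writable and executable searches are the ones to keep in a post-install checklist: a world-writable file under a tool directory is something any local user can tamper with.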



How to Use Detect_sniffer6


by Rajesh Kumar
Sniffing detection is basically detecting if there are any sniffers in your network. The
main feature of sniffers that is used to detect them is that they place the network card in
promiscuous mode, listening for all traffic. Typically, a sniffer is placed on a machine with a
full TCP/IP stack which will be affected by this mode (stackoverflow.com).

Step 1. How to open detect_sniffer6


A. GUI Method (Figure 1).
Applications > Kali Linux > Information Gathering > Live Host Identification > detect_sniffer6

Figure 1. Opening detect_sniffer6 in the GUI


B. Open the terminal, type detect_sniffer6, and hit Enter (Figure 2).

Figure 2. Opening detect_sniffer6 in the terminal



Step 2.
This is our BackTrack 5 machine (the target). Here, we are running Wireshark on it so that we can detect the sniffer from our
Kali Linux machine. If you want to follow this tutorial you also need to run Wireshark before the other steps (Figure 3).

Figure 3. Wireshark

Step 3.
In the Kali Linux OS, we run the command detect_sniffer6 eth0 (here, eth0 is Kali Linux's interface name;
see Figure 4) and we get our target's IPv6 address (Figure 5).
Syntax: detect_sniffer6 interface
Example: detect_sniffer6 eth0

Figure 4. detect_sniffer6 eth0 command



Figure 5. Ipv6 address found
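detect_sniffer6 probes other hosts over IPv6; the symptom it relies on, an interface in promiscuous mode, can also be checked directly on a host you administer. The following is an added example, not part of the guide and not detect_sniffer6's code: on Linux the kernel exposes each interface's flag word in /sys/class/net/<interface>/flags as a hex number, and IFF_PROMISC is bit 0x100 (from <linux/if.h>). The flag values in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): host-local promiscuous-mode check.
# Assumes Linux sysfs; IFF_PROMISC = 0x100 as defined in <linux/if.h>.

IFF_PROMISC=256   # 0x100

# Return 0 if the hex flags word (e.g. "0x1103", constructed) has IFF_PROMISC set.
# POSIX arithmetic accepts the 0x prefix, so the sysfs value can be used as-is.
flags_promisc() {
    [ $(( $1 & IFF_PROMISC )) -ne 0 ]
}

# Print the name of every local interface currently in promiscuous mode.
# Prints nothing (and succeeds) where sysfs is unavailable.
list_promisc_ifaces() {
    for f in /sys/class/net/*/flags; do
        [ -r "$f" ] || continue
        iface=${f#/sys/class/net/}
        iface=${iface%/flags}
        if flags_promisc "$(cat "$f")"; then
            printf '%s\n' "$iface"
        fi
    done
}

# Stand-alone use: list offending interfaces, exit 1 if any were found.
if [ -n "${DEMO:-}" ]; then
    found=$(list_promisc_ifaces)
    if [ -n "$found" ]; then
        printf 'Interfaces in promiscuous mode:\n%s\n' "$found"
        exit 1
    fi
    echo "No interface in promiscuous mode."
fi
```

Run with `DEMO=1 sh promisc_check.sh`. The same flag shows up as PROMISC in the bracketed flag list of `ip link show`, and the kernel logs "device <interface> entered promiscuous mode" when a capture tool such as Wireshark starts, so `dmesg` or the system journal gives a timeline of when sniffing began. This local check complements, rather than replaces, detect_sniffer6, which can test hosts you do not have a shell on.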


How to Use DNSenum in Kali Linux


by Rajesh Kumar
DNSenum is a tool programmed in Perl. It was designed with the purpose of enumerating DNS information about a domain. With this tool, we can do the following:
1. Get the host's address
2. Get the name servers
3. Get the MX record
4. Try zone transfers
5. Get the BIND version
6. Get extra names and subdomains via Google scraping
7. Brute force subdomains from a file; it can also perform recursion on subdomains that have NS records
8. Perform reverse lookups on net ranges
9. Write the IP blocks to the domain_ips.txt file

Step 1. How to open DNSenum


a. GUI method (Figure 1).
Applications → Kali Linux → Information Gathering → DNS Analysis → dnsenum

Figure 1. Opening DNSenum from the GUI



b. Open the terminal, type dnsenum, and hit Enter. Read all commands (Figure 2).

Figure 2. Opening DNSenum from the terminal

Step 2.
In the terminal, type dnsenum <domain> and hit Enter, e.g. dnsenum facebook.com. After pressing Enter, you will see all the information: host addresses, name servers, MX records, zone transfer results, etc.
Note: do not add www to the domain (Figures 3 & 4).

Figure 3. Valuable information about the domain gained



Figure 4. More valuable information
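Of the items dnsenum reports in Step 2, the zone transfer result is the one a domain owner most wants to verify for their own zones, because an open AXFR hands out the complete zone contents to anyone who asks. The following is an added example, not part of the guide and not dnsenum's code, that performs that single check with dig(1) (from the dnsutils/bind-utils package) and parses its output; the zone and server names in the test data are constructed. The parser works on captured output, so it needs no network.

```shell
#!/bin/sh
# Added example (not from the guide): is AXFR allowed from a zone's name servers?
# Assumes dig(1) is installed for the live check; the parser is self-contained.

# Count resource records in "dig ... AXFR" output read from stdin. Comment
# lines start with ';' (a refused transfer prints only "; Transfer failed."),
# while a record line has at least owner, TTL, class and type fields.
axfr_record_count() {
    awk '/^[[:space:]]*;/ { next } NF >= 4 { n++ } END { print n + 0 }'
}

# Return 0 (exposed) if the zone can be transferred from the given server.
axfr_exposed() {
    zone=$1
    server=$2
    count=$(dig "@$server" "$zone" AXFR +time=5 +tries=1 2>/dev/null | axfr_record_count)
    [ "$count" -gt 0 ]
}

# Check every authoritative server of a zone and print a verdict per server.
check_zone_axfr() {
    zone=$1
    dig +short "$zone" NS | while read -r ns; do
        ns=${ns%.}   # strip the trailing dot of the FQDN
        if axfr_exposed "$zone" "$ns"; then
            printf '%s: AXFR ALLOWED from %s - restrict allow-transfer to secondaries\n' "$zone" "$ns"
        else
            printf '%s: AXFR refused by %s\n' "$zone" "$ns"
        fi
    done
}

# Stand-alone use: sh axfr_check.sh example.test
if [ -n "${1:-}" ]; then
    check_zone_axfr "$1"
fi
```

Run it only against zones you are responsible for; a zone that transfers from any of its servers should have allow-transfer (BIND) or the equivalent ACL tightened to the secondaries' addresses, and the +time/+tries options keep the check from hanging on a server that silently drops the request.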

Step 3.
Extra names and subdomains via Google scraping; most of the time this does not work with every domain (Figure 5).

-p, --pages <value>
    The number of Google search pages to process when scraping names; the default is 20 pages. The -s switch must be specified.
-s, --scrap <value>
    The maximum number of subdomains that will be scraped from Google.

Figure 5. Extra names and subdomains via Google scraping




NOTE: Since this is not functional, you can manually run the equivalent query in a Google search: allinurl: -www site:DOMAIN-NAME-HERE.

Step 4. Brute forcing subdomains

-f, --file <file>
    Read subdomains from this file to perform brute force (Figure 6).

Figure 6. Brute forcing subdomains



How to Use Dnsdict6 and Get the IPv6/IPv4 Address of a Domain

by Rajesh Kumar
Dnsdict6 is an information gathering tool used for collecting information about a website. Dnsdict6 can scan a website and, as a result, show you how many subdomains or domains are available. It can also scan IPv6/IPv4 addresses. This tool is quite powerful because it also extracts subdomains that are restricted or hidden from users. Overall, this is a nice tool for gathering information about a website.

Step 1. How to open Dnsdict6


A. GUI method (Figure 1).
Applications → Kali Linux → Information Gathering → DNS Analysis → dnsdict6

Figure 1. Opening Dnsdict6 from the GUI


B. Open the terminal, type dnsdict6, and hit Enter (Figure 2).

Figure 2. Opening Dnsdict6 from the terminal



Step 2.
This command is used to extract subdomains of Google with their IPv4 and IPv6 information (Figure 3).

Syntax: dnsdict6 <domain name>
Example: dnsdict6 google.com

Figure 3. Extracting sub-domains with their IPv6/IPv4 information

Step 3.
Try one more command: dnsdict6 -d -4 google.com (the domain name). Here, -d is used to display information on name servers and MX records, and -4 is used to dump IPv4 addresses (Figure 4).


Figure 4. Gathering Name Servers, MX Records, and IPv4/IPv6 addresses



How to Use Dnsmap in Kali Linux


by Rajesh Kumar
Dnsmap is a passive network mapper, normally known as a subdomain brute forcer. It is used by pentesters during the information gathering/enumeration phase of infrastructure security assessments. The tool discovers the subdomains associated with a given domain. With it we can find remote access servers, misconfigured servers, and new domain names that let you attribute non-obvious network blocks to the target.
Some features:
IPv6 support
Obtain all IP addresses (A records) associated with each successfully brute forced subdomain, rather than just one IP address per subdomain
Discover embedded devices configured with dynamic DNS services
Brute forcing using a user-supplied wordlist
Saving the results in human-readable and CSV format for easy processing

Step 1. How to open dnsmap


A. GUI method (Figure 1).
Applications → Kali Linux → Information Gathering → DNS Analysis → dnsmap

Figure 1. Opening dnsmap in the GUI



B. Open the terminal and type dnsmap, and hit Enter (Figure 2).

Figure 2. Opening dnsmap in the terminal

Step 2.
This command is used to start brute forcing the domain (Figure 3).

Syntax: dnsmap <domain name>
Example: dnsmap google.com

Figure 3. Starting a brute force on the target domain



Step 3.
This command is used to save the result in a text file (Figure 4).

Syntax: dnsmap <domain name> -r <path>
Example: dnsmap google.com -r /root/

Figure 4. Saving the result in a text file

3A. You can see your saved file here (Figure 5).

Figure 5. Saved file visible in the Home folder


Step 4.
This command is used to save the results in a CSV file (Figure 6).

Syntax: dnsmap <domain name> -c <path>
Example: dnsmap google.com -c /root/

Figure 6. Saving results as a CSV file

4A. You can see your saved file here (Figure 7).

Figure 7. CSV file saved and visible in the Home folder
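Both dnsenum's -f option and dnsmap's default mode do the same thing underneath: take each label from a wordlist, prepend it to the domain, and resolve the result. The following is an added example, not part of the guide and not the code of either tool, that shows that loop in POSIX sh: it normalizes the domain argument (dropping the leading www the dnsenum note warns about), builds candidate names from a wordlist while skipping comments, blank lines and duplicates, resolves them with getent(1), and emits "name,address" lines, a CSV layout chosen here and not necessarily dnsmap's own. The wordlist and domain in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the guide): a minimal wordlist-driven subdomain
# brute forcer. Assumes getent(1) (glibc) for lookups; everything else is POSIX.

# Normalize a domain argument: lowercase, strip a leading "www.", and reject
# anything that is not a plain hostname (the tools expect the bare domain).
normalize_domain() {
    d=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    d=${d#www.}
    case "$d" in
        ''|.*|*.|*[!a-z0-9.-]*) return 1 ;;
    esac
    printf '%s\n' "$d"
}

# Emit one candidate FQDN per wordlist label. The wordlist has one label per
# line; '#' comments, blank lines, CRLF endings and duplicates are ignored.
build_candidates() {
    domain=$1
    wordlist=$2
    grep -v '^[[:space:]]*#' "$wordlist" | tr -d '\r' | sed 's/[[:space:]]//g' \
        | grep -v '^$' | sort -u | while read -r label; do
            printf '%s.%s\n' "$label" "$domain"
        done
}

# Resolve one name and print "name,address" for every address (A and AAAA),
# or nothing if it does not resolve. "getent ahosts" lists each address once
# per socket type, so keep only the STREAM rows.
resolve_name() {
    getent ahosts "$1" 2>/dev/null | awk -v n="$1" '$2 == "STREAM" { print n "," $1 }'
}

# Full run: normalized domain + wordlist -> CSV lines on stdout.
brute_force() {
    domain=$(normalize_domain "$1") || { echo "bad domain: $1" >&2; return 1; }
    build_candidates "$domain" "$2" | while read -r fqdn; do
        resolve_name "$fqdn"
    done
}

# Stand-alone use: sh sub_brute.sh example.com words.txt > results.csv
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
    brute_force "$1" "$2"
fi
```

Redirecting the output to a file gives the same kind of CSV that dnsmap's -c option is used for in Step 4, ready for sorting or importing. Compared with the real tools this version resolves names one at a time, so on a large wordlist it is slow, and like them it sends one query per candidate to the domain's resolvers, which is why the query volume is visible in the authoritative servers' logs and why these runs should be limited to domains you are authorized to assess.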
