
20 Fantastic Kali Linux Tools

SwordSec
http://www.swordsec.com
November, 2014

Before beginning your penetration test and security auditing, remember that the best tool available is your own mind. Kali Linux is a suite of tools built to help gather information and exploit weaknesses, but the logical decision making and analysis are yours. Outside of the technical aspects of attacking, being calm and organized will help you more than anything. Further, always make sure you have direct permission or ownership of the sites involved in your penetration testing. Once you have limited your risk to undue outside influences, it is time to begin phase one of the penetration test. In order to be sufficiently thorough, illegal tools and actions must be considered as weapons the attackers may implement.

A complete and adequate penetration test involves penetration testers conducting illegal activities on systems external or internal to an organization's network. Organizations must understand that penetration testers performing the tests in most cases are breaking the law.
SANS on penetration testing

Tools for Phase One


Information Gathering and Analysis
Kali Linux has a wonderful set of tools for gathering data on your target. The end goal of phase one is to have a logical map of the target's network, both of people and of machines. Any information discovered now may be key to a pivot later on, so thoroughness is your ally. Most tools in this stage are very quiet, so if time is not a critical factor in your attack, this is the best time to move slowly and dig deep. The more you sweat now, the less you'll bleed later.

1. DNSenum: Enumerating the Servers
The first high-level maps of an organization's network will come from locating its DNS servers. Starting with a good foundation here will help you find the key footholds you'll need later. DNSenum is a high-level tool that is very often the first step in mapping your target's network. Using the format...
./dnsenum --enum [TARGET DOMAIN NAME]
we can begin enumeration of the higher-level servers available to our target.

(Figure: DNSenum in terminal)

2. dmitry: The Network Rangefinder
Once your DNSenum information has come back, you will have a range of servers used by your target. The goal of the dmitry rangefinder is to find out which IPs are used on those servers. This is done using a TCP traceroute command which can be threaded, and displayed graphically with dmitry commands.

3. Nmap
The Nmap (Network Map) project is famous for its standalone application and open source code. The Nmap tool in Kali Linux is used to determine if a host is alive and active, and gives a bounty of other information in one quick scan. Nmap is an essential tool for quickly gathering specific details on any active machine.

Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.


(Figure: The Nmap tool is located at Kali Linux / Information Gathering / Live Host Identification)

To add to the beauty, the Nmap scan can gather all of this information off only a handful of packets tossed around in such a way as to be quieter than many other available tools.

4. Maltego
Maltego is an excellent built-in tool from the development team at Paterva Technologies. The design is unique, and with a little time spent learning how to best play with it, Maltego quickly becomes an essential tool for any medium to large scale penetration test. The system is built to determine relationships between actors in an environment. This could be a name, a DNS server, an IP address, a WHOIS lookup, or any number of other bits of information. Maltego will do some rooting around and come up with a logical map that displays these relationships visibly. An invaluable tool for the critical penetration tester, these logical maps will shed light on a messy situation, or reaffirm suspected relationship links.

Once all your information gathered from DNSenum, dmitry, and Nmap has been pored over and filtered into Maltego, a clean and clear logical map of your target's environment can be formed.

5. Social Engineering Toolkit
The Social Engineering Toolkit (SET) is designed to help the penetration tester work against the human elements of the target's security environment. Working with a wide variety of tools, SET enables the attacker to exploit weaknesses in security training, as opposed to weaknesses in hardware or software.

People are often the weakest link in any security system.

Social engineering takes on a different attack path at first glance, but information gained through social engineering attacks can quickly be turned into a serious advantage for the penetration testing team. SET can be accessed by opening a terminal and entering the command setoolkit. Experience working with Java applets will be helpful when working with SET to plan attacks. SET can also be used during Phase Four: Exploitation, to deliver clickables that will help gain access to a target's machine. Personally I find it most useful in the information gathering stages, although it can be more invasive and louder depending on the level of security awareness in the target environment.

Tools for Phase Two


Vulnerability Detection and Enumeration
6. Nessus: Working With Vulnerabilities
Taking your logical map from Maltego, and the wealth of technical information gathered from the time spent in Nmap, it's time to find vulnerabilities that lie in the target's system. Nessus takes command of the next step, finding vulnerabilities in the local system, in the local network, and in both Linux and Windows environments. When checking a network for vulnerabilities, Nessus is as thorough as tools come. Although Nessus works on Kali Linux, it is not bundled with the download, and will need to be downloaded and unpackaged on the Kali Linux OS. Registration through the Nessus website is also required to run this tool.

7. OpenVAS: Open Vulnerability Assessment System
OpenVAS is bundled and packaged with Kali Linux, but is less polished than its cousin. Both OpenVAS and Nessus work to discover vulnerabilities in local systems, networks, and operating systems. After running all your gathered information through one or both of these tools, you will have a list of vulnerabilities that will prove essential in getting into the target system. Using the targeting data we gathered in phase one, you can set OpenVAS to scan each machine in the target's network for vulnerabilities. After this detailed scan, you can take a step back and scan the target network itself for vulnerabilities. The list of weaknesses is long and varied, and will give the attackers essential data to help target a specific vulnerability to exploit.

(Figure: A list of different kinds of vulnerabilities OpenVAS can find, from the Kali Linux Cookbook)

Tools for Phase Three


Penetration Attempts
At this phase, penetration testers will take the logical maps of the environment, and the list of exploitable vulnerabilities gathered in phases one and two. In a team of attackers, this is the perfect time for a brief pause and gathering of the troops. Up until this point most of the tools used were relatively quiet and non-invasive, and while Kali Linux is generally a very quiet set of tools, the pattern of attacks from here on out is necessarily noisier, and a lot more rides on the quality of the defense. If the attacking team is properly prepared, choosing which attack vector to hit is the next key step.

Wifi Attacking

8. Aircrack-ng
Aircrack-ng is a valuable tool for injecting wireless packets into an active network. This tool relies on the attacker's knowledge of wireless cards, both on the attacking machine and on the target machine, so before deploying Aircrack-ng in your offensive environment, be sure you have the requisite information gathered from phase one. Once active, Aircrack-ng can also recover 802.11 WEP and WPA-PSK keys by gathering packets sniffed wirelessly. WEP attacks have been well known and well documented in the security community since at least 2007, but because of the nature of networked communication, injection attacks are still a very popular method of getting access to a network.

Web Application Attacking

9. Burp Suite
Burp Suite is an integrated platform for performing security testing of web applications. Its various tools work seamlessly together to support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. Burp gives you full control, letting you combine advanced manual techniques with state-of-the-art automation, to make your work faster, more effective, and more fun.

10. Hydra
Web application exploitation is a growing source of headaches for defensive security teams worldwide. Hydra is an extremely fast password cracking tool which supports attacks in over 50 different protocols. However, due to the nature of Hydra's attack pattern, it's much noisier than other methods of password cracking. The brute force methods of password stealing that Hydra allows are very effective and exceptionally fast, but this should be considered a fallback tool for high security environments as it will increase your chances of being detected.

(Figure: Supported protocols in Hydra)
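The noise the article warns about is exactly what a defender keys on: a parallel password-guessing run shows up as a burst of failed logins from one source, spread over many usernames and source ports within seconds. The detector below is an added example (not from the article or from the Hydra project) that flags that pattern in sshd auth log lines; the log excerpt is constructed for the example and the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt (not a real capture): 198.51.100.7 hammers sshd with
# many usernames from many source ports in three seconds; 203.0.113.9 is one typo.
SAMPLE_AUTH_LOG = """\
Nov 12 09:14:01 host sshd[2011]: Failed password for invalid user admin from 198.51.100.7 port 51002 ssh2
Nov 12 09:14:01 host sshd[2012]: Failed password for invalid user test from 198.51.100.7 port 51003 ssh2
Nov 12 09:14:02 host sshd[2013]: Failed password for root from 198.51.100.7 port 51004 ssh2
Nov 12 09:14:02 host sshd[2014]: Failed password for invalid user oracle from 198.51.100.7 port 51005 ssh2
Nov 12 09:14:03 host sshd[2015]: Failed password for root from 198.51.100.7 port 51006 ssh2
Nov 12 09:14:03 host sshd[2016]: Failed password for invalid user guest from 198.51.100.7 port 51007 ssh2
Nov 12 09:14:20 host sshd[2020]: Failed password for alice from 203.0.113.9 port 40210 ssh2
Nov 12 09:14:25 host sshd[2020]: Accepted password for alice from 203.0.113.9 port 40210 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port (?P<port>\d+)")


def detect_bruteforce(log_text, year=2014, threshold=5, window_s=60):
    """Flag source IPs with at least `threshold` failed sshd logins inside any
    `window_s`-second span. Returns {ip: {"failures", "users", "ports"}}.
    Syslog lines carry no year, so one is supplied (assumption for the sample)."""
    recent = defaultdict(deque)  # ip -> failure timestamps inside the sliding window
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "ports": set()})
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins and unrelated lines do not count
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()  # drop failures that fell out of the window
        s = stats[m["ip"]]
        s["failures"] += 1
        s["users"].add(m["user"])
        s["ports"].add(m["port"])
        if len(q) >= threshold:  # burst detected; keep the running totals
            flagged[m["ip"]] = {"failures": s["failures"],
                                "users": sorted(s["users"]), "ports": len(s["ports"])}
    return flagged
```

A high distinct-port count alongside the failure count is the tell for a parallelised guesser rather than a single user retyping a password.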

11. OWASP ZAP
For the security minded, OWASP should be a familiar name. The Open Web Application Security Project is well known as one of the most respected and active open source security projects on the internet. Founded as a non-profit in 2001, the OWASP team has been active in information security, development of penetration tools and digital freedom movements. ZAP is the Zed Attack Proxy Project. The tool is simple enough for new penetration testers, and robust enough for professional environments. Both passive and active scanners are built in, and brute force attacks can be used to break in and hunt for files even if there are no direct links to the files to be detected.

Password Attacks

12. John the Ripper
Known by the nickname John, John the Ripper is a well-developed free password attacking tool developed as an all-purpose attacking tool. Being able to call on different libraries of password guessing methods, from dictionary attacks to hybrid cracks to the cumbersome brute force methods used in other tools, John is a catch-all for password guessing software.

13. Pass the Hash Toolkit
While John goes straight for the password in an attempt to reveal it, the Pass the Hash Toolkit enables attackers to gather the hash from an accepted password and use the data after the password is accepted to get through into systems without having to use noisy and slow password guessing techniques. In a very informative whitepaper out of the SANS Institute, we get a good overview of PtH techniques, and where it fits in contextually with other penetration testing tools.

Phase Four
Exploitation
This is the real meat of any penetration test. All the above tools are used to gain information and access to a system. Some offensively minded security professionals find the early stages of a penetration test to be tedious and dry. I believe the first three phases are not unlike playing a game of chess, where phase four is the final execution of your intricate plans just before a checkmate. Exploitation is the proof of all the work you've done in mapping the system and opening the doors. Even more so than before, you must be careful not to permanently damage any systems you are testing. Make note and document that they could have been damaged, and when the time comes to present your findings, be clear and honest about the state of security. Doing permanent damage to a system is a quick way for a professional penetration tester to find himself unemployed and unemployable.

14. Metasploit Framework
The Metasploit Framework, run through the Metasploit Framework Console, is among the most advanced tools in the Kali Linux arsenal. The Metasploit team is legendary, and their work in the offensive infosec field is without parallel. Kali Linux itself was based on developing an OS that incorporated all the tools of Metasploit and BackTrack together. Metasploit itself could be considered an all-in-one penetration testing tool, and for many it still is. Of all the tools in this list, only Burp Suite comes close in the robustness and polish that Metasploit offers, and the Burp Suite tools are a distant second when compared to the depth of Metasploit's toolkit. Truly the top of the line for a dedicated offensive security professional. Metasploit offers tools that can be used in every phase of a penetration test, from passive information gathering tools to vulnerability scans. The most exciting portion of the toolkit comes at exploit payload development and delivery.

(Figure: Metasploit is an incredibly robust penetration testing toolkit.)

15. The Browser Exploitation Framework (BeEF)
BeEF is an excellent tool for exploiting vulnerabilities in the browser and browser-cached information blocks. At the time of writing the BeEF tool in Kali Linux is still being smoothed out, with a couple of errors and some general usability issues being touched up. BeEF specializes in client-side attacks, focusing on the web browser itself. No other tool on this list has reached the level of usability and specialization in specific location attacks as BeEF. With special methods of attacking a web browser, BeEF allows the attacker to hit the system directly from a security vector often overlooked by defensive development teams.

16. Armitage
Ignoring the quirky anime style of the website, Armitage is actually a very advanced tool for finding and executing exploits to allow the penetration testing team to gain access to a network. Bundled with Metasploit, Armitage is not the script kiddie plaything it appears to be stylistically, but is actually advanced enough for professional environments. With built-in automation of many different attacks, and options to find and exploit several attack vectors on the same target, Armitage is a quality weapon in the arsenal even if it is branded in a peculiar way.


17. Yersinia
A relatively older tool launched by the S21Sec team in 2005, Yersinia has returned to popularity as a reliable tool that attacks Layer 2 network systems. Instead of more traditional attacks like ARP poisoning or cache attacks, Yersinia is able to go after switches and hubs. With many networks having limited defenses and poorly organized or configured networking hardware, Yersinia is a prime example of a tool striking where your target is weakest. Further, as most defensive security tools guard web portals, databases and workstations, Yersinia is working in an environment where noise is the standard and detection is generally weaker.

18. Durandal's Backdoor (DBD)
DBD is a new and often overlooked tool used to maintain access to compromised systems. This is an absolutely essential part of a successful penetration test, especially in light of recent high-profile attacks on Home Depot and Target where attackers stayed in the system for weeks after gaining access. DBD is currently operating in only the TCP/IP protocol. Reconnection testing is a less exciting part of exploitation, but key to making sure defensive systems have had their problems actually solved. Successful DBD testing will make sure the security hole was actually closed, instead of simply throwing the attackers out while leaving the door open.

19. Exploit Database (EDB)
While not directly an offensive exploit tool, the Exploit Database built into Kali Linux is the best location for the most up-to-date exploits available. Maintained by the Kali Linux, Metasploit, and Offensive Security teams, EDB is possibly the best place on the internet to find exploits in any number of areas. Searchable by description, author, platform, type, language or port, EDB is currently holding over 30,000 known exploits at the time of writing.

(Figure: In Kali, open up your Iceweasel browser. Exploit-DB is already bookmarked.)

Phase Five
Reporting

20. RecordMyDesktop
While working with all the above tools, we leap over the line from safe to illegal and work directly with tools that could easily break a business. The point of a penetration test is to attack an environment in a controlled way so the defenders can have accurate and honest information on their weaknesses. Offensive security is a defensive tool. As flashy as exploits may be, everything in your offensive arsenal comes down to a simulated attack. Wargaming is only as good as the lessons learned at the end. RecordMyDesktop is the least technical tool on this list, but in my opinion, the most important. Showing exactly how an exploit worked, and having a clear and objective record of the attack taking place will be essential for the analysis and cleanup stages after the penetration test has completed.

Remember to ask questions when in doubt. The tools listed here can be used for great evil, and that's exactly why they were included. Knowing the enemy is half the battle.

Keep yourself safe, and happy hacking.